Global Catalog Errors.  Demoting the additional domain controller

Posted on 2007-11-23
Last Modified: 2012-08-13
Hi All,
We have two domain controllers in a hosted environment. One of them, Server1, is set up as the Primary Domain Controller and the other, Server2, is set up as the additional domain controller.
Everything was working fine until some changes were made on the PDC with respect to security, as recommended by the Penetration-Testing group (a third-party company). We now have problems with Active Directory replication and I can clearly see that any new users created on one of the servers are not being replicated to the other. We are getting errors on Server2 relating to finding the PDC.
I tried to run the netdiag /fix and dcdiag /fix commands. The netdiag /fix went through successfully, but the dcdiag /fix reported a problem with finding the global catalog server.

My query is:
On server2 (the additional domain controller) we have set up IIS, and it is being used for some web applications. We also have SQL Server installed on it. Could somebody please tell me whether I can run DCPROMO on server2, demote it, and then put Active Directory back to make it the additional domain controller again? Also, would any of the services like IIS, the database etc. be affected in doing so?
or
Do we have any other workaround to fix this issue? Application up-time is very critical to me, because the last thing I want to hear from our clients is that the website is down just two days after its launch date.

Please advise...

Thanks,
nvrkakarla.
Question by:nvrkakarla
Expert Comment

by:SteveH_UK
ID: 20338486
I recommend against doing a DC demotion.  At the moment your DCs are not syncing and there is nothing to suggest they will after a DC demote-promote.  Instead, you may want to make your second DC a global catalog, and then see how you go.

You need to ensure that replication is working.  It sounds like your penetration testers have asked you to do something non-standard.  Were they MS Gold Partners?  Have they blocked ports between your DCs?

No supported configuration allows for DCs to have restricted access to each other.  Kerberos may be failing, or LDAP may not allow access...
Expert Comment

by:SteveH_UK
ID: 20338489
PS.  I always recommend a minimum of 2 GCs, though they do not need to both be in the same site.  You should also have a minimum of two DCs per domain, as you do, but demoting one isn't going to help you unless you have also fixed replication.

Part of the demotion process is to replicate all queued changes, so you would not be doing a clean demotion in any case.
Author Comment

by:nvrkakarla
ID: 20338579
Hi Steve,
Thanks for your prompt reply. I have tried making server2 the GC, but with only partial success. After having done this, there seems to be some replication going on between the two servers, as I can see the new users on server1 after creating them on server2. But the vice versa is not working.
Also, if I go to AD Sites and Services and try to force replication of Active Directory, it gives the error message "The RPC server is unavailable. This may be a DNS lookup problem".
I have not made any changes to the IP configuration or the DNS settings, but I cannot understand why this is happening!

Please suggest...
thanks,
nvrkakarla.
Expert Comment

by:SteveH_UK
ID: 20338596
Glad you've got the replication working (at least partially).  The second DC will only advertise itself as a DC once replication has completed.

Secondly, RPC may have been blocked by the penetration testing group.  It requires a whole range of ports.  Microsoft do not support lock-down between DCs or between DCs and clients.  We really need to know something of what they did if we are to help you undo their changes.

The RPC server error normally means that you cannot gain access to the server using the RPC protocol.  This is a protocol that is used for a huge amount of stuff in Windows.  This could be down to the time issues, or it could be blocked ports etc.

Are your two DCs in the same AD site?
Author Comment

by:nvrkakarla
ID: 20338857
Hi Steve,
Thanks for your reply!

Yes, my two servers are in the same AD site, and replication has also improved a little now; it's taking much less time for me to see the users created / deleted compared to the past. Also, following your reply, I have noticed a lot of W32 Time errors in the event log. Are these something to do with the issue?

Please advise...
Thanks,
nvrkakarla.
Accepted Solution

by: SteveH_UK (earned 500 total points)
ID: 20338887
Yes.  The W32 Time service keeps the clocks correct for the entire domain.  Kerberos (and that means authorisation) will not operate correctly if the clocks are skewed.  It will also affect the reliability of other services.

The point about the sites is that you can configure replication between sites to use SMTP or IP, but within a site all communication is direct and mustn't be interfered with (i.e. by the penetration testers).
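The accepted answer points at three things to verify between two same-site DCs before considering a demotion: that the partner's name resolves (the "DNS lookup problem" hint in the RPC error), that direct RPC is reachable, and that W32Time keeps the clocks within Kerberos tolerance. The following PowerShell check is an added example written for this thread, not code from the thread or from Microsoft; `Server1` as the partner name is an assumption, and 300 seconds is the Kerberos default MaxClockSkew.

```powershell
# Added example: pre-flight checks for a same-site replication partner.
# $Partner is assumed to be the other DC; run this on the DC that reports the errors.
param(
    [string]$Partner = 'Server1',   # assumed: the partner DC (e.g. the PDC emulator)
    [int]$MaxSkewSeconds = 300      # Kerberos default clock-skew tolerance (5 minutes)
)

# 1. "The RPC server is unavailable. This may be a DNS lookup problem": does the name resolve?
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Partner) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS : $Partner -> $($addrs -join ', ')"
} catch {
    Write-Warning "DNS : cannot resolve $Partner : $($_.Exception.Message)"
}

# 2. Intra-site replication is direct RPC; the endpoint mapper on TCP 135 must be reachable.
#    A host firewall tightened by the pen-test hardening is the usual reason this fails.
$rpc = Test-NetConnection -ComputerName $Partner -Port 135 -WarningAction SilentlyContinue
if ($rpc.TcpTestSucceeded) {
    Write-Host "RPC : TCP 135 reachable on $Partner"
} else {
    Write-Warning "RPC : TCP 135 blocked or unreachable on $Partner (check host and edge firewalls)"
}

# 3. W32Time: sample this host's offset from the partner and compare with Kerberos tolerance.
#    With /dataonly w32tm prints one "HH:mm:ss, +00.0123456s" line per sample (or an error code).
$lines = w32tm /stripchart /computer:$Partner /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $lines) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "Time: no samples from $Partner (NTP on UDP 123 blocked, or W32Time stopped?)"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        Write-Warning ("Time: offset {0:N1}s exceeds the Kerberos tolerance of {1}s; fix W32Time before anything else" -f $worst, $MaxSkewSeconds)
    } else {
        Write-Host ("Time: offset {0:N3}s is within the {1}s Kerberos tolerance" -f $worst, $MaxSkewSeconds)
    }
}
```

A warning from step 2 or 3 explains the RPC and W32Time errors seen in the thread without any demotion; a clean result from all three means the cause lies elsewhere (for example in the other RPC ports the hardening may have closed).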
Expert Comment

by:SteveH_UK
ID: 20758657
Glad it helped :)