• Status: Solved
  • Priority: Medium
  • Security: Public

Why domain controller is not available?

I have two domain controllers running Windows 2003 server (dc1, dc2).
Both are up and running.
There is no network connectivity issue.
When I login as domain admin and try to open Group Policy Object from both dc1 and dc2, it ends up with error: Failed to open Group Policy Object. You may not have appropriate rights.
Note: Net Logon is started.
Q#1. How to turn it on manually?
Q#2. Why, all of a sudden, are the domain controllers unavailable?
Q#3. What common services are required for a dc to start?

Thanks a lot.
Asked by: richtree
richtreeAuthor Commented:
On dc1, I am able to open Active Directory Users and Computers and see the domain. I right click it, choose connect to domain controller, and am able to see both domain controllers dc1 and dc2; if clicking dc1, I am able to see all users; if clicking dc2, I am able to see all users too.
On dc1, I open Active Directory Domains and Trusts and see my domain, but nothing shows when expanding my domain. When I right click my domain and choose properties, it shows the error message: You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted.
Q#4. How to make a dc as PDC emulator?
richtreeAuthor Commented:
On dc1, I open Active Directory Users and Computers, right click my domain, and I see three tabs: RID, PDC, Infrastructure.
RID:
  Operations master: dc1
PDC:
  Operations master: ERROR
  The current operations master is offline. The role cannot be transferred.
Infrastructure:
  Operations master: ERROR
  The current operations master is offline. The role cannot be transferred.

I get the same result on dc2.

Q#5. How to assume PDC and Infrastructure operation master? Any side effect of this operation?

Thanks.
kind4meCommented:
I have to ask, have you rebooted the dcs yet?  If it is possible (maybe after hours) shut both dcs off, then bring dc1 up and check.  If it works, shut it down and bring dc2 up and make sure it works.  If it does, then shut it down again. Bring up dc1, then dc2, and see if they are working.

In the short term, until you can shut both down, you should shut down dc2, bring it back up, shut down dc1, bring it back up and then reboot dc2 again.

If that fails then you may have a corrupted AD.  Do you have any tape backups?
richtreeAuthor Commented:
One more detail:
There were only dc1 and dc3 when everything was fine.
dc3 failed due to a power supply failure.
Because dc3's hardware is old, I decided to retire it without further repair.
I thought dc3 did not hold any master roles, so I installed dc2 and ran dcpromo on it.

Now dc3 is runnable. I turned it on (without connecting it to the network) and found out it holds the PDC and Infrastructure master roles.

I still want to retire dc3 in the end due to the hardware issue.

Two options here:
 Option#1: Let dc1 seize the master roles without dc3 ever connecting back to the network again
 Option#2: Connect dc3 temporarily back to the network, transfer the roles off dc3 to dc1, then disconnect dc3 from the network.

Q#6. Which option is better?
Q#7. Please give detailed steps for your recommendation (including steps for dc1/2/3 if any).

Thanks a lot.
ChiefITCommented:
Well, if I understand you correctly, it sounds like you have metadata from DC3 and DC3 has some of your roles.

First off, you will need to assume the five FSMO roles on your primary DC. Then, you should remove all metadata of that server from your other DCs.

How to view and transfer roles:
http://support.microsoft.com/kb/324801

______________________________________________________

Then, you should remove the metadata from DC3. Metadata is defined as left over (or orphaned) data from an Active Directory object.

DCdiag is one of the easiest tools to see orphaned AD objects. DCdiag is part of a set of administrative tools you can get off the internet and install on your server. As an alternative, you can also use NTDSUTIL to browse a list of orphaned server objects.

The combination of the two, DCdiag and NTDSUTIL, is the method that most everyone uses to remove metadata from an improperly demoted domain controller, or other forms of metadata in AD. There are a couple of articles you might want to read when doing this.

1) Phantom, Tombstone, and the AD infrastructure master. (explains the four stages of a Deleted SID).
http://support.microsoft.com/kb/248047

2) How to remove metadata from AD:(Use of the NTDSUTIL)
 http://support.microsoft.com/kb/230306
or preferably,
http://www.petri.co.il/fix_unsuccessful_demotion.htm

 
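The KB article above walks through viewing the role holders in the GUI. As an added example (not from this thread or the linked articles), the following PowerShell reads the same information directly from the directory: each of the five FSMO roles is stored as the fSMORoleOwner attribute of one well-known object, and the script flags a role whose owner is a deleted object or a DC that no longer answers LDAP, which is exactly the "operations master is offline" situation richtree describes. It assumes PowerShell 3 or later on a domain-joined machine, run as a domain user; no RSAT is needed.

```powershell
# Added example, not from the thread: audit the five FSMO role holders via ADSI and
# flag roles held by a deleted or unreachable DC (the "offline operations master" case).
function Get-FsmoHealth {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.defaultNamingContext
    $configDN = [string]$rootDse.configurationNamingContext
    $schemaDN = [string]$rootDse.schemaNamingContext

    # Each role is recorded as the fSMORoleOwner attribute of one specific object.
    $roleObjects = [ordered]@{
        'PDC Emulator'   = "LDAP://$domainDN"
        'RID Master'     = "LDAP://CN=RID Manager`$,CN=System,$domainDN"
        'Infrastructure' = "LDAP://CN=Infrastructure,$domainDN"
        'Schema Master'  = "LDAP://$schemaDN"
        'Domain Naming'  = "LDAP://CN=Partitions,$configDN"
    }

    foreach ($role in $roleObjects.Keys) {
        # The value is the DN of the owner's NTDS Settings object. A tombstoned owner
        # (the DC object was deleted) carries the "\0ADEL:" marker in its RDN.
        $ownerDN = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
        if ($ownerDN -match '0ADEL:') {
            [pscustomobject]@{ Role = $role; Owner = $ownerDN; Status = 'OWNER DELETED - role must be seized' }
            continue
        }
        # The parent of NTDS Settings is the server object, which carries dNSHostName.
        $serverDN = $ownerDN -replace '^CN=NTDS Settings,', ''
        $hostName = [string]([ADSI]"LDAP://$serverDN").dNSHostName
        try {
            # RefreshCache forces a real bind to that DC; it throws if LDAP is not answering.
            $probe = [ADSI]"LDAP://$hostName/RootDSE"
            $probe.psbase.RefreshCache()
            $status = 'online - role can be transferred normally'
        } catch {
            $status = 'OFFLINE - transfer will fail, seize from a live DC instead'
        }
        [pscustomobject]@{ Role = $role; Owner = $hostName; Status = $status }
    }
}

Get-FsmoHealth | Format-Table -AutoSize
```

In the situation described in the thread, the PDC Emulator and Infrastructure rows would point at dc3 with an OFFLINE status while RID shows dc1 online.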
richtreeAuthor Commented:
dc3 is not officially retired yet. It went offline due to a hardware problem.
Not sure if dc1 is copied from dc3, but dc2 is copied from dc1 after dc3 went offline.
Can someone tell me if either of my options mentioned above will work?
Thanks.
ChiefITCommented:
Two options here:
 Option#1: Let dc1 seize the master role without dc3 ever connecting back to the network again
>>>Sure can.
 
Option#2: connect dc3 temporarily back to the network, transfer the roles off dc3 to dc1, then disconnect dc3 from the network.
>>>>Should be able to, depending on the extent of the hardware failure you mentioned above.

Q#6. Which option is better?
It may not seem like it, but you are in a pretty good situation. Most don't have the opportunity to make this decision. Whether to retire DC3 or to properly demote DC3 depends on what you feel most comfortable with. Your decision should depend upon your current situation.

Retiring DC3:
Do you need any data off DC3? If not, it may be a good time to retire DC3 by seizing the roles on DC1 and doing a metadata cleanup. Maybe you just don't want to deal with the hardware issues of DC3 and it is a good time to retire it.

Demoting DC3:
The alternative to retirement is to plug it in and demote the machine. You may need some data off DC3, or maybe you just don't feel comfortable removing DC3 metadata from the other two DCs.

Q#7. Please give detailed steps for your recommendation (including steps for dc1/2/3 if any).
Both are viable solutions: If you have no problems with Active Directory or DNS on DC3, you might want to consider demotion rather than retirement. All a demotion does is remove the AD database, transfer the roles and demote it to a stand-alone server. What you think is best for your network will determine what steps we take to fix these issues. Removing all metadata of an improperly demoted domain controller can be a bit daunting to someone who hasn't done it before. And most administrators will say that removing metadata should be the last resort. But I have seen it work many times over.

Evaluate your situation and let me know if you want to retire or demote.
richtreeAuthor Commented:
There is no other data on dc3 to transfer. dc3 is just a domain controller. dc3 went offline (unexpected shutdown) due to a power supply problem, so there is no data loss except a possible AD data out-of-sync issue.
Given this,
Q#8 Is my option#2 easier than option#1?
Q#9. If option#2 chosen, I imagine the steps like the following. Are these steps correct?
9.1 shut down dc1
9.2 turn on dc3
9.3 turn on dc1
Q#10 What will happen between dc1 and dc3?
9.4 transfer master roles from dc3 to dc1
9.5 shutdown dc3
9.6 turn on dc2
Q#11 What will happen between dc1 and dc2?
Please advise. Thanks.

ChiefITCommented:
OK, I think I see where you are going with this.

The roles will not transfer unless you, as the administrator, tell them to do so. So, shutting down one server and bringing up another will not transfer those roles to the other server. From what I see, DC3 has custody of your roles, even if it has been offline.

I think your easiest solution is to bring DC3 back online, while dc1 and 2 are still running, and transfer the FSMO roles. Then, demote DC3 to a stand-alone server. However, don't do this if you suspect the Active Directory database to be corrupt or out of date. You don't want to replicate out bad AD data.
richtreeAuthor Commented:
Hi ChiefIT,

Thanks a lot for your ideas. Now more questions with my option#2.
I did not have any problems with dc3 before it went down.
There was really not much change after dc3 went down. The only change is some AD users.

Given this,
Q#12. is option#2 still ok?
Q#13. Do I HAVE to demote dc3 after transferring the roles to dc1? Can I simply shut dc3 off and put it aside? Or is there any fundamental change to dc1/dc2 by demoting dc3?
My goal is to transfer all AD info/roles into dc1/dc2 properly. As long as this is done, I do not care what's left to dc3. I can simply wipe it out if just to prevent future interference.

Please let me know. Thanks again.
ChiefITCommented:
Option#2: connect dc3 temporarily back to the network, transfer the roles off dc3 to dc1, then disconnect dc3 from the network.

Option 2 is a good solution, unless the AD data on DC3 is corrupt.

Turning on DC3, transferring the FSMO roles, and demoting the machine is the correct way to retire a domain controller. What that does is transfer the roles and strip DC3's status as an active domain controller off DC2 and DC1.

richtreeAuthor Commented:
dc1 was able to transfer the PDC role from dc3 successfully.
Because dc1 is a global catalog server, it warns against taking over the Infrastructure role from dc3.
So I let dc2 try to take the Infrastructure role over. It sees that dc3 is the Infrastructure master but says it is unable to contact it when trying to take it over. It suggests 'force transfer' and I select it. It shows successful.
Now dc1 and dc2 see each other correctly.
But dc3 still thinks it is the Infrastructure master. (I already disconnected dc3 from the network.)
Q#14 is this an issue?
ChiefITCommented:
If DC2 has the five FSMO roles, then it can be retired. Now you have two FSMO role holders, DC3 and DC2. Since you don't want them to conflict, it might be a good idea to leave DC3 offline and remove its metadata from DC2 and DC1.

How to remove metadata from AD (use of NTDSUTIL):
http://support.microsoft.com/kb/230306
or preferably,
http://www.petri.co.il/fix_unsuccessful_demotion.htm

(Also remove the DNS records of DC3.)


Once the metadata removal has been completed, you should check out DC1 and DC2 for errors. I can tell you how, when you are ready.
 
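ChiefIT's last two posts both come down to the same check: after the roles have been seized, does the directory still believe dc3 is a domain controller? As an added example (not from this thread or the linked articles), the following PowerShell compares the NTDS Settings objects under CN=Sites in the Configuration partition, which is where the metadata cleanup in KB 230306 operates, against the DC computer accounts in the domain, and flags a server that is still registered as a DC but is known retired or has no matching account. It assumes PowerShell 3 or later on a domain-joined machine, run as a domain user; the host name dc3.corp.example is a constructed placeholder for the thread's dc3.

```powershell
# Added example, not from the thread: find left-over DC metadata by comparing the
# nTDSDSA (NTDS Settings) objects in the Configuration partition with the domain's
# real DC computer accounts. Anything still in Configuration for a retired DC is
# metadata that ntdsutil's "metadata cleanup" should remove.
function Get-DcMetadataResidue {
    param([string[]]$KnownRetired = @())   # DC host names you already know are gone

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.defaultNamingContext
    $configDN = [string]$rootDse.configurationNamingContext

    # 1. Every NTDS Settings object is a DC the directory still believes exists.
    $ntds = New-Object System.DirectoryServices.DirectorySearcher
    $ntds.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDN"
    $ntds.Filter     = '(objectClass=nTDSDSA)'
    $configDCs = foreach ($r in $ntds.FindAll()) {
        $ntdsDN   = [string]$r.Properties['distinguishedname'][0]
        $serverDN = $ntdsDN -replace '^CN=NTDS Settings,', ''   # parent = server object
        [string]([ADSI]"LDAP://$serverDN").dNSHostName
    }

    # 2. Computer accounts with SERVER_TRUST_ACCOUNT (0x2000) set are the real DC accounts.
    $acct = New-Object System.DirectoryServices.DirectorySearcher
    $acct.SearchRoot = [ADSI]"LDAP://$domainDN"
    $acct.Filter     = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $accountDCs = foreach ($r in $acct.FindAll()) { [string]$r.Properties['dnshostname'][0] }

    # 3. Report each Configuration-side DC and how it lines up with the domain side.
    foreach ($dc in $configDCs) {
        $status = if ($KnownRetired -contains $dc) { 'RETIRED - metadata still present, clean up' }
                  elseif ($accountDCs -notcontains $dc) { 'NO DC ACCOUNT - orphaned metadata' }
                  else { 'ok' }
        [pscustomobject]@{ Server = $dc; InConfig = $true; HasDcAccount = ($accountDCs -contains $dc); Status = $status }
    }
    # A DC account with no NTDS Settings object is the reverse leftover after cleanup.
    foreach ($dc in ($accountDCs | Where-Object { $configDCs -notcontains $_ })) {
        [pscustomobject]@{ Server = $dc; InConfig = $false; HasDcAccount = $true; Status = 'account without NTDS Settings' }
    }
}

# Constructed placeholder host name for the thread's retired dc3.
Get-DcMetadataResidue -KnownRetired 'dc3.corp.example' | Format-Table -AutoSize
```

Run it from dc1 and again from dc2 after cleanup; both should show only dc1 and dc2 with status ok, and the DNS records for dc3 that ChiefIT mentions are a separate check.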
richtreeAuthor Commented:
Thank you both. I will post new questions to continue from here.