Solved

Active Directory with no Domain Controllers

Posted on 2008-06-19
Medium Priority
261 Views
Last Modified: 2008-06-19
I am migrating from an old SBS2003 environment to a virtual 2003 Standard Server environment. The SBS2003 server has already been demoted and removed from the network, leaving only a stand-alone EXCHANGE server/DC for authentication. I created 2 new virtual Windows Server 2003 servers (DC1 & DC2) and DCPROMO'd both of them. Both DC1 and DC2 showed errors in their event logs referencing problems with SYSVOL replication, saying that they would not be fully promoted until SYSVOL was properly replicated.

Further investigation revealed that NTFRS on EXCHANGE was in an error state due to a recent disaster recovery. I had to create the file "NTFRS_CMD_FILE_MOVE_ROOT" and restart NTFRS in order to repair it. Since DC1 and DC2 are also waiting for SYSVOL replication, there were no other fully promoted DCs on the network (my bad), so there are no replication partners, and now EXCHANGE is also not acting as a DC. As a result, no domain controllers are available to answer domain requests, no GC servers, etc.

I have tried the SYSVOL rebuild methods (D4 and D2) outlined in the article:
http://support.microsoft.com/kb/315457
It does not appear to have remedied anything. There are still no SYSVOL or NETLOGON shares, and I'm continuing to receive event ID 13508, "The File Replication Service is having trouble enabling replication from EXCHANGE to DC1 for c:\windows\sysvol\domain using the DNS name EXCHANGE.domain.com. FRS will keep retrying."

I'm currently working on a new virtual network that mimics our current environment and hopefully we can move into that new environment soon, but in the meantime I have a very unstable network. Any help is appreciated.
Question by:GarrisonIT
6 Comments
 
LVL 24

Expert Comment

by:ryansoto
ID: 21828206
Your Exchange machine: in its TCP/IP properties, what DNS server is it referencing? The first DNS server should be itself, and since you have no other machines yet, there should be no secondary.

Restart the Netlogon service. Do the NETLOGON and SYSVOL shares show up on the Exchange DC?
0
 
LVL 24

Accepted Solution

by: ryansoto (earned 2000 total points)
ID: 21828216
Also, you should check to make sure your existing Exchange DC believes the other servers DCPROMO'd out correctly.

First try cleaning the metadata from the DCPROMO:
http://technet2.microsoft.com/windowsserver/en/library/012793ee-5e8c-4a5c-9f66-4a486a7114fd1033.mspx?mfr=true

If that doesn't work, then you need to check that they didn't fail on DCPROMO:
http://support.microsoft.com/kb/216498

Once this is squared away, retry starting the Netlogon service. If no go, I would rebuild the shares again:
http://support.microsoft.com/kb/315457
0
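As an added example (not part of ryansoto's answer or of the original thread), the following PowerShell script performs the read-only checks the answer above asks for on a single DC: whether the SYSVOL and NETLOGON shares are published, the state of the NtFrs and Netlogon services, whether a BurFlags (D4/D2) restore flag from KB315457 is still pending, and how many FRS 13508 events (and 13509 "replication re-established" events) were logged in the last 24 hours. It assumes Windows PowerShell 3.0 or later on an FRS-era domain controller, the `File Replication Service` event log name, and the BurFlags registry path documented in KB315457; the `$report` variable and its labels are this example's own.

```powershell
# Added example, not from the original thread: read-only SYSVOL/FRS health check.
# Assumptions: Windows PowerShell 3+ on a DC that still uses FRS (service NtFrs),
# the 13508/13509 event IDs of the FRS log, and the BurFlags key from KB315457.

$report = [ordered]@{}

# 1. Are the SYSVOL and NETLOGON shares published? Absent shares are the first
#    symptom in the question. Win32_Share works on 2003-era and later hosts.
$shares = Get-WmiObject -Class Win32_Share | Select-Object -ExpandProperty Name
foreach ($s in 'SYSVOL', 'NETLOGON') {
    $report["Share $s"] = if ($shares -contains $s) { 'present' } else { 'MISSING' }
}

# 2. Service state for FRS and Netlogon (Netlogon publishes the shares).
foreach ($svc in 'NtFrs', 'Netlogon') {
    $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
    $report["Service $svc"] = if ($state) { $state } else { 'not installed' }
}

# 3. BurFlags: 0xD4 (authoritative) or 0xD2 (non-authoritative) still set means
#    FRS will run that restore on its next start. The key name contains a
#    forward slash ("Backup/Restore"), which the PowerShell registry provider
#    treats as a separator, so .NET is used to open it verbatim.
$burPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burKey  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($burPath)
$bur     = if ($burKey) { $burKey.GetValue('BurFlags') } else { $null }
$report['BurFlags'] = if ($null -eq $bur) { 'not set (0)' } else { '0x{0:X}' -f $bur }

# 4. FRS events in the last 24h: 13508 = cannot enable replication from partner,
#    13509 = replication enabled after retries (the condition cleared).
$since  = (Get-Date).AddDays(-1)
$frsLog = Get-EventLog -LogName 'File Replication Service' -After $since -ErrorAction SilentlyContinue
$report['FRS 13508 events (24h)'] = @($frsLog | Where-Object { $_.EventID -eq 13508 }).Count
$report['FRS 13509 events (24h)'] = @($frsLog | Where-Object { $_.EventID -eq 13509 }).Count

# Print a two-column summary.
$report.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

Run it on each DC in turn and compare: a server with the shares present, NtFrs running, BurFlags cleared and a 13509 after its last 13508 has finished the restore; a server still showing only 13508 events and no shares is the one whose replication partner has not come up yet. The script changes nothing, so it is safe to re-run while FRS is retrying.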
 

Author Comment

by:GarrisonIT
ID: 21828420
On a hunch (based on your advice), I retried the NTFRS_CMD_FILE_MOVE_ROOT technique, and now the SYSVOL and NETLOGON shares are present on EXCHANGE, and domain authentication appears to be working again. It appears that the NTFRS_CMD_FILE_MOVE_ROOT *after* the D4 registry modification did the trick, at least for EXCHANGE.

FYI - DNS on EXCHANGE was/is pointing to itself, and the DNS records appear to be correct for all computers. There are no warnings or failures recorded in the event log for DNS on EXCHANGE. Also, pinging DC1, DC2 and EXCHANGE from the command line resolves to the correct IP address in all cases from all DCs.

At this point the problem has been reduced to replication between the DCs. I am still receiving the 13508 events on all 3 systems:

"The File Replication Service is having trouble enabling replication from EXCHANGE to DC1 for c:\windows\sysvol\domain using the DNS name EXCHANGE.domain.com. FRS will keep retrying."

This is preventing DC1 and DC2 from being fully promoted to domain controllers.

Any ideas?
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21828489
OK, it takes time to replicate and you may see these errors for a few minutes.
But next I would run a dcdiag /fix, then run a dcdiag and see what errors come back. Then run a netdiag and see what errors come back.

If none come back, then wait about 20 minutes to see if replication comes back online, and then try to dcpromo.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21828495
Also make sure the SRV records are present. This will also cause replication issues. You can always remove them and re-add them. Restart the replication service and see.
0
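As an added example (not from ryansoto's comment or the original thread), this PowerShell script checks the DC locator SRV records that the comment above refers to, for each DC named in the thread, and reports which registrations are missing. It assumes `Resolve-DnsName` (Windows 8 / Server 2012 and later); the domain name `domain.com` and the DC names `EXCHANGE`, `DC1`, `DC2` are taken from the question text and are placeholders to replace with your own.

```powershell
# Added example, not from the original thread: verify DC locator SRV records.
# Assumptions: Resolve-DnsName is available (Windows 8 / Server 2012+); the
# domain and DC names below come from the question and are placeholders.

param(
    [string]$Domain = 'domain.com',                      # placeholder from the question
    [string[]]$ExpectedDCs = @('EXCHANGE', 'DC1', 'DC2')  # DC names used in the thread
)

# Locator records every DC registers through Netlogon (dynamic DNS update).
# The gc record is registered only by DCs that hold the Global Catalog role.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

$results = foreach ($name in $records) {
    # Resolve the SRV record set; a missing record simply yields no answers.
    $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    # NameTarget is the FQDN of the registering DC; keep only the host label.
    $targets = @($answers | ForEach-Object { ($_.NameTarget -split '\.')[0].ToUpper() })
    foreach ($dc in $ExpectedDCs) {
        [pscustomobject]@{
            Record     = $name
            DC         = $dc
            Registered = ($targets -contains $dc.ToUpper())
        }
    }
}

$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    $msg = '{0} expected SRV registration(s) are missing.' -f $missing.Count
    Write-Warning $msg
}
```

A DC that has not finished promotion (as DC1 and DC2 in this thread) will not register its records, so missing rows for those hosts are expected until SYSVOL replicates; the gc rows will be missing for every DC when, as the question states, there are no GC servers. For a DC that should be registered but is not, restarting its Netlogon service (as the earlier comments suggest) triggers re-registration, and `dcdiag /test:dns` on that DC gives a second opinion on the same records.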
 

Author Comment

by:GarrisonIT
ID: 21828602
SRV records are present and accurate. DCDiag and NetDiag both look pretty clean. I did run FRSDiag on all 3 DCs. EXCHANGE looked good, but both DC1 and DC2 had several errors. At this point the network is functional, so I'm going to stop troubleshooting this SYSVOL replication issue and spend my time putting together the new, clean virtual server environment. Thanks for your help.
0