Domain Controller in Unusable State

Posted on 2008-10-21
Last Modified: 2012-05-05
About 2 months ago we utilized VMware to perform a P2V of one of our Domain Controllers. Last week we were trying to make some Group Policy changes and we noticed lots of errors on our DCs. We have Mission Critical support on the Dell servers that are running ESX, which also allows us to obtain support on all applications running on these servers. We called them to get assistance resolving some of these errors and they were able to get one of the replication errors cleared up. There are still numerous errors though, and the technician told us that it is never good to perform a P2V on a DC, contrary to what our consultants said. He said it would be simpler to correct these issues by doing the following:
1. Transfer the FSMO roles off of the DC with issues to our other DC.
2. Demote the DC with issues and then disjoin it from the Domain.
3. Bring up a new virtual server, promote it to a DC, and then transfer the FSMO roles back.

After looking into this, I noticed there are some additional factors that are coming into play. I thought before spending the time to open a support call with Microsoft, I would reach out to the EE community first for guidance, which might save me a lot of phone time and money. Below are my concerns:
1. The DC that is having problems is only performing the FSMO roles of "Schema Owner" and "Domain Role Owner". We only have 1 other DC in our environment. Is there an issue having all FSMO roles on the 1 DC for a short period of time? What other issues might I experience moving the FSMO roles over to the good DC?
2. The DC that is having issues is also the Global Catalog server. What exactly does this mean and what is the process of making the other DC the global catalog server?
3. The DC that is having problems also serves as our secondary DNS server. What is the process for shutting down the DNS function on it properly and then making the new virtual server the secondary DNS server?
4. Once we have all the roles and functions moved off the server with issues, what is the proper procedure to demote it and clean it up from our Domain?
5. After bringing the new virtual server up, what are the tricks to migrating all the roles the old one was previously taking to this new server?
6. We would like to give the new virtual server DC the same IP address as the old DC because all of our servers have it hard-coded as their secondary DNS server. Will we experience any issues giving the new DC the same IP as the old one? Does it need to have the same name as the old one or can it have a different name?

I know this question should probably be worth 1,000,000 points but I will greatly appreciate any feedback I get.

  John David Lambert
Question by:neptuneit

Accepted Solution

Mikealcl earned 500 total points
ID: 22770271
1.  No problem having all the FSMO on 1 server
2. Adding global Cat is easy.  In AD Sites and Services expand the DC you want to add it on > NTDS Settings > right click > properties > checkmark global catalog

You should have at least 2 global catalogs normally.

3. DNS isn't a big issue. When you demote, DNS will just function off your primary. The exception might be Exchange. Exchange might not roll over, so make sure it's not the primary DNS on your Exchange server. Just don't leave the network with 1 DNS server forever.

4.  DCpromo is what you want to use to remove it.

5. You should know how to do this from the transfer of the roles the first time. Link below should be useful for understanding FSMO.

6.  Name shouldn't matter.  It will have a new identifier in active directory.  Just make sure your AD replication took place successfully and you can reuse the ip address.
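Added example for points 1, 2 and 5 of the accepted answer (editor's code, not Mikealcl's or the asker's): it inventories the current FSMO holders and GC status, refuses to move roles until replication is confirmed clean, transfers whichever roles the healthy DC does not yet hold, and then sets the same NTDS Settings bit that the AD Sites and Services checkbox sets. It assumes the RSAT ActiveDirectory module and Schema/Domain Admin rights; `DC-GOOD` and `DC-P2V` are placeholders for the two DCs in the question.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and Domain/Schema Admins rights. Both host names are placeholders.
Import-Module ActiveDirectory

$GoodDc = 'DC-GOOD'   # placeholder: the DC that will end up holding all five roles
$BadDc  = 'DC-P2V'    # placeholder: the P2V'd DC that is to be demoted

# --- 1. Inventory: current FSMO holders and which DCs are global catalogs ---
$forest = Get-ADForest
$domain = Get-ADDomain
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster        # "Schema Owner" in ntdsutil's wording
    DomainNamingMaster   = $forest.DomainNamingMaster  # "Domain Role Owner"
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# --- 2. Replication must be clean before any role moves; read the fails/total
#        column of repadmin /replsummary and stop if anything is failing ---
repadmin /replsummary
$answer = Read-Host 'Are all DCs showing 0 failures above? (y/n)'
if ($answer -ne 'y') { throw 'Fix replication first; do not move FSMO roles onto a stale replica.' }

# --- 3. Transfer (not seize) whichever roles $GoodDc does not already hold ---
$target   = Get-ADDomainController -Identity $GoodDc
$held     = @($target.OperationMasterRoles | ForEach-Object { $_.ToString() })
$allRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
$toMove   = $allRoles | Where-Object { $held -notcontains $_ }
if ($toMove) {
    Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc -OperationMasterRole $toMove -Confirm:$false
    netdom query fsmo   # independent confirmation from a second tool
}

# --- 4. Make $GoodDc a global catalog: bit 1 of 'options' on its NTDS Settings
#        object is exactly what the AD Sites and Services checkbox toggles ---
$ntds = Get-ADObject -Identity $target.NTDSSettingsObjectDN -Properties options
$opts = [int]$ntds.options          # attribute unset -> $null -> 0
if (-not ($opts -band 1)) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
}
# The GC is usable only after it has pulled a read-only copy of every domain
# partition; push a sync now and watch for NTDS General event 1119 on $GoodDc.
repadmin /syncall $GoodDc /APed
```

The transfer step uses a graceful transfer, which requires both DCs to be online and replicating; seizing a role is a separate, last-resort operation for a DC that will never come back, and is deliberately not shown here because the question's bad DC is still running.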


Expert Comment

ID: 22770354
In case your consultant left this stuff out too

1) Don't use suspend option on VMware for AD Domain controllers
2) Don't use snapshots it will mess up the USNs
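Added check for the snapshot warning above (editor's code, not the commenter's): a snapshot revert leaves two symptoms that are easy to look for, the `DSA Not Writable` registry value NTDS sets when it quarantines itself, and NTDS Replication events 2095/2103 in the Directory Service log. It uses the Remote Registry service and the classic event log so it works against a 2003-era DC; `DC-P2V` is a placeholder and the RSAT ActiveDirectory module is needed only for the last line.

```powershell
# Added example, not from the thread. Host name is a placeholder.
Import-Module ActiveDirectory
$Dc = 'DC-P2V'   # placeholder: the P2V'd / possibly snapshot-reverted DC

# 1. Registry flag: NTDS sets DSA Not Writable = 4 when it detects a USN
#    rollback and stops inbound and outbound replication on that DC.
$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
$key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
if ($null -eq $key) { throw "Cannot open NTDS\Parameters on $Dc (Remote Registry running?)" }
$flag = $key.GetValue('DSA Not Writable')
if ($flag -eq 4) {
    Write-Warning "$Dc has quarantined itself for USN rollback (DSA Not Writable = 4)."
} else {
    "$Dc : no DSA Not Writable quarantine flag (value: $flag)"
}

# 2. Event evidence: 2095 = USN rollback detected, 2103 = DC isolated after an
#    unsupported restore (a reverted snapshot looks exactly like one).
Get-EventLog -ComputerName $Dc -LogName 'Directory Service' -Newest 2000 |
    Where-Object { @(2095, 2103) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Source |
    Format-Table -AutoSize

# 3. Up-to-dateness vector for the domain partition as seen from $Dc. Run the
#    same command against the other DC: if the partner records a HIGHER USN for
#    $Dc than $Dc reports for itself, $Dc has gone backwards in time.
repadmin /showutdvec $Dc "$((Get-ADDomain).DistinguishedName)"
```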


Author Comment

ID: 22770719
Some additional questions about your reply:

1. We only have 1 DC running as the Global Catalog. We think the information on the GC may be corrupt. Currently we cannot authenticate to our Exchange POP3 server and from some research we think POP3 uses the GC to authenticate. If we turn on our good DC as a GC server, will it replicate invalid information from the bad DC or will it create this information anew?

2.  How do we determine what DNS server our Exchange environment is using?  If it is using the bad DNS server, how do we change it?

3.  As for the VMware, what actually is the suspend option?

 Thanks for all your assistance.
       John David Lambert

Expert Comment

ID: 22770863
1.  I've never heard of the GC actually being corrupt so I'm not sure.  Exchange does depend on the GC for sure though.  If you really had a corruption you would have to restore from backup I believe.  Not sure how long ago your P2V was but I think you only get 60 days on tombstone so that might not even be an option.  

I would probably just add the GC and see if it works.  

2.  Exchange server will use whatever the primary assigned to the network card is.

3. VMware suspend is like pausing a VCR. The problem with this is that Active Directory can change via other servers while you're in the 'paused' state and it causes issues.
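Added example for point 2 of this reply, "whatever the primary assigned to the network card is" (editor's code, not the commenter's): it reads the DNS server search order of every IP-enabled adapter on a list of servers over WMI, which works against 2003-era hosts without WinRM, and flags any adapter whose primary DNS is the DC about to be demoted. A small function shows the same WMI class's `SetDNSServerSearchOrder` method for repointing an adapter. All IPs and host names are placeholders.

```powershell
# Added example, not from the thread. All addresses and host names are placeholders.
$BadDcIp  = '192.0.2.20'          # placeholder: IP of the DC being demoted
$GoodDcIp = '192.0.2.10'          # placeholder: IP of the healthy DC
$Servers  = 'EXCH01', 'FILE01'    # placeholders: Exchange and other member servers

$report = foreach ($s in $Servers) {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $s -Filter 'IPEnabled = TRUE'
    foreach ($n in $nics) {
        $order = @($n.DNSServerSearchOrder)
        if ($order.Count -eq 0) {
            $status = 'NO DNS SERVER SET'
        } elseif ($order[0] -eq $BadDcIp) {
            $status = 'PRIMARY IS THE DC BEING DEMOTED - repoint before demotion'
        } elseif ($order -contains $BadDcIp) {
            $status = 'secondary is the DC being demoted (fine until it is gone)'
        } else {
            $status = 'ok'
        }
        [PSCustomObject]@{
            Server   = $s
            Adapter  = $n.Description
            DnsOrder = ($order -join ', ')
            Status   = $status
        }
    }
}
$report | Format-Table -AutoSize

# Repoint every IP-enabled adapter on one server. SetDNSServerSearchOrder takes
# the complete ordered list; ReturnValue 0 means success.
function Set-DnsSearchOrder {
    param([string]$Server, [string[]]$NewOrder)
    Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $Server -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $rc = $_.SetDNSServerSearchOrder($NewOrder)
            "$Server / $($_.Description): SetDNSServerSearchOrder returned $($rc.ReturnValue) (0 = success)"
        }
}
# Example, once the report has been reviewed:
# Set-DnsSearchOrder -Server 'EXCH01' -NewOrder $GoodDcIp, $BadDcIp
```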

Expert Comment

ID: 22773501
Just some advice. I was told by Microsoft that the primary DC, the one holding the FSMO roles and schema, will not be supported by them if it is a virtual machine. I am running three DCs as virtual machines with another DC loaded on a physical server in order to satisfy this. I have had no issues with running the VM DCs, which are DCs, DNS servers and global catalogue servers. Transferring the roles from the VM to a physical server is really simple and will not cause any hassles. You can use the Manage Your Server wizard found in Administrative Tools to demote the DC; if this wizard runs through correctly without errors you will not need to do any additional AD cleanup.

Author Comment

ID: 22775923
We've turned on our good DC as a Global Catalog server but before we demote the DC having issues, how do we determine if the DC that we made a Global Catalog server is actually taking on the role as one?  We can't seem to find where to determine this.
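Added example for the question above (editor's code, not the asker's or any answerer's): five independent ways to confirm that the DC you just ticked "Global Catalog" on is really serving as one, from the attribute that was set, through the advertising test and the DC locator, to an actual LDAP query on the GC port (3268) and the NTDS event that marks the promotion complete. `DC-GOOD` and `corp.example` are placeholders; the RSAT ActiveDirectory module is needed only for the first check.

```powershell
# Added example, not from the thread. Host and domain names are placeholders.
$Dc     = 'DC-GOOD'        # placeholder: the DC you enabled as a GC
$Domain = 'corp.example'   # placeholder: the AD domain's DNS name

# 1. The flag you set: IsGlobalCatalog is read from bit 1 of the NTDS Settings 'options'.
Import-Module ActiveDirectory
(Get-ADDomainController -Identity $Dc).IsGlobalCatalog

# 2. Is it advertising? The flag can already be set while the DC is still
#    replicating in the read-only partitions; dcdiag's advertising test reports
#    the DC as advertising as a GC only once that has finished.
dcdiag "/s:$Dc" /test:advertising

# 3. Ask the DC locator for a GC (/force bypasses the cached answer). If it still
#    hands back the old DC, clients such as Exchange's POP3 authentication are too.
nltest "/dsgetdc:$Domain" /gc /force

# 4. Talk to the GC port itself. The GC:// moniker binds over LDAP on 3268, so
#    finding the domain head through it succeeds only on a DC that answers there.
$gc       = New-Object System.DirectoryServices.DirectoryEntry("GC://$Dc")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc, '(objectClass=domainDNS)')
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# 5. Event log confirmation: NTDS General 1119 is logged when the DC starts
#    advertising itself as a global catalog.
Get-EventLog -ComputerName $Dc -LogName 'Directory Service' -Newest 1000 |
    Where-Object { $_.EventID -eq 1119 } |
    Select-Object TimeGenerated, EventID, Message -First 1
```

Checks 2 through 4 are the ones that matter before demoting the old DC: check 1 only proves the checkbox was ticked, whereas a DC that passes the advertising test, is returned by the locator and answers on 3268 is one the network will actually use.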

Expert Comment

ID: 22777412

Author Closing Comment

ID: 31508426
Excellent solution to this problem.
