Domain Controller in Unusable State

Posted on 2008-10-21
Last Modified: 2012-05-05
About 2 months ago we utilized VMware to perform a P2V of one of our Domain Controllers.  Last week we were trying to make some Group Policy changes and we noticed lots of errors on our DCs.  We have Mission Critical support on the Dell servers that are running ESX which also allows us to obtain support on all applications running on these servers.  We called them to get assistance resolving some of these errors and they were able to get one of the replication errors cleared up.  There are still numerous errors though and the technician told us that it is never good to perform a P2V on a DC, contrary to what our consultants said.  He said it would be simpler to correct these issues by doing the following:
             1.  Transfer the FSMO roles off of the DC with issues to our other DC.
             2.  Demote the DC with issues and then disjoin it from the Domain.
             3.  Bring up a new virtual server, promote it to a DC, and then transfer the FSMO roles back.

After looking into this, I noticed there are some additional factors that are coming into play.  I thought before spending the time to open a support call with Microsoft, I would reach out to the EE community first for guidance which might save me a lot of phone time and money.  Below are my concerns:
            1.  The DC that is having problems is only performing the FSMO roles of "Schema Owner" and "Domain Role Owner".  We only have 1 other DC in our environment.  Is there an issue having all FSMO roles on the 1 DC for a short period of time?  What other issues might I experience moving the FSMO roles over to the good DC?
            2.  The DC that is having issues is also the Global Catalog server.  What exactly does this mean and what is the process of making the other DC the Global Catalog server?
            3.  The DC that is having problems also serves as our secondary DNS server.  What is the process for shutting down the DNS function on it properly and then making the new virtual server the secondary DNS server?
            4.  Once we have all the roles and functions moved off the server with issues, what is the proper procedure to demote it and clean it up from our Domain?
            5.  After bringing the new virtual server up, what are the tricks to migrating all the roles the old one was previously handling to this new server?
            6.  We would like to give the new virtual server DC the same IP address as the old DC because all of our servers have it hard-coded as their secondary DNS server.  Will we experience any issues giving the new DC the same IP as the old one?  Does it need to have the same name as the old one or can it have a different name?

I know this question should probably be worth 1,000,000 points but I will greatly appreciate any feedback I get.

Thanks,
  John David Lambert
Question by:neptuneit
Accepted Solution

by:
Mikealcl earned 500 total points
ID: 22770271
1.  No problem having all the FSMO roles on 1 server.
2.  Adding a Global Catalog is easy.  In AD Sites and Services expand the DC you want to add it on > NTDS Settings > right click > Properties > check Global Catalog.

You should have at least 2 global catalogs normally.

3.  DNS isn't a big issue.  When you demote, DNS will just function off your primary.  The exception might be Exchange.  Exchange might not roll over, so make sure it's not the primary DNS on your Exchange server.  Just don't leave the network with 1 DNS server forever.

4.  DCpromo is what you want to use to remove it.

http://www.msresource.net/knowledge_base/articles/how_to:_remove_a_windows_2000_domain_controller_from_the_domain.html

5.  You should know how to do this from the transfer of the roles the first time.  The link below should be useful for understanding FSMO:

http://www.computerperformance.co.uk/w2k3/W2K3_FSMO.htm

6.  The name shouldn't matter.  It will have a new identifier in Active Directory.  Just make sure your AD replication took place successfully and you can reuse the IP address.


Expert Comment

by:Mikealcl
ID: 22770354
In case your consultant left this stuff out too:

1) Don't use the suspend option on VMware for AD Domain Controllers.
2) Don't use snapshots; it will mess up the USNs.


Author Comment

by:neptuneit
ID: 22770719
Some additional questions about your reply:

1.  We only have 1 DC running as the Global Catalog.  We think the information on the GC may be corrupt.  Currently we cannot authenticate to our Exchange POP3 server and from some research we think POP3 uses the GC to authenticate.  If we turn on our good DC as a GC server, will it replicate invalid information from the bad DC or will it create this information anew?

2.  How do we determine what DNS server our Exchange environment is using?  If it is using the bad DNS server, how do we change it?

3.  As for the VMware, what actually is the suspend option?

 Thanks for all your assistance.
       John David Lambert
Expert Comment

by:Mikealcl
ID: 22770863
1.  I've never heard of the GC actually being corrupt so I'm not sure.  Exchange does depend on the GC for sure though.  If you really had a corruption you would have to restore from backup I believe.  Not sure how long ago your P2V was but I think you only get 60 days on tombstone so that might not even be an option.  

I would probably just add the GC and see if it works.  

2.  Exchange server will use whatever the primary assigned to the network card is.

3.  VMware suspend is like pausing a VCR.  The problem with this is that Active Directory can change via other servers while you're in the 'paused' state, and it causes issues.
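The suspend and snapshot warnings in the two replies above both describe the same failure mode: a DC's USN counter goes backwards relative to what its replication partners have already seen (a USN rollback). The following PowerShell script is an added example, not part of the original thread, that checks a DC for the indicators Windows itself records when a rollback is detected: NTDS event 2095 (a partner has already acknowledged USNs the local DC is now re-issuing), NTDS event 2103 (database restored by an unsupported method) and the "Dsa Not Writable" registry value that quarantines a rolled-back DC. It assumes an elevated prompt on the suspect DC; the 60-day look-back window is an assumption chosen to match the tombstone lifetime mentioned in the thread.

```powershell
# Added example; not from the original thread. Run in an elevated PowerShell on the
# DC that was P2V'd, snapshotted or suspended. It looks for the three signs of a
# USN rollback that Windows records on the rolled-back DC itself:
#   - Directory Service log, event 2095: a partner has received replication data from
#     this DC using USNs it had already acknowledged
#   - Directory Service log, event 2103: AD database restored by an unsupported method
#   - registry value "Dsa Not Writable" = 4 under the NTDS Parameters key, which is
#     what disables inbound/outbound replication and pauses Netlogon on such a DC

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-UsnRollback {
    param([int]$DaysBack = 60)   # assumed window; matches the 60-day tombstone lifetime

    $since  = (Get-Date).AddDays(-$DaysBack)
    $events = Get-EventLog -LogName 'Directory Service' -After $since |
              Where-Object { @(2095, 2103) -contains $_.EventID }

    $notWritable = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' `
                        -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # Plain result object so the caller can act on it or pipe it to a report.
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        RollbackEvents  = @($events).Count
        DsaNotWritable  = $notWritable
        InRollbackState = ($notWritable -eq 4) -or (@($events).Count -gt 0)
    }
}

$result = Test-UsnRollback
$result | Format-List

if ($result.InRollbackState) {
    Write-Warning 'USN rollback indicators found on this DC.'
    Write-Warning 'Do not revert another snapshot to "fix" it: demote the DC (dcpromo, or'
    Write-Warning '/forceremoval plus ntdsutil metadata cleanup) or restore a supported backup.'
    # Show which partners have stopped accepting this DC's changes.
    repadmin /showrepl $env:COMPUTERNAME
} else {
    Write-Host 'No USN rollback indicators found on this DC.'
}
```

A DC that reports InRollbackState cannot be trusted to replicate again simply because the errors stop; the quarantine is deliberate, which is why the thread's "demote and rebuild" advice is the normal way out.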
Expert Comment

by:SagiEDoc
ID: 22773501
Just some advice.  I was told by Microsoft that the primary DC, the one holding the FSMO roles and schema, will not be supported by them if it is a virtual machine.  I am running three DCs as virtual machines with another DC loaded on a physical server in order to satisfy this.  I have had no issues with running the VM DCs, which are DCs, DNS servers and global catalogue servers.  Transferring the roles from the VM to a physical server is really simple and will not cause any hassles.  You can use the manage my computer wizard found in Administrative Tools to demote the DC; if this wizard runs through correctly without errors you will not need to do any additional AD cleanup.
Author Comment

by:neptuneit
ID: 22775923
We've turned on our good DC as a Global Catalog server but before we demote the DC having issues, how do we determine if the DC that we made a Global Catalog server is actually taking on the role as one?  We can't seem to find where to determine this.
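The accepted answer's procedure (move every FSMO role to the good DC, enable it as a Global Catalog, make sure replication is healthy, then dcpromo the old DC) and the question just above (how to tell whether the newly ticked DC really is acting as a GC) can both be checked from one script. The PowerShell below is an added example, not from the thread; the domain name corp.example.com, the healthy DC DC2 and the P2V'd DC DC1 are assumptions, and it expects the Windows support tools (netdom, dsquery/dsget, repadmin, nltest, ntdsutil) on the path of an elevated prompt on DC2.

```powershell
# Added example; not from the original thread. Assumed names: corp.example.com,
# DC2 = healthy DC that should end up holding every FSMO role and acting as GC,
# DC1 = the P2V'd DC that will be demoted. Run elevated on DC2.

$Domain = 'corp.example.com'
$GoodDC = 'DC2'
$BadDC  = 'DC1'

function Check([bool]$Ok, [string]$What) {
    if ($Ok) { Write-Host "[ OK ] $What" } else { Write-Warning "[FAIL] $What" }
}

# 1. FSMO holders. None of the five should still name the DC about to be demoted.
$fsmo = netdom query fsmo
$fsmo
Check (-not ($fsmo -match $BadDC)) "No FSMO role is still held by $BadDC"

# 2. GC flag on the NTDS Settings object (this is all the Sites and Services
#    checkbox sets).
$isGc = dsquery server -name $GoodDC | dsget server -isgc -q
Check ($isGc -match 'yes') "$GoodDC has the Global Catalog flag set"

# 3. GC actually advertised. Ticking the box is not enough: the DC only answers as
#    a GC once the read-only partitions have replicated in and NTDS General event
#    1119 ("now a global catalog server") is logged; it then registers _gc SRV
#    records in DNS and listens on TCP 3268.
$gcSrv = nslookup -type=SRV "_gc._tcp.$Domain" 2>$null
Check ($gcSrv -match $GoodDC) "_gc._tcp.$Domain SRV record points at $GoodDC"

$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($GoodDC, 3268); $gcPort = $tcp.Connected }
catch { $gcPort = $false }
finally { $tcp.Close() }
Check $gcPort "$GoodDC accepts connections on the GC port 3268"

$locator = nltest /dsgetdc:$Domain /GC /force
Check ($locator -match $GoodDC) "DC locator returns $GoodDC for a GC query"

# 4. Replication must be clean before the old DC goes, or the new GC may never
#    finish building its partial replica of the other partitions.
repadmin /replsummary
$failed = (repadmin /showrepl $GoodDC) -match 'Last attempt .* failed'
Check (-not $failed) "$GoodDC has no failed inbound replication links"

# 5. Only once every check above is OK: transfer (not seize) the two roles the
#    thread says DC1 holds. ntdsutil accepts its commands as arguments.
$DoTransfer = $false   # flip to $true deliberately; this changes the forest
if ($DoTransfer) {
    ntdsutil "roles" "connections" "connect to server $GoodDC" "quit" `
             "transfer schema master" "transfer naming master" "quit" "quit"
    netdom query fsmo   # re-check step 1 before running dcpromo on $BadDC
}
```

If step 2 passes but step 3 fails, the flag is set and the DC is still building its partial replicas: wait for event 1119 on DC2 and re-run the script rather than demoting DC1 meanwhile. Demote DC1 with a clean dcpromo; use dcpromo /forceremoval followed by "ntdsutil metadata cleanup" on DC2 only if the clean demotion fails.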
Expert Comment

by:Mikealcl
ID: 22777412
Author Closing Comment

by:neptuneit
ID: 31508426
Excellent solution to this problem.