Solved

SBS 2003 Active Directory errors and weird things after an image restore (Acronis)

Posted on 2010-11-09
Last Modified: 2016-10-27
Hello, I have been recovering from a monumental disaster.

This happened once before a few years ago and I had no problems getting it back up, but this time I think I broke the forest somehow.

So what's happened is that on Sunday evening the main HD in our server decided to die. (This is old hardware and has been on the books to be updated soon anyway, to mirrored RAID.)
I take 2 different types of backups: one with ntbackup (both backups are corrupted) :P
and one with Acronis.

The problem was that the ntbackup ones were corrupt and wouldn't load. The Acronis one somehow stopped taking backups 3 weeks ago and I did not notice, as I was getting mail saying it had finished successfully, so I had to restore the server from the 17-day-old image.

This is when the poo hit the fan: I forgot we had another sub DC in the forest, and when I booted the SBS DC problems arose. (I realize what a BIG MISTAKE THIS WAS.)

At this point I tried to dcpromo the other DC off the domain, as we don't need it, and this failed,
and I couldn't transfer roles, so I force-removed the 2nd DC and cleaned the metadata in the first DC,

flushed DNS
and registered DNS back.

Now everything works if I manually start the Net Logon service and the time service after a reboot, but on each reboot it pauses the Net Logon service and I need to restart everything manually for it to work.

Errors I get:
Event ID 2103
The Active Directory database has been restored using an unsupported restoration procedure.
Active Directory will be unable to log on users while this condition persists. As a result, the Net Logon service has paused.
User Action
See previous event logs for details.
 

Also, I can't seem to add domain computers anymore. The event log tells me there is a replica SID for the computer account in the SAM database, but I can't seem to find any duplicates in order to reset the accounts.

error 12293
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Pekka,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=osmoproduction,DC=fi. All duplicate  accounts have been deleted. Check the event log for additional duplicates.

Any help with fixing this and removing any trace elements of the member DC I removed would be greatly appreciated.


Here is a copy of dcdiag /v
and repadmin /showrepl:


C:\Program Files\Support Tools>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\OSMOSERVER
DC Options: IS_GC
Site Options: (none)
DC object GUID: 2dd69cb8-9a9a-4c1d-9fce-528c9bbfbe31
DC invocationID: d09d396f-ddd2-422b-9bc6-00e625e3a1a3



C:\Program Files\Support Tools>dcdiag /V

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine osmoserver, is a DC.
   * Connecting to directory service on server osmoserver.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\OSMOSERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... OSMOSERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\OSMOSERVER
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=osmoproduction,DC=fi
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=DomainDnsZones,DC=osmoproduction,DC=fi
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=osmoproduction,DC=fi
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=osmoproduction,DC=fi
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=osmoproduction,DC=fi
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         * Replication Site Latency Check
         ......................... OSMOSERVER passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC OSMOSERVER.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=osmoproduction,DC=fi
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=osmoproduction,DC=fi
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=osmoproduction,DC=fi
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=osmoproduction,DC=fi
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=osmoproduction,DC=fi
            (Domain,Version 2)
         ......................... OSMOSERVER passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\OSMOSERVER\netlogon
         Verified share \\OSMOSERVER\sysvol
         ......................... OSMOSERVER passed test NetLogons
      Starting test: Advertising
         The DC OSMOSERVER is advertising itself as a DC and having a DS.
         The DC OSMOSERVER is advertising as an LDAP server
         The DC OSMOSERVER is advertising as having a writeable directory
         The DC OSMOSERVER is advertising as a Key Distribution Center
         The DC OSMOSERVER is advertising as a time server
         The DS OSMOSERVER is advertising as a GC.
         ......................... OSMOSERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=OSMOSERVER,CN=Servers,CN=Defaul
t-First-Site-Name,CN=Sites,CN=Configuration,DC=osmoproduction,DC=fi
         Role Domain Owner = CN=NTDS Settings,CN=OSMOSERVER,CN=Servers,CN=Defaul
t-First-Site-Name,CN=Sites,CN=Configuration,DC=osmoproduction,DC=fi
         Role PDC Owner = CN=NTDS Settings,CN=OSMOSERVER,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=osmoproduction,DC=fi
         Role Rid Owner = CN=NTDS Settings,CN=OSMOSERVER,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=osmoproduction,DC=fi
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=OSMOSERVER,CN=Se
rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=osmoproduction,DC=
fi
         ......................... OSMOSERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4609 to 1073741823
         * osmoserver.osmoproduction.fi is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4109 to 4608
         * rIDPreviousAllocationPool is 3109 to 3608
         * rIDNextRID: 3368
         ......................... OSMOSERVER passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC OSMOSERVER on DC OSMOSERVER.
         * SPN found :LDAP/osmoserver.osmoproduction.fi/osmoproduction.fi
         * SPN found :LDAP/osmoserver.osmoproduction.fi
         * SPN found :LDAP/OSMOSERVER
         * SPN found :LDAP/osmoserver.osmoproduction.fi/OSMOPRODUCTION
         * SPN found :LDAP/2dd69cb8-9a9a-4c1d-9fce-528c9bbfbe31._msdcs.osmoprodu
ction.fi
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2dd69cb8-9a9a-4c1d-9f
ce-528c9bbfbe31/osmoproduction.fi
         * SPN found :HOST/osmoserver.osmoproduction.fi/osmoproduction.fi
         * SPN found :HOST/osmoserver.osmoproduction.fi
         * SPN found :HOST/OSMOSERVER
         * SPN found :HOST/osmoserver.osmoproduction.fi/OSMOPRODUCTION
         * SPN found :GC/osmoserver.osmoproduction.fi/osmoproduction.fi
         ......................... OSMOSERVER passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [OSMOSERVER]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... OSMOSERVER failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         OSMOSERVER is in domain DC=osmoproduction,DC=fi
         Checking for CN=OSMOSERVER,OU=Domain Controllers,DC=osmoproduction,DC=f
i in domain DC=osmoproduction,DC=fi on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=OSMOSERVER,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=osmoproduction,DC=fi in domain CN=Config
uration,DC=osmoproduction,DC=fi on 1 servers
            Object is up-to-date on all servers.
         ......................... OSMOSERVER passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... OSMOSERVER passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... OSMOSERVER passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... OSMOSERVER passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... OSMOSERVER passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=OSMOSERVER,OU=Domain Controllers,DC=osmoproduction,DC=fi and
         backlink on
         CN=OSMOSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu
ration,DC=osmoproduction,DC=fi
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=OSMOSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replicatio
n Service,CN=System,DC=osmoproduction,DC=fi
         and backlink on
         CN=OSMOSERVER,OU=Domain Controllers,DC=osmoproduction,DC=fi are
         correct.
         The system object reference (serverReferenceBL)
         CN=OSMOSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replicatio
n Service,CN=System,DC=osmoproduction,DC=fi
         and backlink on
         CN=NTDS Settings,CN=OSMOSERVER,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=osmoproduction,DC=fi
         are correct.
         ......................... OSMOSERVER passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : osmoproduction
      Starting test: CrossRefValidation
         ......................... osmoproduction passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... osmoproduction passed test CheckSDRefDom

   Running enterprise tests on : osmoproduction.fi
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... osmoproduction.fi passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\osmoserver.osmoproduction.fi
         Locator Flags: 0xe00003fd
         PDC Name: \\osmoserver.osmoproduction.fi
         Locator Flags: 0xe00003fd
         Time Server Name: \\osmoserver.osmoproduction.fi
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\osmoserver.osmoproduction.fi
         Locator Flags: 0xe00003fd
         KDC Name: \\osmoserver.osmoproduction.fi
         Locator Flags: 0xe00003fd
         ......................... osmoproduction.fi passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

C:\Program Files\Support Tools>
Question by:Cormacp
Accepted Solution

by:
oBdA earned 500 total points
ID: 34095952
You will not be able to fix the current version.
Restore the Acronis image again, clean out the AD from the (now gone) DC2, continue from there.
For the future: do NOT use an imaging software to back up DCs if you have more than one DC (or know EXACTLY what you're doing).
AD has to be backed up and restored using AD aware backup software.
What you're currently experiencing is a USN rollback:
How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/kb/875495
0
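A triage sketch for the situation in this thread, added here as an example and not part of the original posts: it parses saved `dcdiag /v` text and correlates it with the event IDs quoted in the question, showing that dcdiag can pass almost every test while event 2103 is what marks the unsupported restore. The sample input is constructed from the excerpts in the question, and the function names `parse_dcdiag` and `triage` are hypothetical.

```python
import re

# Constructed sample, modeled on the dcdiag /v excerpt and event IDs in the question.
SAMPLE_DCDIAG = """\
      Starting test: RidManager
         * rIDAllocationPool is 4109 to 4608
         * rIDPreviousAllocationPool is 3109 to 3608
         * rIDNextRID: 3368
         ......................... OSMOSERVER passed test RidManager
      Starting test: Services
         * Checking Service: IsmServ
            IsmServ Service is stopped on [OSMOSERVER]
         * Checking Service: NETLOGON
         ......................... OSMOSERVER failed test Services
      Starting test: systemlog
         ......................... OSMOSERVER passed test systemlog
"""
SAMPLE_EVENT_IDS = [2103, 12293]

# Meanings as worded in the event text quoted in the question.
EVENTS = {
    2103: "AD database restored using an unsupported procedure; Net Logon paused",
    12293: "two or more objects have the same SID in the SAM database",
}

def parse_dcdiag(text):
    """Pull per-test verdicts, stopped services and RID state out of dcdiag /v text."""
    tests = {name: verdict for _, verdict, name in
             re.findall(r"\.{5,} (\S+) (passed|failed) test (\S+)", text)}
    stopped = re.findall(r"(\S+) Service is stopped on", text)
    pools = {name: (int(lo), int(hi)) for name, lo, hi in
             re.findall(r"(rID\w*Pool) is (\d+) to (\d+)", text)}
    m = re.search(r"rIDNextRID: (\d+)", text)
    return {"tests": tests, "stopped": stopped, "pools": pools,
            "next_rid": int(m.group(1)) if m else None}

def triage(dcdiag_text, event_ids):
    """Correlate dcdiag verdicts with logged event IDs into one summary."""
    d = parse_dcdiag(dcdiag_text)
    nxt = d["next_rid"]
    in_pool = [n for n, (lo, hi) in d["pools"].items()
               if nxt is not None and lo <= nxt <= hi]
    return {
        "failed_tests": sorted(t for t, v in d["tests"].items() if v == "failed"),
        "stopped_services": d["stopped"],
        "next_rid": nxt,
        "next_rid_pool": in_pool[0] if in_pool else None,
        "events": {e: EVENTS[e] for e in event_ids if e in EVENTS},
        # A passing dcdiag run does not clear the DC: event 2103 marks the restore.
        "unsupported_restore": 2103 in event_ids,
        "duplicate_sids": 12293 in event_ids,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DCDIAG, SAMPLE_EVENT_IDS).items():
        print(f"{key}: {value}")
```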
 

Author Comment

by:Cormacp
ID: 34105338
OK, thanks for the reply. I restored the image and now DC2 is gone, and I removed Active Directory from it, along with changing its network name and removing it from the domain.

I'll let you know how it goes.

thanks again

Author Comment

by:Cormacp
ID: 34109976
It seemed to go better now that the 2nd DC is gone;
all tests are OK and computers can join the domain normally.

Is it safe now to re-add the old DC with a new name, now that I have removed Active Directory and the domain controller role from it? I just want it to act as a file server, so I need to connect it to the domain for share permissions.
Expert Comment

by:oBdA
ID: 34115396
If you've removed the second DC correctly from AD, there should be no issues in adding it back to the domain.
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498