Solved

2008 Domain Controller NETLOGON service paused due to Event 2103

Posted on 2010-11-11
Last Modified: 2012-05-10
I am receiving an error in my event log on my Windows Server 2008 DC, event 2103:

The Active Directory Domain Services database has been restored using an unsupported restoration procedure.
 
Active Directory Domain Services will be unable to log on users while this condition persists. As a result, the Net Logon service has paused.


I haven't restored AD so I am assuming that the DB got corrupted. Here is my current setup.

2 Domain Controllers

Server 2003: Domain Controller and Global Catalog
Roles: Infrastructure, Domain Naming, Schema

Server 2008 (receiving error 2103): Domain Controller and Global Catalog
Roles: PDC, RID

Would you agree that my steps below will resolve the issue?

1. Transfer PDC and RID to Server 2003
2. Demote Server 2008
3. Check for Metadata and perform cleanup if necessary.
4. Run DCPROMO on Server 2008 and monitor events.

If the roles don't transfer over, then I can seize them and run through the metadata cleanup. Then I can run through DCPROMO to get the DC back up.

Do you agree/disagree with this method?
Question by:ICCNetworkAdmin
22 Comments

Expert Comment

by:cjrmail2k
ID: 34113738
That is the way I would do it. Make sure you have seized ALL FSMO roles though. Also, are they both DNS servers? Where is your DHCP server? Just a couple of other things to look into.

Expert Comment

by:KenMcF
ID: 34113932
I would just seize the roles and do a metadata cleanup of the 2008 DC. Then on the 2008 DC run dcpromo /forceremoval

How did you restore the database?

Expert Comment

by:cjrmail2k
ID: 34113937
I don't think he did restore the DB, that's why there is confusion.

Expert Comment

by:KenMcF
ID: 34113966
I missed that line about not restoring the database.

Is this DC a VM?

Accepted Solution

by:
Awinish earned 2000 total points
ID: 34114156
You can give the method from the link below a try. I think the steps listed in the link below will solve your issue.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24937093.html

You can also go with your method of demoting & repromoting, if the above method doesn't solve your problem.


Author Comment

by:ICCNetworkAdmin
ID: 34114859
The DC is a VM.

Both are DNS servers.

Thank you for your quick responses!

Awinish, I read through this accepted solution and would be much happier running through these steps to attempt to resolve the issue rather than dealing with the demoting, promoting, and possibly the metadata cleanup.

Do you all agree that this is safe and should be attempted?

To resolve the Netlogon pause issue, do the below operation.

To get a single domain controller out of USN Rollback:
- Open Regedit
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Locate the key Dsa Not Writable=dword:00000004
- Delete the entire key
- Enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL
- Reboot.

If the problem is not resolved and you are still getting the Netlogon pause error along with USN rollback, the only option is to demote & promote the ADC.
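
A read-only check for the indicators named in this thread (the `Dsa Not Writable` value, the paused Netlogon service, the two disabled-replication options and Event 2103), suitable for running before and after any remediation. This is an added example, not part of the original posts; the function name and output fields are illustrative, and it assumes PowerShell 2.0 or later in an elevated session on the affected DC.

```powershell
# Added example (not from the thread): read-only report of the USN-rollback
# quarantine indicators discussed above. It changes nothing on the DC.
# Assumes PowerShell 2.0+, elevated, run locally on the domain controller.

function Get-UsnRollbackIndicator {
    # Registry path and value name are the ones quoted in the thread.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Dsa Not Writable'

    # RegistryKey.GetValue() returns $null when the value is absent.
    $key    = Get-Item -Path $path -ErrorAction SilentlyContinue
    $marker = $null
    if ($key) { $marker = $key.GetValue($name) }

    # Event 2103 states that Net Logon pauses while the condition persists.
    $netlogon = (Get-Service -Name Netlogon).Status

    # "repadmin /options <DC>" prints the current DSA options, which include
    # DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL when replication is off.
    $options  = (& repadmin.exe /options $env:COMPUTERNAME 2>&1 | Out-String)
    $inbound  = $options -match 'DISABLE_INBOUND_REPL'
    $outbound = $options -match 'DISABLE_OUTBOUND_REPL'

    # Newest Event 2103 in the Directory Service log, if one exists.
    $last2103 = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2103
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastSeen = $null
    if ($last2103) { $lastSeen = $last2103.TimeCreated }

    # Any single indicator is enough to treat the DC as still quarantined.
    $quarantined = ($marker -ne $null) -or $inbound -or $outbound -or
                   ($netlogon -eq 'Paused')

    New-Object PSObject -Property @{
        DsaNotWritable   = $marker
        NetlogonStatus   = $netlogon
        InboundDisabled  = $inbound
        OutboundDisabled = $outbound
        LastEvent2103    = $lastSeen
        Quarantined      = $quarantined
    } | Select-Object DsaNotWritable, NetlogonStatus, InboundDisabled,
                      OutboundDisabled, LastEvent2103, Quarantined
}

Get-UsnRollbackIndicator | Format-List
```

`LastEvent2103` only shows when the event was last logged, so compare its timestamp with the time of the change rather than treating its presence as a current fault.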

Expert Comment

by:Awinish
ID: 34114875
Yes, I have done it many times & if you are scared just take a backup of the registry or a system state backup of AD.

Author Comment

by:ICCNetworkAdmin
ID: 34114889
KenMcF, do you think this could have been caused by misconfiguration of the VM? Both of my domain controllers are running as VMs on ESX 4.0.

Expert Comment

by:Awinish
ID: 34114944
Writable domain controllers are not recommended on VMs & there are a lot of known issues with DCs on VMs.

http://support.microsoft.com/kb/888794

Only an RODC can be on a VM, which is recommended by MS.

Expert Comment

by:KenMcF
ID: 34114958
It is very possible. Are you using snapshots on your VMs?

Author Comment

by:ICCNetworkAdmin
ID: 34115004
I take snapshots when applying updates, but haven't had to revert to a snapshot.

Expert Comment

by:KenMcF
ID: 34115023
I would recommend not taking snapshots of any DCs. It is not supported by MS and can cause these kinds of problems.

http://support.microsoft.com/kb/888794 

Author Comment

by:ICCNetworkAdmin
ID: 34115112
Thank you for the link. I skimmed over it and will give it a good reading in the near future.

Author Comment

by:ICCNetworkAdmin
ID: 34115242
My plan is to take a system state backup and then run through the reg edit mentioned above. Hopefully that will resolve my issue.

I will then stop taking snapshots for the domain controllers.

Expert Comment

by:KenMcF
ID: 34115269
Awinish, I know that deleting that REG key will work, but is that supported by Microsoft? I thought I either read somewhere or was told by a Microsoft PFE that deleting that key to correct a USN issue left AD in an unsupported state. I will see if I can find anything on that.

Expert Comment

by:Awinish
ID: 34117796
It worked most of the time & when someone had a single DC they did it & they were able to correct the issue & it will not leave AD in any unsupported state.

All the articles recommend demote & promote, but doing the reg workaround is not a bad option if the issue can be resolved.

I did it so many times, tested it & that's why I recommended it.

Expert Comment

by:cjrmail2k
ID: 34119098
Do you not think that the demote/promote option would still be the easiest and quickest way to get AD cleaned up on that DC?

Expert Comment

by:Awinish
ID: 34119312
Give the registry tweak a try; it will never create a problem for the other DC & btw, if it doesn't work you are going to perform the demote & promote.

Author Comment

by:ICCNetworkAdmin
ID: 34145233
I ran the system state backups and tried the registry tweak. It appears to have resolved the issue. Netlogon and the W32Time service are running without user interaction. I have not had any side effects as of yet.

Expert Comment

by:Awinish
ID: 34145272
I told you because that was the last way to resolve the Netlogon pause & if it doesn't work, demote & promote.

I did it so many times & mentioned it in the link.

Great, it worked for you too. :)

Author Comment

by:ICCNetworkAdmin
ID: 34145301
Thank you for sharing your knowledge. That was much easier than running through that tedious process of demoting and promoting and metadata cleanup.

Expert Comment

by:Awinish
ID: 34145315
You're welcome. :)