dustypenguin asked:
2092, 8456 and other Active Directory errors probably caused by DC virtual machine import from backup

Where to start.

3 DC's
DC1 = Server 2008R2 as a virtual machine
DC2 = Server 2008R2 as a virtual machine
DC3 = Server 2003 physical machine, and looking to retire soon

Wanted to move the VMs to a new host. Restored from backups taken through the VM interface (XenCenter). You can guess the rest (now I know too). Stuck in a USN rollback issue.

Getting trust issues with machines trying to log in, etc.

How to get out of it?  Without killing the domain and starting over? Can give you dcdiags of each server.

Thanks for looking!
Attachments: 1qpcserver-diag.pdf, 2qpcserver-diag.pdf, qpcserver1-diag.pdf
ASKER CERTIFIED SOLUTION by KenMcF (solution text available to members only)
SOLUTION by Mike Kline (solution text available to members only)
dustypenguin (asker):
I've actually skimmed through the MS-875495 article earlier during some research ... will read that through with more vigour.

The other one I will study as well.

Have either of you gone through the process?  What are the potential things I should look out for?  

Other things.  

1 - Will DC1 automatically start replication when DC2 comes back?
2 - Do I need to demote DC2 and DC3?  Or if I demote DC2 and re-promote, should replication start working between those two at least?
3 - If I have DHCP still running on DC3, will there be any issues stopping that and setting up and starting it on DC1 before demoting DC3?
4 - Most importantly, what will happen to my users accessing resources they can still get to.  If I have work-arounds in place for now, is this something I should wait until the weekend to do?  If the system goes all the way down during the week, I'm a very unpopular guy!
I have done both the USN and force demote. If you have working DCs I would go with Mike's solution and just demote the servers and run through the steps.
Yes I have gone through the process.

If the demotion is not clean you may have to run dcpromo /forceremoval
and then run through metadata cleanup on the failed DCs.


Once they are re-promoted replication should work as long as you followed the steps.
Pretty much worked.  I demoted both DC2 and DC3 and kept DC1 ... will add DC2 back later.  Since the user and machine database was not in agreement, there were a few users that had to be recreated, and a couple of workstations that needed to be unjoined and rejoined to the domain.
 
Other hints for those going through this:
1 - I was able to transfer all roles before demotion, so did not have to seize them later.

2 - dcpromo failed on both servers I wanted to demote. Needed to use dcpromo /forceremoval. This is recommended ONLY if dcpromo does not work.

3 - Since I did a force removal, I did do metadata cleanup for both demoted servers from DC1.

4 - Need to go through DNS with a fine tooth comb and delete all records of the old servers if there are any.

5 - Had DHCP configured but off until demotion of the server that had been handling it, and then turned DHCP on on the leftover DC.
 
6 - Global Catalog had not replicated, or I had not set up global catalog on the server I kept, so needed to go to Active Directory Sites and Services > Sites > Default First Site Name > Servers > name of your server > NTDS Settings. Right click on that > Select Properties > select General tab > check Global Catalog. You may get a warning about whether you really want to add global catalog to an infrastructure master, but from what I can read, in a single domain forest that is not a problem. After a few minutes, DC1 became a global catalog, and could process new user and machine requests.

7 - Make sure that you have an entry in DNS > Forward Lookup Zones > _msdcs.<domain name> > gc for the global catalog. When you configure the server to be a global catalog, it should do that after about 5 to 10 minutes ... mine did.

8 - Restarted all the workstations to make sure they could log in to their primary user, and they had access to resources.

9 - Breathed a sigh of relief that it was not as bad as I had feared, and gave a prayer of thanks that things went relatively well.

10 - One other thing I did have to do was turn replication on on the existing server (as recommended by dcdiag) after all was said and done. This will be crucial as I add the second DC back into the mix.

Hope this may help someone.

Thanks Guys, appreciate it.
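A read-only triage script for the symptoms this thread describes (the USN rollback marker from KB875495, the replication-disabled DSA options behind 8456/8457, and the related Directory Service event IDs), added here as an example and not code from the original thread or from Microsoft. It assumes it is run elevated on the DC or on a host with repadmin.exe available; the DC name and look-back window are parameters.

```powershell
# Added example (not from the thread): triage a DC suspected of USN rollback after a
# VM backup/snapshot restore. Read-only; assumes elevated shell and repadmin.exe on PATH.
param([string]$DC = $env:COMPUTERNAME, [int]$Days = 7)

$report = @{}

# 1. KB875495 marker: NTDS writes "Dsa Not Writable" = 4 when it detects a USN rollback
#    and quarantines itself by disabling inbound and outbound replication.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
$dnw = if ($ntds) { $ntds.'Dsa Not Writable' } else { $null }
$report['DsaNotWritable'] = if ($dnw -ne $null) { $dnw } else { 'not set' }

# 2. Directory Service events tied to rollback and quarantine:
#    2095 = USN rollback detected, 2103 = database restored by an unsupported method,
#    1113/1115 = inbound/outbound replication disabled, 2092 = FSMO owner cannot validate its role.
$ids = 1113, 1115, 2092, 2095, 2103
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Directory Service'; Id = $ids; StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue
$report['EventCounts'] = ($events | Group-Object Id | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

# 3. Current DSA options. DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL are what make
#    repadmin and dcdiag report 8456/8457 ("currently rejecting replication requests").
$options = (& repadmin /options $DC 2>&1) -join ' '
$report['InboundReplDisabled']  = [bool]($options -match 'DISABLE_INBOUND_REPL')
$report['OutboundReplDisabled'] = [bool]($options -match 'DISABLE_OUTBOUND_REPL')

# 4. Verdict. A DC with rollback markers must not simply have replication switched back on;
#    the thread's path (demote or dcpromo /forceremoval, then metadata cleanup) applies.
$rollbackEvents = $events | Where-Object { $_.Id -eq 2095 -or $_.Id -eq 2103 }
if ($dnw -eq 4 -or $rollbackEvents) {
    $report['Verdict'] = 'USN rollback indicators present: leave replication disabled, demote and clean up this DC'
} elseif ($report['InboundReplDisabled'] -or $report['OutboundReplDisabled']) {
    # Matches hint 10: only re-enable on a healthy DC after the rolled-back DCs are gone.
    $report['Verdict'] = "Replication disabled, no rollback markers: once cleanup is done, run repadmin /options $DC -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL"
} else {
    $report['Verdict'] = 'No rollback or replication-disabled indicators found'
}

$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Run it on each DC before deciding which one to keep; the DC with no rollback markers and no disabled replication options is the candidate to retain, as DC1 was in this thread.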