Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Course Of The Month
8 days, 7 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Active Directory Question
Posted on 2011-02-15
I am hoping somebody has real experience with this situation can give me a hand, thank you.
I have a AD (windows 2003 R2) that has two DCs (both are GC). Last time they two talked to each other (successfully) was over 6 months ago. Since then, DC1 (that has all the FSMO roles, the first DC of the AD) has been shut down and shipped to an oversea site. Some AD changes have been made (creating new users, groups, etc) on DC2 in the past six months while DC1 was offline. Now DC2 has been shut down and shipped to the same oversea site as DC1.
Here comes the question, once both DCs are onsite, how do I get the two DCs replicate to each other so the changes on DC2 won't get lost? Assuming I cannot seize the FSMO roles and rebuild DC1 (this is because of some other reasons).
I have a AD (windows 2003 R2) that has two DCs (both are GC). Last time they two talked to each other (successfully) was over 6 months ago. Since then, DC1 (that has all the FSMO roles, the first DC of the AD) has been shut down and shipped to an oversea site. Some AD changes have been made (creating new users, groups, etc) on DC2 in the past six months while DC1 was offline. Now DC2 has been shut down and shipped to the same oversea site as DC1.
Here comes the question, once both DCs are onsite, how do I get the two DCs replicate to each other so the changes on DC2 won't get lost? Assuming I cannot seize the FSMO roles and rebuild DC1 (this is because of some other reasons).
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
- +2
11 Comments
In theory the newest changes prevails, I rejoin some DC’s in the domain and never have a problem with any object.
The DC in the restart checks if are new changes and apply in itself.
The DC in the restart checks if are new changes and apply in itself.
You have a few options outlined in this question I helped with
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26759380.html
I'd personally go with the dcpromo /forceremoval then add the machine back to the domain and promote. If you are doing this on the box that held the FSMO roles then you would seize those roles.
Make sure in the future to regularly check the health of your AD...you don't want the DCs to not replicate beyond the Tombstone Lifetime.
Thanks
Mike
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26759380.html
I'd personally go with the dcpromo /forceremoval then add the machine back to the domain and promote. If you are doing this on the box that held the FSMO roles then you would seize those roles.
Make sure in the future to regularly check the health of your AD...you don't want the DCs to not replicate beyond the Tombstone Lifetime.
Thanks
Mike
after about 30 days of not talking to each other DC, the trust relationship of the two DCs is messed up.
If I were you, I would first make sure that both servers are running on the same clock, which is essential to all types of domain operations.
In order to recreate the trust relationship between these two DCs, you will step through some procedures with the help of dcdiag (see http://technet.microsoft.com/en-us/library/cc961811.aspx for details).
HTH,
Patric
If I were you, I would first make sure that both servers are running on the same clock, which is essential to all types of domain operations.
In order to recreate the trust relationship between these two DCs, you will step through some procedures with the help of dcdiag (see http://technet.microsoft.com/en-us/library/cc961811.aspx for details).
HTH,
Patric
after about 30 days of not talking to each other DC, the trust relationship of the two DCs is messed up.
That is not correct; trust relationships are not messed up after 30 days. They key is what the tombstone lifetime is set to (usually 60 or 180 days). http://markparris.co.uk/2010/02/01/active-directory-tombstone-lifetime-set-it-to-the-correct-value/
Thanks
Mike
That is not correct; trust relationships are not messed up after 30 days. They key is what the tombstone lifetime is set to (usually 60 or 180 days). http://markparris.co.uk/2010/02/01/active-directory-tombstone-lifetime-set-it-to-the-correct-value/
Thanks
Mike
Hi Mike,
You are the one get the point here. This is an inherited situation for me, the design flaw is really the cause of this.
Anyway, I thought about the forceremoval plan, but this requires DC1 to be rebuilt, right? which is a situation I am trying to avoid (because DC1 is not really our server, it belongs to another company). Any other way?
You are the one get the point here. This is an inherited situation for me, the design flaw is really the cause of this.
Anyway, I thought about the forceremoval plan, but this requires DC1 to be rebuilt, right? which is a situation I am trying to avoid (because DC1 is not really our server, it belongs to another company). Any other way?
No DC1 would not have to be rebuilt (although you could do that); so in this situation you would
If you just decide to rebuild it you will still need to go through steps 2 and 3 to cleanup and seize FSMO roles.
1. dcpromo /forceremoval on DC1
2. Cleanup that DC from AD (metadata cleanup) http://www.petri.co.il/delete_failed_dcs_from_ad.htm
3. Seize FSMO roles off DC1 to DC2 http://www.petri.co.il/seizing_fsmo_roles.htm
4. Promote DC1 again
The AD Team has also outlined the process in their rollback article (same process here)..about halfway down
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx
Thanks
Mike
If you just decide to rebuild it you will still need to go through steps 2 and 3 to cleanup and seize FSMO roles.
1. dcpromo /forceremoval on DC1
2. Cleanup that DC from AD (metadata cleanup) http://www.petri.co.il/delete_failed_dcs_from_ad.htm
3. Seize FSMO roles off DC1 to DC2 http://www.petri.co.il/seizing_fsmo_roles.htm
4. Promote DC1 again
The AD Team has also outlined the process in their rollback article (same process here)..about halfway down
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx
Thanks
Mike
Well, my bad here. When I said "DC1 need rebuilt", I really mean the AD on DC1 need to be re-built.
OK. My concerns about your suggestion is, there's a chance that AD changes has been made on DC1 as well while the two DCs are seperated. Plus, as I said, DC1 belongs to another company, any change on that server will need co-ordination, which we are trying to avoid (unless we definitely have to).
Any idea? thank you.
OK. My concerns about your suggestion is, there's a chance that AD changes has been made on DC1 as well while the two DCs are seperated. Plus, as I said, DC1 belongs to another company, any change on that server will need co-ordination, which we are trying to avoid (unless we definitely have to).
Any idea? thank you.
When you look at the logs check for event 2042; registry key you can try there http://technet.microsoft.com/en-us/library/cc757610(WS.10).aspx
That other company is going to have to clean it up too; this issue affects both DCs.
That other company is going to have to clean it up too; this issue affects both DCs.
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
Are you ready to implement Active Directory best practices without reading 300+ pages?
You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month8 days, 7 hours left to enroll
617 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.