Solved

I forgot to prep my 2003 domain before I added a 2008 R2 domain controller... can I fix this?

Posted on 2011-02-22
24
1,116 Views
Last Modified: 2012-05-11
Hello,

I had a domain with one 2003 R2 DC, and an Exchange 2003 server running on another 2003 R2 member server, along with a couple of other member servers and a mixture of XP Pro and Windows 7 clients.

I recently added a server 2008 R2 Standard member server, and promoted it to DC status.  I then modified the DNS settings in each server and client in the domain to reflect the additional DNS server (the 2003 server is listed first, the 2008 server listed second).  This worked well... for a while.

Monday, things began to blow up.  I have a few Outlook clients (2007 and 2010) that now come up with a security logon, asking for username and password (this of course shouldn't happen with local clients)... entering usernames and passwords doesn't work, as the server rejects the logon.

I began to look into the problem, but it mysteriously resolved itself, and the affected clients began working again.

Today, the problem recurred, with one of the same client workstations and two new ones.  As I dug into the event viewers, I see Kerberos authentication errors, mostly relating back to time discrepancies between the servers and the clients.

At this point, the 2003 DC is 10 minutes ahead of the member servers and many of the client workstations.  The 2008 DC seems to be synced with the clients.  If I do a net time /query from the mail server (2003), it returns time.nist.gov, rather than DC1.

As I thought through my installation and promotion of the 2008 server, I realize now that I totally blew the process, which may be the root cause of all my issues.  I believe (it's been a month, so I can't 100% confirm) that I dcpromo'd the 2008 server without prepping my 2003 active directory for the 2008 server.

Can I fix this?

My first thought is to demote the 2008 server, go around to every client and member server (I have manually assigned IP addresses) and remove the 2008 DC from their DNS listing, reboot each (or logoff and logon) to get them to reauthenticate with the 2003 DC only, and check the time on each to be sure it coincides with the 2003 DC.

Once I am sure things have settled down, I can then properly prep the 2003 DC's active directory, promote the 2008 to DC, and make it a global catalog server.

However, with the mess I made of the first go, I am worried I will make a bigger mess of things... does anyone have any suggestions as to how I can fix this?
Question by:meelnah
24 Comments
 
LVL 3

Expert Comment

by:Frank_Alphaserveit
ID: 34952697
i'm pretty certain you cannot promote a 2008 server WITHOUT running adprep - dcpromo will fail.  Are you sure you or someone else did not run ADprep?
0
 
LVL 31

Assisted Solution

by:DrUltima
DrUltima earned 200 total points
ID: 34952737
Your 2008 R2 server should not have allowed itself to be promoted if you had not prepped the domain already for it.  Your time is the problem.  

AD requires all clocks to be within five minutes of the DC which hosts the PDC emulator role, +/- (in other words, if the DC says it is 13:00:00, then your member machines, servers or workstations, must be between 12:55:01 and 13:04:59).  You MUST fix this for AD health to continue.

Your non PDCe DCs must use the PDCe as their time authority.  Your member machines should use the %LOGONSERVER% as their authoritative time server.

Resources:
How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/cc773013%28WS.10%29.aspx

Windows Time Service and Internet Communication
http://technet.microsoft.com/en-us/library/cc779145%28WS.10%29.aspx

Configuring a time source for the forest
http://technet.microsoft.com/en-us/library/cc784800%28WS.10%29.aspx

DrUltima
0
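The five-minute rule above is easy to check rather than guess at. The following PowerShell script is an added example, not code from the thread or from Microsoft: it locates the PDC emulator through .NET (no AD module needed), shows what the local machine believes its time source is, samples the PDCe with `w32tm /stripchart`, and flags an average offset beyond the default 300-second Kerberos tolerance. It assumes a domain-joined Windows Vista/2008 or later machine that can reach the PDCe on UDP 123; `w32tm /query` is not available on Windows 2003.

```powershell
# Added example (not from the thread): measure this machine's clock offset
# against the PDC emulator and flag anything outside the Kerberos tolerance.
# Assumes a domain-joined Vista/2008+ host that can reach the PDCe on UDP 123.

$MaxSkewSeconds = 300   # default Kerberos MaxTolerance is five minutes

# Locate the PDC emulator with .NET only (no RSAT / AD module required).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdce   = $domain.PdcRoleOwner.Name
Write-Host "Domain: $($domain.Name)  PDC emulator: $pdce"

# What this machine currently believes its time source is.
$source = (w32tm /query /source) -join ' '
Write-Host "Local time source: $source"

# Sample the PDCe a few times; /dataonly prints lines like "12:24:54, +00.0012345s".
$lines   = w32tm /stripchart /computer:$pdce /samples:3 /dataonly
$offsets = foreach ($line in $lines) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Warning "No samples returned from $pdce; check UDP 123 and that W32Time is running there."
    return
}

$avg = ($offsets | Measure-Object -Average).Average
Write-Host ("Average offset from PDCe: {0:N3} s" -f $avg)

if ([math]::Abs($avg) -gt $MaxSkewSeconds) {
    Write-Warning "Clock skew exceeds $MaxSkewSeconds s; Kerberos tickets from this host will be rejected until it is resynced."
} else {
    Write-Host 'Within Kerberos tolerance.'
}
```

Run it from an elevated prompt on the complaining workstation or member server. A source of "Local CMOS Clock" or "Free-running System Clock" together with a large offset is the combination that produces the Kerberos errors and Outlook logon prompts described in the question.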
 
LVL 1

Author Comment

by:meelnah
ID: 34952752
no... I SUSPECT I forgot a step somewhere, and it was the first thing that came to mind.  To run adprep I would have had to insert the 2008 R2 cd in the 2003 DC and run adprep from it, correct?  I may have, but I don't recall doing that...

0
 
LVL 1

Author Comment

by:meelnah
ID: 34952810

Thanks DrUltima... I knew that, but thought that the servers (both member and DC) and clients receive their time updates automatically as part of the Domain logon process, and also periodically while they are logged on.

Are you saying that there is a manual process to set the NTP server, even when joined to a domain?

I will review the docs you provided... thanks!
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 34952838
To run ADPREP for a DCPromo, you need to use the ADPREP which is on the 2008 Installation disc.  If you are installing R2, it is a 64 bit OS, and if your 2003 servers are 32 bit, you will have to run the ADPREP32 instead.  But again, if you had not already done this, you would not have been able to promote your 2008 R2 box to make it a DC.

DrUltima
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 34952859
In a perfect world, the PDCe is supposed to broadcast itself as the authoritative time server.  I have seen many cases where it doesn't.  It will not hurt anything at all to manually configure it to do so, as long as you remember to change the authoritative time server should your PDCe ever move to a different server.

DrUltima
0
 
LVL 1

Author Comment

by:meelnah
ID: 34953163
Would that explain why my exchange server (server 2003) responds to a net time /query command with time.windows.com?  This is the default NTP server from the OS, correct?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34953917
You should be using w32tm not net time
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34953948
If you didn't prep your domain then you would not be able to add the Windows 2008 Server R2 to an existing domain.

Post dcdiag

Your PDC should be giving out time to the domain.

Run netdom /query fsmo to find out what server this is.

TigerMatts article about time service in a domain read this.

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954109
dariusq,

my 2003 DC (DC1) has all five roles, and as the PDC it should be handing out the time to my domain.  However, it is obvious that it isn't (almost all clients, member servers, and the 2008 DC (DC2) are about 14 minutes behind DC1's time).

I was using the net time /query to try to determine where my 2003 member servers were receiving their time from... in their case, it was time.microsoft.com, not DC1.  I don't know how to query the 2008 and windows 7 clients as to what their time source is.

I will review the docs you listed, but in case the info isn't there, how would any of you troubleshoot/correct this issue?  I have verified that my 2003 DC has the PDC role and should be time source for my domain, but it is apparent that it isn't...
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954221
one more quirk...

if I do a net time from my windows 7 workstation (current time is 12:11pm), it returns 'Current time at \\dc1 is 2/22/2011 12:24:54pm'

doesn't this imply that my workstation is receiving its time updates from the correct domain source (DC1)?  If so, I am unclear how the time is so far off, as the way I understand it, if the PDC sees the time get more than 5 minutes off either way, it prompts the client to reset its network clock to match the PDC...
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34954362
You should again use w32tm not net time. Run w32tm /monitor.

Is your DC a Virtual Machine by chance?
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954400
to all:

as I look at the affected machines, in the HKLM-System-CCset-Services-w32time-parameters, the type for each is set to NT5DS, which should mean that they are receiving their time via AD.  However, they aren't.

In each case, the NTPServer is set to time.windows.com, 0x9.  According to one of the articles mentioned above, this is residual from before the machine was added to the domain, and should be able to be safely ignored.  However, if I run w32time /unregister and then /register, the NTPServer key is removed from the registry, and once I resync (w32time /resync), the time is updated to reflect the current time on my PDC.

I have yet to try an affected workstation (where the Outlook clients won't connect to Exchange, the original symptom of the problem), but I believe this will remedy the situation.

However, the question remains, any ideas why this happened?  Did I do something inherently wrong in my network setup that would cause this, and was just now 'bitten' by it?  I don't believe I should have had to manually do this process if things were working properly...


Scott
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954407
my second DC (the 2008 DC) is a virtual machine, yes... is that an important clue that I overlooked?
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954430
when I run w32tm /monitor on a 2008 member server, it returns 'GetDcList failed with error code:  0x80070576.  Exiting with error 0x80070576.'

I am looking that up now.

0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 300 total points
ID: 34954483
You need to go on the VM settings disable Time Sync with host
0
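The accepted answer is a single setting, but on a host with several VMs it is worth seeing which guests still inherit the host clock before changing one. The script below is an added example, not from the thread: it lists every VM's Time Synchronization integration service state and disables it for the virtual DC. It assumes the Hyper-V PowerShell module, which exists on Windows Server 2012 and later hosts (the 2008 R2-era host in the thread is configured from the Hyper-V Manager GUI instead); `DC2` is a placeholder VM name.

```powershell
# Added example (not from the thread): on the Hyper-V host, report which VMs
# still have the Time Synchronization integration service enabled and turn it
# off for the virtual domain controller. Assumes the Hyper-V PowerShell module
# (Windows Server 2012 or later host). The VM name is a placeholder.

$DcVmName = 'DC2'   # placeholder: name of the virtual domain controller

# Inventory: every VM and whether it is taking its clock from the host.
Get-VM | ForEach-Object {
    $svc = Get-VMIntegrationService -VMName $_.Name -Name 'Time Synchronization'
    [pscustomobject]@{
        VM              = $_.Name
        State           = $_.State
        TimeSyncEnabled = $svc.Enabled
    }
} | Format-Table -AutoSize

# Stop the virtual DC from inheriting the host's clock so that it follows the
# domain hierarchy (the PDC emulator) like any other DC.
Disable-VMIntegrationService -VMName $DcVmName -Name 'Time Synchronization'

# Verify on the host; expected result is False.
(Get-VMIntegrationService -VMName $DcVmName -Name 'Time Synchronization').Enabled

# Inside the guest, 'w32tm /query /source' should no longer report
# "VM IC Time Synchronization Provider"; run 'w32tm /resync /rediscover' there.
```

Two caveats a practitioner will want: the host itself still needs a correct clock (point it at the PDCe or a reliable NTP source, since a host that drifts is exactly what the asker saw), and if the virtual DC is ever made the PDC emulator it must be given an external NTP source, because then nothing in the domain is above it.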
 
LVL 1

Author Comment

by:meelnah
ID: 34954539
just logged in to my hyper-v console and found that I can't connect to the virtual machines on my host... says the RPC service is down on both hosts... going to try to reboot the machine running the manager console, but I would bet this has something to do with the time issues as well...
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34954552
No. RPC usually deals with other issues like DNS.
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954563
good lord, the day just keeps getting better...  :)
0
 
LVL 1

Author Comment

by:meelnah
ID: 34954746
ok... have my hyper-v-console back, and am looking at the integration services for the Time Sync settings... the closest I can find is 'Integration Services' under management.  In it, I have selected 'Time Synchronization' which tells the hyper-V to offer to synchronize time with the VM.

This sounds great, providing that the hyper-V time is correct... which it hadn't been.  Should I uncheck this offering?  I just don't know the ramifications... will the VM get its time from the Core server it's running on at that point, or will it look to w32time and pull it from the PDC?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34954928
0
 
LVL 1

Author Comment

by:meelnah
ID: 34955099
got it... thanks.

0
 
LVL 1

Author Closing Comment

by:meelnah
ID: 34956096
Thank you all for your responses, and the links you provided.

I believe (a week or two of monitoring will prove) that my issues stemmed from having one of my DCs being virtual.  I neglected to change the virtual machine configuration to tell it not to synchronize its time with the host.  For some reason (I haven't figured out why) my core server that the virtual DC rides on got out of time.  The second DC picked up that time, which eventually caused my AD to get out of sync between the two DCs.

I am still unclear why some of my clients and member servers were picking up their time from the second DC rather than the primary DC... their w32time parameters were correct... if anyone has any final insight on how to troubleshoot that question, I am all ears.

For now, the problem is resolved.  Thanks for your help!
0
 
LVL 1

Author Comment

by:meelnah
ID: 34956151
I should also add that to get the time to sync up on the workstations in the domain, I ran the following sequence of commands, from tigermatt's time discussion link, provided by dariusg:

w32time /monitor  (this command should return the domain controllers in the domain, as well as their assigned strata (priority level)).  This command failed on all 'out of sync' workstations and member servers with the following error:

'GetDcList failed with error code:  0x80070576.  Exiting with error 0x80070576.'

The 0x80070576 is a generic return code saying that the timing of the request is out of sync.

I then ran from a command prompt:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

w32tm /resync /rediscover

The w32tm /monitor command now returns good info on both DCs.


Thanks!
0
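The registry inspection the asker did by hand (Type, NtpServer) and the stop/unregister/register/start/resync sequence in the closing comment can be combined into one repeatable script with a before-and-after check. The following PowerShell is an added example, not code from the thread or from tigermatt's article: it prints the W32Time parameters and current source, re-registers the service only when the source is not a domain controller, and then runs `w32tm /monitor`. It assumes an elevated prompt on a domain-joined client or member server (not on the PDCe, which needs an external NTP source rather than NT5DS).

```powershell
# Added example (not from the thread): inspect a domain member's W32Time
# configuration, re-register the service as the closing comment does, and
# verify the result. Assumes an elevated prompt on a domain-joined client or
# member server, not on the PDC emulator itself.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Show-TimeConfig {
    $p = Get-ItemProperty -Path $params
    # Type NT5DS = follow the AD hierarchy; NTP = use NtpServer; NoSync = none.
    Write-Host "Type      : $($p.Type)"
    # NtpServer is only consulted when Type is NTP; a leftover
    # "time.windows.com,0x9" is harmless under NT5DS but misleads troubleshooting.
    Write-Host "NtpServer : $($p.NtpServer)"
    Write-Host "Source    : $((w32tm /query /source) -join ' ')"
}

Write-Host '--- before ---'
Show-TimeConfig

# Re-register only when the member is not actually following a DC.
$source = (w32tm /query /source) -join ' '
if ($source -match 'Local CMOS Clock|Free-running|VM IC') {
    Write-Host 'Time source is not a domain controller; re-registering W32Time.'
    Stop-Service w32time
    w32tm /unregister | Out-Null   # clears Parameters, including the stale NtpServer
    w32tm /register   | Out-Null   # recreates defaults; Type becomes NT5DS on a member
    Start-Service w32time
    w32tm /resync /rediscover
} else {
    Write-Host "Time source is '$source'; forcing a resync only."
    w32tm /resync /rediscover
}

Write-Host '--- after ---'
Show-TimeConfig

# Should now list every DC with its stratum. 0x80070576 is ERROR_TIME_SKEW:
# the local clock is too far from the DC for the secure RPC call to succeed,
# so set the clock close to the PDCe's time by hand first, then re-run.
w32tm /monitor
```

The source-string match is the useful part for detection: "Local CMOS Clock", "Free-running System Clock" and "VM IC Time Synchronization Provider" are the three answers that mean the machine is not taking time from the domain at all, which is the condition that preceded the Kerberos failures in this thread.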