Solved

Issue with AD

Posted on 2011-03-23
Last Modified: 2012-05-11
I have a Windows 2008 network which was working fine on Friday. On Tuesday I tried to add a new server to the domain and set some Group Policies. When I had issues applying the policies I ran dcdiag on the member servers and the primary DC. It generated lots of errors and the primary DC said it was having issues connecting to itself.

I tried several things and could not get it working. I then had the bright idea to restore the server from backup. I booted into Directory Services Restore mode and ran a restore of the system state including AD and rebooted the server. I still had the same issues, so I went to the backup domain controller, seized the RID and other roles from the primary and removed AD from the primary.

When I ran DCPromo it would not do a standard uninstall; I had to do a /forceremove followed by a /removebinaries. I then rebooted the server and added AD back onto the server. When I ran DCPromo to add it back into the domain it told me it could not find any GC even though the backup domain controller is a GC.

I then had the bright idea to reboot the backup domain controller. Now no one can log onto the domain.

Any suggestions on how to re-enable login?
Question by:qvfps
21 Comments
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35200402
Restart your surviving DC in restore mode, log on and make sure:

1) The DNS settings are correct. You should be pointing to the server itself.
2) There's a DNS server in the surviving DC.
3) Make sure, dynamic updates are configured properly in the DNS zone.

Export all the Event Viewer logs and upload them here. Issue an ipconfig /all > ipconfig.txt and upload it here too.
LVL 21

Expert Comment

by:snusgubben
ID: 35200761
Can you post the result of dcdiag /v /f:dcdiag.txt?

Author Comment

by:qvfps
ID: 35201751
Currently I am out of the office and on my way in. I was out of the office when the issue was discovered last night; I am traveling today and will not be onsite until this evening.

I did make sure that DNS was set up on the secondary domain controller and that it was pointing to itself. I will check the other settings as well.

As a last resort, will it cause problems if I down all of the servers and do a full restore on the primary domain controller and the secondary domain controller (which is also the backup server) back to Friday evening when everything was working, restart both, then bring the remaining servers back online?

The only other servers I have are an Exchange server which no one can log onto and a new terminal server I was setting up when I discovered the issue. Other than trying to add the new terminal server and set up a local policy for it there have been no changes to AD.

This is the first AD issue I have had which was not resolved easily.  Any comments are appreciated.
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35201823

Just a suggestion.

Keep in mind that when you do a dcpromo /forceremoval you have to manually clean up the metadata left in Active Directory, including the server object. If you don't, it can cause serious problems. I would make sure that the metadata is not in Active Directory, which I presume it still is.
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35202084
Log on locally (restore mode) and export the Event Viewer logs. Upload them here so we can have a nice picture of your issue.

Author Comment

by:qvfps
ID: 35203861
I am onsite and working on this issue. I went through the output from DCDIAG and noticed that sysvol was in jrnl_wrap_error. I followed the instructions and set the Enable Journal Wrap Automatic Restore key to 1, started and stopped ntfrs, but I still cannot get users to log on. I have attached the output from dcdiag /v, ipconfig /all, the results of the ntfrs reload and the only recent error in the AD event log.

I tried opening up Active Directory Users and Computers and Active Directory Sites and Services and I receive the following error message:

Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.

I also ran net share and I do not see any share listed for sysvol.

Attachments: dcdiag.txt, ipconfig.txt, eventlog-1.txt, eventlog-2.txt, eventlog-3.txt, eventlog-4.txt, eventlog-ad-1.txt
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35204413
What's your real domain name? root-myco.internal or root-ddps.internal?

Who is the computer us1mts-sw1060? I suppose it's the surviving DC. Is that correct?

The dcdiag was run at the server wyo-1060. It was the dead DC, right?

It seems that your File Replication Service is not running properly. If you can't get it to run, your users won't be able to log on. To make sure, see if you have the SYSVOL and Netlogon shares by typing:

net share

If you haven't, there's a document that will guide you through the recovery process if the Journal Wrap Automatic Restore procedure didn't do the trick.

You should use the BurFlags parameter to make your FRS replica authoritative:

**** Before proceeding, make a full system state backup of your server. If it's not possible, go ahead. You might have to rebuild your GPOs and reposition your scripts in the new SYSVOL tree.

Using the BurFlags registry key to reinitialize File Replication Service replica sets
http://support.microsoft.com/kb/290762

Note in the document that you will go D4. This one is the authoritative (will create a new master copy) option.
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35204426
Please confirm your domain name. This domain mismatch might be a problem. If you have renamed your domain name in the text files, just let us know that root-myco is a fake name, but that it's a consistent DNS suffix (the same in DNS, AD and on your server).

Author Comment

by:qvfps
ID: 35204439
I renamed the domain name in the files. It is consistent in DNS and AD.
LVL 11

Accepted Solution

by:Renato Montenegro Rustice (earned 250 total points)
ID: 35204450
If the BurFlags procedure works, we need to fix at least one of your FSMO roles, the PDC Emulator. Well, let's see where they are. Run this command and send the output to us:

netdom query fsmo

If the dead server is holding any role, you will need to seize it:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

Finally, we will need to check if there's any configuration pointing to the old DC. Use this document to clean up the AD metadata:

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

This is a summary:

Clean up server metadata
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx
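An added PowerShell health check, not from the thread or either expert, that walks through the verifications the two accepted-solution comments above ask for: the SYSVOL and NETLOGON shares, the current FRS BurFlags value (KB 290762), the FSMO role holders (KB 255504), and leftover server metadata for the force-removed DC (KB 216498). It assumes an elevated session on the surviving DC with the RSAT ActiveDirectory module available; the old DC's name is a placeholder parameter.

```powershell
# Added example, not from the thread: read-only checks for a surviving DC after a
# failed demotion. Assumes an elevated PowerShell session with the RSAT
# ActiveDirectory module; -DeadDcName is a hypothetical placeholder for the old DC.
param([string]$DeadDcName = 'OLD-DC-PLACEHOLDER')

Import-Module ActiveDirectory -ErrorAction Stop
$results = @()

# 1) Clients cannot process logon scripts or GPOs until SYSVOL and NETLOGON are shared.
$shareText = (net share) -join "`n"
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shareText -match "(?im)^\s*$s\s") { $results += "OK   share $s is published" }
    else { $results += "FAIL share $s missing (FRS/SYSVOL not ready)" }
}

# 2) FRS BurFlags (KB 290762): 0xD4 = authoritative restore, 0xD2 = non-authoritative.
#    The key name literally contains a slash, so read it via .NET rather than an HKLM:\ path.
$frs = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
$burFlags = if ($frs) { $frs.GetValue('BurFlags', 0) } else { 0 }
$results += ('INFO BurFlags = 0x{0:X}' -f [int]$burFlags)

# 3) No FSMO role may still point at the dead DC; any that does must be seized (KB 255504).
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$DeadDcName.*") { $results += "FAIL $($r.Key) still held by $($r.Value)" }
    else { $results += "OK   $($r.Key) = $($r.Value)" }
}

# 4) A server object for the dead DC under CN=Sites means the KB 216498 metadata
#    cleanup has not been completed.
$sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$stale = Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$DeadDcName))"
if ($stale) { $results += "FAIL stale server object: $($stale.DistinguishedName)" }
else { $results += "OK   no server object named $DeadDcName under $sitesDn" }

$results
```

Any FAIL line maps directly to one of the KB procedures the experts link above; the script changes nothing itself.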
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35204453
After that, don't try to bring the old server back to life.

Author Comment

by:qvfps
ID: 35204628
Ok, I have checked that all the metadata for the original PDC was removed. I ran ntdsutil again and seized all the roles it would allow me to again. I did get one error message about there being no operations master and not being able to move it, but I could not get it to reappear so I could get the exact wording.

I ran netdom query fsmo and received the following message, which is the same message I get when I try and access Active Directory Users and Computers or Active Directory Sites and Services:

The specified domain either does not exist or could not be contacted.  


I am getting the following certificate enrollment error:

Attachment: event-log.txt

I thought I had resolved this issue once. But after I restarted the server it has come back and I cannot access AD.

I also have the following warning in the File Replication log:

Attachment: file-replication-service-event.txt

This was added to the log over an hour ago when I last restarted the server.

I did a net share and I do not see any shares for sysvol or netlogon.


Can I use BurFlags while the warning is still in the File Replication log?
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35204774
Until the server finishes building its database it cannot become a domain controller, and netlogon and sysvol will not be shared out.

Author Comment

by:qvfps
ID: 35204828
I set the BurFlags to D4 and I can now get into Active Directory Users and Computers and Active Directory Sites and Services. However I am getting an error on the netlogon share, below:

The Netlogon service could not create server share c:\windows\sysvol\sysvol\root-myco.internal\scripts. The following error occurred:
The system cannot find the file specified.

I have attached the most recent dcdiag below.

Attachment: dcdiag.txt

I can now connect using Outlook Anywhere or Outlook Web Access and receive email. However it doesn't look like outgoing email is being delivered.

Author Comment

by:qvfps
ID: 35204846
I ran netdom query fsmo and it shows the following on the new DC:
Schema Master
Domain Naming Master
PDC
RID Pool Manager
Infrastructure Manager

Author Comment

by:qvfps
ID: 35204889
I tried changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
key to 0 and then back to 1, but I still do not see a netlogon share.
LVL 8

Assisted Solution

by:ActiveDirectoryman (earned 250 total points)
ID: 35204991
You have an issue with the sysvol share.

Here's a link on how to rebuild the SYSVOL tree and its content in a domain:

http://support.microsoft.com/kb/315457

Author Comment

by:qvfps
ID: 35205915
I resolved the GPO issues by bringing down all of the servers except the backup server and the old DC. I restored AD to the old DC and copied the policies and scripts folder to the new DC. I then shut down the original DC and brought everything back up. I can not login, Exchange is connecting to the DC and sending and receiving email.

I ran a DCDIAG and the only error was a Kerberos error from a workstation which I will have to look into later.

The other issue I have is that I can no longer connect to the new (originally the secondary) DC remotely using Remote Desktop. Until yesterday when the issue started I had no problem connecting to it.

There was a comment earlier that I should not bring the old server back to life. Since I uninstalled AD on the server, can't I just reinstall it and make it a domain controller again? Do I need to build a new server, add it to the domain and make it a domain controller?

Right now I just have a single DC/GC.

Thanks for all the help. I am going to call it a night/morning and check in later to make sure everything is still running.
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35207319
Is there a typo in your phrase ("I can not login")? Did you mean you can now log on to your DC?

You can, of course, install a new domain controller. It seems you might have some sort of file system corruption in your DC. Install a new DC, migrate everything to it and demote the old one.

Do you have a certification authority in place? Is it installed in the surviving domain controller? If it is, please make sure you make the appropriate backups in order to restore it in the new DC.

The Kerberos errors are another issue. You can check them out later.

I would like to thank ActiveDirectoryman. We are working in shifts here! I went to bed, but he helped you a lot.

Author Comment

by:qvfps
ID: 35210551
Yes, it is a typo. It had been a very long day. I greatly appreciate the help.
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35212179
That's really cool! I am glad it's all better now.