Issue with AD

I have a Windows 2008 network which was working fine on Friday.   On Tuesday I tried to add a new server to the domain and set some Group Policies.  When I had issues applying the policies I ran dcdiag on the member servers and the primary DC.  It generated lots of errors and the primary DC said it was having issues connecting to itself.

I tried several things and could not get it working. I then had the bright idea to restore the server from backup. I booted into Directory Services Restore Mode and ran a restore of the system state including AD and rebooted the server. I still had the same issues, so I went to the backup domain controller, seized the RID and other roles from the primary and removed AD from the primary.

When I ran DCPromo it would not do a standard uninstall; I had to do a /forceremoval followed by a /removebinaries. I then rebooted the server and added AD back onto the server. When I ran DCPromo to add it back into the domain it told me it could not find any GC, even though the backup domain controller is a GC.

I then had the bright idea to reboot the backup domain controller. Now no one can log onto the domain.

Any suggestions on how to re-enable login?

Renato Montenegro Rustici, IT Specialist, commented:
If the BurFlags works, we need to fix at least one of your FSMO roles, the PDC Emulator. Well, let's see where they are. Run this command and send the output to us:

netdom query fsmo

If the dead server is holding any role, you will need to seize it:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Finally, we will need to check if there's any configuration pointing to the old DC. Use this document to cleanup the AD metabase:

How to remove data in Active Directory after an unsuccessful domain controller demotion

This is a summary:

Clean up server metadata
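As an added illustration of the check above (this is not code from the thread or from the linked Microsoft articles), the following PowerShell script parses the output of netdom query fsmo, flags any role still held by the demoted DC, and prints the ntdsutil seize sequence to run on the surviving DC. The names DEADDC and SURVIVINGDC are placeholders you replace with your own.

```powershell
# Added example, not from the thread. Assumed placeholder names:
#   DEADDC      = the DC that was force-demoted
#   SURVIVINGDC = the remaining DC/GC that should hold the roles
param(
    [string]$DeadDc      = 'DEADDC',
    [string]$SurvivingDc = 'SURVIVINGDC'
)

# netdom prints one line per role: "<role name>   <holder fqdn>"
$fsmoLines = netdom query fsmo 2>&1
if ($LASTEXITCODE -ne 0) {
    # Same symptom the thread reports when AD cannot be contacted.
    throw "netdom query fsmo failed: $($fsmoLines -join ' ')"
}

# Map netdom's role names onto the ntdsutil seize verbs.
$seizeVerb = @{
    'Schema master'         = 'seize schema master'
    'Domain naming master'  = 'seize naming master'
    'PDC'                   = 'seize PDC'
    'RID pool manager'      = 'seize RID master'
    'Infrastructure master' = 'seize infrastructure master'
}

$toSeize = @()
foreach ($line in $fsmoLines) {
    # e.g. "RID pool manager            deaddc.root-myco.internal"
    if ($line -match '^(?<role>.+?)\s{2,}(?<holder>\S+)\s*$') {
        $role   = $Matches.role.Trim()
        $holder = $Matches.holder
        if ($holder -like "$DeadDc*") {
            Write-Warning "$role is still held by the dead DC ($holder)"
            $toSeize += $role
        } else {
            Write-Host "$role : $holder"
        }
    }
}

if ($toSeize.Count -eq 0) {
    Write-Host 'No FSMO role points at the dead DC; go on to metadata cleanup.'
    return
}

# ntdsutil executes quoted arguments in order, exactly as if typed at its
# prompt. Each seize asks for confirmation and tries a graceful transfer first.
$ntdsArgs  = @('roles', 'connections', "connect to server $SurvivingDc", 'quit')
$ntdsArgs += $toSeize | ForEach-Object { $seizeVerb[$_] } | Where-Object { $_ }
$ntdsArgs += 'quit', 'quit'
$quoted = ($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' '
Write-Host "Seize the remaining roles on $SurvivingDc with:`n  ntdsutil $quoted"
```

The script deliberately prints the ntdsutil line instead of running it, so the admin sees exactly which roles are about to be seized; once a role has been seized, the old holder must never be brought back online with its old AD database, which is why the metadata cleanup step follows.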
Renato Montenegro Rustici, IT Specialist, commented:
Restart your surviving DC in restore mode, log on and make sure:

1) The DNS settings are correct. You should be pointing to the server itself.
2) There's a DNS server in the surviving DC.
3) Make sure dynamic updates are configured properly in the DNS zone.

Export all the Event Viewer logs and upload them here. Issue an ipconfig /all > ipconfig.txt and upload it here too.
Can you post the result of dcdiag /v /f:dcdiag.txt?
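The three checks above, plus the two symptoms reported later in the thread (missing SYSVOL/NETLOGON shares and an FRS journal wrap), as an added PowerShell script to run on the surviving DC. This is not code from the thread; it assumes the surviving DC also hosts the DNS zone, and root-myco.internal is the placeholder domain name used in the thread.

```powershell
# Added example, not from the thread. $Domain is an assumed placeholder.
param([string]$Domain = 'root-myco.internal')

$problems = @()
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'

# 1) DNS client settings: every configured DNS address must be this host itself.
$ownIPs     = $nics | ForEach-Object { $_.IPAddress }           | Where-Object { $_ }
$dnsServers = $nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
foreach ($dns in $dnsServers) {
    if ($ownIPs -notcontains $dns -and $dns -ne '127.0.0.1' -and $dns -ne '::1') {
        $problems += "DNS client points to $dns, not to this server ($($ownIPs -join ', '))"
    }
}

# 2) The DNS Server service must be installed and running on this DC.
$dnsSvc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsSvc) {
    $problems += 'DNS Server service is not installed on this DC'
} elseif ($dnsSvc.Status -ne 'Running') {
    $problems += "DNS Server service is $($dnsSvc.Status)"
}

# 3) Dynamic updates on the domain zone. AllowUpdate: 0 = none, 1 = any, 2 = secure only.
if ($dnsSvc) {
    $zone = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone -Filter "Name='$Domain'"
    if (-not $zone) {
        $problems += "zone $Domain is not hosted on this server"
    } elseif ($zone.AllowUpdate -eq 0) {
        $problems += "zone $Domain does not accept dynamic updates (DC records cannot register)"
    }
}

# Without the SYSVOL and NETLOGON shares, Netlogon cannot serve domain logons.
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { $problems += "$s share is missing" }
}

# An FRS journal wrap (event 13568) is the usual reason those shares vanish.
$wrap = Get-EventLog -LogName 'File Replication Service' -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13568 } | Select-Object -First 1
if ($wrap) { $problems += "FRS journal wrap (event 13568) logged at $($wrap.TimeGenerated)" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All checks passed.' }
```

Run it before and after any repair step: the DNS and share checks are the first things a user's logon depends on, and a lingering 13568 tells you the BurFlags procedure is still needed.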

qvfps (Author) commented:
Currently I am out of the office and on my way in. I was out of the office when the issue was discovered last night, I am traveling today and will not be onsite until this evening.

I did make sure that DNS was setup on the secondary Domain controller and that it was pointing to itself.  I will check the other settings as well.

As a last resort, will it cause problems if I down all of the servers and do a full restore on the primary domain controller and the secondary domain controller (which is also the backup server) back to Friday evening when everything was working, restart both, then bring the remaining servers back online?

The only other servers I have are an Exchange server which no one can log onto and a new terminal server I was setting up when I discovered the issue.    Other than trying to add the new terminal server and set up a local policy for it there have been no changes to AD.

This is the first AD issue I have had which was not resolved easily.  Any comments are appreciated.

Just a suggestion.

Keep in mind that when you do a dcpromo /forceremoval you have to manually clean up the metadata left in Active Directory, including the server object. If you don't, it can cause serious problems. I would make sure that the metadata is not in Active Directory, which I presume it still is.
Renato Montenegro Rustici, IT Specialist, commented:
Logon locally (restore mode) and export the event viewer logs. Upload them here so we can have a nice picture of your issue.
qvfps (Author) commented:
I am onsite and working on this issue. I went through the output from DCDIAG and noticed that sysvol was in jrnl_wrap_error. I followed the instructions and set the Enable Journal Wrap Automatic Restore key to 1, started and stopped ntfrs, but I still cannot get users to log on. I have attached the output from dcdiag /v, ipconfig /all, the results of the ntfrs reload and the only recent error in the AD event log.

I tried opening up Active Directory Users and Computers and Active Directory Sites and Services and I receive the following error message:

Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.

I also ran net share and I do not see any share listed for sysvol.

Attachments: dcdiag.txt, ipconfig.txt, eventlog-1.txt, eventlog-2.txt, eventlog-3.txt, eventlog-4.txt, eventlog-ad-1.txt
Renato Montenegro Rustici, IT Specialist, commented:
What's your real domain name? root-myco.internal or root-ddps.internal?

Who is the computer us1mts-sw1060? I suppose it's the surviving DC. Is that correct?

The dcdiag was run at the server wyo-1060. It was the dead DC, right?

It seems that your File Replication Service is not running properly. If you can't get it to run, your users won't be able to log on. To make sure, see if you have the SYSVOL and Netlogon shares by typing:

net share

If you haven't, there's a document that will guide you in the recovery process if the Journal Wrap Automatic Restore procedure didn't do the trick.

You should use the BurFlags parameter to make your FRS replica authoritative:

**** Before proceeding, make a full system state backup of your server. If it's not possible, go ahead. You might have to rebuild your GPOs and reposition your scripts in the new SYSVOL tree.

Using the BurFlags registry key to reinitialize File Replication Service replica sets

Note in the document that you will go D4. This one is the authoritative (will create a new master copy) option.
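The D4 procedure from the linked article, carried out as an added PowerShell script (this is not code from the thread or from the Microsoft article). It stops FRS, sets BurFlags to D4 and the Journal Wrap Automatic Restore value mentioned earlier in the thread, restarts FRS, then waits for event 13516 before checking the shares, which answers the later question of when the DC is ready again. It assumes it runs on the single surviving DC whose SYSVOL copy is to become the master, and the 15-minute wait is an assumed limit.

```powershell
# Added example, not from the thread. Run elevated on the surviving DC only.
$frsParamsPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
# The subkey name really contains a forward slash, so the .NET API is used
# instead of the HKLM: provider, which would treat "/" as a path separator.
$burFlagsPath  = "$frsParamsPath\Backup/Restore\Process at Startup"
$hklm = [Microsoft.Win32.Registry]::LocalMachine

$burKey = $hklm.OpenSubKey($burFlagsPath, $true)
if (-not $burKey) { throw "Registry key $burFlagsPath not found; is FRS installed?" }
$prmKey = $hklm.OpenSubKey($frsParamsPath, $true)

# FRS must be stopped before BurFlags is changed; Stop-Service returns early,
# so wait for the service to actually report Stopped.
Stop-Service -Name NtFrs -Force
(Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# D4 = authoritative: this replica becomes the new master copy of SYSVOL.
# D2 would be non-authoritative (pull from a partner), which cannot work
# when no healthy replication partner is left.
$burKey.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
# Let FRS recover from future journal wraps on its own (the value the author set).
$prmKey.SetValue('Enable Journal Wrap Automatic Restore', 1, [Microsoft.Win32.RegistryValueKind]::DWord)

$started = Get-Date
Start-Service -Name NtFrs

# Event 13516 ("FRS is no longer preventing this computer from becoming a DC")
# marks the end of the rebuild; until then SYSVOL and NETLOGON are not shared.
$deadline = $started.AddMinutes(15)   # assumed limit
$done = $null
while (-not $done -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    $done = Get-EventLog -LogName 'File Replication Service' -After $started |
            Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
}
if (-not $done) {
    throw 'FRS did not log event 13516 within the time limit; read the FRS log before doing anything else.'
}
Write-Host "FRS rebuild finished at $($done.TimeGenerated)"

# FRS resets BurFlags after honouring it, so a value of 0 confirms it was consumed.
Write-Host "BurFlags now: $($burKey.GetValue('BurFlags'))"
$burKey.Close(); $prmKey.Close()

# The shares are what the users' logons actually depend on.
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -contains $s) { Write-Host "$s share present" }
    else { Write-Warning "$s share still missing; check the Netlogon and FRS logs" }
}
```

If the shares are still absent after 13516, the script has done its part and the problem is in the SYSVOL tree itself (missing scripts folder, wrong path), which is where the thread ends up next.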
Renato Montenegro Rustici, IT Specialist, commented:
Please, confirm your domain name. This domain mismatch might be a problem. If you have renamed your domain name in the text files, just let us know that root-myco is a fake name, but it's a consistent (the same in DNS, AD and in your server) DNS suffix.
qvfps (Author) commented:
I renamed the domain name in the files. It is consistent in DNS and AD.
Renato Montenegro Rustici, IT Specialist, commented:
After that, don't try to bring the old server back to life.
qvfps (Author) commented:
Ok, I have checked that all the metadata for the original PDC was removed. I ran ntdsutil again and seized all the roles it would allow me to again. I did get one error message about there being no operations master and not being able to move it, but I could not get it to reappear so I could get the exact wording.

I ran netdom query fsmo and received the following message, which is the same message I get when I try and access Active Directory Users and Computers or Active Directory Sites and Services:

The specified domain either does not exist or could not be contacted.  

I am getting the following certificate enrollment error:


I thought I had resolved this issue once. But after I restarted the server it has come back and I cannot access AD.

I also have the following warning in the File Replication log:
This was added to the log over an hour ago when I last restarted the server.

I did a net share and I do not see any shares for sysvol or netlogon.

Can I use the BurFlags while the warning is still in the File Replication log?

Until the server finishes building its database it cannot become a domain controller and netlogon and sysvol will not be shared out.  
qvfps (Author) commented:
I set the BurFlags to D4 and I can now get into Active Directory Users and Computers and Active Directory Sites and Services. However, I am getting an error on the Netlogon share below:

The Netlogon service could not create server share c:\windows\sysvol\sysvol\root-myco.internal\scripts. The following error occurred:
The system cannot find the file specified.

I have attached the most recent dcdiag below: dcdiag.txt

I can now connect using Outlook Anywhere or Outlook Web Access and receive email. However, it doesn't look like outgoing email is being delivered.
qvfps (Author) commented:
I ran netdom query fsmo and it shows the following on the new DC:
Schema Master
Domain Naming Master
RID Pool Manager
Infrastructure Manager
qvfps (Author) commented:
I tried changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
key to 0 and then back to 1, but I still do not see a Netlogon share.
ActiveDirectoryman commented:
You have an issue with the sysvol share.

Here's  a link on how to rebuild the SYSVOL tree and its content in a domain:
qvfps (Author) commented:
I resolved the GPO issues by bringing down all of the servers except the backup server and the old DC. I restored AD to the old DC and copied the policies and scripts folder to the new DC. I then shut down the original DC and brought everything back up. I can not login, Exchange is connecting to the DC and sending and receiving email.

I ran a DCDIAG and the only error was a Kerberos error from a workstation which I will have to look into later.

The other issue I have is that I can no longer connect to the new (originally the secondary) DC remotely using Remote Desktop. Until yesterday when the issue started I had no problem connecting to it.

There was a comment earlier that I should not bring the old server back to life. Since I uninstalled AD on the server, can't I just reinstall it and make it a domain controller again? Do I need to build a new server, add it to the domain and make it a domain controller?

Right now I just have a single DC/GC

Thanks for all the help.  I am going to call it a night/morning and check in later to make sure everything is still running.
Renato Montenegro Rustici, IT Specialist, commented:
Is there a typo in your phrase (I can not login)? Did you mean you can now log on to your DC?

You can, of course, install a new domain controller. It seems you might have some sort of file system corruption in your DC. Install a new DC, migrate everything to it and demote the old one.

Do you have a certification authority in place? Is it installed in the surviving domain controller? If it is, please make sure you make the appropriate backups in order to restore it in the new DC.

The Kerberos errors are another issue. You can check them out later.

I would like to thank ActiveDirectoryMan. We are working in shifts here! I went to bed, but they helped you a lot.
qvfps (Author) commented:
Yes it is a typo.  It had been a very long day.   I greatly appreciate the help.  
Renato Montenegro Rustici, IT Specialist, commented:
That's really cool! I am glad it's all better now.