silviotucciarone

active directory server 2008 issues

OK, so I am having sort of a big problem that I am trying to work through.

How this all started was I had a domain controller that had a bad name; it was one of those Windows auto-generated ones where it's like WIN-9m9..... the random generated ones.

I wanted to obviously change this to a correct naming scheme. What I did was bring up a VMware Server 2008 system and added it to the forest. Once I did this I dcpromo'd out the initial domain controller so that I could change its name.

Once I did this I had many problems, the first of which arose because everyone was using the old DNS servers... Once I figured that out I changed the DNS servers in the DHCP setup.

This sort of fixed my problem.

Then I went ahead and fully reinstalled the initial server with the OS again. Once that was done I installed the AD role and re-added it to the forest. At the end of the dcpromo addition, I got a message along the lines of it not being able to create DNS records and that I should create them manually.

I did not think much of this at the time, but I think this coupled with other stuff is causing problems.

The way I figured out I actually had a problem was when I tried to access a network drive that uses single sign-on to authenticate.

It comes up with a message "\\10.0.5.22 is not accessible. You might not have permissions to use this network resource. Contact the administrator of this server to find out if you have access permissions.

There are currently no logon servers available to service the logon request."

After I saw this I googled it, and then once I went into the Event Viewer I realized I have a problem.

I have numerous errors from NETLOGON which are only found on the second domain controller, JJDAD02; on JJDAD01, which is the initial one I reinstalled, I do not find these errors.

One of these errors is as follows:

"The session setup for the computer JJDAD01 failed to authenticate. The following error occured: Access is denied"

"The session setup from computer 'JJDAD01' failed because the security database does not contain a trust account 'JJDAD01$' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'JJDAD01$' is a legitimate machine account for the computer 'JJDAD01' then 'JJDAD01' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

If 'JJDAD01$' is a legitimate machine account for the computer 'JJDAD01', then 'JJDAD01' should be rejoined to the domain.  

If 'JJDAD01$' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'JJDAD01$' is not a legitimate account, the following action should be taken on 'JJDAD01':  

If 'JJDAD01' is a Domain Controller, then the trust associated with 'JJDAD01$' should be deleted.  

If 'JJDAD01' is not a Domain Controller, it should be disjoined from the domain."



The interesting thing is these errors are from earlier in the day, before I wiped the domain controller JJDAD01. I tried to just dcpromo it out, change the name, and dcpromo it in, but it did not work.

This is why I decided to wipe the system and start fresh.

As I said, once I added it the second time it only told me the message about the DNS not registering and how I should do it manually.

Maybe this is my issue?


So that is my issue. Essentially, at this point I do not know where to start to fully rectify this issue, so any guidance is very much appreciated.

Let me know if you need any error messages or logs so that you can help me out.

Thanks

Paul MacDonald

Someone may be more authoritative on this, but I suspect the original instantiation of the DC wasn't completely gone from AD/DNS when you wiped it and rebuilt it.

If it were me, I'd take down the new DC again, comb through AD and DNS for any traces of it, then maybe bring it back in again.  I might even consider using a different host name.
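
A read-only way to look for the leftover traces suggested in the answer above, as an added example that is not part of the original thread; it calls the stock AD DS command-line tools from a PowerShell prompt on a working DC. The domain name `corp.example` is a placeholder (the thread never states it), and `WIN-9M9*` is a wildcard on the old name as it is abbreviated in the question.

```powershell
# Added example: read-only checks for stale DC objects and DNS records.
# Run from an elevated prompt on a domain controller. Nothing here changes AD or DNS.
$Domain  = 'corp.example'        # placeholder: replace with the real AD DNS domain name
$Dcs     = 'JJDAD01', 'JJDAD02'  # current DC names, taken from the thread
$OldName = 'WIN-9M9*'            # wildcard on the old name as abbreviated in the thread

# 1. Which domain controllers does the domain itself list?
nltest "/dclist:$Domain"

# 2. Computer accounts and site server objects for every name the box has had.
#    An old-name hit, or a missing JJDAD01 computer account, matches the
#    "does not contain a trust account 'JJDAD01$'" NETLOGON error.
foreach ($name in $Dcs + $OldName) {
    Write-Host "--- directory objects matching $name ---"
    dsquery computer -name $name
    dsquery server -name $name
}

# 3. Ask each DC's DNS service for the DC locator SRV records and the host
#    record of the rebuilt server. Both DCs should return the same answers,
#    with no entry for the old name.
foreach ($dc in $Dcs) {
    Write-Host "--- DNS as seen by $dc ---"
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $dc
    nslookup "JJDAD01.$Domain" $dc
}

# 4. Per-DC health: DNS registration, machine account, and replication partners.
foreach ($dc in $Dcs) {
    Write-Host "--- dcdiag / repadmin for $dc ---"
    dcdiag "/s:$dc" /test:DNS
    dcdiag "/s:$dc" /test:MachineAccount
    repadmin /showrepl $dc
}
```

If step 3 shows that JJDAD01's records are missing, running `ipconfig /registerdns` and restarting the Netlogon service on JJDAD01 makes it register its host and locator records again.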
silviotucciarone

ASKER

So let me clarify...

JJDAD02 was the new one I brought into the forest when the old WIN-9M9... server was the main DC.

After JJDAD02 was brought in, I dcpromo'd WIN-9M9 out, but if I remember right I didn't remove DNS...

Then I brought the new JJDAD01 into the forest.

So you're saying take JJDAD02 out again, leaving JJDAD01?

Thanks for clarifying.  I was under the impression you brought AD02 in, took it out, then brought it back in again.

So you had AD02 as the sole DC and no DNS in the domain?  I wouldn't have thought that was possible, unless you forcibly removed the old 9M9 DC.

Did 9M9 end up becoming AD01?  Did you wipe it, reinstall, then DCPromo it?

Ultimately, all items in AD are known by their SID.  What I'm suggesting is that there's some confusion in AD regarding SIDs, but I may very well be wrong about that.

AD02 was also a DC and DNS... I checked after I removed 9M9; it had all my records...

Yes, 9M9 did become AD01 after I wiped and reinstalled, yes...

ASKER CERTIFIED SOLUTION
silviotucciarone
Problem solved on my own after more research.