Server 2003 replacement domain controller issue

I have a client that had a 2003 domain server crash. I had installed a secondary domain controller and promoted it to secondary DC status before the crash; however, failover did not happen and it took the network down. I seized the FSMO roles from the crashed server to the new server and everything was working that day. I was remoted in when I seized the roles and told the client that the old server MUST be disconnected so that it could not miraculously come back online and cause problems, since the roles were seized and not transferred. The client did not disconnect the old server, it came online, and now I have issues with the new replacement server.

Now on the new replacement server the "sysvol" and "netlogon" folders are empty and unshared. The workstations keep connecting back to the old server instead of the new one.

My question is, is there a way to resolve this without reloading the new server, rebuilding the domain from scratch and rejoining all the workstations? I really don't want to have to go this route as they have 100+ workstations.
microdome7 asked:
 
5g6tdcv4 commented:
It's actually a simple solution.
Shut down the new DC you built. Verify everything is working.
Format the new DC you built and bring it back online as a new DC with a new name.
Then transfer the roles to the new DC and you will be good to go.
0
 
every1isevil2 commented:
It sounds like the workstations are getting confused about who to connect to. On the old server do
net stop dhcpserver
net stop ntds

This will turn off Active Directory and the DHCP service. See if it resolves itself. If it seems to be working fine:

dcpromo /forceremoval
http://support.microsoft.com/kb/332199

You're in a sticky situation right now. Create a backup of both servers before the forceremoval.
0
 
Darius Ghassem commented:
You need to run a metadata cleanup to remove lingering objects from the failed DC.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If your network logon and SYSVOL do not get the contents from the prior DC, you could restore these two from backup.
0
 
Omer_Saeed commented:
Also try to make sure your clients' DNS settings are pointing correctly to the server if they are not depending on DHCP.
0
 
microdome7 (Author) commented:
DHCP and DNS had already been transferred to the new server before the old one crashed, so I wouldn't think it would be a DHCP or DNS communication issue unless it is something I am missing.
0
 
every1isevil2 commented:
If the server that is to be decommissioned has its DHCP turned on, the workstations may want to try to connect to it. The workstation will use the first server to reply to its broadcast for DHCP, hence why workstations are connecting to the old server. Like I said, or 5g6tdcv4 said, either turn off the NTDS and DHCP services or turn off that server.
0
 
microdome7 (Author) commented:
If I take the old server offline and open AD Users and Computers on the new server, it gives a "domain not found" error. Even though the roles were seized to the new server, it is like it is still looking to the old server somehow.
0
 
Leon Fester (Senior Solutions Architect) commented:
You mention the old server was not disconnected, and it "came back".
Is it now working correctly?
Do you get any errors logged in the Event Viewer or when running DCDIAG?

If yes, then don't work on the new server until it is functioning and replicating with the old server.
So how would you get the new server to talk to the old server?

dcpromo /forceremoval the new DC.
Double check on the old server that the new one is not there by doing a metadata cleanup.
Delete the computer account for the new DC if it exists on the LAN.
Restart the NEW DC, join it to the domain and then dcpromo it again.

If the old server is not "working" properly, then you'll need to use a backup and restore it on the new server. This process of restoring is dependent on what kind of backup you have.
0
 
microdome7 (Author) commented:
dvt_localboy,

I tried your suggestion of dcpromo /forceremoval of the new DC, doing metadata cleanup, rejoining, and dcpromo again. After doing so, the new DC sits at the login screen and hangs on "Applying computer settings..." for over an hour, like it is having trouble resolving DNS.

I am thinking at this point probably the best thing to do is completely reformat the new DC, rejoin, and dcpromo it again.
0
 
Darius Ghassem commented:
Post dcdiag.
0
 
Leon Fester (Senior Solutions Architect) commented:
If you've removed the DC role, then the DNS configuration on that server would also have been removed.
So if it was pointing to itself as DNS, then it won't be able to resolve.

Confirm that DNS is working on the old server, and then add the DNS role on the new server and let it replicate.

If issues still persist then reply with the results of a dcdiag.
0
 
microdome7 (Author) commented:

Here is the dcdiag.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DC-SERVER
      Starting test: Connectivity
         ......................... DC-SERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\DC-SERVER
      Starting test: Replications
         [DCSERV] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... DC-SERVER passed test Replications
      Starting test: NCSecDesc
         ......................... DC-SERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-SERVER passed test NetLogons
      Starting test: Advertising
         ......................... DC-SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC-SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC-SERVER passed test RidManager
      Starting test: MachineAccount
         ......................... DC-SERVER passed test MachineAccount
      Starting test: Services
         ......................... DC-SERVER passed test Services
      Starting test: ObjectsReplicated
         ......................... DC-SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC-SERVER passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC-SERVER failed test frsevent
      Starting test: kccevent
         ......................... DC-SERVER passed test kccevent
      Starting test: systemlog
         ......................... DC-SERVER passed test systemlog
      Starting test: VerifyReferences
         ......................... DC-SERVER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
   
   Running enterprise tests on : domain.name
      Starting test: Intersite
         ......................... domain.name passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.name passed test FsmoCheck
0
 
Darius Ghassem commented:
Did you dcpromo /forceremoval the new DC? The old one should have had a metadata cleanup.
0
 
Leon Fester (Senior Solutions Architect) commented:
Like dariusg asked above, did you do the metadata cleanup on the OLD DC before promoting again?
If you've used the forceremoval switch, you will need to do the metadata cleanup, or at least delete the server under "Sites and Services" and also delete the computer account to be safe.
The metadata cleanup is required to fully delete any existence of the NEW DC.

If you did the metadata cleanup, then have a look at this document
http://support.microsoft.com/?id=839880

If you don't mind, could you post a dcdiag /v if there are still issues.
0
 
microdome7 (Author) commented:
Yes, I did a metadata cleanup on the old DC server before forceremoval and repromoting the new DC server, and basically it is still the same thing. If I take the old DC server offline, nobody can log on and the new DC server gives a "domain not found" error when opening AD Users & Computers, etc.

I am actually trying a fresh format and reload on the new DC server now to see if that resolves the issue. If it does not, then I assume it almost certainly must be an issue caused by the old DC server.
0
 
Darius Ghassem commented:
Run dcdiag on the old DC. I think you might have gotten rid of some critical data.
0
 
microdome7 (Author) commented:
The dcdiag I posted earlier was from the old DC server. It is currently up and running.
0
 
Darius Ghassem commented:
But failing:

 DsBindWithSpnEx() failed with error 1722
0
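The point just made, that dcdiag marked the Replications test as passed while printing an RPC bind failure inside it, is easy to miss when reading the output by eye. As an added example (not posted by anyone in this thread), a small Python parser over a constructed excerpt modelled on the dcdiag output above; host and domain names are placeholders, and the error-text heuristic is an assumption, not a dcdiag feature.

```python
import re

# Constructed excerpt modelled on the dcdiag output posted in this thread (placeholder names).
SAMPLE_DCDIAG = """\
      Starting test: Connectivity
         ......................... DC-SERVER passed test Connectivity
      Starting test: Replications
         [DCSERV] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... DC-SERVER passed test Replications
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC-SERVER failed test frsevent
"""

START_RE = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT_RE = re.compile(r"^\s*\.{3,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")
# Heuristic (assumed) for error text dcdiag prints inside a test it still marks as passed.
ERROR_RE = re.compile(r"failed with error \d+|\berror\b|\bwarning\b|unavailable", re.I)

def parse_dcdiag(text):
    """Split dcdiag output into per-test records: name, target, result, detail lines."""
    tests, current = [], None
    for line in text.splitlines():
        start, result = START_RE.match(line), RESULT_RE.match(line)
        if start:
            current = {"name": start.group(1), "target": None, "result": None, "details": []}
            tests.append(current)
        elif result and current is not None:
            current["target"], current["result"] = result.group(1), result.group(2)
        elif current is not None and line.strip():
            current["details"].append(line.strip())
    return tests

def flag_problems(tests):
    """Return (test, status, detail) for failed tests and for passed tests carrying error text."""
    problems = []
    for t in tests:
        details = " ".join(t["details"])
        if t["result"] == "failed":
            problems.append((t["name"], "failed", details))
        elif ERROR_RE.search(details):
            problems.append((t["name"], "passed-with-errors", details))
    return problems

if __name__ == "__main__":
    for name, status, detail in flag_problems(parse_dcdiag(SAMPLE_DCDIAG)):
        print(f"{name}: {status} -> {detail}")
```

Feed it the output of `dcdiag /v` from each DC and anything reported as passed-with-errors is worth reading before trusting the passed verdict.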
 
Darius Ghassem commented:
Post dcdiag /test:dns.
0
 
microdome7 (Author) commented:
I just ran dcdiag /fix and now I don't get the "DsBindWithSpnEx() failed with error 1722" error. So now when I run a dcdiag /v I get no failures. I am hoping that this, plus the format and reload on the new DC, resolves the issues I have been having.
0
 
Darius Ghassem commented:
Make sure you run metadata cleanup to remove any lingering objects from all failed DCs.

Delete any DNS records for non working DCs.
0
 
microdome7 (Author) commented:
After doing a fresh load of the OS and promoting the new DC again, everything seems to be working fine now. Somehow, when that old DC server that had its roles seized came back online, it broke something in the new DC server. I am sure more troubleshooting probably could have resolved the issue without having to do a format and reload, but since it was a new server with nothing on it yet, it just made more sense to save time and just reload it.

Thanks everyone for all your help.
0