Solved

Server 2003 replacement domain controller issue

Posted on 2011-05-11
352 Views
Last Modified: 2012-06-21
I have a client that had a 2003 domain server crash. I had installed a secondary domain controller and promoted it to secondary DC status before the crash, however failover did not happen and it took the network down. I seized the fsmo roles from the crashed server to the new server and everything was working that day. I was remoted in when I seized the roles and told the client that the old server MUST be disconnected so that it could not miraculously come back online and cause problems since the roles were seized and not transferred. The client did not disconnect the old server and it came online and now I have issues with the new replacement server.

Now on the new replacement server the "sysvol" and "netlogon" folders are empty and unshared. The workstations keep connecting back to the old server instead of the new one.

My question is, is there a way to resolve this without reloading the new server and rebuilding the domain from scratch and rejoining all the workstations? I really don't want to have to go this route as they have 100+ workstations.
Question by:microdome7

22 Comments
LVL 4

Expert Comment

by:every1isevil2
ID: 35742010
it sounds like the workstations are getting confused on who to connect to.  on the old server do
net stop dhcpserver
net stop ntds

this will turn off active directory and the dhcp service.  and see if it resolves itself.  if it seems to be working fine

dcpromo /forceremoval
http://support.microsoft.com/kb/332199

you're in a sticky situation right now.  create a backup of both servers before the forceremoval
 
LVL 13

Accepted Solution

by:
5g6tdcv4 earned 668 total points
ID: 35742119
It's actually a simple solution.
Shut down the new dc you built. Verify everything is working.
Format the new dc you built and bring it back online as a new dc with a new name.
Then transfer the roles to the new dc and you will be good to go.
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 668 total points
ID: 35742750
You need to run a metadata cleanup to remove lingering objects from the failed DC.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If your network logon and SYSVOL do not get the contents from the prior DC you could restore these two from backup
 
LVL 1

Expert Comment

by:Omer_Saeed
ID: 35742878
Also try to make sure your clients' DNS settings are pointing correctly to the server if they are not depending on dhcp ! ...
 

Author Comment

by:microdome7
ID: 35743003
DHCP and DNS had already been transferred to the new server before the old one crashed so I wouldn't think it would be a DHCP or DNS communication issue unless it is something I am missing.
 
LVL 4

Expert Comment

by:every1isevil2
ID: 35743036
if the server that is to be decommissioned has its dhcp turned on, the workstations may want to try to connect to it.  the workstation will use the first server to reply to its broadcast for dhcp, hence why workstations are connecting to the old server.  like i said, or 5g6tdcv4 said, either turn off ntds and dhcp services or turn off that server
 

Author Comment

by:microdome7
ID: 35743635
If I take the old server offline and open AD Users and Computers on the new server it gives a "domain not found" error. Even though the roles were seized to the new server it is like it is still looking to the old server somehow.
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 664 total points
ID: 35745086
You mention the old server was not disconnected, and it "came back".
Is it now working correctly?
Do you get any errors logged in the Event Viewer or when running DCDIAG?

If yes, then don't work on the new Server until it is functioning and replicating with the old server.
So how would you get the new server to talk to the old server?

dcpromo /forceremoval the new DC.
Double check on the old server that the new one is not there by doing a metadata cleanup.
Delete the computer account for the new DC if it exists on the LAN.
Restart the NEW DC, join it to the domain and then dcpromo it again.

If the old server is not "working" properly, then you'll need to use a backup and restore it on the new server. This process of restoring is dependent on what kind of backup you have.
 

Author Comment

by:microdome7
ID: 35749746
dvt_localboy,

I tried your suggestion of dcpromo /forceremoval of the new DC, doing metadata cleanup, and rejoining, dcpromo again. After doing so the new DC sits at the login screen and hangs on "Applying computer settings..." for over an hour like it is having trouble resolving DNS.

I am thinking at this point probably the best thing to do is completely reformat the new DC, rejoin, and dcpromo it again.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35756840
Post dcdiag
 
LVL 26

Expert Comment

by:Leon Fester
ID: 35763400
If you've removed the DC role, then the DNS configuration on that server would also have been removed.
So if it was pointing to itself as DNS then it won't be able to resolve.

Confirm that DNS is working on the old server, and then add the DNS role on the new server and let it replicate.

If issues still persist then reply with the results of a dcdiag.
 

Author Comment

by:microdome7
ID: 35769876

Here is the dcdiag.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DC-SERVER
      Starting test: Connectivity
         ......................... DC-SERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\DC-SERVER
      Starting test: Replications
         [DCSERV] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... DC-SERVER passed test Replications
      Starting test: NCSecDesc
         ......................... DC-SERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC-SERVER passed test NetLogons
      Starting test: Advertising
         ......................... DC-SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC-SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC-SERVER passed test RidManager
      Starting test: MachineAccount
         ......................... DC-SERVER passed test MachineAccount
      Starting test: Services
         ......................... DC-SERVER passed test Services
      Starting test: ObjectsReplicated
         ......................... DC-SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC-SERVER passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC-SERVER failed test frsevent
      Starting test: kccevent
         ......................... DC-SERVER passed test kccevent
      Starting test: systemlog
         ......................... DC-SERVER passed test systemlog
      Starting test: VerifyReferences
         ......................... DC-SERVER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
   
   Running enterprise tests on : domain.name
      Starting test: Intersite
         ......................... domain.name passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.name passed test FsmoCheck
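In the output above the Replications test is reported as "passed" even though its body contains a DsBindWithSpnEx() RPC bind failure (error 1722), so scanning only for the word "failed" misses it. As an added example, not code from anyone in this thread, the following Python script parses pasted dcdiag output into per-test records and flags both failed tests and tests that passed while embedding an error; the sample input is an excerpt of the dcdiag output posted above.

```python
import re

# Excerpt of the dcdiag output posted in the thread (trimmed to three tests).
SAMPLE_DCDIAG = r"""
   Testing server: Default-First-Site-Name\DC-SERVER
      Starting test: Replications
         [DCSERV] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... DC-SERVER passed test Replications
      Starting test: NetLogons
         ......................... DC-SERVER passed test NetLogons
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC-SERVER failed test frsevent
"""

TEST_START = re.compile(r"^\s*Starting test: (\S+)")
TEST_VERDICT = re.compile(r"^\s*\.+ (\S+) (passed|failed) test (\S+)")
# Error text dcdiag prints inside a test body; the verdict line may still say "passed".
ERROR_HINT = re.compile(r"failed with error \d+|The RPC server is unavailable", re.I)

def parse_dcdiag(text):
    """Split dcdiag output into per-test records: name, target, verdict, body lines."""
    tests, current = [], None
    for line in text.splitlines():
        if m := TEST_START.match(line):
            current = {"test": m.group(1), "target": None, "verdict": None, "body": []}
            tests.append(current)
        elif current is not None and (m := TEST_VERDICT.match(line)):
            current["target"], current["verdict"] = m.group(1), m.group(2)
            current = None  # the verdict line closes the test
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    return tests

def find_problems(tests):
    """Return (test, kind, detail) for failed tests and for passed tests whose body reports an error."""
    problems = []
    for t in tests:
        errors = [b for b in t["body"] if ERROR_HINT.search(b)]
        if t["verdict"] == "failed":
            problems.append((t["test"], "failed", " ".join(t["body"])))
        elif errors:
            problems.append((t["test"], "passed-with-errors", " ".join(errors)))
    return problems

if __name__ == "__main__":
    for test, kind, detail in find_problems(parse_dcdiag(SAMPLE_DCDIAG)):
        print(f"{test:14} {kind:19} {detail}")
```

Feed it the full output of `dcdiag /v` redirected to a file and anything flagged "passed-with-errors" deserves the same attention as an outright failure.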
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35769928
Did you dcpromo /forceremoval the new DC? The old one should have had a metadata cleanup
 
LVL 26

Expert Comment

by:Leon Fester
ID: 35770474
Like dariusg asked above, did you do the metadata cleanup on the OLD DC before promoting again?
If you've used the forceremoval switch you will need to do the metadata cleanup, or at least delete the server under "Sites and Services" and also delete the computer account to be safe.
The metadata cleanup is required to fully delete any existence of the NEW DC.

If you did the metadata cleanup, then have a look at this document
http://support.microsoft.com/?id=839880

If you don't mind, could you post a dcdiag /v if there are still issues.
 

Author Comment

by:microdome7
ID: 35770940
Yes, I did a metadata cleanup on the old dc server before forceremoval and repromoting the new dc server and basically it is still the same thing. If I take the old dc server offline nobody can logon and the new dc server gives a domain not found error when opening AD users & computers, etc.

I am actually trying a fresh format and reload on the new dc server now to see if that resolves the issue. If it does not then I assume it almost must be an issue caused by the old dc server.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35770974
Run dcdiag on the old DC. I think you might have gotten rid of some critical data
 

Author Comment

by:microdome7
ID: 35771160
The dcdiag I posted earlier was from the old dc server. It is currently up and running.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35771206
but failing

 DsBindWithSpnEx() failed with error 1722
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35771224
Post dcdiag /test:dns
 

Author Comment

by:microdome7
ID: 35771296
I just ran dcdiag /fix and now I don't get the DsBindWithSpnEx() failed with error 1722 error. So now when I run a dcdiag /v I get no failures. I am hoping that this plus the format and reload on the new dc resolves the issues I have been having.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35771307
Make sure you run metadata cleanup to remove any lingering objects from all failed DCs.

Delete any DNS records for non working DCs.
 

Author Comment

by:microdome7
ID: 35774500
After doing a fresh load of the OS and promoting the new dc again everything seems to be working fine now. Somehow when that old dc server that had its roles seized came back online it broke something in the new dc server. I am sure more troubleshooting probably could have resolved the issue without having to do a format and reload, but since it was a new server with nothing on it yet it just made more sense to save time and just reload it.

Thanks everyone for all your help.
