demote a dc, break active directory

LunaRavenscroft
I configured a 2008r2 server as a new domain controller and that was working well for a few weeks, so I demoted a 2003 server. The 2008r2 server had all of the fsmo roles on it, and the dcpromo didn't have any issues. Now I cannot connect to a remote server via remote desktop. I can map a network share to it but cannot browse for it. DCDIAG really isn't showing any errors on the 2008r2 machine, and neither is repadmin. A third remote server can at least connect to remote desktop, but can't browse for the network either. That has a clean dcdiag and repadmin too. The thing I see is that in AD Sites and Services, my main server is not there. On the servers folder is a yellow triangle with a question mark. I get an error clicking on it that says data from server is not available from domain controller because an operations error has occurred. Select another dc from the domain context menu. The other 2 branch servers are there. If I look at it with adsiedit, it all looks correct. Help!

Commented:
can you login to local admin on the new DC?

Author

Commented:
yes I can do pretty much anything on the new dc.

It would really help if you can post some screen shots of the errors (RDP and AD sites and services). Also post any errors that you see in the event logs. Yellow triangle in AD sites and services and Remote desktop does not have any link. Check if Remote desktop is enabled and also check group policies if the "Allow logon through terminal services" setting has Administrators group added.

Author

Commented:
Here are some docs on what I see. I am not really getting errors in the event viewer, but what I have been getting is enclosed. The problem is I cannot remote desktop to river falls but I can to eauclaire. I can ping by name and see the ip address.

here it goes:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DURAN-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Duran\DURAN-DC
      Starting test: Connectivity
         ......................... DURAN-DC passed test Connectivity

Doing primary tests

   Testing server: Durand\DURAN-DC
      Starting test: Advertising
         ......................... DURAN-DC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DURAN-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DURAN-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DURAN-DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DURAN-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DURAN-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DURAN-DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=sfb,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=snb,DC=org
         ......................... DURAN-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... DURAN-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DURAN-DC passed test ObjectsReplicated
      Starting test: Replications
         ......................... DURAN-DC passed test Replications
      Starting test: RidManager
         ......................... DURAN-DC passed test RidManager
      Starting test: Services
         ......................... DURAN-DC passed test Services
      Starting test: SystemLog
         ......................... DURAN-DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DURAN-DC passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : sfb
      Starting test: CheckSDRefDom
         ......................... sfb passed test
         CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... sfb passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : snb.org
      Starting test: LocatorCheck
         ......................... snb.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... snb.org passed test
         Intersite

C:\Users\administrator>

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = EAUCLAIRE-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: RiverFalls\EAUCLAIRE-DC
      Starting test: Connectivity
         ......................... EAUCLAIRE-DC passed test Connectivity

Doing primary tests

   Testing server: RiverFalls\EAUCLAIRE-DC
      Starting test: Advertising
         ......................... EAUCLAIRE-DC passed test Advertising
      Starting test: FrsEvent
         ......................... EAUCLAIRE-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... EAUCLAIRE-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... EAUCLAIRE-DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... EAUCLAIRE-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... EAUCLAIRE-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... EAUCLAIRE-DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=sfb,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=snb,DC=org
         ......................... EAUCLAIRE-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... EAUCLAIRE-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... EAUCLAIRE-DC passed test ObjectsReplicated
      Starting test: Replications
         ......................... EAUCLAIRE-DC passed test Replications
      Starting test: RidManager
         ......................... EAUCLAIRE-DC passed test RidManager
      Starting test: Services
         ......................... EAUCLAIRE-DC passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000008E
            Time Generated: 05/14/2011   02:50:17
            Event String:
            The time service has stopped advertising as a time source because th
e local clock is not synchronized.
         A warning event occurred.  EventID: 0x00000032
            Time Generated: 05/14/2011   02:50:17
            Event String:
            The time service detected a time difference of greater than 128 mill
iseconds for 90 seconds. The time difference might be caused by synchronization
with low-accuracy time sources or by suboptimal network conditions. The time ser
vice is no longer synchronized and cannot provide the time to other clients or u
pdate the system clock. When a valid time stamp is received from a time service
provider, the time service will correct itself.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 05/14/2011   03:44:14
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... EAUCLAIRE-DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... EAUCLAIRE-DC passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : sfb
      Starting test: CheckSDRefDom
         ......................... sfb passed test
         CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... sfb passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : snb.org
      Starting test: LocatorCheck
         ......................... snb.org passed test
         LocatorCheck
      Starting test: Intersite
         ......................... snb.org passed test
         Intersite



C:\Users\administrator>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Duran\DURAN-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
DSA invocationID: d3d8d5d1-0f79-47c0-972d-45836957cbdb

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=snb,DC=org
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 01:58:20 was successful.

CN=Schema,CN=Configuration,DC=snb,DC=org
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 01:58:20 was successful.

DC=sfb,DC=com
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 01:58:21 was successful.

DC=ForestDnsZones,DC=snb,DC=org
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 01:58:21 was successful.

DC=DomainDnsZones,DC=sfb,DC=com
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 01:58:22 was successful.

DC=snb,DC=org
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 01:58:22 was successful.


Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
RiverFalls\EAUCLAIRE-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 131ed307-2529-4c34-9ac1-09b5befa5b34
DSA invocationID: dbf4c424-ad2e-457a-a313-9ea434671625

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=snb,DC=org
    Durand\DURAN-DC via RPC
        DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
        Last attempt @ 2011-05-14 01:59:32 was successful.
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 03:44:22 was successful.

CN=Schema,CN=Configuration,DC=snb,DC=org
    Durand\DURAN-DC via RPC
        DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
        Last attempt @ 2011-05-14 01:59:33 was successful.
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 02:59:30 was successful.

DC=sfb,DC=com
    Durand\DURAN-DC via RPC
        DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
        Last attempt @ 2011-05-14 01:59:33 was successful.
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 02:59:31 was successful.

DC=ForestDnsZones,DC=snb,DC=org
    Durand\DURAN-DC via RPC
        DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
        Last attempt @ 2011-05-14 01:59:34 was successful.
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 02:59:31 was successful.

DC=DomainDnsZones,DC=sfb,DC=com
    Durand\DURAN-DC via RPC
        DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
        Last attempt @ 2011-05-14 01:59:34 was successful.
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 02:59:31 was successful.

DC=snb,DC=org
    Durand\DURAN-DC via RPC
        DSA object GUID: 5098def4-9e6e-4e20-a40c-22a25dd03fe0
        Last attempt @ 2011-05-14 01:59:35 was successful.
    RiverFalls\DC-RIVERFALLS via RPC
        DSA object GUID: ed550fbe-8b15-46ff-972f-9a6528cbe9ce
        Last attempt @ 2011-05-14 02:59:31 was successful.

thanks!
AD.jpg

Is the time/date out of sync on the DCs?

Author

Commented:
the servers are all within seconds of each other (the one I can't see I'm sure is the same). It is about a minute off from my cell phone, but at least all the servers are the same.

From: EAUCLAIRE-DC

Time Generated: 05/14/2011   02:50:17
            Event String:
            The time service has stopped advertising as a time source because th
e local clock is not synchronized.
         A warning event occurred.  EventID: 0x00000032
            Time Generated: 05/14/2011   02:50:17

Author

Commented:
I think it stopped the same time I did the dcpromo and things went downhill from there. Got it fixed. Thanks!!
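
Added example, not part of the thread: a Python triage of saved dcdiag text like the output posted above, listing failed tests and logged events and rejoining event strings that the console split mid-word. The sample input is constructed (DC1 is a placeholder server name), and the 80-column wrap width is an assumption about the console the output was captured from.

```python
import re

RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test\s*(\S*)")
EVENT = re.compile(r"An? (warning|error) event occurred\.\s+EventID: (0x[0-9A-F]+)", re.I)

def unwrap(text, width=80):
    """Rejoin lines the console hard-wrapped at `width` columns (assumed 80).
    A line that is naturally exactly `width` long would be joined by mistake."""
    out, prev_full = [], False
    for line in text.splitlines():
        if prev_full and out:
            out[-1] += line          # continuation of a hard-wrapped line
        else:
            out.append(line)
        prev_full = len(line) == width
    return out

def triage(text):
    """Return (failed_tests, events) from saved dcdiag text output."""
    lines = unwrap(text)
    failed, events = [], []
    for i, line in enumerate(lines):
        m = RESULT.search(line)
        if m:
            # dcdiag sometimes puts the test name on the following line
            name = m.group(3) or (lines[i + 1].strip() if i + 1 < len(lines) else "")
            if m.group(2) == "failed":
                failed.append((m.group(1), name))
            continue
        m = EVENT.search(line)
        if m:
            msg = ""
            for j in range(i + 1, min(i + 4, len(lines) - 1)):
                if lines[j].strip() == "Event String:":
                    msg = lines[j + 1].strip()
            events.append({"level": m.group(1).lower(), "id": int(m.group(2), 16), "message": msg})
    return failed, events

# Constructed sample shaped like the posted output; the message is split at column 80.
MSG = " " * 12 + ("The time service has stopped advertising as a time source "
                  "because the local clock is not synchronized.")
SAMPLE = "\n".join([
    "      Starting test: NCSecDesc",
    "         ......................... DC1 failed test NCSecDesc",
    "      Starting test: SystemLog",
    "         A warning event occurred.  EventID: 0x0000008E",
    "            Time Generated: 05/14/2011   02:50:17",
    "            Event String:",
    MSG[:80], MSG[80:],
    "         ......................... DC1 passed test SystemLog",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A test that "passed" can still carry warning events, as SystemLog does in the EAUCLAIRE-DC output, so the events list is worth reading even when the failed list is short.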
