Solved

Trouble with backup DC

Posted on 2012-09-11
Last Modified: 2012-09-12
Have run into trouble with our backup DC server, after virtualizing it on the same domain. It's a Windows 2003 machine, and we were attempting to set up a copy of the server on the network as a virtual machine with a new name and IP address, and it's caused problems with the original machine now. The Netlogon service fails, and there are errors such as "Windows cannot determine the user or computer name (access denied)" and "attempts to determine if machine is in same forest failed". So we've obviously messed up this DC by trying to virtualize it. Since this is a backup DC, can we demote it and somehow get it to rejoin as a member server? I have tried running DCPROMO already, and it failed. Any help would be appreciated.

thanks
Question by:Damian_Gardner
17 Comments
 
LVL 12

Accepted Solution

by:
Chris earned 2000 total points
ID: 38387500
So, you virtualised a DC, left both the original and new server running on the domain. Renamed the new (virtual) server (which is still working) and have now got issues with the original?

For future reference, that's a recipe for disaster for a multitude of reasons.

What I would be inclined to do at this stage is the following.

Unplug the server with the issues from the network!
Run dcpromo /forceremoval
Run sysprep
Hook back up to the network
Rejoin to the domain.
Check event viewer on both the current DCs and on the server you've rejoined for any potential issues.
 
LVL 27

Expert Comment

by:DrDave242
ID: 38387594
Before you can rejoin the domain, you'll have to run a metadata cleanup on one of the remaining DCs in order to strip out the bad one from AD:

http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx
 
LVL 12

Expert Comment

by:Chris
ID: 38387606
Not necessarily. It sounds as though the newly virtualised DC has taken on the role of the physical DC, if metadata cleanup is run then the virtualised DC will also stop functioning.
 

Author Comment

by:Damian_Gardner
ID: 38387607
Yeah - I learned this the hard way, for sure. I appreciate your help - let me try these steps and report back the results. Thank you, gentlemen, and stand by.
 

Author Comment

by:Damian_Gardner
ID: 38387617
And in response to Demented_Goose's last comment, yes - it does appear that the VM copy took on the role of the source machine, as I see the VM showing up in the DC lists everywhere.
 

Author Comment

by:Damian_Gardner
ID: 38387778
It's been demoting for about 20 minutes now. I assume it takes a while - it does say it "may take a few minutes, or longer" in the wizard. Hopefully it completes OK...
 

Author Comment

by:Damian_Gardner
ID: 38388620
That worked. Thanks for your help.
 
LVL 12

Expert Comment

by:Chris
ID: 38388981
Glad to be of service. :-)
 

Author Comment

by:Damian_Gardner
ID: 38391078
I think I do need to clean up the AD directory now, because a side-effect I didn't expect is my Cisco VPN gateway is now having trouble authenticating users from the outside (inside the network is ok).  I assume maybe it's because it's looking for the VM copy of the old backup DC, which I took offline, but is still listed as a DC on the network.  If I want to get rid of this VM copy and clean it up, should I just perform the metadata cleanup procedure?

thanks again
 
LVL 27

Expert Comment

by:DrDave242
ID: 38391657
Yes, a metadata cleanup will remove the old backup DC from AD, although you may have to manually delete some of its records from DNS, and possibly remove its empty object from AD Sites and Services afterward.
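A check that follows from the comment above, added here and not part of the thread: after the forced removal and metadata cleanup, list whatever still refers to the removed DC (its server and NTDS Settings objects under Sites, its computer account, and SRV records in DNS) so the leftovers DrDave242 mentions can be reviewed before anything is deleted by hand. It assumes the RSAT ActiveDirectory module on a surviving DC or management host; $OldDc is a placeholder name.

```powershell
# Added example, not from the thread. Reports leftover references to a DC that
# was removed with "dcpromo /forceremoval" followed by a metadata cleanup.
# Assumes the RSAT ActiveDirectory module is available. $OldDc is a placeholder.
Import-Module ActiveDirectory

$OldDc    = 'OLDBACKUPDC'                         # placeholder: NetBIOS name of the removed DC
$Domain   = (Get-ADDomain).DNSRoot
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# 1. Does the directory still list it as a domain controller at all?
$stillDc = Get-ADDomainController -Filter { Name -eq $OldDc } -ErrorAction SilentlyContinue
if ($stillDc) { Write-Warning "$OldDc is still registered as a domain controller" }

# 2. Server object under AD Sites and Services, and its NTDS Settings child.
#    Metadata cleanup removes NTDS Settings; the empty server object may remain.
$serverObjs = Get-ADObject -SearchBase "CN=Sites,$ConfigNC" `
                           -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
foreach ($s in $serverObjs) {
    Write-Output "Leftover server object: $($s.DistinguishedName)"
    Get-ADObject -SearchBase $s.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)" |
        ForEach-Object { Write-Output "  NTDS Settings still present: $($_.DistinguishedName)" }
}

# 3. Computer account in the domain partition (should be gone or a plain member).
$comp = Get-ADComputer -Filter { Name -eq $OldDc } -ErrorAction SilentlyContinue
if ($comp) { Write-Output "Computer account still present: $($comp.DistinguishedName)" }

# 4. DNS SRV records that still point clients (and VPN gateways) at the old DC.
$srvNames = @("_ldap._tcp.$Domain", "_kerberos._tcp.$Domain",
              "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain")
foreach ($n in $srvNames) {
    Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$OldDc.*" } |
        ForEach-Object { Write-Output "Stale SRV record: $n -> $($_.NameTarget)" }
}
```

Each hit is something the surviving DCs or DNS still hands out to clients; clear them only after confirming the VM is not coming back, as Chris cautions below.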
 
LVL 12

Expert Comment

by:Chris
ID: 38391678
Only run metadata cleanup if you're sure your VM is never going back on the network. I would be inclined to try dcpromoing it out first. If this fails then resort to the cleanup.
 
LVL 27

Expert Comment

by:DrDave242
ID: 38391800
He mentioned in the original question that dcpromo failed when he attempted to run it.  Dcpromo /forceremoval will most likely succeed, but that'll only get you a functioning VM in a workgroup; it won't remove references to that VM from the other DCs.  A metadata cleanup is necessary for that to happen.

I'm curious, Damian_Gardner: what procedure did you follow to virtualize that DC, and how many other DCs exist in your domain?
 
LVL 12

Expert Comment

by:Chris
ID: 38391854
Dcpromo failed on the physical box not the VM. The VM, from what I can tell, was still working as a DC. It may be possible to dcpromo it out cleanly. If that doesn't work then yes, I agree a cleanup is the only option.
 

Author Comment

by:Damian_Gardner
ID: 38391905
I'll try the DCPROMO on the VM then. As far as the number of DCs, there are 2 others on this network. Thanks guys, and stand by.
 

Author Comment

by:Damian_Gardner
ID: 38392343
For some reason it said it could not contact another DC, so I forced the removal. Run the cleanup?
 
LVL 27

Expert Comment

by:DrDave242
ID: 38392353
Yep, since you had to force the removal, the cleanup will be necessary.
 
LVL 12

Expert Comment

by:Chris
ID: 38392431
What he said.