JamesAnctil

asked on

Virtualized Backup of DC and now Server is in USN rollback..

A Storagecraft backup image was used to virtualize the server.

After this was done the server showed the symptoms of USN rollback mode, Netlogon paused, etc.

I still have the physical server that the image was taken from... what would be the correct way to virtualize the DC?
SOLUTION
Zephyr ICT

JamesAnctil (ASKER)

OK, so we have a second domain controller that was built virtual from the beginning.

If I can, I would like to promote it to the primary DC and just scrap the old primary DC...
I'm thinking the easiest way to get back to normal would be to turn the physical DC back on (shut down its virtual counterpart), then take a Windows backup including a system state backup; create a new VM and use the Windows backup to virtualize...

Thoughts?
OK, after some more research this is what I plan to do.

(Situation: primary DC gone, have active backup DC ready to take over.)

Backup DC already has DNS/DHCP roles.

1. Seize FSMO roles and put them on the backup DC.

...that's it... what else?
Just found a TechNet article that says if I use dcpromo to demote the failed DC, it will (ask?) transfer the FSMO roles to another DC on the network.

Can someone confirm/deny this?

That would seem to be the easiest way to "promote" a backup DC to the primary DC.

"The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
•An administrator reassigns the role by using a GUI administrative tool.
•An administrator reassigns the role by using the ntdsutil /roles command.
•An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator."
SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Thank you for the response, I did come across this though..

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

The DC I am turning into the primary DC is a GC. Should I not seize that role?
Another question before I perform this:

currently nothing is being replicated from the primary DC,

e.g. user names
e.g. group policy won't update.

Once I seize the roles, essentially making my backup DC my primary, will this start to work again?
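The seizure plan and the Infrastructure Master / Global Catalog question above, worked through as an added example (this is not code from the thread, from the TechNet article, or from any of the answers). It lists the current role holders, checks whether the IM/GC caveat actually applies, seizes all five roles onto the surviving DC, removes the dead DC's metadata, and verifies. Assumed names: the surviving DC is DC2, the dead DC is OLD-DC, its site is Default-First-Site-Name; the ActiveDirectory PowerShell module (Server 2008 R2 or later) is assumed on the surviving DC, and the session runs as a member of Domain Admins, Schema Admins and Enterprise Admins.

```powershell
# Added example, not code from the thread: seize the FSMO roles onto the surviving
# DC and clean up the dead DC's metadata. Assumed names: surviving DC = DC2,
# dead DC = OLD-DC, site = Default-First-Site-Name. Requires the ActiveDirectory
# module (Server 2008 R2+) and Domain/Schema/Enterprise Admin rights.
Import-Module ActiveDirectory

$survivor = 'DC2'                      # assumption: the DC that takes over
$deadDc   = 'OLD-DC'                   # assumption: name of the DC that is gone
$deadSite = 'Default-First-Site-Name'  # assumption: site the dead DC lived in

$domain = Get-ADDomain -Server $survivor
$forest = Get-ADForest -Server $survivor

# 1. Current role holders. Seize only when the holder is gone for good; a holder
#    that is merely offline for a while should be transferred later instead.
Write-Host "Current FSMO holders:"
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. The "keep the Infrastructure Master off a GC" rule only matters when the forest
#    has more than one domain AND some DC in this domain is not a GC. With a single
#    domain, or when every DC is a GC, the IM has no phantom records to update.
$dcs   = Get-ADDomainController -Filter * -Server $survivor
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($forest.Domains.Count -gt 1 -and $nonGc.Count -gt 0) {
    Write-Warning ("Multi-domain forest with non-GC DCs ({0}): keep the Infrastructure Master off a GC." -f ($nonGc.Name -join ', '))
} else {
    Write-Host "Single-domain forest or all DCs are GCs: the IM/GC caveat does not apply."
}

# 3. Seize all five roles. -Force tries a transfer first and seizes when the current
#    holder cannot be contacted. After this the dead DC must never come back online
#    as a DC (dcpromo /forceremoval if it is ever powered on): two live RID masters
#    hand out overlapping SIDs.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 4. Metadata cleanup: removes the dead DC's NTDS Settings, server, computer and
#    FRS/DFSR member objects so the KCC stops building links to it. ntdsutil takes
#    its interactive commands as arguments; on 2008 R2 it still pops a confirmation
#    dialog. Stale SRV/A records in DNS are NOT removed and must be deleted by hand.
$configNc = (Get-ADRootDSE -Server $survivor).configurationNamingContext
$serverDn = "CN=$deadDc,CN=Servers,CN=$deadSite,CN=Sites,$configNc"
$serverExists = $true
try { $null = Get-ADObject -Identity $serverDn -Server $survivor } catch { $serverExists = $false }
if ($serverExists) {
    & ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit
} else {
    Write-Host "No server object at $serverDn; metadata already cleaned."
}

# 5. Verify: every DC must agree on the new holders, the KCC must rebuild the
#    topology without the dead DC, and inbound replication must show no failures.
& netdom query fsmo
& repadmin /kcc $survivor
& dcdiag /test:KnowsOfRoleHolders /test:Replications /q
```

Step 2 is the part that answers the GC question: the caveat is about phantom objects that reference other domains, so it has nothing to do in a one-domain forest, which is what a `DC=ALLONE,DC=local` forest with only `ForestDnsZones`/`DomainDnsZones` partitions looks like.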
Question

I cleaned up the metadata on the new primary DC;

do I have to do the same to the DC that is offsite?
If the offsite DC is not replicating and is in USN rollback then you need to demote the server, followed by metadata cleanup, and promote the server back as a DC. Assuming that there is another online DC which is working well.
Offsite DC is not in USN rollback, just a DC offsite.
GC, DNS, DHCP as well for that location.
Are you facing any replication issue with the offsite DC? Currently how many DCs do you have in the network? Run dcdiag /q and repadmin to verify the health.
Hmmm, changes not replicating to offsite DC...
Potentially this offsite DC does not need to be a DC at all...

Sites are connected via MPLS w/ backup VPN.

I'm thinking demote the offsite DC, keep DHCP and DNS.

Thoughts?

(Server used as a file server for that site.)
How many DCs do you have in the environment currently?
Number of users and machines at the offsite location?
Virtual environment @ main location

-1 DC (can create a backup dc)
-50 users

Offsite - connected via MPLS  /backup VPN

-1 DC
-15 users

---

(Converging offices into one new building within a year; the plan was to virtualize the offsite server then.)
If you have a single DC then plan to have a second DC for redundancy. Assuming currently you have 1 DC in main and 1 DC offsite, if you remove the DC then you will be left with one DC only.
Yes, not worried about that as I am currently building another virtual DC...

Only now worried about the AD not replicating; it's breaking other applications..
Do I have to do metadata cleanup on the offsite DC as well? Or was that supposed to replicate automatically from the other DC?
Can you post the dcdiag /q and repadmin /replsum to verify the health of both DCs (main & offsite)?
New Primary DC
Dcdiag /q
PS C:\Users\techadmin2> dcdiag /q
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 07/24/2013   17:02:12
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 07/24/2013   17:02:12
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 07/24/2013   17:02:12
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 07/24/2013   17:02:12
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 07/24/2013   17:02:12
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 07/24/2013   17:02:12
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 07/24/2013   17:02:12
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 07/24/2013   17:02:12
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         ......................... DC2 failed test KccEvent
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=ALLONE,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=ALLONE,DC=local
         ......................... DC2 failed test NCSecDesc
         [DC2] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DC2 failed test NetLogons
         [Replications Check,DC2] A recent replication attempt failed:
            From SALES-SERVER to DC2
            Naming Context: DC=DomainDnsZones,DC=ALLONE,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-07-24 16:57:12.
            The last success occurred at 2013-07-24 11:38:04.
            23 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From SALES-SERVER to DC2
            Naming Context: DC=ForestDnsZones,DC=ALLONE,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-07-24 16:57:12.
            The last success occurred at 2013-07-24 11:38:04.
            23 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From SALES-SERVER to DC2
            Naming Context: CN=Schema,CN=Configuration,DC=ALLONE,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2013-07-24 16:57:12.
            The last success occurred at 2013-07-24 11:38:03.
            24 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From SALES-SERVER to DC2
            Naming Context: CN=Configuration,DC=ALLONE,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2013-07-24 16:57:12.
            The last success occurred at 2013-07-24 11:38:03.
            24 failures have occurred since the last success.
         [Replications Check,DC2] A recent replication attempt failed:
            From SALES-SERVER to DC2
            Naming Context: DC=ALLONE,DC=local
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2013-07-24 16:57:12.
            The last success occurred at 2013-07-24 11:38:03.
            24 failures have occurred since the last success.
         ......................... DC2 failed test Replications
            Could not open NTDS Service on DC2, error 0x5 "Access is denied."
         ......................... DC2 failed test Services
         An error event occurred.  EventID: 0x40000004
            Time Generated: 07/24/2013   16:10:36
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sales-server.allone.local. The target name used was cifs/SALES-SERVER.ALLONE.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ALLONE.LOCAL) is different from the client domain (ALLONE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 07/24/2013   16:12:12
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sales-server.allone.local. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/01100e28-6589-4040-8504-0e556c129e8f/ALLONE.local@ALLONE.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ALLONE.LOCAL) is different from the client domain (ALLONE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 07/24/2013   16:15:14
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sales-server.allone.local. The target name used was ALLONE\SALES-SERVER$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ALLONE.LOCAL) is different from the client domain (ALLONE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         ......................... DC2 failed test SystemLog


Repadmin /replsum

PS C:\Users\techadmin2> repadmin /relsum
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:<retries>][:<delay>]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:<cmd>    Displays the list of possible arguments <args>, appropriate
            syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported <cmd> commands (use /?<cmd> for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp


Note: Most commands take their parameters in the order of "Destination or
      Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
      NC or Object DN if required.

        <DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
        string. For Active Directory Domain Services, this is simply a network
        label (such as a DNS, NetBios, or IP address) of a Domain Controller.
        For Active Directory Lightweight Directory Services, this must be a
        network label of the AD LDS server followed by a colon and the LDAP
        port of the AD LDS instance
            Examples (AD DS):  dc-01
                               dc-01.microsoft.com
            Examples (AD LDS): ad-am-01:2000
                               ad-am-01.microsoft.com:2000

      <Naming Context> is the Distinguished Name of the root of the NC
            Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
      Unicode characters will only display correctly if appropriate fonts and
      language support are loaded.
PS C:\Users\techadmin2>
Sorry, replsum here:

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 SALES-SERVER          05h:37m:59s    5 /   5  100  (2148074274) The target principal name is incorrect.


Destination DSA     largest delta    fails/total %%   error
 DC2                   05h:37m:59s    5 /   5  100  (2148074274) The target principal name is incorrect.


Experienced the following operational errors trying to retrieve replication information:
        8341 - SALES-SERVER.ALLONE.local
dcdiag on the offsite server:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\techadmin2>dcdiag /q
         The host 01100e28-6589-4040-8504-0e556c129e8f._msdcs.ALLONE.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (01100e28-6589-4040-8504-0e556c129e8f._msdcs.ALLONE.local) couldn't be
         resolved, the server name (SALES-SERVER.ALLONE.local) resolved to the
         IP address (10.10.0.2) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SALES-SERVER failed test Connectivity
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... ALLONE.local failed test FsmoCheck

C:\Documents and Settings\techadmin2>


looks like the dns got Haxed somehow...
ASKER CERTIFIED SOLUTION
C:\Documents and Settings\techadmin2>netdom /resetpwd /server:sales-server /userd:xxxx.local\xxxxx /passwordd:xxxxxx
The machine account password for the local machine could not be reset.

Logon failure: unknown user name or bad password.

The command failed to complete successfully.


C:\Documents and Settings\techadmin2>repadmin /syncall
CALLBACK MESSAGE: Error contacting server 01100e28-6589-4040-8504-0e556c129e8f._msdcs.ALLONE.local (network error): -2146893022 (0x80090322):
    The target principal name is incorrect.

SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    The naming context specified for this replication operation is invalid.

C:\Documents and Settings\xxxxxx>
Awesome, it was the secure channel; I was using the command wrong.


Everything is working now. Thanks to all!!
Again Experts-Exchange saves the day!
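The repair the thread ends on, written out as an added example (it is not the poster's command and not taken from any answer): resetting the machine account password, and with it the secure channel, of a domain controller whose partners reject its tickets with KRB_AP_ERR_MODIFIED / "The target principal name is incorrect". It follows the documented netdom order for DCs: stop the KDC, reset the password against another DC, restart the KDC, then replicate. Assumptions: it runs on the broken DC (SALES-SERVER), DC2.ALLONE.local is the healthy partner, ALLONE\techadmin2 is the admin account, and netdom and repadmin are present (Support Tools on Server 2003, built in from 2008 on). Two details matter for the command: the subcommand is `resetpwd` with no leading slash, and `/server` must name the healthy partner, not the DC being repaired.

```powershell
# Added example, not the poster's command: reset a domain controller's machine
# account password (its secure channel) when partners reject its Kerberos
# tickets with KRB_AP_ERR_MODIFIED / "The target principal name is incorrect".
# Run ON the broken DC. Assumed names: healthy partner DC2.ALLONE.local,
# admin account ALLONE\techadmin2.
$healthyDc = 'DC2.ALLONE.local'   # assumption: a DC that replicates fine
$adminUser = 'ALLONE\techadmin2'  # assumption: Domain Admin account to use

function Invoke-Checked {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 0. The partner must resolve and answer by name. If the partner's GUID-based
#    _msdcs record does not resolve (the dcdiag Connectivity failure), fix DNS
#    first: this DC should use a DNS server that hosts _msdcs.ALLONE.local.
try { $null = [System.Net.Dns]::GetHostAddresses($healthyDc) }
catch { throw "$healthyDc does not resolve; fix DNS before resetting the secure channel." }
if (-not (Test-Connection -ComputerName $healthyDc -Count 1 -Quiet)) {
    throw "$healthyDc is not reachable; fix MPLS/VPN routing before resetting the secure channel."
}

# 1. Stop the local KDC so this DC cannot issue itself tickets under the old key,
#    and drop cached tickets (klist is built in from Server 2008 on; optional here).
Invoke-Checked -Exe net -Arguments @('stop', 'kdc')
if (Get-Command klist -ErrorAction SilentlyContinue) { & klist purge | Out-Null }

# 2. Reset the machine account password AGAINST THE HEALTHY DC. netdom writes the
#    new password locally and on that DC in one step. /passwordd:* prompts, so the
#    admin password never lands in the shell history.
Invoke-Checked -Exe netdom -Arguments @('resetpwd', "/server:$healthyDc", "/userd:$adminUser", '/passwordd:*')

# 3. Restart the KDC, then pull every partition from all partners (/A all NCs,
#    /e cross-site) so the new key is in use end to end.
Invoke-Checked -Exe net -Arguments @('start', 'kdc')
Invoke-Checked -Exe repadmin -Arguments @('/syncall', '/A', '/e')

# 4. Verify: the summary must show 0 failures for this DC in both directions,
#    and dcdiag's secure channel (MachineAccount) test must pass.
& repadmin /replsummary
& dcdiag /test:MachineAccount /test:Replications /q
```

If step 2 fails with "Logon failure: unknown user name or bad password", check the `/userd` domain\user form and that `/server` points at a DC that can authenticate the account, before concluding the machine account itself is the problem.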