Solved

2003 R2 Domain issue.

Posted on 2013-11-06
17
358 Views
Last Modified: 2013-11-11
Hello I have  two Domain controller  running 2003 R2 (yes I know I have to migrate, and I 'll do when I repair it).

today I meet "DC2" without free disk space, then I expand the disk (solved) but the problem is that the Domain controllers don't replicate to the other.

DC2 event log:
- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

 -System: event Id 4  source Kerberos -->  kerberos client received an error .... the password is different ...

and a lot of events showing NTDS replication, DNS, ...

DC1 event log:
- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

and a lot of events showing NTDS replication, DNS, ...


I have done a "dcpromo /force removed" in DC2 (because the kerveros event sound bad) , and in DC 1 seize the 5 roles, en the DNS by hand I cleaned all the DC2 items.

If I look in "user and Active Directory computers" I can see all the computers and user of the Active Directory.

But in the DC1 events I found:

- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

-System: event Id 5774 source NETLOGON --> there has been an error in recording dynamic DNS registration:
"DomainDnsZones.CLIENT.local 600 IN A 169 254 101 244" on the following DNS server

For computers and users to locate this domain controller, this record must register in DNS


I think the problem Is in the DNS server.

Can I repair the DNS server?

Thanks.
0
Comment
Question by:limmontreefree
  • 10
  • 7
17 Comments
 
LVL 39

Expert Comment

by:footech
Comment Utility
If you seized the roles to DC1, then you have to perform a metadata cleanup for DC2.

Run the following and post back.
dcdiag /v
dcdiag /v /test:dns
0
 

Author Comment

by:limmontreefree
Comment Utility
thanks, yes I know, actually I'm working with the DC1 and DC2 (restored from backup) and in another VM I have (without NET)  DC1 as unique domain controller.

I'll send you the log.
0
 

Author Comment

by:limmontreefree
Comment Utility
Here you are.

thanks
logs.zip
0
 

Author Comment

by:limmontreefree
Comment Utility
If you prefer I can stop DC1 and DC2 and start the new DC1 (alone as Domain controller) and send the logs form it.

Really my idea is leave a 2003 R2 DC and attach a new 2012 DC to the system, pass all the roles to the new 2012 DC and then shut down the old 2003 R2.

Thanks.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 500 total points
Comment Utility
What is 3DC.Client.local?  Check to make sure there aren't any DNS records for DC1 that point to it or records for 3DC that point to the IP for DC1 (remember to check PTR records).

Can you start the Netlogon service on DC1?

I'm unclear what you've done.  You said you removed DC2, but then you said you restored it from backup.  I'll ignore the separate/duplicate DC1 that's not connected to anything.

From the DC2 results, it looks like replication hasn't worked since the beginning of the year and has now gone beyond the tombstone lifetime.  With all the rest I would just demote it (forcefully if necessary), do the metadata cleanup, get DC1 healthy, and after that's all done, repromote DC2 (or whatever other machine).   I wouldn't promote a new DC until DC1 is working correctly.
0
 

Author Comment

by:limmontreefree
Comment Utility
The server DC2 is named 3DC y rewrite it in the logs to make easier for you.

All the server are VM, after trying to shut down DC2 and because DC1 didn't goes  fine, I renamed the DC1's VHD and restored the DC1 and DC2, so now I can use both DC1 DC2 and the new alone DC1.

I think may be is better work with the alone DC1, and try repair the DNS.

I'll review the DNS configuration but I don't know much about DNS records.

I don't understand Why do you want to repromote DC2, I prefer attach a new 2012 server.

Thanks
0
 
LVL 39

Assisted Solution

by:footech
footech earned 500 total points
Comment Utility
How did you restore the DCs?  If they were restored from snapshots, and taken at different times, there could be all sorts or problems with them, i.e. USN rollback, broken secure channel with domain members, etc.
This is turning into a mess.

If you want to work with the standalone DC1, get rid of the others.  Connect the DC1 to the network so that machines can use it.  There's little point in trying to repair a DC that other machines can't communicate with, as information can get out of sync, etc.

I don't care if you repromote DC2 or put in a new 2012 server.  I wrote that before I saw any mention of 2012.  So whichever way you want to proceed after DC1 is repaired is fine.

I'd like to see the current dcdiag results for whichever machine we're trying to repair.
0
 

Author Comment

by:limmontreefree
Comment Utility
Hello Footech.

The backup and restore was made with servers stopped (so I think it's alright)

I will to depromote one DC and leave only one as DC (at the momento) but I don't know what server is better keep running as DC.

Can you help me? Reading the logs what is the best candidate?  or Is better use the tool replmon to force the replication?

Thanks for your help.
0
Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

 
LVL 39

Expert Comment

by:footech
Comment Utility
I would say it's better to demote DC2 because it hasn't had a successful inbound replication with DC1 since January.

With that said, please make up your mind which you want to work on:  the standalone DC or the currently connected one.
0
 

Author Comment

by:limmontreefree
Comment Utility
I took the VMs and I'll do the tests in myserver.

I'll post the resoults.

Thanks
0
 

Author Comment

by:limmontreefree
Comment Utility
Hello,

I do the following:

In dc2 dcpromo /forceremoval
dc2 shutdown definitely

In dc1 (named DC)
seize all roles
metadatacleanup
with adsiedit.msc
configuration --> CN=Sites--> CN=servers -->delete  entry CN=DC2

run dcdiag and  dcdiag /dns:test
and send the files to you.

in the dns I  can see many entrys pointing to DC2, but At the momento I don't delete it or change the value DC2 for DC.


Thanks
dcdiag.txt
dcdiag-dns.txt
0
 
LVL 39

Assisted Solution

by:footech
footech earned 500 total points
Comment Utility
Can you start the Netlogon service?

If not, follow the steps in http://support.microsoft.com/kb/290762 to perform an authoritative restore.
0
 

Author Comment

by:limmontreefree
Comment Utility
I don't know how to try start the netlogon service, I can't see in the services.

Thanks.

Have I to perform your link?

Thanks again for your patience.
0
 

Author Comment

by:limmontreefree
Comment Utility
Ok I do it, and in the event Files Replication Service I get three event:

1.-
 Id 13501  the Files Replication Service is starting.

2.-
Id  135212
Warning The files replication service has detected a disk write cache in the unit containing  c:\windows\ntfrs\jet in the computer DC. It possible ......

3.-
Id 13516
The Files Replication Service no longer prevents that DC computer be a Domain Controller. ..

But If I do dcdiag /v in the services paragraph I get NETLOGON services is paused on DC.

also in the event viewer I get an NTDS  general event 1126  and  NTDS  general event 2103.

May be the server is in a USB rollback....

Please tell me your opinion to try to recover the Domain from the the other server.

Thanks again
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
Comment Utility
I'm unclear, did you do the authoritative restore?

Try running the command
repadmin /options yourDCname -disable_inbound_repl
I don't think this is set, but I want to make sure.

You can start and stop the netlogon service with
net start netlogon
net stop netlogon


With DC2 removed, I believe when you run repadmin /showreps there shouldn't be any connections.  Is this what you're seeing?

Follow these steps:
Check the registry key “HKLM\System\CurrentControlSet\Services\NTDS\Parameters" for a REG_DWORD entry “DSA Not Writable” set to "0×4".
Delete the “DSA Not Writable” entry and reboot the server.
0
 

Author Comment

by:limmontreefree
Comment Utility
yes I did the authoritative restore,

And after your last orders it seem to run correctly.

Many thanks.
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
Glad to hear it.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now