Solved

2003 R2 Domain issue.

Posted on 2013-11-06
17
360 Views
Last Modified: 2013-11-11
Hello I have  two Domain controller  running 2003 R2 (yes I know I have to migrate, and I 'll do when I repair it).

today I meet "DC2" without free disk space, then I expand the disk (solved) but the problem is that the Domain controllers don't replicate to the other.

DC2 event log:
- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

 -System: event Id 4  source Kerberos -->  kerberos client received an error .... the password is different ...

and a lot of events showing NTDS replication, DNS, ...

DC1 event log:
- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

and a lot of events showing NTDS replication, DNS, ...


I have done a "dcpromo /force removed" in DC2 (because the kerveros event sound bad) , and in DC 1 seize the 5 roles, en the DNS by hand I cleaned all the DC2 items.

If I look in "user and Active Directory computers" I can see all the computers and user of the Active Directory.

But in the DC1 events I found:

- Application : event Id 1030 source Userenv -->  Windows can not query for the list of Group Policy objects

-System: event Id 5774 source NETLOGON --> there has been an error in recording dynamic DNS registration:
"DomainDnsZones.CLIENT.local 600 IN A 169 254 101 244" on the following DNS server

For computers and users to locate this domain controller, this record must register in DNS


I think the problem Is in the DNS server.

Can I repair the DNS server?

Thanks.
0
Comment
Question by:limmontreefree
  • 10
  • 7
17 Comments
 
LVL 39

Expert Comment

by:footech
ID: 39627668
If you seized the roles to DC1, then you have to perform a metadata cleanup for DC2.

Run the following and post back.
dcdiag /v
dcdiag /v /test:dns
0
 

Author Comment

by:limmontreefree
ID: 39627678
thanks, yes I know, actually I'm working with the DC1 and DC2 (restored from backup) and in another VM I have (without NET)  DC1 as unique domain controller.

I'll send you the log.
0
 

Author Comment

by:limmontreefree
ID: 39627795
Here you are.

thanks
logs.zip
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:limmontreefree
ID: 39627908
If you prefer I can stop DC1 and DC2 and start the new DC1 (alone as Domain controller) and send the logs form it.

Really my idea is leave a 2003 R2 DC and attach a new 2012 DC to the system, pass all the roles to the new 2012 DC and then shut down the old 2003 R2.

Thanks.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 500 total points
ID: 39627930
What is 3DC.Client.local?  Check to make sure there aren't any DNS records for DC1 that point to it or records for 3DC that point to the IP for DC1 (remember to check PTR records).

Can you start the Netlogon service on DC1?

I'm unclear what you've done.  You said you removed DC2, but then you said you restored it from backup.  I'll ignore the separate/duplicate DC1 that's not connected to anything.

From the DC2 results, it looks like replication hasn't worked since the beginning of the year and has now gone beyond the tombstone lifetime.  With all the rest I would just demote it (forcefully if necessary), do the metadata cleanup, get DC1 healthy, and after that's all done, repromote DC2 (or whatever other machine).   I wouldn't promote a new DC until DC1 is working correctly.
0
 

Author Comment

by:limmontreefree
ID: 39627968
The server DC2 is named 3DC y rewrite it in the logs to make easier for you.

All the server are VM, after trying to shut down DC2 and because DC1 didn't goes  fine, I renamed the DC1's VHD and restored the DC1 and DC2, so now I can use both DC1 DC2 and the new alone DC1.

I think may be is better work with the alone DC1, and try repair the DNS.

I'll review the DNS configuration but I don't know much about DNS records.

I don't understand Why do you want to repromote DC2, I prefer attach a new 2012 server.

Thanks
0
 
LVL 39

Assisted Solution

by:footech
footech earned 500 total points
ID: 39628260
How did you restore the DCs?  If they were restored from snapshots, and taken at different times, there could be all sorts or problems with them, i.e. USN rollback, broken secure channel with domain members, etc.
This is turning into a mess.

If you want to work with the standalone DC1, get rid of the others.  Connect the DC1 to the network so that machines can use it.  There's little point in trying to repair a DC that other machines can't communicate with, as information can get out of sync, etc.

I don't care if you repromote DC2 or put in a new 2012 server.  I wrote that before I saw any mention of 2012.  So whichever way you want to proceed after DC1 is repaired is fine.

I'd like to see the current dcdiag results for whichever machine we're trying to repair.
0
 

Author Comment

by:limmontreefree
ID: 39628470
Hello Footech.

The backup and restore was made with servers stopped (so I think it's alright)

I will to depromote one DC and leave only one as DC (at the momento) but I don't know what server is better keep running as DC.

Can you help me? Reading the logs what is the best candidate?  or Is better use the tool replmon to force the replication?

Thanks for your help.
0
 
LVL 39

Expert Comment

by:footech
ID: 39628566
I would say it's better to demote DC2 because it hasn't had a successful inbound replication with DC1 since January.

With that said, please make up your mind which you want to work on:  the standalone DC or the currently connected one.
0
 

Author Comment

by:limmontreefree
ID: 39635876
I took the VMs and I'll do the tests in myserver.

I'll post the resoults.

Thanks
0
 

Author Comment

by:limmontreefree
ID: 39637476
Hello,

I do the following:

In dc2 dcpromo /forceremoval
dc2 shutdown definitely

In dc1 (named DC)
seize all roles
metadatacleanup
with adsiedit.msc
configuration --> CN=Sites--> CN=servers -->delete  entry CN=DC2

run dcdiag and  dcdiag /dns:test
and send the files to you.

in the dns I  can see many entrys pointing to DC2, but At the momento I don't delete it or change the value DC2 for DC.


Thanks
dcdiag.txt
dcdiag-dns.txt
0
 
LVL 39

Assisted Solution

by:footech
footech earned 500 total points
ID: 39637969
Can you start the Netlogon service?

If not, follow the steps in http://support.microsoft.com/kb/290762 to perform an authoritative restore.
0
 

Author Comment

by:limmontreefree
ID: 39638035
I don't know how to try start the netlogon service, I can't see in the services.

Thanks.

Have I to perform your link?

Thanks again for your patience.
0
 

Author Comment

by:limmontreefree
ID: 39638139
Ok I do it, and in the event Files Replication Service I get three event:

1.-
 Id 13501  the Files Replication Service is starting.

2.-
Id  135212
Warning The files replication service has detected a disk write cache in the unit containing  c:\windows\ntfrs\jet in the computer DC. It possible ......

3.-
Id 13516
The Files Replication Service no longer prevents that DC computer be a Domain Controller. ..

But If I do dcdiag /v in the services paragraph I get NETLOGON services is paused on DC.

also in the event viewer I get an NTDS  general event 1126  and  NTDS  general event 2103.

May be the server is in a USB rollback....

Please tell me your opinion to try to recover the Domain from the the other server.

Thanks again
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 39639369
I'm unclear, did you do the authoritative restore?

Try running the command
repadmin /options yourDCname -disable_inbound_repl
I don't think this is set, but I want to make sure.

You can start and stop the netlogon service with
net start netlogon
net stop netlogon


With DC2 removed, I believe when you run repadmin /showreps there shouldn't be any connections.  Is this what you're seeing?

Follow these steps:
Check the registry key “HKLM\System\CurrentControlSet\Services\NTDS\Parameters" for a REG_DWORD entry “DSA Not Writable” set to "0×4".
Delete the “DSA Not Writable” entry and reboot the server.
0
 

Author Comment

by:limmontreefree
ID: 39640160
yes I did the authoritative restore,

And after your last orders it seem to run correctly.

Many thanks.
0
 
LVL 39

Expert Comment

by:footech
ID: 39640232
Glad to hear it.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Learn about cloud computing and its benefits for small business owners.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question