Solved

Windows 2003 PDC (and GC) crashed, how to get other DC to authenticate network servers

Posted on 2014-01-06
18
346 Views
Last Modified: 2014-01-07
We have a very old Windows 2003 network that we are in the process of upgrading.  However, our PDC crashed.  It also was the GC.  Now half of my users and servers can authenticate, but others can't access any network services.  The Exchange 2003 server we have can't start the Exchange services.  It gives us a "Server is not Operational" error, which I looked up and is related to naming.

We only have one additional DC.  I'm going to add another, but for right now, I have to get everyone operational.  Can I seize the roles, even though I only have one remaining DC?  I read not to seize them to the same server as the GC.  Right now, there is no GC.  Can I go ahead and seize them, and then add another DC afterwards and make it the GC?  Or do I have to have the GC right now?  Any advice would be greatly appreciated.
0
Question by:TOHIT
18 Comments
 
LVL 18

Accepted Solution

by:
Jeremy Weisinger earned 125 total points
ID: 39759848
Make the DC a GC now.

If the crashed DC will never be restored and brought online then you should seize the roles. No issues doing it on a GC.

Seizing roles: http://www.petri.co.il/seizing_fsmo_roles.htm
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 125 total points
ID: 39759849
The short answer is yes... if you know for a fact that the original DC is dead and will never be on the network again then seize the roles... all of them. Get everything up and running again, and then build and promote a second DC so you have redundancy.

The information about not having a GC on the same machine as an Infrastructure master is what you are referring to... and that information is not entirely concrete.

The reason the GC should not be on the IM is in situations where you have multiple DCs, and not all of them are GCs. In that instance, you specifically do not want the GC to be on the IM because then only the GCs will get information about newly created/deleted objects and replication will not sync properly. HOWEVER.... If ALL of your DCs are also GCs, then it is acceptable to have the GC on the IM.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759857
I should also note that the main issue with authentication and functionality is not having a GC available. The FSMO roles could be offline for a bit and no one would notice unless someone did a task that required one of the roles. The most notable would be changing a user password.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 125 total points
ID: 39759868
What I would recommend is if you have an additional DC make sure that you enable it as a GC (from Sites and Services). Once that is done do the following...
- Seize the roles to your additional DC
- Make sure that all of your servers and clients are pointing to the ADC for DNS
- Power off your old PDC server (do not power back on after seizure)
- Set the new PDC server as the authoritative time source
- Restart the Exchange services (may require a full reboot)
- Delete the computer account of the old DC
- Perform metadata cleanup after the DC has been removed

Seizing the Roles - https://support.microsoft.com/kb/255504
Set PDC Time Source - http://technet.microsoft.com/en-us/library/cc794823(v=ws.10).aspx
Metadata cleanup - http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Notes: Your Exchange server will not function without a GC so that is the first step. If some clients are authenticating, make sure the others are pointing DNS to the additional DC you have in your environment.

Will.
0
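The post-seizure checklist above, and the later point that DNS is the first priority, can be verified from one script. This is an added example, not from the thread or any of its posters; it assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows Server 2008 R2 or later, so not the 2003 box itself, where ntdsutil and netdom are the equivalents) and uses the hypothetical DC name DC02.

```powershell
# Added verification script (not from the thread). Hypothetical surviving DC: DC02.
Import-Module ActiveDirectory

$SurvivingDC = 'DC02'
$Domain = Get-ADDomain
$Forest = Get-ADForest

# Seizure itself (run once, only if the old holder is gone for good). -Force makes
# this a seize rather than a transfer; it does not contact the dead DC.
# Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDC -Force `
#   -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

# 1. All five FSMO roles should now report the surviving DC as holder.
$roles = [ordered]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $state = if ($r.Value -like "$SurvivingDC.*") { 'OK' } else { 'NOT on surviving DC' }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $state
}

# 2. GC status per DC. Exchange will not start without a reachable GC, and any DC
#    still listed here that no longer exists is a metadata-cleanup candidate.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, Site, IPv4Address |
    Format-Table -AutoSize

# 3. DNS on this host: resolvers should point only at live DC/DNS servers.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 4. DC locator records: if these SRV lookups fail or still name the dead DC,
#    domain members cannot find a DC or GC regardless of role ownership.
'_ldap._tcp.dc._msdcs.{0}' -f $Domain.DNSRoot,
'_gc._tcp.{0}' -f $Forest.Name |
    ForEach-Object {
        Resolve-DnsName -Name $_ -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port
    }
```

A stale NameTarget in step 4 is the symptom TOHIT later describes (event 1053, DNS registration failures): the member still resolves the failed DC.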
 

Author Comment

by:TOHIT
ID: 39759881
Thanks, this is all very helpful.  Will the fact that the original dc with the roles and the gc crashed affect my ability to make the other dc a gc?  I just went into the sites and servers and selected gc for the remaining dc.  I can open the users and computers.  Is that all I need?  I'm still having trouble with my exchange server seeing the domain controller.
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 39759882
No... you can make it a GC without issue... but you also want to seize the roles so the remaining DC can take over as the master for each role.
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 39759888
And AFTER you have the roles and the GC sorted out, and have given enough time for the DC to realize the old machine is no longer there (see the link earlier about metadata cleanup), you'll want to reboot your Exchange server so it can re-establish its connection and start up properly.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759921
On the Exchange server make sure its DNS is configured correctly and then reboot.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39759932
Use the link below which illustrates exactly where to make this change in Sites and Services.

Exchange WILL NOT WORK if your GC is offline. Once you have enabled the additional DC as a GC you will probably need to reboot your Exchange server anyways. Make sure that your Exchange server is only pointing to the additional DC and remove the DNS entry for the old PDC that failed.

Promote DC to GC - http://support.microsoft.com/kb/296882

Will.
0
 

Author Comment

by:TOHIT
ID: 39760444
I have demoted the old server.  However, when we try to log the Exchange server on after a reboot, I get the following errors:

I get an event id 1053 and a description of - Windows cannot determine the user or computer name.  

I also get a dnsapi error id 11166 which is described as the system not being able to register host (a) resource records (RR) for adapter.  

Any ideas?
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39760508
It sounds like it's pointing to the wrong DNS server. Is the working DC a DNS server too?
0
 

Author Comment

by:TOHIT
ID: 39760639
No, but I'm thinking of making it one.
0
 

Author Comment

by:TOHIT
ID: 39760663
Also, I have a lot of errors pertaining to opening the group policy.  When I go into the Domain Security Settings, it says it can't find the network path.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39760694
You said you demoted the DC were you able to transfer the FSMO roles to the other DC first?

If the additional DC does have the FSMO roles and it's the only DC left in the environment, you need to seize all of the roles to the DC that is still active. Also make this DC a GC as I suggested earlier. Your DC needs to be a DNS server as well and have your clients and other servers point to it for DNS.

Will.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39761225
Will, TOHIT already made the DC a GC, at least according to this post.

TOHIT, do you have any DNS server in the environment or was it just the failed DC? If the failed DC is the only DNS server, then you need to install DNS. This is first priority since so much is dependent on it (Exchange, a lot of aspects of AD, authentication, etc). You then need to make sure all computers are pointed to the DC for DNS.

Once you have a GC (which I believe you already took care of) and a DNS server, that will get you back to 99% functional.
0
 

Author Comment

by:TOHIT
ID: 39762457
Thanks for all the help.  I found the main problem was that the DNS server we were using temporarily had an incorrect entry for the DC I seized the roles with.  One last question.  I now have the DC running with the FSMO roles and as a GC, and I set up DNS on it.  I am now bringing up another DC so that we have some backup.  I am also making it another DNS server.  Should I also make it a GC?  It is a single site, with about 240 users.  That will make two DCs, two DNS servers, and two GCs total.
0
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 125 total points
ID: 39762491
I would suggest making it a GC, particularly because of Exchange.
If you have maintenance on the first box and have to reboot, Exchange will need that other GC or will have issues.  Two of each is perfect.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39762569
Yes, make it a GC.
0
