Solved

need to restore or transfer DC roles - windows 2003

Posted on 2014-01-19
Last Modified: 2014-01-26
I have a Windows 2003 DC that is the schema master, RID, PDC, and Infrastructure. There are other DCs that I can move roles to. Below are the AD errors I’m getting. What happened is the server admin did a restore of the virtual machine back to 1/10/14. After doing so we're getting the below errors. I have a system state backup of 1/14/14. The other DCs have been online the entire time. The server that was restored from the system image of 1/14/14 is NET1. What should I do?

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1925
Date:            1/19/2014
Time:            6:15:47 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      NET1
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
DC=mydomain,DC=com
Source domain controller:
CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Source domain controller address:
8074f16d-f45c-4dda-90d7-cc17bf8820a7._msdcs.mydomain.com
Intersite transport (if any):
 
 
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
 
User Action
Verify if the source domain controller is accessible or network connectivity is available.
 
Additional Data
Error value:
8457 The destination server is currently rejecting replication requests.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1173
Date:            1/19/2014
Time:            6:08:58 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      NET1
Description:
Internal event: Active Directory has encountered the following exception and associated parameters.
 
Exception:
e0010002
Parameter:
0
 
Additional Data
Error value:
8451
Internal ID:
108132e

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      2095
Date:            1/19/2014
Time:            6:08:58 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      NET1
Description:
During an Active Directory replication request, the local domain controller (DC) identified a remote DC which has received replication data from the local DC using already-acknowledged USN tracking numbers.
 
 Because the remote DC believes it has a more up-to-date Active Directory database than the local DC, the remote DC will not apply future changes to its copy of the Active Directory database or replicate them to its direct and transitive replication partners that originate from this local DC.
 
 If not resolved immediately, this scenario will result in inconsistencies in the Active Directory databases of this source DC and one or more direct and transitive replication partners. Specifically the consistency of users, computers and trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data may vary, affecting the ability to log on, find objects of interest and perform other critical operations.
 
 To determine if this misconfiguration exists, query this event ID using http://support.microsoft.com or contact your Microsoft product support.
 
 The most probable cause of this situation is the improper restore of Active Directory on the local domain controller.
 
 User Actions:
 If this situation occurred because of an improper or unintended restore, forcibly demote the DC.
 
Remote DC:
8766be71-6bd6-41b9-8a2c-5a4ce3895ee1
Partition:
CN=Configuration,DC=mydomain,DC=com
USN reported by Remote DC:
13461782
USN reported by Local DC:
13336845


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by: gopher_49

14 Comments
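Added example (not part of gopher_49's question or of the Microsoft event text): Event 2095 is NET1 reporting that a replication partner already holds changes from NET1 at a higher USN (13461782) than NET1 itself now has (13336845). That is what a VM snapshot revert produces, because the revert rolls the database back but leaves the DC's invocation ID unchanged, so partners keep trusting the old, higher watermark. The script below confirms the three symptoms from an admin session with the Windows Server 2003 Support Tools (repadmin) installed. NET1, PDC and mydomain.com are taken from the event text; that PDC is a healthy partner (it is the source DC named in Event 1925), that the Remote Registry service on NET1 is reachable and that repadmin.exe is on the PATH are assumptions of mine.

```powershell
# Added example: confirm the USN rollback that Event 2095 reports on a Windows Server 2003 DC.
# Assumptions: NET1 is the restored DC, PDC is a healthy partner, the domain is mydomain.com
# (all from the event text); Remote Registry on NET1 is reachable and repadmin.exe is on the PATH.
$restoredDc = 'NET1'
$healthyDc  = 'PDC'
$domainNc   = 'DC=mydomain,DC=com'

# 1. NTDS writes "Dsa Not Writable" = 4 when it detects USN rollback and quarantines itself.
#    "DSA Previous Restore Count" only changes after a supported (backup API) restore, so it
#    stays absent/unchanged after a VM snapshot revert.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $restoredDc)
$ntds = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
$notWritable  = $ntds.GetValue('Dsa Not Writable')
$restoreCount = $ntds.GetValue('DSA Previous Restore Count')
"Dsa Not Writable           : $notWritable (4 = USN rollback detected, replication quarantined)"
"DSA Previous Restore Count : $restoreCount"

# 2. The quarantine is visible as DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL on the restored DC.
repadmin /options $restoredDc

# 3. NET1's own idea of where it is: highestCommittedUSN from RootDSE (one counter for all NCs).
$rootDse  = [ADSI]"LDAP://$restoredDc/RootDSE"
$localUsn = [int64]$rootDse.Properties['highestCommittedUSN'].Value

# 4. What the healthy partner has already received from NET1, from its up-to-dateness vector.
#    The entry is keyed by NET1's invocation ID, which the snapshot revert did not change.
#    Expected line shape:  Default-First-Site-Name\NET1 @ USN 13336845 @ Time 2014-01-19 18:08:58
$utdLine = repadmin /showutdvec $healthyDc $domainNc |
    Where-Object { $_ -match ('\\' + $restoredDc + '\s+@ USN\s+\d+') }
if (-not $utdLine) { throw "$healthyDc has no up-to-dateness entry for $restoredDc in $domainNc" }
$partnerUsn = [int64]([regex]::Match([string]$utdLine, '@ USN\s+(\d+)').Groups[1].Value)

"highestCommittedUSN on $restoredDc        : $localUsn"
"USN $healthyDc already holds from $restoredDc : $partnerUsn"
if ($partnerUsn -gt $localUsn) {
    # Same comparison Event 2095 makes: the partner is ahead of the source, so it refuses
    # replication from NET1 (error 8457 in Event 1925) until NET1 is rebuilt.
    "USN ROLLBACK: $healthyDc has changes from $restoredDc beyond its current USN."
} else {
    "No rollback visible against $healthyDc for $domainNc."
}
```

Step 4 is the decisive one: a partner can never legitimately have received a USN from a DC that is higher than that DC's own highestCommittedUSN. If the registry marker is 4 and step 4 shows the partner ahead, a system state restore of the 1/14 backup on top of this database will not clear the condition; the DC needs to be forcibly demoted and re-promoted, as the answers below say.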
 
Accepted Solution

by: Gareth Gudger (earned 167 total points)
The easiest fix might be to move all the roles.

Then DCPROMO to demote the server and then promote back with DCPROMO again.

Author Comment

by: gopher_49
I was thinking that might be the easier direction. I'll let the server admin know. I'll have him back up the system state on all other DCs first.

Expert Comment

by: Mike Kline
How did he restore the VM?  Sounds like he used a snapshot which is not supported until 2012.

More on that here     https://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx

They go over the steps to fix it (dcpromo /forceremoval, then metadata cleanup, then add it back and promote).

Please let us know if you have any questions.

Thanks

Mike

Author Comment

by: gopher_49
The server admin wants to restore the system state instead of demoting it. With that said, can I do it in normal mode of Windows 2003, or do I need to boot to AD recovery mode?

Assisted Solution

by: Will Szymkowski (earned 250 total points)
USNs are out of whack, and this is why you are having issues replicating. Doing restores incorrectly can cause serious issues. If you can demote this server gracefully, I would recommend this. Transfer the roles gracefully if possible, decommission and re-promote the DC, and let it replicate from the other DCs online.

If you have to seize the roles, you will need to do metadata cleanup, remove the object from Sites and Services, and also remove any SRV records from the _msdcs folder in DNS Manager.

If you seize the roles, you will need to format this DC, reload the OS, and then promote it back. You should not power this DC back on once you have seized the roles from it.

Before promotion of the DC make sure your replication is correctly sorted out.

Will.

Expert Comment

by: Mike Kline
Have the admin look at the steps outlined here

  https://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx

To correct this situation we need to do the following on the DC that has the rollback issue.

1) Forcefully demote the DC by running dcpromo /forceremoval. This will remove AD from the server without attempting to replicate any changes off. Once it is done and you reboot the server, it will be a standalone server in a workgroup.

2) Run a metadata cleanup of the DC that was demoted per KB article 216498 on one of the replication partners.

3) If the demoted server held any of the FSMO (Flexible Single Master Operations) roles then use the KB article 255504 to seize the roles to another DC.

4) Once replication has occurred end to end in your environment you can rejoin the demoted server back to the domain then promote to a DC.


Thanks

Mike
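Added example, not code from this thread or from the AskDS post Mike links: the recovery sequence that Will's and Mike's answers (and compdigit44's summary further down) describe, driven from a healthy domain controller that has the Windows Server 2003 Support Tools (ntdsutil, netdom, repadmin, dcdiag, dnscmd) available. Assumptions of mine: PDC is the healthy DC that takes the roles, NET1 is the rolled-back DC, mydomain.com and Default-First-Site-Name come from the event text, and _msdcs.mydomain.com is its own DNS zone, as a domain created on Windows Server 2003 gets; if _msdcs is still a subdomain of mydomain.com, the second dnscmd line covers it.

```powershell
# Added example: move the FSMO roles off the rolled-back DC, force-demote it, clean up its metadata
# and DNS records, and verify before re-promoting. Run from an interactive session on a healthy DC.
# Assumptions: PDC = healthy DC taking the roles, NET1 = rolled-back DC, domain mydomain.com,
# site Default-First-Site-Name, _msdcs.mydomain.com delegated as its own zone.
$healthyDc   = 'PDC'
$badDc       = 'NET1'
$domain      = 'mydomain.com'
$badServerDn = "CN=$badDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"
$fsmoRoles   = 'schema master', 'domain naming master', 'rid master', 'pdc', 'infrastructure master'

# 0. Who holds what before we start (per the question: NET1 holds schema, RID, PDC, infrastructure).
netdom query fsmo

# 1. Move every role to the healthy DC. ntdsutil's "seize" first attempts a normal transfer and
#    only seizes when the current holder cannot hand the role over, so one command covers both
#    the "transfer if possible" and "seize if you must" cases the thread discusses.
#    Each seize shows a confirmation dialog, so this must run interactively.
foreach ($role in $fsmoRoles) {
    ntdsutil 'roles' 'connections' "connect to server $healthyDc" 'quit' "seize $role" 'quit' 'quit'
}
netdom query fsmo      # every line should now name $healthyDc

# 2. On NET1 itself (not from this session): force-demote it. It cannot replicate its changes out,
#    which is the point; after the reboot it is a standalone server in a workgroup. A DC whose roles
#    were seized must not come back onto the network as a DC without this step.
#       dcpromo /forceremoval

# 3. Metadata cleanup on a surviving DC: remove NET1's NTDS Settings object (KB 216498). The
#    single-argument "remove selected server <DN>" form needs the Windows Server 2003 SP1 ntdsutil;
#    on pre-SP1 builds use the "select operation target" menu described in the KB instead.
ntdsutil 'metadata cleanup' 'connections' "connect to server $healthyDc" 'quit' `
    "remove selected server $badServerDn" 'quit' 'quit'

# 4. Leftovers the answers say to remove by hand: NET1's server object under Sites and Services
#    (if the cleanup left it) and its SRV/CNAME records under _msdcs. List what is still there
#    before deleting it in DNS Manager.
dnscmd $healthyDc /zoneprint "_msdcs.$domain" | findstr /i $badDc
dnscmd $healthyDc /zoneprint $domain         | findstr /i $badDc

# 5. Do not re-promote until every surviving DC agrees: no failures in the summary, and every DC
#    reports the new role holders. Only then re-join NET1 (netdom join) and run dcpromo on it again.
repadmin /replsummary
dcdiag /test:knowsofroleholders /q
```

The ordering differs slightly from Mike's list (roles first, then dcpromo /forceremoval) because that is what the thread settles on; the two orders are equivalent as long as the metadata cleanup in step 3 runs only after NET1 is off the network or demoted, and NET1 is not promoted again until step 5 is clean.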
 
Assisted Solution

by: Will Szymkowski (earned 250 total points)
It is not recommended to restore a system state into an environment where you have functioning DCs. It is better to demote and then promote and let it replicate with the other DCs online.

You only need to do a system state restore when you do not have any working DCs in your environment. From there you would add additional DCs and let them replicate accordingly.

You only need to do authoritative restores when you want to do single-item restores like user, computer, or OU objects.

Demote is what I am recommending. You will run into more issues if you do a system state restore.

Will.

Expert Comment

by: Mike Kline
A clean demotion probably won't work which is why the forceremoval will most likely be needed.  It is not as bad as it sounds.

Thanks

Mike

Author Comment

by: gopher_49
Okay. It's also a SharePoint server. This is why he didn't want to demote. So, should I transfer roles and then force demote?

Author Comment

by: gopher_49
The server admin chose to restore the system state. I assume he should boot to AD recovery mode? Anything he needs to do after the restore? This is the one that has all of the roles.

Assisted Solution

by: Gareth Gudger (earned 167 total points)
Yes, you will need to boot into DSRM and perform an authoritative restore. Otherwise you will be back where you started. Also, it is not a best practice to have SharePoint running on a DC.

Assisted Solution

by: Will Szymkowski (earned 250 total points)
You are going to run into issues if you restore the system state, as this is a DC as well. AD is more critical than SharePoint. Personally, if he is trying to recover the SharePoint part, I would be recovering from backup or an alternate method. Bringing the server back online with a system state restore (and this DC is the FSMO holder as well), you are just looking for trouble.

If you can transfer the roles, or seize the roles to another DC, then power this machine off and don't bring it back after the seize, if this is the method you use.

Will.

Assisted Solution

by: compdigit44 (earned 83 total points)
I agree with the other experts; your admin is making things even harder for other members of your team.

All you have to do to resolve this issue is:
1) Move all FSMO roles to a healthy DC
2) Wait for replication
3) Demote / force demote with metadata cleanup the problem DC
4) Wait for replication
5) Promote the old DC again...

Author Closing Comment

by: gopher_49
I agree with everyone.  This is what I suggested initially.