Domain Controller help

I have two domain controllers, DC (server 2003) and DC02 (server 2008 r2). Recently the management company changed and they came and took their router without giving me opportunity to dcpromo away from the corporate office forest.

I am a local domain admin, but subsequently, I can no longer log onto DC. I tried recovery mode on DC; that password didn't work either. However, DC has a file share which still works normally; all users can access it, etc.

DC02 allows me to logon, create new users in AD, change passwords, and generally be an admin. My recovery mode password for DC02 works. I can log on to all other servers and computers as a domain admin.

I use Dameware. Dameware tells me that DC02 is the PDC (primary) and DC is the BDC (backup).

I also looked a little deeper trying to figure out why I can't log onto DC. Dameware also reported a strange setting:

Under DC > Properties > Network > Logged on users = 1; Max users = -1. (yea, that's negative 1).

For comparison, DC02 > Properties > Network > Logged on = 30; Max = somewhere north of 17 millon users.

Is this a clue that you experts can help figure out why I can't log into DC?
Who is Participating?
arnoldConnect With a Mentor Commented:
You have to use sites and services expand until you get to the DC and DC02's NTDSM get properties and tick the GC option.

Your only option is to sieze the roles using ntdsutils.

You need to present to your higher ups the options on what it is you recommend to resolve the issues experienced by your users.  There is little else you can do.

You seem to have a limited delegated administrative role account for some functions.
Login as admin onto any other system and use tools there i.e. ADUC, GPMC, etc to manage the AD and correct the issues you have.  IS the DC that is local an RODC?
Elixir2Author Commented:
Well, honestly, that's where my knowledge fades out a little. I'm going to need lower level instruction on where to look. I'm familiar with using ADUC and GPMC - and this site has a fairly comprehensive group policy, which I'd like to keep.

As far as I know, no one at the corporate office made "DC" an RODC server. I have not done it. From what I read, only 2008 servers can be RODCs? DC is Server 2003.

But still, I used to be able to log on to DC prior to the management change. Now I can't.

How can I determine what roles each one has DC vs DC02?
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Not an issue with roles.  Login into a system on which you have admin rights.  add GPMC, add the ADUC control.  Using GPMC run the group policy wizard on the DC with you as the user and look at whether there is a GPO that was pushed that prevents you from loging in.
i.e. there is a allow locallogin <Custom_admin_group> of which you are not a member.
Severing your connection from the Main DC, is possible using ntdsutils, but if you ever hope to reconnect the two, you should not proceed along these lines.

It sounds as though what was taken out is a firewall/VPN that was connecting the two locations.  Any plan on reestablish?
Elixir2Author Commented:
That, of course, is everyone's first question. Can we reconnect to the AD forest even just for a short time? Short answer - no. There is no chance of reconnection.

However, I have considered everything from completely breaking the AD directory domain and starting from scratch. But I would be OK with demoting DC to just a member server as a first step.

I know that when either DC or DC02 are powered off, users have trouble logging on and accessing the internet. Hence my question about roles.
Are both DC and DC02 within your location?

You can use ntdsutil assert that DC is now the master by seizing all roles.
But this is a one way trip.  Any changes you make will not propagate.

Depending on what resources you have, there is always a way to connect the two even for a short duration for the purpose of synchronization.  To speed up logins, you need to have the local DC include the GC role.  Your further need to make sure that the local DC is the first one attempted. Your issue might be that a user login attempt is presented with DC and DC02 as Logon Servers.  When the workstation/system picks the DC02 to which to send the authentication request, it will take a timeout possibly 30 seconds, before the authentication is resent to the other DC.

Using Site and service, along with ADUC, and GPMC set forth that the local DC must be tried first which should speed up the process.
Elixir2Author Commented:
I'm sorry, I wrote a long reply to this -- and it's gone!
So here goes again:

Both DC and DC02 are at my location. They can no longer communicate with the rest of the forest. There is no possibility of reconnect due to (uncooperative) management change.

I have access to the system logs on DC (even though I cannot log in). See attached.DC-errorlog.txt
I want to make DC02 the GC to stop these 1030 and 1864  errors. I want to dis-join from the forest? I cannot log in to DC and I'm afraid of propagating these login problems so that I can't log in to ANY computer.

I need help with GPMC.
Elixir2Author Commented:
In Sites and Services, DC02 is the GC checkbox, and DC does not. Which is as I want it.
I will open a new thread re: seizing roles. I have already presented a few times to the management.
I am a domain admin, but not an enterprise admin, from what I understand.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.