Domain Controller help

Posted on 2014-01-30
Medium Priority
Last Modified: 2014-02-17
I have two domain controllers, DC (server 2003) and DC02 (server 2008 r2). Recently the management company changed and they came and took their router without giving me opportunity to dcpromo away from the corporate office forest.

I am a local domain admin, but subsequently, I can no longer log onto DC. I tried recovery mode on DC; that password didn't work either. However, DC has a file share which still works normally; all users can access it, etc.

DC02 allows me to logon, create new users in AD, change passwords, and generally be an admin. My recovery mode password for DC02 works. I can log on to all other servers and computers as a domain admin.

I use Dameware. Dameware tells me that DC02 is the PDC (primary) and DC is the BDC (backup).

I also looked a little deeper trying to figure out why I can't log onto DC. Dameware also reported a strange setting:

Under DC > Properties > Network > Logged on users = 1; Max users = -1. (yea, that's negative 1).

For comparison, DC02 > Properties > Network > Logged on = 30; Max = somewhere north of 17 million users.

Is this a clue that you experts can help figure out why I can't log into DC?
Question by: Elixir2
LVL 79

Expert Comment

ID: 39823297
Log in as admin onto any other system and use the tools there, i.e. ADUC, GPMC, etc., to manage the AD and correct the issues you have.  Is the DC that is local an RODC?

Author Comment

ID: 39824258
Well, honestly, that's where my knowledge fades out a little. I'm going to need lower level instruction on where to look. I'm familiar with using ADUC and GPMC - and this site has a fairly comprehensive group policy, which I'd like to keep.

As far as I know, no one at the corporate office made "DC" an RODC server. I have not done it. From what I read, only 2008 servers can be RODCs? DC is Server 2003.

But still, I used to be able to log on to DC prior to the management change. Now I can't.

How can I determine what roles each one has DC vs DC02?
LVL 79

Expert Comment

ID: 39824947
Not an issue with roles.  Log in to a system on which you have admin rights.  Add GPMC, add the ADUC control.  Using GPMC, run the group policy wizard on the DC with you as the user and look at whether there is a GPO that was pushed that prevents you from logging in.
i.e. there is an allow local login <Custom_admin_group> of which you are not a member.
Severing your connection from the main DC is possible using ntdsutil, but if you ever hope to reconnect the two, you should not proceed along these lines.

It sounds as though what was taken out is a firewall/VPN that was connecting the two locations.  Any plan to reestablish?
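The check the comment above describes (run the Group Policy Results wizard against DC and look at who holds "Allow log on locally") can also be scripted. The following is an added example, not code from the thread: it assumes the RSAT GroupPolicy and ActiveDirectory modules on a Server 2008 R2 machine the author can log into, that DC still answers RSoP/WMI queries on the network, and the layout of the RSoP XML report (a `UserRightsAssignment` element per right with a `Name` and `Member/Name` children), which is assumed from the report format rather than taken from the thread. The names `DC` and `Elixir2` are the ones used in the question.

```powershell
# Added example (not from the thread): find out whether a GPO applied to DC grants or denies
# the interactive logon right (SeInteractiveLogonRight / SeDenyInteractiveLogonRight) to a
# group the account actually belongs to. Written for PowerShell 2.0 (Server 2008 R2).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$targetDc = 'DC'        # the DC the author cannot log on to (name from the thread)
$account  = 'Elixir2'   # the domain admin account in question (name from the thread)
$report   = Join-Path $env:TEMP ('rsop-' + $targetDc + '.xml')

# Computer-scope RSoP for DC: user rights assignments are computer-side settings.
Get-GPResultantSetOfPolicy -Computer $targetDc -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content -Path $report

# Assumed report layout: one UserRightsAssignment node per right, namespace-prefixed,
# hence the local-name() XPath so the prefix does not matter.
$logonRights = foreach ($ura in $rsop.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
    $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
    if ($right -notmatch '^Se(Deny)?InteractiveLogonRight$') { continue }
    $members = $ura.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
        ForEach-Object { $_.InnerText }
    New-Object PSObject -Property @{
        Right   = $right
        Members = ($members -join ', ')
    }
}
$logonRights | Format-Table Right, Members -AutoSize

# Groups the account is a member of (including nested membership via the token groups
# is out of scope here; direct membership is enough to spot a missing custom admin group).
$groups = Get-ADPrincipalGroupMembership -Identity $account | Select-Object -ExpandProperty Name
Write-Host "Direct group membership of ${account}: $($groups -join ', ')"

# Flag the two failure modes the comment describes: no allow entry matches any of the
# account's groups, or a deny entry matches one of them.
$allow = $logonRights | Where-Object { $_.Right -eq 'SeInteractiveLogonRight' }
$deny  = $logonRights | Where-Object { $_.Right -eq 'SeDenyInteractiveLogonRight' }
foreach ($g in $groups) {
    if ($deny  -and $deny.Members  -match [regex]::Escape($g)) { Write-Warning "Denied via group: $g" }
    if ($allow -and $allow.Members -match [regex]::Escape($g)) { Write-Host   "Allowed via group: $g" }
}
```

If the allow list contains only a custom group (the `<Custom_admin_group>` case in the comment) and none of the account's groups appear in it, that GPO is the reason the console logon fails; the fix is group membership or a GPO link change made from DC02 or another machine with GPMC, not anything done on DC itself. RDP logons additionally need "Allow log on through Terminal Services", which the same report contains under its own right name.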

Author Comment

ID: 39825613
That, of course, is everyone's first question. Can we reconnect to the AD forest even just for a short time? Short answer - no. There is no chance of reconnection.

However, I have considered everything from completely breaking the AD directory domain and starting from scratch. But I would be OK with demoting DC to just a member server as a first step.

I know that when either DC or DC02 are powered off, users have trouble logging on and accessing the internet. Hence my question about roles.
LVL 79

Expert Comment

ID: 39825633
Are both DC and DC02 within your location?

You can use ntdsutil to assert that DC is now the master by seizing all roles.
But this is a one-way trip.  Any changes you make will not propagate.

Depending on what resources you have, there is always a way to connect the two even for a short duration for the purpose of synchronization.  To speed up logins, you need to have the local DC include the GC role.  You further need to make sure that the local DC is the first one attempted. Your issue might be that a user login attempt is presented with DC and DC02 as Logon Servers.  When the workstation/system picks the DC02 to which to send the authentication request, it will take a timeout, possibly 30 seconds, before the authentication is resent to the other DC.

Using Sites and Services, along with ADUC and GPMC, set forth that the local DC must be tried first, which should speed up the process.

Author Comment

ID: 39835963
I'm sorry, I wrote a long reply to this -- and it's gone!
So here goes again:

Both DC and DC02 are at my location. They can no longer communicate with the rest of the forest. There is no possibility of reconnect due to (uncooperative) management change.

I have access to the system logs on DC (even though I cannot log in). See attached DC-errorlog.txt.
I want to make DC02 the GC to stop these 1030 and 1864 errors. I want to dis-join from the forest? I cannot log in to DC and I'm afraid of propagating these login problems so that I can't log in to ANY computer.

I need help with GPMC.
LVL 79

Accepted Solution

arnold earned 2000 total points
ID: 39836199
You have to use Sites and Services, expand until you get to DC's and DC02's NTDS Settings, get properties and tick the GC option.

Your only option is to seize the roles using ntdsutil.

You need to present to your higher ups the options on what it is you recommend to resolve the issues experienced by your users.  There is little else you can do.

You seem to have a limited delegated administrative role account for some functions.

Author Comment

ID: 39840912
In Sites and Services, DC02 has the GC checkbox ticked, and DC does not. Which is as I want it.
I will open a new thread re: seizing roles. I have already presented a few times to the management.
I am a domain admin, but not an enterprise admin, from what I understand.
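The roles question earlier in the thread ("How can I determine what roles each one has DC vs DC02?"), the accepted solution's GC checkbox and the seize-roles advice all depend on first knowing who the directory believes holds each FSMO role and whether that holder is one of the two local DCs or a machine in the severed corporate forest. The following is an added example, not code from the thread or from the commenter: it assumes the ActiveDirectory module (RSAT or a Server 2008 R2 DC) on the machine it runs from, and that DC02 is reachable. The event IDs 1030 and 1864 and the host name `DC02` are the ones given in the thread; everything else is read-only inventory, no roles are seized.

```powershell
# Added example (not from the thread): read-only inventory of FSMO holders, GC flags and
# replication state before any ntdsutil seizure is considered. PowerShell 2.0 compatible.
Import-Module ActiveDirectory

# Role holders as recorded in the directory. A holder that is not DC or DC02 lives in the
# corporate forest the site can no longer reach, and is the role that would need seizing.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = New-Object PSObject -Property @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles | Format-List

$localDcs = @('DC', 'DC02')   # the two DCs at the author's site (names from the thread)
foreach ($prop in $roles.PSObject.Properties) {
    $host = ($prop.Value -split '\.')[0]
    if ($localDcs -notcontains $host) {
        Write-Warning ("{0} is held by {1}, which is not a local DC" -f $prop.Name, $prop.Value)
    }
}

# Per-DC view of this domain: GC flag (the Sites and Services checkbox), RODC flag (answers
# the first comment's RODC question) and the roles each DC itself reports holding.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# Replication health from DC02's point of view. Partners in the unreachable forest will show
# as failures here; that is the condition behind the 1864 events mentioned in the thread.
repadmin /showrepl DC02 /errorsonly
repadmin /replsummary

# Recent 1864 (stale replication partner) entries in DC02's Directory Service log.
Get-WinEvent -ComputerName 'DC02' -FilterHashtable @{ LogName = 'Directory Service'; Id = 1864 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

The warning lines are the decision input for the seize-roles step the accepted solution names: only roles whose recorded holder is outside the site need to be seized, and the inventory should be re-run afterwards to confirm the directory now lists DC or DC02 for each of them. Event 1030 (group policy processing) is logged in the Application log under the Userenv source on Server 2003 and in the System log under the Group Policy source on 2008 R2, so the query above would need the matching log name for that ID.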
