Solved

Domain Controller help

Posted on 2014-01-30
313 Views
Last Modified: 2014-02-17
I have two domain controllers, DC (server 2003) and DC02 (server 2008 r2). Recently the management company changed and they came and took their router without giving me opportunity to dcpromo away from the corporate office forest.

I am a local domain admin, but subsequently, I can no longer log onto DC. I tried recovery mode on DC; that password didn't work either. However, DC has a file share which still works normally; all users can access it, etc.

DC02 allows me to logon, create new users in AD, change passwords, and generally be an admin. My recovery mode password for DC02 works. I can log on to all other servers and computers as a domain admin.

I use Dameware. Dameware tells me that DC02 is the PDC (primary) and DC is the BDC (backup).

I also looked a little deeper trying to figure out why I can't log onto DC. Dameware also reported a strange setting:

Under DC > Properties > Network > Logged on users = 1; Max users = -1. (yea, that's negative 1).

For comparison, DC02 > Properties > Network > Logged on = 30; Max = somewhere north of 17 million users.

Is this a clue that you experts can help figure out why I can't log into DC?
Question by: Elixir2

8 Comments

LVL 76

Expert Comment

by:arnold
ID: 39823297
Log in as admin onto any other system and use the tools there, i.e. ADUC, GPMC, etc., to manage the AD and correct the issues you have.  Is the DC that is local an RODC?
LVL 1

Author Comment

by:Elixir2
ID: 39824258
Well, honestly, that's where my knowledge fades out a little. I'm going to need lower level instruction on where to look. I'm familiar with using ADUC and GPMC - and this site has a fairly comprehensive group policy, which I'd like to keep.

As far as I know, no one at the corporate office made "DC" an RODC server. I have not done it. From what I read, only 2008 servers can be RODCs? DC is Server 2003.

But still, I used to be able to log on to DC prior to the management change. Now I can't.

How can I determine what roles each one has DC vs DC02?
LVL 76

Expert Comment

by:arnold
ID: 39824947
Not an issue with roles.  Log in to a system on which you have admin rights, add GPMC, add the ADUC control.  Using GPMC, run the group policy wizard on the DC with you as the user and look at whether there is a GPO that was pushed that prevents you from logging in,
i.e. there is an "allow local login <Custom_admin_group>" of which you are not a member.
Severing your connection from the main DC is possible using ntdsutil, but if you ever hope to reconnect the two, you should not proceed along these lines.

It sounds as though what was taken out is a firewall/VPN that was connecting the two locations.  Any plan on reestablish?
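The two checks arnold describes (which DC holds which role, and whether a pushed GPO changed who may log on locally to DC) can be run from DC02 or any 2008 R2 machine with RSAT without clicking through the GPMC wizard. The PowerShell below is an added example, not code from this thread; the names DC, DC02, the output path C:\temp and the domain contoso.local are placeholders. It assumes the ActiveDirectory and GroupPolicy modules are installed and that it is run as the poster's domain admin account.

```powershell
# Added example, not from the original thread. Run on DC02 or a 2008 R2 member
# server with RSAT (ActiveDirectory + GroupPolicy modules). DC, DC02, C:\temp
# and contoso.local are placeholder names (assumptions).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. FSMO roles per DC. The Dameware "PDC/BDC" labels only reflect which DC
#    holds the PDC emulator role; this shows all five roles and the GC flag.
netdom query fsmo
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles

# 2. Resultant Set of Policy for the computer DC, i.e. what the GPMC
#    "Group Policy Results" wizard produces (computer scope, HTML report).
#    C:\temp must already exist.
Get-GPResultantSetOfPolicy -Computer DC -ReportType Html -Path C:\temp\rsop-DC.html

# 3. Every GPO in the domain that sets "Allow log on locally"
#    (SeInteractiveLogonRight) or "Deny log on locally"
#    (SeDenyInteractiveLogonRight), and who it names. A custom admin group the
#    poster is not a member of, or a deny that matches them, would show here.
$rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
foreach ($report in (Get-GPOReport -All -ReportType Xml)) {
    $doc = [xml]$report
    # local-name() sidesteps the namespace prefixes in the GPO XML report.
    $gpoName = $doc.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText
    foreach ($ura in $doc.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($rights -notcontains $right) { continue }
        $members = $ura.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
            ForEach-Object { $_.InnerText }
        [pscustomobject]@{ GPO = $gpoName; Right = $right; Members = ($members -join ', ') }
    }
}

# 4. Compare the groups above with the poster's own token.
whoami /groups
```

Step 3 is the part the GPMC wizard makes tedious: it lists every GPO that touches the interactive logon rights at once, so a policy that was pushed from the corporate side and that replaced BUILTIN\Administrators with a group the poster is not in stands out immediately. If nothing matches and the RSoP report also shows nothing unusual, the failure to log on to DC is not a Group Policy problem.
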
LVL 1

Author Comment

by:Elixir2
ID: 39825613
That, of course, is everyone's first question. Can we reconnect to the AD forest even just for a short time? Short answer - no. There is no chance of reconnection.

However, I have considered everything from completely breaking the AD directory domain and starting from scratch. But I would be OK with demoting DC to just a member server as a first step.

I know that when either DC or DC02 are powered off, users have trouble logging on and accessing the internet. Hence my question about roles.
LVL 76

Expert Comment

by:arnold
ID: 39825633
Are both DC and DC02 within your location?

You can use ntdsutil to assert that DC is now the master by seizing all roles.
But this is a one-way trip.  Any changes you make will not propagate.

Depending on what resources you have, there is always a way to connect the two even for a short duration for the purpose of synchronization.  To speed up logins, you need to have the local DC include the GC role.  You further need to make sure that the local DC is the first one attempted.  Your issue might be that a user login attempt is presented with DC and DC02 as logon servers.  When the workstation/system picks the DC02 to which to send the authentication request, it will take a timeout, possibly 30 seconds, before the authentication is resent to the other DC.

Using Sites and Services, along with ADUC and GPMC, set forth that the local DC must be tried first, which should speed up the process.
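Whether a workstation is being handed an unreachable DC or is failing to find a Global Catalog can be observed directly with the DC locator rather than inferred from logon delays. The following is an added example, not from the thread; contoso.local, the subnet 10.0.0.0/24 and the site name Default-First-Site-Name are placeholders, and it assumes a domain-joined workstation with RSAT for the last two steps.

```powershell
# Added example, not from the original thread. Run on a domain-joined
# workstation as a domain admin. contoso.local, 10.0.0.0/24 and
# Default-First-Site-Name are placeholder values (assumptions).
$domain = 'contoso.local'

# 1. Which site this machine believes it is in, and which DC the locator
#    picked for it. /force bypasses the cached answer.
nltest /dsgetsite
nltest /dsgetdc:$domain /force

# 2. Same lookup, but requiring a Global Catalog. An error here, or a
#    corporate DC that is no longer reachable, is the 30-second timeout
#    described above happening at logon time.
nltest /dsgetdc:$domain /gc /force

# 3. Every DC the domain still advertises, including the ones that are gone.
nltest /dclist:$domain

# 4. Subnet-to-site mapping. A client on a subnet with no mapping is not
#    steered to the DCs in its own site first.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$cfg" `
    -Filter 'objectClass -eq "subnet"' -Properties siteObject |
    Select-Object Name, siteObject

# 5. Map the office subnet to the site that holds DC and DC02 if step 4
#    shows no entry for it (Sites and Services > Subnets > New Subnet).
New-ADObject -Name '10.0.0.0/24' -Type subnet -Path "CN=Subnets,CN=Sites,$cfg" `
    -OtherAttributes @{ siteObject = "CN=Default-First-Site-Name,CN=Sites,$cfg" }
```

Step 2 is the one to run first: if `nltest /dsgetdc ... /gc` fails while the plain lookup succeeds, no reachable DC is advertising as a GC, which matches the poster's later observation that only DC02 should carry the GC flag and explains slow logons better than the role question does.
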
LVL 1

Author Comment

by:Elixir2
ID: 39835963
I'm sorry, I wrote a long reply to this -- and it's gone!
So here goes again:

Both DC and DC02 are at my location. They can no longer communicate with the rest of the forest. There is no possibility of reconnect due to (uncooperative) management change.

I have access to the system logs on DC (even though I cannot log in). See attached DC-errorlog.txt.
I want to make DC02 the GC to stop these 1030 and 1864 errors. I want to dis-join from the forest? I cannot log in to DC and I'm afraid of propagating these login problems so that I can't log in to ANY computer.

I need help with GPMC.
LVL 76

Accepted Solution

by: arnold (earned 500 total points)
ID: 39836199
You have to use Sites and Services, expand until you get to DC's and DC02's NTDS Settings, get Properties and tick the GC option.

Your only option is to seize the roles using ntdsutil.

You need to present to your higher ups the options on what it is you recommend to resolve the issues experienced by your users.  There is little else you can do.

You seem to have a limited delegated administrative role account for some functions.
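The two steps in the accepted answer, ticking Global Catalog on the NTDS Settings object and seizing the roles with ntdsutil, look like this from the command line on DC02. This is an added example, not from the thread or from arnold; DC02, Default-First-Site-Name, Corp-Site, CORPDC1 and contoso.local are placeholders. It assumes the ActiveDirectory module is present on DC02 and that, as arnold says, the corporate DCs will never be reconnected, because seizure is a one-way trip.

```powershell
# Added example, not from the original thread. Run on DC02 (2008 R2) as a
# domain admin. DC02, Default-First-Site-Name, Corp-Site, CORPDC1 and
# contoso.local are placeholder names (assumptions).
# One-way trip: after the roles are seized here, the original holders must
# never be brought back onto this network.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext

# 1. Tick "Global Catalog" on DC02's NTDS Settings. The GUI checkbox sets bit
#    0x1 of the options attribute on that object; do the same with -bor so
#    any other option bits already set are preserved.
$ntds = "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$cfg"
$opts = (Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
# Equivalent one-liner:  repadmin /options DC02 +IS_GC

# 2. Seize the five FSMO roles onto DC02. ntdsutil attempts a transfer first
#    and seizes only when the current holder does not answer; it pops up a
#    Yes/No confirmation for each role. The three domain roles (PDC, RID,
#    infrastructure) need Domain Admins; schema and naming master are
#    forest-wide and need Schema Admins / Enterprise Admins, which the poster
#    says they do not have, so those two may be refused.
ntdsutil "roles" "connections" "connect to server DC02" "quit" `
    "seize PDC" "seize RID master" "seize infrastructure master" `
    "seize schema master" "seize naming master" "quit" "quit"

# 3. Verify: roles now on DC02, and a GC is locatable.
netdom query fsmo
nltest /dsgetdc:contoso.local /gc /force
Get-ADDomainController -Identity DC02 | Select-Object HostName, IsGlobalCatalog

# 4. Caveat: the 1864 events (no replication received from a partner) keep
#    coming until the unreachable DCs are removed from the directory.
#    Remove each stale server object only once it is certain it will never
#    return; 2008 R2 does the metadata cleanup as part of the removal.
ntdsutil "metadata cleanup" `
    "remove selected server CN=CORPDC1,CN=Servers,CN=Corp-Site,CN=Sites,$cfg" `
    "quit" "quit"
```

Run step 1 and check `nltest /dsgetdc ... /gc` before touching the roles: enabling the GC on DC02 is reversible and addresses the poster's immediate goal, whereas step 2 and step 4 are the point of no return that arnold warns about.
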
LVL 1

Author Comment

by:Elixir2
ID: 39840912
In Sites and Services, DC02 has the GC checkbox ticked, and DC does not. Which is as I want it.
I will open a new thread re: seizing roles. I have already presented a few times to the management.
I am a domain admin, but not an enterprise admin, from what I understand.