

Domain Controller help

Posted on 2014-01-30
Medium Priority
Last Modified: 2014-02-17
I have two domain controllers, DC (server 2003) and DC02 (server 2008 r2). Recently the management company changed and they came and took their router without giving me opportunity to dcpromo away from the corporate office forest.

I am a local domain admin, but subsequently, I can no longer log onto DC. I tried recovery mode on DC; that password didn't work either. However, DC has a file share which still works normally; all users can access it, etc.

DC02 allows me to logon, create new users in AD, change passwords, and generally be an admin. My recovery mode password for DC02 works. I can log on to all other servers and computers as a domain admin.

I use Dameware. Dameware tells me that DC02 is the PDC (primary) and DC is the BDC (backup).

I also looked a little deeper trying to figure out why I can't log onto DC. Dameware also reported a strange setting:

Under DC > Properties > Network > Logged on users = 1; Max users = -1. (yea, that's negative 1).

For comparison, DC02 > Properties > Network > Logged on = 30; Max = somewhere north of 17 million users.

Is this a clue that you experts can help figure out why I can't log into DC?
Question by: Elixir2
LVL 80

Expert Comment

ID: 39823297
Log in as admin onto any other system and use tools there, i.e. ADUC, GPMC, etc., to manage the AD and correct the issues you have.  Is the DC that is local an RODC?

Author Comment

ID: 39824258
Well, honestly, that's where my knowledge fades out a little. I'm going to need lower level instruction on where to look. I'm familiar with using ADUC and GPMC - and this site has a fairly comprehensive group policy, which I'd like to keep.

As far as I know, no one at the corporate office made "DC" an RODC server. I have not done it. From what I read, only 2008 servers can be RODCs? DC is Server 2003.

But still, I used to be able to log on to DC prior to the management change. Now I can't.

How can I determine what roles each one has DC vs DC02?
LVL 80

Expert Comment

ID: 39824947
Not an issue with roles.  Log in to a system on which you have admin rights, add GPMC, add the ADUC control.  Using GPMC, run the group policy wizard on the DC with you as the user and look at whether there is a GPO that was pushed that prevents you from logging in,
i.e. there is an allow local login <Custom_admin_group> of which you are not a member.
Severing your connection from the main DC is possible using ntdsutil, but if you ever hope to reconnect the two, you should not proceed along these lines.

It sounds as though what was taken out is a firewall/VPN that was connecting the two locations.  Any plan to reestablish?
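The expert's suggestion above (check roles, check for an RODC, and use GPMC to see which GPO governs local logon on DC) can be done from a console where the author can still log in. The script below is an added example, not something posted in this thread; it assumes the ActiveDirectory and GroupPolicy RSAT tooling on a Server 2008 R2 box, a domain-admin session, and that both DCs answer on the LAN. On a 2003-only console, `netdom query fsmo` gives the same role listing as the middle block.

```powershell
# Added example (not from the thread): inventory which DC holds which role,
# whether either is a GC or RODC, how replication between them looks, and
# who is granted "Allow log on locally" on DC according to resultant policy.
# Assumes: ActiveDirectory module available, run as a domain admin.
Import-Module ActiveDirectory

# Per-DC view: GC flag, RODC flag, and any operations-master roles held
Get-ADDomainController -Filter * |
    Select-Object Name, HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# Forest-wide roles live on the forest object, domain-wide roles on the domain object
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Replication partners of DC02 with failure counts and last success time.
# Failures toward the unreachable corporate DCs are expected in this scenario;
# failures between DC and DC02 would be the thing to fix first.
repadmin /showrepl DC02 /csv | ConvertFrom-Csv |
    Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Success Time' |
    Format-Table -AutoSize

# Resultant "Allow log on locally" on DC, pulled remotely with gpresult.
# The six context lines after the match list the granted principals and the winning GPO.
$rsop = gpresult /S DC /SCOPE COMPUTER /V
$rsop | Select-String -Pattern 'Allow log on locally' -Context 0, 6
```

If `gpresult /S DC` is refused because the author's account cannot authenticate to DC at all, the fallback is the one the expert describes: open the Default Domain Controllers Policy (and any GPO linked to the Domain Controllers OU) in GPMC and read Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally directly. `IsReadOnly = True` in the first table would confirm an RODC; the author's later point that Server 2003 cannot be an RODC is correct, so for DC this should read False.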


Author Comment

ID: 39825613
That, of course, is everyone's first question. Can we reconnect to the AD forest even just for a short time? Short answer - no. There is no chance of reconnection.

However, I have considered everything from completely breaking the AD directory domain and starting from scratch. But I would be OK with demoting DC to just a member server as a first step.

I know that when either DC or DC02 are powered off, users have trouble logging on and accessing the internet. Hence my question about roles.
LVL 80

Expert Comment

ID: 39825633
Are both DC and DC02 within your location?

You can use ntdsutil to assert that DC is now the master by seizing all roles.
But this is a one way trip.  Any changes you make will not propagate.

Depending on what resources you have, there is always a way to connect the two even for a short duration for the purpose of synchronization.  To speed up logins, you need to have the local DC include the GC role.  You further need to make sure that the local DC is the first one attempted. Your issue might be that a user login attempt is presented with DC and DC02 as Logon Servers.  When the workstation/system picks the DC02 to which to send the authentication request, it will take a timeout, possibly 30 seconds, before the authentication is resent to the other DC.

Using Sites and Services, along with ADUC and GPMC, set forth that the local DC must be tried first, which should speed up the process.

Author Comment

ID: 39835963
I'm sorry, I wrote a long reply to this -- and it's gone!
So here goes again:

Both DC and DC02 are at my location. They can no longer communicate with the rest of the forest. There is no possibility of reconnect due to (uncooperative) management change.

I have access to the system logs on DC (even though I cannot log in). See attached: DC-errorlog.txt
I want to make DC02 the GC to stop these 1030 and 1864 errors. I want to dis-join from the forest? I cannot log in to DC and I'm afraid of propagating these login problems so that I can't log in to ANY computer.

I need help with GPMC.
LVL 80

Accepted Solution

arnold earned 2000 total points
ID: 39836199
You have to use Sites and Services, expand until you get to DC's and DC02's NTDS Settings, get properties and tick the GC option.

Your only option is to seize the roles using ntdsutil.

You need to present to your higher ups the options on what it is you recommend to resolve the issues experienced by your users.  There is little else you can do.

You seem to have a limited delegated administrative role account for some functions.
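The two actions in the accepted answer, and in the earlier comment about seizing roles with ntdsutil, are shown below in PowerShell as an added example; these are not the expert's own commands. It assumes the ActiveDirectory module on DC02 (Server 2008 R2) or an RSAT console, an account that is at least a domain admin for the role seizure, and that the corporate-office DCs will never be reachable again, because seizure is not reversible and the old role holders must never be reconnected.

```powershell
# Added example (not from the thread): make DC02 a GC and seize the five
# operations-master roles onto it, then verify. Assumes: ActiveDirectory
# module, the name 'DC02' from the question, and permanently unreachable
# former role holders. Seizing is a one-way change.
Import-Module ActiveDirectory

$survivor = 'DC02'

# 1. Enable the GC. The Sites and Services checkbox sets bit 0x1 of the
#    'options' attribute on the server's NTDS Settings object; do the same here.
$ntdsDn = (Get-ADDomainController -Identity $survivor).NTDSSettingsObjectDN
$ntds   = Get-ADObject -Identity $ntdsDn -Properties options
if (([int]$ntds.options -band 1) -eq 0) {
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
}

# 2. Seize all five roles. -Force seizes when the current holder cannot be
#    contacted (ntdsutil "seize ..." does the same thing). Schema and domain
#    naming roles need Schema Admins / Enterprise Admins respectively; if the
#    account is only a domain admin, those two will be refused.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Verify. isGlobalCatalogReady is the rootDSE flag that flips to TRUE only
#    once the GC has finished building its partial partitions; until then the
#    checkbox is set but the server does not advertise itself as a GC.
Get-ADDomainController -Identity $survivor | Select-Object Name, IsGlobalCatalog, OperationMasterRoles
(Get-ADRootDSE -Server $survivor).isGlobalCatalogReady
```

Two caveats follow from the thread itself. The author says the account is a domain admin but probably not an enterprise admin, which is exactly the limit step 2 comments on: the domain-level roles (PDC emulator, RID master, infrastructure master) can be seized, but the forest-level ones cannot without Enterprise Admins or Schema Admins membership. And the GC flag only starts a promotion; if the corporate forest contains other domains whose DCs are now unreachable, DC02 may never report `isGlobalCatalogReady = TRUE`, so that line is the check to watch rather than the checkbox. Removing the unreachable DCs' stale objects afterwards is the "severing" the earlier comment refers to, done with ntdsutil's metadata cleanup.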

Author Comment

ID: 39840912
In Sites and Services, DC02 has the GC checkbox ticked, and DC does not. Which is as I want it.
I will open a new thread re: seizing roles. I have already presented a few times to the management.
I am a domain admin, but not an enterprise admin, from what I understand.
