Solved

Domain Controller help

Posted on 2014-01-30
322 Views
Last Modified: 2014-02-17
I have two domain controllers, DC (server 2003) and DC02 (server 2008 r2). Recently the management company changed and they came and took their router without giving me opportunity to dcpromo away from the corporate office forest.

I am a local domain admin, but subsequently, I can no longer log onto DC. I tried recovery mode on DC; that password didn't work either. However, DC has a file share which still works normally; all users can access it, etc.

DC02 allows me to logon, create new users in AD, change passwords, and generally be an admin. My recovery mode password for DC02 works. I can log on to all other servers and computers as a domain admin.

I use Dameware. Dameware tells me that DC02 is the PDC (primary) and DC is the BDC (backup).

I also looked a little deeper trying to figure out why I can't log onto DC. Dameware also reported a strange setting:

Under DC > Properties > Network > Logged on users = 1; Max users = -1. (yea, that's negative 1).

For comparison, DC02 > Properties > Network > Logged on = 30; Max = somewhere north of 17 million users.

Is this a clue that you experts can help figure out why I can't log into DC?
Question by: Elixir2
8 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39823297
Log in as admin onto any other system and use the tools there, i.e. ADUC, GPMC, etc., to manage the AD and correct the issues you have.  Is the DC that is local an RODC?
 
LVL 1

Author Comment

by:Elixir2
ID: 39824258
Well, honestly, that's where my knowledge fades out a little. I'm going to need lower level instruction on where to look. I'm familiar with using ADUC and GPMC - and this site has a fairly comprehensive group policy, which I'd like to keep.

As far as I know, no one at the corporate office made "DC" an RODC server. I have not done it. From what I read, only 2008 servers can be RODCs? DC is Server 2003.

But still, I used to be able to log on to DC prior to the management change. Now I can't.

How can I determine what roles each one has DC vs DC02?
 
LVL 78

Expert Comment

by:arnold
ID: 39824947
Not an issue with roles.  Log in to a system on which you have admin rights.  Add GPMC, add the ADUC control.  Using GPMC, run the Group Policy Results wizard on the DC with you as the user and look at whether there is a GPO that was pushed that prevents you from logging in.
i.e. there is an allow local login <Custom_admin_group> of which you are not a member.
Severing your connection from the main DC is possible using ntdsutil, but if you ever hope to reconnect the two, you should not proceed along these lines.

It sounds as though what was taken out is a firewall/VPN that was connecting the two locations.  Any plan to reestablish?
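The check arnold describes (run Group Policy Results against DC with your account and see whether a GPO restricts "Allow log on locally" to a group you are not in) can be scripted from any domain-joined machine you can still log on to. The following is an added example, not code from the thread; it assumes a Windows 7 / Server 2008 R2 box with the RSAT GroupPolicy and ActiveDirectory modules installed, that the target DC is named DC as in the question, and that the GPO XML report uses the UserRightsAssignment/Member/Name layout (an assumption about the report format). It only reads policy and group membership; it changes nothing.

```powershell
# Added example (not from the thread): find which GPOs set "Allow log on locally"
# (SeInteractiveLogonRight), compare their members with your own group membership,
# and generate the same RSoP report the GPMC "Group Policy Results" wizard shows.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TargetDC   = 'DC'                                 # DC you can no longer log on to (from the thread)
$ReportPath = Join-Path $env:TEMP "rsop-$TargetDC.html"

# 1. Resultant Set of Policy for the DC, generated remotely (needs RPC access to DC).
Get-GPResultantSetOfPolicy -Computer $TargetDC -ReportType Html -Path $ReportPath
Write-Host "RSoP report for $TargetDC written to $ReportPath"

# 2. Every GPO in the domain that defines SeInteractiveLogonRight, with its member list.
#    Get-GPOReport returns the XML as a string when -Path is omitted; local-name() in the
#    XPath avoids having to declare the report's namespace prefixes.
$logonRightGpos = foreach ($gpo in Get-GPO -All) {
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $ura = $xml.SelectNodes("//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='SeInteractiveLogonRight']")
    foreach ($node in $ura) {
        $members = $node.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                   ForEach-Object { $_.InnerText }
        [pscustomobject]@{ GPO = $gpo.DisplayName; AllowLogOnLocally = ($members -join ', ') }
    }
}
"`nGPOs that define 'Allow log on locally':"
$logonRightGpos | Format-Table -AutoSize

# 3. Your own group membership (domain groups via AD; BUILTIN/local groups via whoami).
$myGroups = (Get-ADPrincipalGroupMembership $env:USERNAME).Name
"`nYou ($env:USERDOMAIN\$env:USERNAME) are a member of: $($myGroups -join ', ')"

# 4. Flag any GPO whose member list contains none of your groups; "DOMAIN\Group" entries are
#    compared on the part after the backslash. A hit here matches arnold's hypothesis.
foreach ($entry in $logonRightGpos) {
    $allowed = $entry.AllowLogOnLocally -split ',\s*' | ForEach-Object { ($_ -split '\\')[-1] }
    $overlap = $allowed | Where-Object { $myGroups -contains $_ -or $_ -eq $env:USERNAME }
    if (-not $overlap) {
        Write-Warning ("GPO '{0}' grants local logon only to: {1} (none of your groups)" -f
            $entry.GPO, $entry.AllowLogOnLocally)
    }
}
```

The RSoP HTML report is the authoritative view, because it shows which of the listed GPOs actually apply to DC after link order, enforcement and filtering; step 4 is a quick cross-check that points you at the GPO worth opening first.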
 
LVL 1

Author Comment

by:Elixir2
ID: 39825613
That, of course, is everyone's first question. Can we reconnect to the AD forest even just for a short time? Short answer - no. There is no chance of reconnection.

However, I have considered everything from completely breaking the AD directory domain and starting from scratch. But I would be OK with demoting DC to just a member server as a first step.

I know that when either DC or DC02 are powered off, users have trouble logging on and accessing the internet. Hence my question about roles.
 
LVL 78

Expert Comment

by:arnold
ID: 39825633
Are both DC and DC02 within your location?

You can use ntdsutil to assert that DC is now the master by seizing all roles.
But this is a one-way trip.  Any changes you make will not propagate.

Depending on what resources you have, there is always a way to connect the two even for a short duration for the purpose of synchronization.  To speed up logins, you need to have the local DC include the GC role.  You further need to make sure that the local DC is the first one attempted. Your issue might be that a user login attempt is presented with DC and DC02 as logon servers.  When the workstation/system picks the DC02 to which to send the authentication request, it will take a timeout, possibly 30 seconds, before the authentication is resent to the other DC.

Using Sites and Services, along with ADUC and GPMC, set forth that the local DC must be tried first, which should speed up the process.
 
LVL 1

Author Comment

by:Elixir2
ID: 39835963
I'm sorry, I wrote a long reply to this -- and it's gone!
So here goes again:

Both DC and DC02 are at my location. They can no longer communicate with the rest of the forest. There is no possibility of reconnect due to (uncooperative) management change.

I have access to the system logs on DC (even though I cannot log in). See attached: DC-errorlog.txt
I want to make DC02 the GC to stop these 1030 and 1864 errors. I want to dis-join from the forest? I cannot log in to DC and I'm afraid of propagating these login problems so that I can't log in to ANY computer.

I need help with GPMC.
 
LVL 78

Accepted Solution

by: arnold (earned 500 total points)
ID: 39836199
You have to use Sites and Services, expand until you get to the DC's and DC02's NTDS Settings object, get properties and tick the GC option.

Your only option is to seize the roles using ntdsutil.

You need to present to your higher-ups the options on what it is you recommend to resolve the issues experienced by your users.  There is little else you can do.

You seem to have a limited delegated administrative role account for some functions.
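Before touching the GC flag or seizing anything with ntdsutil, it helps to record exactly which DCs AD still thinks hold the FSMO roles, which are GCs, which are reachable from this site, and what replication is failing. The script below is an added example, not from the thread or from Microsoft's documentation; it assumes the RSAT ActiveDirectory module (Server 2008 R2 or Windows 7 RSAT), the DC names DC and DC02 from the question, and that repadmin is installed on the machine you run it from. Everything it does is read-only; the one write (setting the GC flag on an NTDS Settings object, the same thing as ticking the box in Sites and Services) is left commented out.

```powershell
# Added example (not from the thread): read-only inventory of FSMO holders, GC flags,
# reachability and replication errors for the cut-off site. Nothing here seizes roles.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO role holders as AD currently records them. After the router was removed these
#    may still name DCs at the old corporate site, which is why arnold calls seizure the
#    only remaining option if reconnection is truly impossible.
"FSMO role holders:"
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Every DC in the domain with its site, GC flag and RODC flag (answers the earlier
#    "is DC an RODC?" and "which one is the GC?" questions in one table).
$dcs = Get-ADDomainController -Filter *
"Domain controllers:"
$dcs | Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
       Format-Table -AutoSize
"Global catalogs in the forest: $($forest.GlobalCatalogs -join ', ')"

# 3. Which of those DCs still answer from here? (ICMP only; filtered ports will also show as down.)
"Reachability:"
foreach ($dc in $dcs) {
    $up = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    "  {0,-35} reachable={1}" -f $dc.HostName, $up
}

# 4. Replication errors on the two local DCs; partners behind the removed router will
#    show here and are the source of the NTDS 1864 entries mentioned in the thread.
foreach ($local in 'DC02', 'DC') {
    "Replication errors reported by ${local}:"
    repadmin /showrepl $local /errorsonly
}

# 5. GC flag on DC02, if it is not already set. Equivalent to ticking "Global Catalog"
#    on DC02's NTDS Settings object in Sites and Services (options bit 1 = is-GC).
#    Uncomment deliberately; it is the only write in this script.
# $ntds = (Get-ADDomainController -Identity 'DC02').NTDSSettingsObjectDN
# Set-ADObject -Identity $ntds -Replace @{ options = 1 }
```

Keep the output of steps 1 to 4 with your write-up for management: it shows which roles are held by DCs that can no longer be reached, and it is the evidence that a seizure (or a rebuild of the domain) is a considered decision rather than a guess.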
 
LVL 1

Author Comment

by:Elixir2
ID: 39840912
In Sites and Services, DC02 has the GC checkbox ticked, and DC does not. Which is as I want it.
I will open a new thread re: seizing roles. I have already presented a few times to the management.
I am a domain admin, but not an enterprise admin, from what I understand.