Solved

Netlogin incorrect AD

Posted on 2014-04-02
Last Modified: 2014-04-20
I am getting the following error. Does anyone know how to fix this?

Last Status Message:      Error detected in Windows Active Directory configuration. The Domain GUID {E62D9AE3-8490-4C97-8BA1-8D391A445D52} reported by Netlogon is incorrect. It should be equal to the Domain GUID {BD25D7DA-B35F-4240-B687-C0AC71DA8421} read directly from Active Directory. This Windows Active Directory issue must be fixed before this domain can be synced correctly. Please contact support for assistance.
Question by:WIZU2
12 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39972911
You should disjoin and rejoin the domain. This error most often occurs when a sysadmin chooses to build a new domain instead of migrating and chooses to use the same domain name. Since AD uses DNS, queries using that domain name succeed, but then attempting to establish a connection reveals that the domain has a new GUID because of the rebuild.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39972923
Hi,

1. When did you start getting these errors?
2. Run DCDIAG /V and see the errors.
3. Run \\domainname and see the sysvol share.
0
 

Author Comment

by:WIZU2
ID: 39972937
I migrated this domain from a 2003 SBS into a 2012/2008 DC environment. So you're saying I would have to demote these DCs and then re-join them? Seems like there should be an easier way.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39972954
How did you migrate?
0
 

Author Comment

by:WIZU2
ID: 39972982
I put a 2008 DC on the network. Then demoted SBS and forced it to be a member server.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39973003
SBS doesn't support being a member server. So that'll be a problem. And did you join the 2008 machine to the SBS domain and let it fully replicate? Or did you just make it a new DC? If you didn't verify replication, that'll be another problem.

While you can take steps during a migration to make things easier, you are already beyond that point because of choices or steps made (forcing SBS to be a member server is a BIG one of those choices.) You're looking at disjoining and rejoining, and removing SBS altogether.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39973105
Now, where do your FSMO roles exist?

If they are already migrated to the 2008 DC, then shut down the SBS server and check if you are able to log on to the domain and whether the domain controller and your application servers are working.

Needless to mention, please point the network card DNS on all servers, and on the 2008 DC also, to the 2008 domain controller only and check if it works.

Mahesh.
0
 

Author Comment

by:WIZU2
ID: 39973571
Getting all kinds of errors when I run dcdiag about not being able to process group policy and netlogon. There were no script or policy folders in the sysvol folder under domains. I think I need to run a non-authoritative restore.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39973779
Please share the output so that we can suggest some solution.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39974313
How many domain controllers do you have now?

I guess only one.

If you have only one DC, sysvol authoritative and non-authoritative restore will not help, as there is no data to restore since the SBS server is already decommissioned.

What happened here is: you promoted a new 2008 ADC, you did not cross-check whether sysvol had replicated or not, and you forcefully decommissioned the SBS server.
Now there are no GPOs in sysvol, am I correct?

In that case I only see two options:
Shut down the 2008 ADC server first.
Just make an authoritative restore of the AD system state on the SBS server, if you already have one.
Upon restoration, check if FSMO roles are found on SBS; if not, seize them on SBS.
Then remove the 2008 ADC from Active Directory manually and remove any metadata for it.

Format your 2008 ADC in an isolated network and promote it as ADC properly, check that everything is working, and then transfer FSMO onto the 2008 ADC and simply demote SBS.

OR

If you don't have a system state backup, you need to follow the article below and rebuild sysvol from scratch on the 2008 ADC:
http://searchwindowsserver.techtarget.com/tip/How-to-rebuild-the-SYSVOL-tree-when-none-exists-in-Active-Directory

Mahesh.
0
 

Accepted Solution

by:
WIZU2 earned 0 total points
ID: 40002562
I copied the folders from the decommissioned SBS that were in the sysvol\domains\ folder to the new server and did a non-authoritative restore and everything is working now.
0
 

Author Closing Comment

by:WIZU2
ID: 40011177
Because it fixed solution
0
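
Added example, not part of the original thread: a read-only PowerShell check for the two conditions discussed above, namely the domain GUID that Netlogon reports versus the one stored in Active Directory, and whether SYSVOL actually contains the Policies and scripts folders and one folder per GPO. It assumes the ActiveDirectory and GroupPolicy modules are available (RSAT or a domain controller) and that `nltest` is on the path; the variable names are illustrative.

```powershell
# Added example: read-only consistency checks after a DC migration.
# Assumes the ActiveDirectory and GroupPolicy modules and nltest.exe are available.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dns    = $domain.DNSRoot

# 1. Domain GUID as the Netlogon DC locator reports it ("Dom Guid:" line of nltest).
$netlogonGuid = $null
foreach ($line in (nltest /dsgetdc:$dns 2>&1)) {
    if ("$line" -match 'Dom Guid:\s*([0-9a-fA-F-]{36})') {
        $netlogonGuid = [guid]$Matches[1]
        break
    }
}

# 2. Domain GUID read directly from the directory (objectGUID of the domain head).
$adGuid = [guid]$domain.ObjectGUID

if (-not $netlogonGuid) {
    Write-Warning "Could not parse a Dom Guid from nltest output for $dns"
} elseif ($netlogonGuid -ne $adGuid) {
    Write-Warning "Domain GUID mismatch: Netlogon=$netlogonGuid AD=$adGuid"
} else {
    "Domain GUID consistent: $adGuid"
}

# 3. Every DC should publish the SYSVOL and NETLOGON shares once SYSVOL is initialised.
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $unc = "\\$($dc.HostName)\$share"
        if (-not (Test-Path $unc)) { Write-Warning "Share not reachable: $unc" }
    }
}

# 4. SYSVOL content: the Policies and scripts folders, and one folder per GPO in AD.
$sysvol = "\\$dns\SYSVOL\$dns"
foreach ($dir in 'Policies', 'scripts') {
    if (-not (Test-Path (Join-Path $sysvol $dir))) { Write-Warning "Missing folder: $sysvol\$dir" }
}
foreach ($gpo in Get-GPO -All -Domain $dns) {
    $path = Join-Path $sysvol ("Policies\{{{0}}}" -f $gpo.Id)
    if (-not (Test-Path $path)) {
        Write-Warning "GPO '$($gpo.DisplayName)' has no SYSVOL folder: $path"
    }
}
```

Warnings from step 4 with a clean step 1 point at SYSVOL replication rather than a rebuilt domain, which is the distinction the thread turns on.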
