Change Primary domain controller from a non-functioning server to a secondary functioning server

I have a primary domain controller that is broke and not bootable at the moment.

I have a secondary controller that is not configured properly.

Both servers have windows server 2008 standard, 32 bit.  They are NOT the r2 version.

I thought running dcpromo would allow me to promote the  server to a primary controller.

When I run dcpromo I get the following information:

1. Active Directory Domains Services Installation wizard: "This computer is already an active directory domain controller.  You can use this wizard to uninstall active directory domain services on this server."

I don't really want to uninstall active directory, but when I click on active directory user and computers I get a message box that says:

2. "Naming information cannot be located because: The specified domain either does not exist or could not be contacted.  Contact your system admin to verify that your domain is properly configured and is currently on line."

So it is looking to the non-working primary domain controller.

After clicking OK, AD opens but it is empty and has a red circle with an X thru the Active Directory users and Computers in the tree.

I was able export the active directory settings before the primary computer became unbootable.

I hoped to import the settings into this second server, but with it looking elsewhere for the information, I hesitate to try.


How do I get it to point to itself as the primary controller?

What else do I need to consider to set the server as the primary domain controller?

Thank you
Jerry ThompsonNetwork AdminAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

it_saigeDeveloperCommented:
Before I suggest anything, could you provide the output for a DCDIAG on the working DC?

-saige-
0
Jerry ThompsonNetwork AdminAuthor Commented:
The results were too long for the normal window, I could not select all and copy and get everything.  I sent the output to a file. Here is what the file contents listed:

NOTE: ADC3 is the broke server.

----------------------------------------------------------------------
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = adc4

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\ADC4

      Starting test: Connectivity

         ......................... ADC4 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\ADC4

      Starting test: Advertising

         Fatal Error:DsGetDcName (ADC4) call failed, error 1355

         The Locator could not find the server.

         ......................... ADC4 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ADC4 passed test FrsEvent

      Starting test: DFSREvent

         ......................... ADC4 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... ADC4 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ADC4 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [ADC3] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         Warning: ADC3 is the Schema Owner, but is not responding to DS RPC

         Bind.

         [ADC3] LDAP bind failed with error 8341,

         A directory service error has occurred..
         Warning: ADC3 is the Schema Owner, but is not responding to LDAP Bind.

         Warning: ADC3 is the Domain Owner, but is not responding to DS RPC

         Bind.

         Warning: ADC3 is the Domain Owner, but is not responding to LDAP Bind.

         Warning: ADC3 is the PDC Owner, but is not responding to DS RPC Bind.

         Warning: ADC3 is the PDC Owner, but is not responding to LDAP Bind.

         Warning: ADC3 is the Rid Owner, but is not responding to DS RPC Bind.

         Warning: ADC3 is the Rid Owner, but is not responding to LDAP Bind.

         Warning: ADC3 is the Infrastructure Update Owner, but is not

         responding to DS RPC Bind.

         Warning: ADC3 is the Infrastructure Update Owner, but is not

         responding to LDAP Bind.

         ......................... ADC4 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ADC4 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ADC4 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\ADC4\netlogon)

         [ADC4] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... ADC4 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ADC4 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,ADC4] A recent replication attempt failed:

            From ADC3 to ADC4

            Naming Context: DC=ForestDnsZones,DC=LCS,DC=org

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2015-03-27 09:55:42.

            The last success occurred at 2015-03-26 10:55:41.

            23 failures have occurred since the last success.

         [Replications Check,ADC4] A recent replication attempt failed:

            From ADC3 to ADC4

            Naming Context: DC=DomainDnsZones,DC=LCS,DC=org

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2015-03-27 09:55:42.

            The last success occurred at 2015-03-26 10:55:41.

            23 failures have occurred since the last success.

         [Replications Check,ADC4] A recent replication attempt failed:

            From ADC3 to ADC4

            Naming Context: CN=Schema,CN=Configuration,DC=LCS,DC=org

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-03-27 09:55:42.

            The last success occurred at 2015-03-26 10:55:41.

            23 failures have occurred since the last success.

         [Replications Check,ADC4] A recent replication attempt failed:

            From ADC3 to ADC4

            Naming Context: CN=Configuration,DC=LCS,DC=org

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-03-27 09:55:42.

            The last success occurred at 2015-03-26 10:55:41.

            23 failures have occurred since the last success.

         [Replications Check,ADC4] A recent replication attempt failed:

            From ADC3 to ADC4

            Naming Context: DC=LCS,DC=org

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-03-27 09:55:41.

            The last success occurred at 2015-03-26 10:55:41.

            23 failures have occurred since the last success.

         ......................... ADC4 failed test Replications

      Starting test: RidManager

         ......................... ADC4 failed test RidManager

      Starting test: Services

         ......................... ADC4 passed test Services

      Starting test: SystemLog

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 03/27/2015   08:57:22

            Event String:

            DCOM was unable to communicate with the computer 208.67.220.220 using any of the configured protocols.

         An Error Event occurred.  EventID: 0xC0002719

            Time Generated: 03/27/2015   08:57:44

            Event String:

            DCOM was unable to communicate with the computer 208.67.222.222 using any of the configured protocols.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 03/27/2015   08:59:07

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adc4$. The target name used was LDAP/27d1ebe1-7c79-4a74-83e8-8de5ad46fd16._msdcs.LCS.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LCS.ORG) is different from the client domain (LCS.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 03/27/2015   08:59:07

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adc4$. The target name used was ldap/adc3.LCS.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LCS.ORG) is different from the client domain (LCS.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   08:59:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:04:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:09:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:14:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:19:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:24:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:27:56

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:29:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Warning Event occurred.  EventID: 0x825A0018

            Time Generated: 03/27/2015   09:31:48

            Event String:

            Time Provider NtpClient: No valid response has been received from domain controller adc3.LCS.org after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The client fails authenticating a response with a bad signature.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:34:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:39:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 03/27/2015   09:41:54

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adc4$. The target name used was cifs/adc3.lcs.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LCS.ORG) is different from the client domain (LCS.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:44:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 03/27/2015   09:45:51

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adc4$. The target name used was LCS\ADC3$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LCS.ORG) is different from the client domain (LCS.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 03/27/2015   09:45:51

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adc4$. The target name used was adc3$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LCS.ORG) is different from the client domain (LCS.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An Warning Event occurred.  EventID: 0x825A0081

            Time Generated: 03/27/2015   09:46:49

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 30 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:49:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x0000041E

            Time Generated: 03/27/2015   09:54:13

            Event String:

            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name Sysytem (DNS) is configured and working correctly.

         An Error Event occurred.  EventID: 0x40000004

            Time Generated: 03/27/2015   09:55:41

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adc4$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/27d1ebe1-7c79-4a74-83e8-8de5ad46fd16/LCS.org@LCS.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LCS.ORG) is different from the client domain (LCS.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... ADC4 failed test SystemLog

      Starting test: VerifyReferences

         ......................... ADC4 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : LCS

      Starting test: CheckSDRefDom

         ......................... LCS passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... LCS passed test CrossRefValidation

   
   Running enterprise tests on : LCS.org

      Starting test: LocatorCheck

         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

         A Global Catalog Server could not be located - All GC's are down.

         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

         A Primary Domain Controller could not be located.

         The server holding the PDC role is down.

         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

         A Time Server could not be located.

         The server holding the PDC role is down.

         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error

         1355

         A Good Time Server could not be located.

         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

         A KDC could not be located - All the KDCs are down.

         ......................... LCS.org failed test LocatorCheck

      Starting test: Intersite

         ......................... LCS.org passed test Intersite

--------------------------------------------------------------------------


Please let me know if there is anything else.

Jerry
0
it_saigeDeveloperCommented:
Since the online DC is failing the Advertising test that means that it never completed the process of becoming a Domain Controller.  This means that you essentially have a DC with a blank database an not a replicated copy.  

Normally, you would do a non-authoritative restore of the FRS database to correct the advertising problem, but this requires an authoritative FRS database to be online and accessible.

You mentioned that you saved the settings from the failed DC.  How did you save these settings?

-saige-
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Jerry ThompsonNetwork AdminAuthor Commented:
Using CSVDE I exported the settings into a .csv file.
0
it_saigeDeveloperCommented:
Do you recall the command line you used for CSVDE?

-saige-
0
Jerry ThompsonNetwork AdminAuthor Commented:
CSVDE -f adusers.csv
0
Jerry ThompsonNetwork AdminAuthor Commented:
I looked at the file afterwords and it seemed like it had all the information.
0
it_saigeDeveloperCommented:
Well the good news is that you do potentially have all the relevant information to recreate the objects in the online DC's database.  The bad news is that CSVDE does not set passwords.

But we may be in better shape than I first thought.  If you run CSVDE -f [give a new filename] on the online server, do you have the same number of records?

-saige-
0
Jerry ThompsonNetwork AdminAuthor Commented:
They are similar:

Rows:  Export file = 1709,   ADC4 = 1703

Columns:  Export File = Col A- Col HK,  ADC4 = Col. A - Col. HG

But I suspect the information on ADC4 is likely out of date.

Thank you for your responsiveness.  I really appreciate it.
Jerlo
0
it_saigeDeveloperCommented:
Yes, it does appear out of date.  Ok, so first, lets do an Authoritative Restore of the FRS database.

http:/Q_28591065.html#a40532465

Just perform the first three steps outlined as you only have one DC.

Also, is the original DC ever going to come back online?

-saige-
0
Jerry ThompsonNetwork AdminAuthor Commented:
Done.

Yes, I think it will be back on line after a complete wipe.  I am trying to re-install the OS and then restore from a backup but I had a raid 5, I have removed the drives and added a single 1 TB drive and it is not recognizing the new drive.  I suspect the raid 5 controller is affecting that.

Regardless, Yes, I think I will be re-adding the original server, but the timing is highly questionable at this point.
0
it_saigeDeveloperCommented:
Ok.  Then what you want to do now is seize the FSMO roles and then perform a metadata cleanup so that you can remove the old server.

Seizing the FSMO roles
How to remove data in Active Directory after an unsuccessful domain controller demotion

Once you do this, rerun a DCDIAG and post the results so that we can compare.

-saige-
0
Jerry ThompsonNetwork AdminAuthor Commented:
Saige,

I appreciate all your help today and I intend to follow through.  The reason for this post is to let you know I am done for today. Other obligations call.  I hope to seize the roles tomorrow.  I will post the dcdiag as soon as available.

Thank you.
0
it_saigeDeveloperCommented:
Not a problem.  Keep me posted.

-saige-
0
Jerry ThompsonNetwork AdminAuthor Commented:
Hi Saige,

Sorry for the long delay and silence for the last several days.

The server you were helping me is about 17 years old.  The server that got corrupted is about 8 years old.  I had already intended to purchase a new server this summer, but decided I did not want to tackle purchasing and setting up a brand new server.

I got to the point where it really bothered me to get this ancient server set up, then get the newer one running and then reverse the process to make the newer one the primary server again.

I shifted my efforts on getting the corrupted server working again.  Sadly after several attempts at restoring the server from backups, I gave up.  I basically wiped and have been rebuilding the server.  New drive, new OS install, import user data using csvde and ldifde and now I am putting back the user created files.  It is almost to the point where it will be useable again.

The ancient server is not likely properly configured to be a part of this domain.

I think I am going to to finish the restoration of the newer server, close this ticket later, and create a new ticket when I am ready to join the ancient one to the domain properly.

I really appreciated your willingness to help and your concise and accurate instructions.
0
Jerry ThompsonNetwork AdminAuthor Commented:
Thanks again for all the help.

Jerlo
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.