• Status: Solved

Cannot remove server metadata or access domain controller after role seizure

Hi all,

Had to seize roles from a bust DC. When I now try to connect to Users and Computers or Sites and Services, the server says the domain does not exist or is not available. When I try to connect to it by selecting Change Domain Controller, I can type in the name and it says that the server is online; however, when I click Connect it says it is not available. I then ran dcdiag and it says that replication is not happening. I tried to remove the old DC using the command line as I cannot access it via the GUI; however, it does not want to remove it, giving the following error:
ntdsutil: metadata cleanup
metadata cleanup: remove selected server <xx-xx-xxxxxxx>
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x22(34 (Invalid DN Syntax).
Ldap extended error message is 0000208F: NameErr: DSID-03100225, problem 2006 (B
AD_NAME), data 8350, best match of:
        'CN=Ntds Settings,<xx-xx-xxxxxxx>'

Win32 error returned is 0x208f(The object name has bad syntax.)
)
Unable to determine the domain hosted by the Active Directory Domain Controller
(5). Please use the connection menu to specify it.

I also tried to access my other DCs; however, they give me the same error of not being able to connect.

Any help would be appreciated.

Thanks
Bernard
 
burny1 (Author) Commented:
Update: Also, the DNS server is working fine and you can send queries that are resolved successfully.

Randy Downs (OWNER) Commented:
How difficult is it to rebuild the DC? Maybe take the busted DC server offline and build a new DC?

DrDave242 Commented:
If you go through the metadata cleanup procedure the old way, how far do you get before you encounter an error, and what error is it?
burny1 (Author) Commented:
Hi,

Here is what I get when I run dcdiag - I have removed some non-important data:

PS C:\Users\administrator> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CT-SERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CT-SERVER
      Starting test: Connectivity
         ......................... CT-SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CT-SERVER
      Starting test: Advertising
         Fatal Error:DsGetDcName (CT-SERVER) call failed, error 1355
         The Locator could not find the server.
         ......................... CT-SERVER failed test Advertising
      Starting test: FrsEvent
         ......................... CT-SERVER passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... CT-SERVER failed test DFSREvent
      Starting test: SysVolCheck
         ......................... CT-SERVER passed test SysVolCheck
      Starting test: KccEvent
         ......................... CT-SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CT-SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CT-SERVER passed test MachineAccount
      Starting test: NCSecDesc
         ......................... CT-SERVER passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\CT-SERVER\netlogon)
         [CT-SERVER] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... CT-SERVER failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CT-SERVER passed test ObjectsReplicated
      Starting test: Replications
         ......................... CT-SERVER passed test Replications
      Starting test: RidManager
         ......................... CT-SERVER passed test RidManager
      Starting test: Services
         ......................... CT-SERVER passed test Services
      Starting test: VerifyReferences
         ......................... CT-SERVER passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ils
      Starting test: CheckSDRefDom
         ......................... ils passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ils passed test CrossRefValidation

   Running enterprise tests on : ils.co.za
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... ils.co.za failed test LocatorCheck
      Starting test: Intersite
         ......................... ils.co.za passed test Intersite

So what I do not understand is that when I go to Users and Computers it says the domain controller is not available; however, when I select to go to another DC and enter the main DC, it says that it is online in the status, yet the same message pops up that it is not available or the domain is not valid.

Randy Downs (OWNER) Commented:
Maybe this will help.

You must designate one domain controller as being authoritative for the Sysvol replica set. If all of the domain controllers in the domain have been restored, select the primary domain controller emulator flexible single master operations (FSMO) role holder:
Stop the File Replication service on the domain controller.
Start Registry Editor (Regedt32.exe).
Locate and then click the BurFlags value under the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
On the Edit menu, click DWORD, click Hex, type D4, and then click OK.
Quit Registry Editor.
Move data out of the PreExisting folder.
Restart the File Replication Service.
Note This registry value marks the FRS replica as authoritative for the whole replica set. Set this value on only one replica, and only to resolve this specific issue. If you configure multiple replicas as authoritative, conflicts and collisions may occur in the replica set.

When you set the D4 registry setting on one domain controller, you must set the D2 registry setting on every other domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
315457 How to Rebuild SYSVOL and Its Content in a Domain

burny1 (Author) Commented:
The registry entry does not exist, and also the article refers to Server 2000.

Randy Downs (OWNER) Commented:
Sorry didn't notice the server 2000 reference. See if this applies to you.

1) Stop ntfrs service on both domain controllers (issue net stop ntfrs command from command line, don't forget to run as administrator)

2) On your primary domain controller set registry key HKLM\System\CurrentControlSet\services\NtFrs\Backup/Restore\Process at Startup\BurFlags to D4 and on your secondary domain controller to D2.

3) Start ntfrs service on your primary DC and then on your secondary DC. (issue net start ntfrs command from command line, don't forget to run as administrator)

4) Wait a few minutes and watch the event log.

5) Issue net share command to check if NETLOGON and SYSVOL folders are shared correctly.

burny1 (Author) Commented:
Hi there,
When I went to go stop the service it was already stopped. I then entered the registry entries and then tried to start the service and it says that it is disabled. After changing it to automatic I once again tried to start it and got the following error: Windows could not start the file replication service on the local computer. Error 1053: The service did not respond to the start or control request in a timely fashion.
Under event viewer I get an event ID of 7009 with the following: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.

Any ideas?

DrDave242 Commented:
If this is a relatively new domain with relatively new DCs (running 2008R2 or later versions), FRS is no longer used to replicate SYSVOL; Distributed File Service Replication (DFSR) is used instead. This is most likely why the service is disabled (and should remain so). There is an equivalent procedure when dealing with DFSR-replicated SYSVOL. It's a little more involved, and it can be found here. Please read the article carefully before beginning the procedure, as it is important to designate the correct domain controller as authoritative.
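
A read-only way to see which engine replicates SYSVOL on a DC before choosing between the BurFlags (FRS) steps and the DFSR procedure discussed above. This is an added example, not part of the original thread; it assumes an elevated Windows PowerShell session on the domain controller, and the function name Get-SysvolReplicationState is hypothetical.

```powershell
# Added example: read-only checks, run in elevated Windows PowerShell on the DC.
# Get-SysvolReplicationState is a hypothetical helper name, not a built-in cmdlet.
function Get-SysvolReplicationState {
    # Service state of both replication engines (WMI also works on older PowerShell).
    $frs  = Get-WmiObject Win32_Service -Filter "Name='NtFrs'"
    $dfsr = Get-WmiObject Win32_Service -Filter "Name='DFSR'"

    # SysvolReady = 1 tells Netlogon to share SYSVOL and NETLOGON.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ready = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SysvolReady

    # The shares whose absence makes the dcdiag NetLogons test fail.
    $shares = @(Get-WmiObject Win32_Share |
        Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name } |
        ForEach-Object { $_.Name })

    # FRS-to-DFSR migration state as reported by the built-in dfsrmig tool.
    # It can fail when no PDC emulator is reachable; the error text is kept.
    $migration = (& dfsrmig.exe /getglobalstate 2>&1 | Out-String).Trim()

    # Heuristic (assumption): NtFrs running means FRS still replicates SYSVOL;
    # NtFrs disabled or absent with DFSR running points to DFSR.
    $engine = 'Undetermined'
    if ($frs -and $frs.State -eq 'Running') {
        $engine = 'FRS'
    } elseif ($dfsr -and $dfsr.State -eq 'Running' -and
              (-not $frs -or $frs.StartMode -eq 'Disabled')) {
        $engine = 'DFSR'
    }

    New-Object PSObject -Property @{
        NtFrsService  = $(if ($frs)  { "$($frs.State) / $($frs.StartMode)" }   else { 'not installed' })
        DfsrService   = $(if ($dfsr) { "$($dfsr.State) / $($dfsr.StartMode)" } else { 'not installed' })
        SysvolReady   = $ready
        SharesPresent = $shares -join ', '
        DfsrMigration = $migration
        LikelyEngine  = $engine
    }
}

Get-SysvolReplicationState | Format-List
```

Nothing here writes to the registry or changes a service, so it can be run on each DC to compare results before any authoritative restore is attempted.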

burny1 (Author) Commented:
Hi there,
I have looked at this article; however, the string that they refer to: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
does not exist. It seems that the seizure process never finalised, so the server is in "limbo". I cannot find anything on the net where I can tell the system to not do the initial synchronization. All information wants me to have an active domain, and every time I try to open something the system says the domain does not exist or is not available.

burny1 (Author) Commented:
If this was a new domain I would have just reloaded the server, however it has been running for the last 3 years and I have 30 staff members on it who I would have to set up again on their workstations.

burny1 (Author) Commented:
In the end I could not wait for any further help so deleted the server and set everything up from scratch.

DrDave242 Commented:
Sorry for the lack of response on my part; I had to travel out of state unexpectedly on 9/22 and didn't return until late last night.

burny1 (Author) Commented:
No further response from Experts Exchange.