Solved

Cannot remove server meta data or access domain controller after role seizure

Posted on 2016-09-19
Last Modified: 2016-09-28
Hi all,

Had to seize roles from a bust DC. When I now try to connect to Users and Computers or Sites and Services, the server says no domain exists or it is not available. When I try to connect to it by selecting "change domain controller", I can type in the name and it says that the server is online; however, when I click connect it says it is not available. I then ran dcdiag and it says that replication is not happening. I tried to remove the old DC using the command line as I cannot access it via the GUI; however, it does not want to remove it, giving the following error:
ntdsutil: metadata cleanup
metadata cleanup: remove selected server <xx-xx-xxxxxxx>
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x22(34 (Invalid DN Syntax).
Ldap extended error message is 0000208F: NameErr: DSID-03100225, problem 2006 (B
AD_NAME), data 8350, best match of:
        'CN=Ntds Settings,<xx-xx-xxxxxxx>'

Win32 error returned is 0x208f(The object name has bad syntax.)
)
Unable to determine the domain hosted by the Active Directory Domain Controller
(5). Please use the connection menu to specify it.

I also tried to access my other DCs; however, they give me the same error of not being able to connect.

Any help would be appreciated.

Thanks
Bernard
Question by:burny1
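The "Invalid DN Syntax" error in the question is what ntdsutil returns when "remove selected server" is given a bare server name instead of the distinguished name of the server object in the Configuration partition (the "best match" line shows it prepending "CN=Ntds Settings," to whatever was typed). The following PowerShell is an added example, not code from the thread or from Microsoft: it lists the server objects under CN=Sites and shows the DN that the ntdsutil command expects, flagging which ones still carry an NTDS Settings child. It assumes the ActiveDirectory module and a DC that still answers LDAP (the -Server parameter lets you bind to the surviving one).

```powershell
# Added example, not from the thread: enumerate the server objects under
# CN=Sites in the Configuration partition and show the DN that ntdsutil's
# "remove selected server" expects. Assumes the ActiveDirectory module and a
# DC that still answers LDAP (-Server lets you pick the surviving one).
function Get-DcServerObject {
    [CmdletBinding()]
    param([string]$Server)

    $ad = @{ ErrorAction = 'Stop' }
    if ($Server) { $ad['Server'] = $Server }

    $configNc = (Get-ADRootDSE @ad).configurationNamingContext
    $servers = Get-ADObject @ad -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter '(objectClass=server)' -Properties serverReference, dNSHostName

    foreach ($srv in $servers) {
        # A live DC has a child "CN=NTDS Settings" object (class nTDSDSA);
        # a server object without one is not, or is no longer, a DC.
        $ntds = Get-ADObject @ad -SearchBase $srv.DistinguishedName `
            -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
        [pscustomobject]@{
            Name            = $srv.Name
            Site            = (($srv.DistinguishedName -split ',')[2]) -replace '^CN='
            DnsHostName     = $srv.dNSHostName
            HasNtdsSettings = [bool]$ntds
            ComputerAccount = $srv.serverReference
            # Pass this whole string, quoted, to: remove selected server "<ServerDn>"
            ServerDn        = $srv.DistinguishedName
        }
    }
}

# Example use: list every server object; stale ones show HasNtdsSettings = False
Get-DcServerObject | Format-Table Name, Site, HasNtdsSettings, ServerDn -AutoSize
```

The ServerDn column is the value to paste into ntdsutil's metadata cleanup prompt; the site name and domain components come from the directory itself, so nothing has to be typed by hand.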
14 Comments
Author Comment

by:burny1
Update: Also, the DNS server is working fine and you can send queries that are resolved successfully.

Expert Comment

by:Randy Downs
How difficult is it to rebuild the DC? Maybe take the busted DC server offline and build a new DC?

Expert Comment

by:DrDave242
If you go through the metadata cleanup procedure the old way, how far do you get before you encounter an error, and what error is it?

Author Comment

by:burny1
Hi,

Here is what I get when I run dcdiag - I have removed some non-important data:

PS C:\Users\administrator> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CT-SERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CT-SERVER
      Starting test: Connectivity
         ......................... CT-SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CT-SERVER
      Starting test: Advertising
         Fatal Error:DsGetDcName (CT-SERVER) call failed, error 1355
         The Locator could not find the server.
         ......................... CT-SERVER failed test Advertising
      Starting test: FrsEvent
         ......................... CT-SERVER passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... CT-SERVER failed test DFSREvent
      Starting test: SysVolCheck
         ......................... CT-SERVER passed test SysVolCheck
      Starting test: KccEvent
         ......................... CT-SERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CT-SERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CT-SERVER passed test MachineAccount
      Starting test: NCSecDesc
         ......................... CT-SERVER passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\CT-SERVER\netlogon)
         [CT-SERVER] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... CT-SERVER failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CT-SERVER passed test ObjectsReplicated
      Starting test: Replications
         ......................... CT-SERVER passed test Replications
      Starting test: RidManager
         ......................... CT-SERVER passed test RidManager
      Starting test: Services
         ......................... CT-SERVER passed test Services
      Starting test: VerifyReferences
         ......................... CT-SERVER passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ils
      Starting test: CheckSDRefDom
         ......................... ils passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ils passed test CrossRefValidation

   Running enterprise tests on : ils.co.za
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... ils.co.za failed test LocatorCheck
      Starting test: Intersite
         ......................... ils.co.za passed test Intersite

So what I do not understand is that when I go to Users and Computers it says the domain controller is not available; however, when I select to go to another DC and enter the main DC, the status says that it is online, yet the same message pops up that it is not available or the domain is not valid.

Expert Comment

by:Randy Downs
Maybe this will help.

You must designate one domain controller as being authoritative for the Sysvol replica set. If all of the domain controllers in the domain have been restored, select the primary domain controller emulator flexible single master operations (FSMO) role holder:
Stop the File Replication service on the domain controller.
Start Registry Editor (Regedt32.exe).
Locate and then click the BurFlags value under the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
On the Edit menu, click DWORD, click Hex, type D4, and then click OK.
Quit Registry Editor.
Move data out of the PreExisting folder.
Restart the File Replication Service.
Note: This registry value marks the FRS replica as authoritative for the whole replica set. Set this value on only one replica, and only to resolve this specific issue. If you configure multiple replicas as authoritative, conflicts and collisions may occur in the replica set.

When you set the D4 registry setting on one domain controller, you must set the D2 registry setting on every other domain controller. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
315457 How to Rebuild SYSVOL and Its Content in a Domain

Author Comment

by:burny1
The registry entry does not exist, and also the article refers to Server 2000.

Expert Comment

by:Randy Downs
Sorry, I didn't notice the Server 2000 reference. See if this applies to you.

1) Stop the ntfrs service on both domain controllers (issue the net stop ntfrs command from the command line; don't forget to run as administrator).

2) On your primary domain controller set the registry key HKLM\System\CurrentControlSet\services\NtFrs\Backup/Restore\Process at Startup\BurFlags to D4 and on your secondary domain controller to D2.

3) Start the ntfrs service on your primary DC and then on your secondary DC (issue the net start ntfrs command from the command line; don't forget to run as administrator).

4) Wait a few minutes and watch the event log.

5) Issue the net share command to check if the NETLOGON and SYSVOL folders are shared correctly.

Author Comment

by:burny1
Hi there,
When I went to stop the service, it was already stopped. I then entered the registry entries and then tried to start the service, and it says that it is disabled. After changing it to automatic I once again tried to start it and got the following error: Windows could not start the File Replication service on the local computer. Error 1053: The service did not respond to the start or control request in a timely fashion.
Under event viewer I get an event ID of 7009 with the following: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.

Any ideas?

Expert Comment

by:DrDave242
If this is a relatively new domain with relatively new DCs (running 2008R2 or later versions), FRS is no longer used to replicate SYSVOL; Distributed File Service Replication (DFSR) is used instead. This is most likely why the service is disabled (and should remain so). There is an equivalent procedure when dealing with DFSR-replicated SYSVOL. It's a little more involved, and it can be found here. Please read the article carefully before beginning the procedure, as it is important to designate the correct domain controller as authoritative.
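DrDave242's point is the pivot of the thread: the BurFlags key and the NtFrs service only matter while SYSVOL is FRS-replicated, and the DFSR procedure only applies once the DFSR-LocalSettings objects exist for the DC. The following PowerShell check is an added example (not from the thread, not Microsoft's code): it reports which engine the DC uses via dfsrmig /getglobalstate, the state of both services, whether the BurFlags value and the DFSR SYSVOL subscription object exist, and whether SYSVOL and NETLOGON are shared, so that the right recovery procedure can be picked. It assumes it runs elevated on the DC, with the ActiveDirectory module available for the one LDAP lookup.

```powershell
# Added diagnostic, not from the thread. Run elevated on the DC; the AD lookup
# assumes the ActiveDirectory module and a DC that still answers LDAP.
function Get-SysvolReplicationState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # dfsrmig reports the migration state: 'Start' = SYSVOL still on FRS,
    # 'Eliminated' = DFSR only, anything in between = migration in progress.
    $state = 'Unknown'
    $out = & dfsrmig.exe /getglobalstate 2>&1 | Out-String
    if ($out -match "'(\w+)'") { $state = $Matches[1] }
    $engine = @{ Start = 'FRS'; Eliminated = 'DFSR'; Unknown = 'Unknown' }[$state]
    if (-not $engine) { $engine = "Migrating ($state)" }

    # Service state for both engines (FRS = NtFrs, DFS Replication = DFSR).
    $svc = @{}
    foreach ($name in 'NtFrs', 'DFSR') {
        $s = Get-CimInstance Win32_Service -Filter "Name='$name'"
        $svc[$name] = if ($s) { "$($s.State)/$($s.StartMode)" } else { 'not installed' }
    }

    # BurFlags (the D4/D2 procedure) lives under NtFrs\Parameters and only
    # matters while FRS replicates SYSVOL.
    $burKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $bur = (Get-ItemProperty -Path $burKey -Name BurFlags -ErrorAction SilentlyContinue).BurFlags
    $burText = if ($null -ne $bur) { '0x{0:X}' -f $bur } else { 'key or value absent' }

    # The DFSR procedure edits this subscription object; if it is absent,
    # SYSVOL was never migrated to DFSR on this DC.
    try {
        $domainDn = (Get-ADRootDSE -ErrorAction Stop).defaultNamingContext
        $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
              "CN=$ComputerName,OU=Domain Controllers,$domainDn"
        $obj = Get-ADObject -Identity $dn -Properties 'msDFSR-Enabled' -ErrorAction Stop
        $dfsrText = "present (msDFSR-Enabled=$($obj.'msDFSR-Enabled'))"
    } catch { $dfsrText = "absent or unreachable ($($_.Exception.Message))" }

    # dcdiag's NetLogons test fails when these shares are missing.
    $shares = @(Get-SmbShare -ErrorAction SilentlyContinue | ForEach-Object Name)
    [pscustomobject]@{
        DfsrGlobalState  = $state;        Engine           = $engine
        NtFrsService     = $svc['NtFrs']; DfsrService      = $svc['DFSR']
        BurFlags         = $burText;      DfsrSysvolObject = $dfsrText
        SysvolShared     = $shares -contains 'SYSVOL'
        NetlogonShared   = $shares -contains 'NETLOGON'
    }
}

Get-SysvolReplicationState | Format-List
```

A DC that reports Engine = DFSR with the NtFrs service disabled and the BurFlags key absent is behaving as designed, and the FRS D4/D2 steps do not apply to it; a DC that reports DFSR but no SYSVOL subscription object is in the half-finished state described later in this thread.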

Author Comment

by:burny1
Hi there,
I have looked at this article; however, the string that they refer to: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
does not exist. It seems that the seizure process never finalised, so the server is in "limbo". I cannot find anything on the net where I can tell the system not to do the initial synchronization. All information wants me to have an active domain, and every time I try to open something the system says the domain does not exist or is not available.

Author Comment

by:burny1
If this was a new domain I would have just reloaded the server, however it has been running for the last 3 years and I have 30 staff members on it who I would have to set up again on their workstations.

Accepted Solution

by:
burny1 earned 0 total points
In the end I could not wait for any further help, so I deleted the server and set everything up from scratch.

Expert Comment

by:DrDave242
Sorry for the lack of response on my part; I had to travel out of state unexpectedly on 9/22 and didn't return until late last night.

Author Closing Comment

by:burny1
No further response from Experts Exchange.