Kent W (asker)

Alternate way of fixing a broken Win 2003 AD

I'll preface by saying, yes, I'm rolling out a new 2012 based Active Directory, but...

Our FSMO master died in a way that didn't want to be resurrected.

Originally I had all Win 2003 SBS AD domain controllers, currently running in Windows 2000 native mode:

AD01 - Primary, FSMO master
AD02 - secondary DC
AD03 - Tertiary DC

AD01 died in a way where it was not salvageable.  

With AD02, I Seized the FSMO roles, and made it the new "master"

Now, replication between the two is broken. AD02 (new master) has the "DSA Not Writable" Dword (4) in its registry.
AD03 was up a while when we were configuring AD02, so the databases became out of sync.

Most instructions I see say the only way to fix replication is to demote, remove from the domain, rejoin, and promote the "bad" server, in this case my master (now AD02).

Currently, I made AD02 as the Master via seized roles from dead AD01.
AD03 is my only other DC, acting as secondary to now-master AD02.

Another method crossed my mind, and wanted to see if anyone has tried this...or, if anyone else has another way out, other than demoting my primary AD02.

What if I were to DCPROMO AD03 (a secondary DC which is not receiving replicated data), remove it from the domain as an AD server, then re-join it as a new secondary server?
Would this also clear the "DSA Not Writable" flag on AD02?
I do not care about the orphaned objects on AD03. If it would simply pick up exactly what my new master has, that would be fine and dandy.

Basically, I'm looking for any way to fix replication without messing with the now-primary DC AD02 much.

Hopefully y'all followed that. I don't ask questions here too often, usually I'm on the "answer" page, so go easy on me!
:)
Cliff Galiher

Should work fine. Netlogon does a health check on each boot. So if you clean up the failed object, the DC health check should pass and clear that flag on reboot.
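To make the state described in the question and in this answer checkable, here is an added PowerShell example (not code from the thread or from either participant) that runs on the surviving DC: it reads the "Dsa Not Writable" value the asker mentions, confirms which DC now holds the FSMO roles after the seizure, lists replication partners whose last attempt failed, and, only when explicitly asked, removes the dead DC's metadata with ntdsutil, which is the "clean up the failed object" step this answer refers to. It assumes the Windows Server 2003 Support Tools (repadmin, dcdiag, netdom, ntdsutil) are on PATH, that it is run elevated, that the domain is domain.local as in the thread, and that the dead DC sits in the default site; Default-First-Site-Name is an assumed site name and must be changed to match the forest. One caveat worth knowing before relying on a reboot alone: Microsoft's KB 875495 documents value 4 in that key as the one NTDS writes when it detects a USN rollback (Directory Service event 2095), and its documented recovery for that state is a forced demotion and re-promotion of the affected DC, so the script reports the value and never edits it.

```powershell
# Added example, not from the original thread. Inspect the AD state described in the
# question on the surviving DC and, optionally, remove the dead DC's metadata.
# Assumptions: run elevated on AD02; Support Tools on PATH; site name is a placeholder.
param(
    [string]$DeadDc   = 'AD01',                        # DC that died (from the thread)
    [string]$Site     = 'Default-First-Site-Name',     # ASSUMED site name; adjust
    [string]$DomainDn = 'DC=domain,DC=local',          # domain.local, as in the thread
    [switch]$CleanupMetadata                           # only modify AD when explicitly asked
)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Is this DSA flagged not writable? The value is absent on a healthy DC.
$params = Get-ItemProperty -Path $ntdsKey -ErrorAction Stop
if ($params.PSObject.Properties['Dsa Not Writable']) {
    Write-Host ("Dsa Not Writable = {0} (NTDS has halted replication on this DC; see KB 875495 for value 4)" -f $params.'Dsa Not Writable')
} else {
    Write-Host 'Dsa Not Writable: not set (DSA is writable)'
}

# 2. Who holds the five FSMO roles now? Confirms the seizure from the dead DC took effect.
Write-Host "`n== FSMO role holders =="
netdom query fsmo

# 3. Replication status: show only partner lines whose last attempt did not succeed.
#    A partner line naming the dead DC stays here until its metadata is removed.
Write-Host "`n== Replication partners with errors (repadmin /showrepl) =="
$showrepl = repadmin /showrepl 2>&1
$showrepl | Where-Object { $_ -match 'Last attempt' -and $_ -notmatch 'was successful' }

# 4. Does the dead DC still have an NTDS Settings object in the Configuration partition?
#    If it does, the stale server object is what breaks the health check on reboot.
$serverDn   = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
$settingsDn = "CN=NTDS Settings,$serverDn"
$stillThere = [adsi]::Exists("LDAP://$settingsDn")

if ($stillThere) {
    Write-Host "$DeadDc still has an NTDS Settings object: $settingsDn"
    if ($CleanupMetadata) {
        # ntdsutil on Windows Server 2003 SP1 and later accepts the server DN directly,
        # so no 'connect to server' step is needed. It prompts before removing the object.
        ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
    } else {
        Write-Host 'Re-run with -CleanupMetadata to remove it via ntdsutil.'
    }
} else {
    Write-Host "$DeadDc has no NTDS Settings object; metadata cleanup is already done."
}

# 5. Final replication health check; compare before and after the cleanup and reboot.
Write-Host "`n== dcdiag /test:replications =="
dcdiag /test:replications
```

Run it once without the switch to see the current state, then with `-CleanupMetadata` to remove the dead DC; after the reboot Cliff mentions, run it again and confirm the registry value is gone and repadmin lists no failed partners. Removing the server object does not remove the dead DC's DNS records or its computer account, so those still need to be deleted by hand, which matches the asker's later note that dcpromo complains about the computer account.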
ASKER CERTIFIED SOLUTION
Radhakrishnan

Kent W (ASKER)

My planned method did NOT fix my AD issue. DCPromo is complaining it can't find the computer account.
So, for testing, I've created an AD lab with virtualized counterparts of both DCs, along with the inherent problem(s).

In my AD lab, I have (starting with the servers in their "corrupt" state) -
Seized FSMO roles, Operations Master, and Global Catalog to AD02. Graceful transferring was not an option.
Set DNS for the domain.local to point only to the "good" AD02 (in order to bypass asking the failing, non-replicating AD01).

I then added a new AD server (AD03), which was successful (after removing the bad server from DNS for the domain name).

AD01 was also running DHCP, DNS, WINS which is easy enough to move to the new AD server.

I'll then have to go about cleaning up the old records; as stated, dcpromo will not allow me to remove any DC as of yet.

At the end of the day, I'm looking to add a new domain via Win 2012 AD, then setup two-way trust relationship between old and new domains, then migrate machines over to the 2012 AD. After migrating, I'll just break the trust and physically remove the old DCs.

Knowing the road I'm taking, any input from AD experts would be much appreciated.
Pointing towards right direction