sti007
asked on
DNS Problems and Active Directory Problem
I had a Windows 2003 server as my primary domain controller with all the FSMO roles. Three months ago, I purchased a new server with Windows 2016. I made it a secondary domain controller. Both servers were successfully running as Domain Controllers with Global Catalogs. I transferred FSMO roles to the new domain controller successfully. I was getting ready to demote the Windows 2003 server but it crashed two days ago. Now my ONLY domain controller says that Active Directory is not functioning properly. I am unable to add a new user, printers or even look at the Active Directory information.
What is the best way to recover my AD. I have a backup that can go back as far as 90 days. Is there any known utilities to fix/repair AD?
Thanks for your help.
What is the best way to recover my AD. I have a backup that can go back as far as 90 days. Is there any known utilities to fix/repair AD?
Thanks for your help.
You mus remove the Orphaned Domain Controller Windows Server 2003 for you AD do severl steps:
1 Run a Metadata Cleanup.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Manually-Removing-A-Domain-Controller-Server/ba-p/280564
2. Remove the old computer in “Active Directory Sites and Services.”
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Manually-Removing-A-Domain-Controller-Server/ba-p/280564
3. Remove old DNS and WINS records of the orphaned Domain Controller.
https://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/
4 Seize the FSMO roles on the Orphaned Domain Controller Windows Server 2003
https://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/
5. Force or wait an Active Directory replication
Before start read all the post https://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/
1 Run a Metadata Cleanup.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Manually-Removing-A-Domain-Controller-Server/ba-p/280564
2. Remove the old computer in “Active Directory Sites and Services.”
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Manually-Removing-A-Domain-Controller-Server/ba-p/280564
3. Remove old DNS and WINS records of the orphaned Domain Controller.
https://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/
4 Seize the FSMO roles on the Orphaned Domain Controller Windows Server 2003
https://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/
5. Force or wait an Active Directory replication
Before start read all the post https://blogs.msmvps.com/acefekay/2010/10/04/complete-step-by-step-to-remove-an-orphaned-domain-controller/
Sounds like your 2016 dc is not a writeable secondary.
Backup of DC, crashed how, hardware failure. You might be able to get components to bring the 2003 back but make sure you gave a system (even a virtual one within hyper-v on the 2016) possibly running Windows 2012 to join as another DC, transfer roles after DCdiag, repladm are clear.
Demote the 2003, raise functional level.
Seizing roles with a Jon-writeable DC I do not think would be a course of action to take.
Backup of DC, crashed how, hardware failure. You might be able to get components to bring the 2003 back but make sure you gave a system (even a virtual one within hyper-v on the 2016) possibly running Windows 2012 to join as another DC, transfer roles after DCdiag, repladm are clear.
Demote the 2003, raise functional level.
Seizing roles with a Jon-writeable DC I do not think would be a course of action to take.
ASKER
Why is my 2016 DC not writable? Anyhow, the Windows 2003 DC crashed; the volume would not boot; no bootable device device.
I rebooted the 2016 DC and it booted OK. I was able to login. It is still at 2003 functional level and it has all the FSMO roles; but the AD is not available. The workstations are still able to access their shared folders but AD is not functional.
How can I make the 2016 DC writable? Thanks for your expertise.
I rebooted the 2016 DC and it booted OK. I was able to login. It is still at 2003 functional level and it has all the FSMO roles; but the AD is not available. The workstations are still able to access their shared folders but AD is not functional.
How can I make the 2016 DC writable? Thanks for your expertise.
Run dcdiag to see the status, double check DNS settings on the 2016 to see where it points, in case it points at the failed DC, place its lan ip as the name server and see if that makes a difference
Which system is/was the DHCP server?
in a command window
nslookup -q=SRV _ldap._tcp.dc._msdcs.youra
If you get no response, switch the
nslookup -q=SRV _tcp._ldap.dc._msdcs.youra
Check which system is queried.
Net share, us sysvol shared, event log ?
Which system is/was the DHCP server?
in a command window
nslookup -q=SRV _ldap._tcp.dc._msdcs.youra
If you get no response, switch the
nslookup -q=SRV _tcp._ldap.dc._msdcs.youra
Check which system is queried.
Net share, us sysvol shared, event log ?
ASKER
I just ran the command; it returned a response
Server: Unknown
Address: :1
When I go to Server Manager and chose "Active Directory Users and Computers", I get the following error:
--------------------------
Active Directory Domain Services
--------------------------
Naming information cannot be located for the following reason:
The server is not operational.
If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 Server Service Pack 3 or later is installed on the DC, or use the Windows 2000 administration tools. For more information about connecting to DCs running Windows 2000, see Help and Support.
--------------------------
OK
--------------------------
Server: Unknown
Address: :1
When I go to Server Manager and chose "Active Directory Users and Computers", I get the following error:
--------------------------
Active Directory Domain Services
--------------------------
Naming information cannot be located for the following reason:
The server is not operational.
If you are trying to connect to a Domain Controller running Windows 2000, verify that Windows 2000 Server Service Pack 3 or later is installed on the DC, or use the Windows 2000 administration tools. For more information about connecting to DCs running Windows 2000, see Help and Support.
--------------------------
OK
--------------------------
See if you can access the DNS admin tool
Post output of ipconfig /all
Name server records are of interest.
Netstat -an |find ":53"
To see whether you have a local DNS server running.
Check network settings to which
Try to login onto any system by a user who previously never accessed this system to double check whether everything is working based on saved credentials.
Check the ip on the workstations ...
Post output of ipconfig /all
Name server records are of interest.
Netstat -an |find ":53"
To see whether you have a local DNS server running.
Check network settings to which
Try to login onto any system by a user who previously never accessed this system to double check whether everything is working based on saved credentials.
Check the ip on the workstations ...
Can you post ipconfig /all config of dc?
Also post dcdiag /v output from elevated cmd
Also post dcdiag /v output from elevated cmd
Yours clients use the DC windows server 2016 as unique dns?
Mahesh mentioned this above, but please run net share on the 2016 DC and confirm whether the SYSVOL and NETLOGON shares are listed in the output.
ASKER
I have gone through all the steps given to me by Arnold and sent him screen shots of the errors. One of the errors is "Naming Information cannot be located for the following reason. The server is not operational."
The domain controller use itself as DNS in the config of the network card?
Now you have a unique DNS and all clinet, seevers and DC must use
https://www.dell.com/support/article/us/en/04/sln266126/windows-server-naming-information-cannot-be-located-error-in-active-directory-consoles?lang=en
Now you have a unique DNS and all clinet, seevers and DC must use
https://www.dell.com/support/article/us/en/04/sln266126/windows-server-naming-information-cannot-be-located-error-in-active-directory-consoles?lang=en
Your ipconfig has local IPv6, server ip and what seems to be the other server as nam server records.
On boot did you get an error that a service failed to start?
Use DNS admin, navigate through _msdcs
DC
_ldap
_tcp
At each point see whether thus server is listed as responsible for the domain.
The dcdiag fails to locate ..the SRV records I suspect.
With error 81on trying to see whether server_name has AD.
Your server still refers to the .18 which is presumably the 2003 server.
Was the cause for the crash determined, I.e. Failed component that can be replaced to fix the system?
Try on the 2016 server, run netdom query roles
Is it pointing to this server for all five roles including schema, infrastructure master?
On boot did you get an error that a service failed to start?
Use DNS admin, navigate through _msdcs
DC
_ldap
_tcp
At each point see whether thus server is listed as responsible for the domain.
The dcdiag fails to locate ..the SRV records I suspect.
With error 81on trying to see whether server_name has AD.
Your server still refers to the .18 which is presumably the 2003 server.
Was the cause for the crash determined, I.e. Failed component that can be replaced to fix the system?
Try on the 2016 server, run netdom query roles
Is it pointing to this server for all five roles including schema, infrastructure master?
I still think this might be useful:
Run net share on the 2016 DC and determine whether the SYSVOL and NETLOGON shares are listed in the output. (You can post the output here if you want, but you don't have to.)
Run net share on the 2016 DC and determine whether the SYSVOL and NETLOGON shares are listed in the output. (You can post the output here if you want, but you don't have to.)
@OP:
We don't have any way of identifying your issue unless you post requested commands output here
We don't have any way of identifying your issue unless you post requested commands output here
ASKER
disable IPv6 from network card properties
disable all unwanted NIC son server
Then check if all AD services are running
If yes, restart netlogon service and check if dcdiag /v is successful from elevated command prompt
disable all unwanted NIC son server
Then check if all AD services are running
If yes, restart netlogon service and check if dcdiag /v is successful from elevated command prompt
also I seen that WINS is configured, are you still using WINS?
If not remove checkbox from dns server properties for WINS lookup
and are Sysvol and netlogon are shared? and if all GPOs are listed in GPMCX and in actual Sysvol folder
run netdom query fsmo and check if DC lists all FSMO roles?
If not remove checkbox from dns server properties for WINS lookup
and are Sysvol and netlogon are shared? and if all GPOs are listed in GPMCX and in actual Sysvol folder
run netdom query fsmo and check if DC lists all FSMO roles?
ASKER
Thank you Mahesh. I went through and did as you suggested:
1. Disable IPv6 from network card properties
2. Disable all unwanted NIC from server
3. Checked all AD services and they are running.
4. Restarted netlogon service and checked dcdiag/v successfully.
5. I removed the checkbox for WINS
6. I verified Sysvol and netlogon are shared.
7. I ran netdom query fsmo ; it listed the 5 FSMO roles being on the server.
But, I still don't have my AD when I go to " Active Directory Users and Computers"
Thanks.
1. Disable IPv6 from network card properties
2. Disable all unwanted NIC from server
3. Checked all AD services and they are running.
4. Restarted netlogon service and checked dcdiag/v successfully.
5. I removed the checkbox for WINS
6. I verified Sysvol and netlogon are shared.
7. I ran netdom query fsmo ; it listed the 5 FSMO roles being on the server.
But, I still don't have my AD when I go to " Active Directory Users and Computers"
Thanks.
it might have a profile corruption.
try the following, open MMC in elevated. File add/remove Snap in and add the active directory users and computers and see if that changes.
Another option is to re-target the DC ..
try the following, open MMC in elevated. File add/remove Snap in and add the active directory users and computers and see if that changes.
Another option is to re-target the DC ..
Yes
U can install AD rsat on workstation and check if u can connect to aduc and other snap-in
U can install AD rsat on workstation and check if u can connect to aduc and other snap-in
ASKER
Mahesh, I don't understand what you asking me to try. Attached are some of the screenshots of errors. Thanks for all your efforts. Dell Tech Support is telling me that I will have to start over by reinstalling. It's so crazy. I rebooted the server, it took 45 minutes to login. Users can still access their folders. I downloaded my VSS backup of the system state (AD, NTDS folder) from January 3, but don't know how to restore it to the server.
Again, attached are the errors. THANKS FOR TRYING TO HELP!!!
Active-Directory-Users-Error.PNG
AD-Errors.PNG
DNS-errors.PNG
Error-from-AD.PNG
Again, attached are the errors. THANKS FOR TRYING TO HELP!!!
Active-Directory-Users-Error.PNG
AD-Errors.PNG
DNS-errors.PNG
Error-from-AD.PNG
ASKER
Hello, experts. Is there any hope for this server before I have to rebuild from scratch?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have a VSS system state backup; how do I restore it? I'ts currently restored to a folder on the server . I also tried to connect live with Mahesh but the system said he was offline.
ASKER
Mahesh, thanks for your help. Did you see the screenshots of the errors?
Did you tried repairing AD as provided link?
OR
do you have AD system state backup?
U can simply restore it
OR
do you have AD system state backup?
U can simply restore it
Before you attempt to restore systemstate, you have to know whether there is corruption and the system state would fix it versus just restoring in a situation where you are unsure of the cause.
Make sure the backup us not from a point where the other had all roles.
Or you might endup be in a worse position.
Make sure the backup us not from a point where the other had all roles.
Or you might endup be in a worse position.
ASKER
Hello Mahesh. Yes, I mentioned before that I have a VSS backup of the system state now in a folder on the server. HOW DO I RESTORE IT? Can you give me steps to restore it? Thank you.
ASKER
Arnold, thanks for your comment. How can I check for corruption of the AD. Did you look at the screenshots of all the errors?
How did you taken back up?
The same tool should be used for backup
Did you attempted to repair ad as outlined in article earlier
The same tool should be used for backup
Did you attempted to repair ad as outlined in article earlier
ASKER
Yes, I used the instruction to attempt to repair the AD; but still the same problem.
I used Mozy Pro online bakup to do VSS system state backup daily. Since nothing has changed in AD; I restored the system state from two weeks ago to a different drive location and now have it in a folder on the server but Mozy does not run in Server Repair mode to allow me to restore the VSS system state.
I used Mozy Pro online bakup to do VSS system state backup daily. Since nothing has changed in AD; I restored the system state from two weeks ago to a different drive location and now have it in a folder on the server but Mozy does not run in Server Repair mode to allow me to restore the VSS system state.
ASKER
I thank DevAdmin, Arnold and DrDave242 for their contributions and recommendation. But a BIG, BIG THANK YOU goes to Mahesh. I followed every recommendation given by Mahesh and he followed up to make sure I followed the instructions. Mahesh was truly able to resolve my DNS and Active Directory issues. Following Mahesh's instructions helped in: restoring the Bare metal backup of the system state; cleaning the corrupted ntds.dit file, cleaning the metadata, testing DNS, adding rules to the firewall, and changing DNS configuration. I am VERY grateful to see my servers up and running without having to start from scratch as suggested by Dell and Microsoft Technicians.
THANK YOU MAHESH FOR A JOB WELL DONE.
THANK YOU MAHESH FOR A JOB WELL DONE.
netdom query fsmo
If all FSMO roles are on local DC, you should be able to create users, if any FSMO is not present Seize it
Then do metadata clean-up for failed DC, also remove old DC \ DNS entry for NICs
point 2016 DC to itself own IP as preferred dns and restart netlogon service
reboot it and check if you are getting 13516 under file replication service event logs
also check if you are getting 1394 under directory service event logs
on new DC check if Sysvol and netlogon shares are present and all AD services are running (netlogon \ NTFRS \ KDC \ intersite messaging \ AD domain services \ Sam accounts manager etc)
After that check if you can create new users