Member
3-4 months ago I upgraded our domain controller from nt 4 to 2003 by doing a fresh install. Because I was not having a backup domain controller I decided to promote the backup server, Windows 2000 server to a BDC. All the things were working properly, but recently I checked replication stopped working and machines that were authenticating agaisnt the backup domain controller were using an older logon script. Can anyone tell me how to fix this?
Member
You should demote and try running some diagnostics against the current DC. Try to run Diagnostics against your Active Directory domain. Incase you dont have the tools installed, then install them from your server install disk. After that run dcdiag and netdiag in verbose mode.
Member
Have you ever lost a dc in this network and just rebuild it without cleaning up the AD metadata? I was thinking if you can demote and go through a cleanup process then it would be good? Also, if there is any old data residing in your directory services it might wont know how to talk to your DC partners.
http://support.microsoft.com/Default.aspx?id=216498
Another way you need to have to rebuild your sysvol. You might have to stop the FRS service, clean up sysvol and restore, change a registry setting and then restart the service.
http://support.microsoft.com/kb/315457/
Member
I have a good one for you. Please keep in mind I am new at this so please assume I just bought an AD for Dummies book (not really)
I work at a Public Library and this place is a mess. In short we had a Mail server crash, I was able to recover it and I setup a software RAID for some protection. At the time, I was unaware it was a backup DC
Not I am starting to implement Group Policies, but the are not replicating. Our mail DC is a new install Win2003 and is ok. But some clients are still authenticating to the mail server. However the NTFRS service is missing. DCPROMO fails. Posted below is the DCDIAG results
DC Diagnosis
Performing initial setup:
* Verifing that the local machine mail, is a DC.
* Connecting to directory service on server mail.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial non skippeable tests
Testing server: APL-Main\MAIL
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MAIL passed test Connectivity
Doing primary tests
Testing server: APL-Main\MAIL
Starting test: Replications
* Replications Check
......................... MAIL passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=and,DC=lib,DC=in,DC=us
* Security Permissions Check for
CN=Configuration,DC=and,DC=lib,DC=in,DC=us
* Security Permissions Check for
DC=and,DC=lib,DC=in,DC=us
......................... MAIL passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
[MAIL] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... MAIL failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\backup.and.lib.in.us, when we were trying to reach MAIL.
Server is not responding or is not considered suitable.
The DC MAIL is advertising itself as a DC and having a DS.
The DC MAIL is advertising as an LDAP server
The DC MAIL is advertising as having a writeable directory
The DC MAIL is advertising as a Key Distribution Center
The DC MAIL is advertising as a time server
......................... MAIL failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:b0d0c901-74ba-4c57-855c-2fccc4923ce2",CN="APL-ARIEL
DEL:9d5203d9-df05-4e71-9f5a-dd0e116538cf",CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us
Warning: CN="NTDS Settings
DEL:b0d0c901-74ba-4c57-855c-2fccc4923ce2",CN="APL-ARIEL
DEL:9d5203d9-df05-4e71-9f5a-dd0e116538cf",CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us is the Schema Owner, but is deleted.
Role Domain Owner = CN="NTDS Settings
DEL:b0d0c901-74ba-4c57-855c-2fccc4923ce2",CN="APL-ARIEL
DEL:9d5203d9-df05-4e71-9f5a-dd0e116538cf",CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us
Warning: CN="NTDS Settings
DEL:b0d0c901-74ba-4c57-855c-2fccc4923ce2",CN="APL-ARIEL
DEL:9d5203d9-df05-4e71-9f5a-dd0e116538cf",CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us is the Domain Owner, but is deleted.
Role PDC Owner = CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us
Role Rid Owner = CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us
Role Infrastructure Update Owner = CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us
......................... MAIL failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 5517 to 1073741823
* backup.and.lib.in.us is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4017 to 4516
* rIDNextRID: 4064
* rIDPreviousAllocationPool is 4017 to 4516
......................... MAIL passed test RidManager
Starting test: MachineAccount
Could not open pipe with [MAIL]:failed with 67: The network name cannot be found.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* SPN found :LDAP/mail.and.lib.in.us/and.lib.in.us
* SPN found :LDAP/mail.and.lib.in.us
* SPN found :LDAP/MAIL
* Missing SPN :(null)
* SPN found :LDAP/156335b5-ac26-4bd3-943a-5686a5d216bc._msdcs.and.lib.in.us
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/156335b5-ac26-4bd3-943a-5686a5d216bc/and.lib.in.us
* SPN found :HOST/mail.and.lib.in.us/and.lib.in.us
* SPN found :HOST/mail.and.lib.in.us
* SPN found :HOST/MAIL
* Missing SPN :(null)
* SPN found :GC/mail.and.lib.in.us/and.lib.in.us
......................... MAIL failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [MAIL]:failed with 67: The network name cannot be found.
......................... MAIL failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
MAIL is in domain DC=and,DC=lib,DC=in,DC=us
Checking for CN=MAIL,OU=Domain Controllers,DC=and,DC=lib,DC=in,DC=us in domain DC=and,DC=lib,DC=in,DC=us on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=MAIL,CN=Servers,CN=APL-Main,CN=Sites,CN=Configuration,DC=and,DC=lib,DC=in,DC=us in domain CN=Configuration,DC=and,DC=lib,DC=in,DC=us on 1 servers
Object is up-to-date on all servers.
......................... MAIL passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
[MAIL] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... MAIL failed test frssysvol
Starting test: kccevent
* The KCC Event log test
Failed to enumerate event log records, error The network name cannot be found.
......................... MAIL failed test kccevent
Starting test: systemlog
* The System Event log test
Failed to enumerate event log records, error The network name cannot be found.
......................... MAIL failed test systemlog
Running enterprise tests on : and.lib.in.us
Starting test: Intersite
Skipping site APL-Main, this site is outside the scope provided by the
command line arguments provided.
......................... and.lib.in.us passed test Intersite
Starting test: FsmoCheck
GC Name: \\backup.and.lib.in.us
Locator Flags: 0xe00001fd
PDC Name: \\backup.and.lib.in.us
Locator Flags: 0xe00001fd
Time Server Name: \\backup.and.lib.in.us
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\backup.and.lib.in.us
Locator Flags: 0xe00001fd
KDC Name: \\backup.and.lib.in.us
Locator Flags: 0xe00001fd
......................... and.lib.in.us passed test FsmoCheck
Please help if you can!
Tony
Member
Could you please let us know the process you followed when recovering the backup DC? Also, the NTFRS is usually responsible for file replicating the actual GPT folders that AD points to, so AD replication will work, the Sysvol if not replicated is an issue.
Member
Currently there are only two Domain controllers, BACKUP and MAIL. The recovery process on the MAIL server (which happened over two years ago) was simple. The drive failed and I was able to recover the email datastor (which was of primary concern) using Ontrack Software and ghost. In fact I was able to retrieve 99% of the data and ghost it to another drive. But now while trying to setup Group Policy the errors became apparent. If I can manually reinstall NTFRS, the the DCPROMO won't fail and I can demote it to a member server. Then we can proceed. I will post any other data you need later today.
Member
You will have to describe in more details what you have done to restore the crashed machine, especially about the DC part. That might be the reason for getting the issue I think so.
Member
I have done nothing, save the ghost recovery, toward fixing the DC. At the time I was unaware it was a DC. If there were any repairs done, they were not done by me. But I believe nothing has been done. I have run DCPROMO to demote the server, but it stops and errors because NTFRS service cannot be found. I would like to demote it and then promote it back to keep it as a DC until we replace it.
Posting Permissions
Reply With Quote
Bookmarks