Active Directory woes... please help!

[spectdev]

Well, I have just restored my PDC and BDC from North Ghost disk backups made late last year (so more than 6 months ago).

Now, the DCs won't replicate.

repadmin /options [PDC_Host_Name]
Current DC Options: IS_GC

repadmin /options [BDC_Host_Name]
Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

When I run repadmin /options [BDC_Host_Name] -DISABLE_OUTBOUND_REPL -DISABLE_INBOUND_REPL, replication fails and the BDC goes back to being IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL.

I tried removing the BDC, but that fails because the DCs cannot replicate.
Talk about an impass!

What can I do to fix this?

Thanks.

[Amadeus]

It was bit surprising and confusing as well what makes you restore Two DCs at the same time. Anyways, I can suggest you to better run dcdiag /v and netdiag /v. This will analyze all problems and fix it automatically.

If you face any problem during this process or need any more help, reply back with the results.

[Mr Frances]

Most probably the cause of the problem is USN rollback. As per my experience your netlogon service is disable and hence replication is not working. Apart from this lingering objects are most likely on either DC because the "backup" is too old. So as a troubleshooting you should never restore or backup your DCs using images. Simply force demote the "BDC" using DCPROMO /FORCEREMOVAL Cleanup the AD metadata of the "BDC" on the PDC repromote the BDC back to a DC again.

[spectdev]

I was having issues with the BDC that I did not take care of until it became too late.
The original problem was: "...KDC certificate was once valid, but now is invalid..."

Am I going to lose all my DNS, DHCP, WINS, DFS, and others load balancing configurations once I force demote the BDC?

Is it best for me to create a new BDC from scratch or will it be ok to re-promote the BDC?

I certainly wish I had known not to rely on the backups made by Norton Ghost for DCs.

Anyways, this is the output of dcdiag /v:

Code:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine srv1, is a DC. 
   * Connecting to directory service on server srv1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SRV1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SRV1 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SRV1
      Starting test: Replications
         * Replications Check
         [Replications Check,SRV1] A recent replication attempt failed:
            From SRV1B to SRV1
            Naming Context: DC=ForestDnsZones,DC=Tchegbe,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2008-06-15 23:46:17.
            The last success occurred at 2007-07-04 23:02:47.
            25 failures have occurred since the last success.
         [SRV1B] DsBindWithSpnEx() failed with error 1753,
         There are no more endpoints available from the endpoint mapper..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 1524 (DcDiag)         
            System Time is: 6/16/2008 4:53:23:937
            Generating component is 2 (RPC runtime)
            Status is 1753: There are no more endpoints available from the endpoint mapper.
            Detection location is 501
            NumberOfParameters is 4
            Unicode string: ncacn_ip_tcp
            Unicode string: 3583f317-0caa-4426-9428-b4f2ca743341._msdcs.Tchegbe.com
            Long val: -481213899
            Pointer val: 629352
         [Replications Check,SRV1] A recent replication attempt failed:
            From SRV1B to SRV1
            Naming Context: DC=DomainDnsZones,DC=Tchegbe,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2008-06-15 23:46:17.
            The last success occurred at 2007-07-04 23:02:50.
            31 failures have occurred since the last success.
         [Replications Check,SRV1] A recent replication attempt failed:
            From SRV1B to SRV1
            Naming Context: CN=Schema,CN=Configuration,DC=Tchegbe,DC=com
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2008-06-15 23:46:17.
            The last success occurred at 2007-07-04 22:53:36.
            26 failures have occurred since the last success.
            The directory on SRV1B is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         [Replications Check,SRV1] A recent replication attempt failed:
            From SRV1B to SRV1
            Naming Context: CN=Configuration,DC=Tchegbe,DC=com
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2008-06-15 23:46:17.
            The last success occurred at 2007-07-04 22:57:41.
            63 failures have occurred since the last success.
            The directory on SRV1B is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.

Ok, guys.
I have got the two DCs to replicate by forcing replication.

However, I still have the issue that all of my domain computers are failing to authenticate with the DCs.

This is not really a big problem. However, the BDC is not able to properly authenticate with the PDC.
Since, I cannot demote the BDC or remove it from the domain and then re-add it, I am stuck.

Any tip on how to get the BDC account to re-validate on the PDC?
Basically, I am getting errors of this type:

Code:

Pre-authentication failed:
 	User Name:	SRV1B$
 	User ID:		TCHEGBE\SRV1B$
 	Service Name:	krbtgt/TCHEGBE.COM
 	Pre-Authentication Type:	0x2
 	Failure Code:	0x18
 	Client Address:	127.0.0.1


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

FYI, I fixed my issue by forcing replication on the DCs.

First, I restored both the PDC and BDC from the Ghost images.
Second, I set the PDC to allow replication with partners in inconsistent state and disabled strict replication.

I let a few replications take place, then I did the same on the BDC.
Also, I had to remove the BDC certificate as it had become invalid.
Removing it forced it to go get a new one.

All of the domain computers had to be removed and then re-added to the domain.

I think the order (PDC first then BDC) was important as it looked like the BDC had newer info than the PDC.

[NikTheGreek]

I did encounter similar problems few week ago, here is the way I solved it

1- restored my PDC from ghost, not connected to the network
2- make a system state backup
3- boot in active directory restore mode
4- restored the system stae previously backep up in step 2
5- reboot connected to the network.

And it worked OK

I checked with dcdiag, repadmin and replmon

I tried it several times