  • AD replication with 3 children

    Hi,
    I'm trying to setup this environment :


    I need a two-way trust relationship so that I can log in to a child domain with an account registered in another child.

    Those 4 servers are installed on a VMware ESX environment.
    They are all talking to each other (ping & sharing OK).

    The children (Paris, Lyon, Tokyo) come from a copy of the AD DC root server. Here are the different steps I took:

    1. copy the AD DC root VM to a new VM called AD Paris
    2. dcpromo AD Paris to uninstall the domain controller
    3. put a valid name & IP address on AD Paris
    4. dcpromo again to reinstall AD Paris as a child

    And same for AD Lyon & AD Tokyo.

    Now I encounter some DNS issues - I assume - because I'm not able to replicate.

    I'm not very familiar with AD configuration, so I tried to google some information, and I found that to be able to communicate in forums, I should post some dcdiag, netdiag & repadmin logs.

    Here they are :

    on AD DC root >
    http://ct0s.free.fr/dcdiag.txt
    http://ct0s.free.fr/NetDiag.txt
    http://ct0s.free.fr/repadmin.txt

    on AD Paris >
    http://ct0s.free.fr/dcdiag_child.txt
    http://ct0s.free.fr/NetDiag_child.txt
    http://ct0s.free.fr/repadmin_child.txt

    Hope someone can help

    Thx a lot

    Charly
    Last edited by charlysquare; 1st December 2008, 19:39.

  • #2
    Re: AD replication with 3 children

    Personally I would start again.
    Create a clean Windows 2003 member server. Copy it and sysprep the copies.
    Then build the root DC with DNS. Check it is working, then create the child domains using the root DC as primary DNS for them.
    You only need to create sites if you have different subnets. If they are all on the same subnet then leave them in the same site for this example.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: AD replication with 3 children

      Hi,
      I cannot copy & sysprep anymore because I've re-activated my Windows 2003 too many times...

      So I'm obliged to use the current config..

      Next, what do you mean by "build the root DC with DNS"? I'm not familiar with DNS configuration, sorry if it's a newbie question ^^

      Thx for your answer,



      • #4
        Re: AD replication with 3 children

        I meant start from scratch with the root DC and make sure the DNS service is functioning correctly.

        Microsoft will allow you to re-activate after the limit if you can prove or at least explain why. I have done this before. Obviously you need to make sure you are legally entitled to have that many running.

        When you image a machine you take its SID over, so you have to sysprep it. My knowledge becomes a little light here, but even promoting/demoting it doesn't change this. (Advice from others welcomed!)
        cheers
        Andy



        • #5
          Re: AD replication with 3 children

          Promoting and demoting will not change the SID.
          I am even surprised you managed to promote it.
          You will have several issues as all these computers use the same SID.
          You have to change the SID with newsid.exe, or redo the installation with Sysprep.
          http://technet.microsoft.com/en-us/s.../bb897418.aspx

          I would recommend starting all over again, so that you can be sure of a clean environment. If you are unable to start all over again, it is still advised to recreate the child domains, as you will need to demote the DCs.
          Demote the DC, take it out of the domain. Run newsid.exe, reboot. Bring it back into the domain. Promote again (possibly as a new DC in a new domain, but in the existing forest).
          [Powershell]
          Start-DayDream
          Set-Location Malibu Beach
          Get-Drink
          Lay-Back
          Start-Sleep
          ....
          Wake-Up!
          Resume-Service
          Write-Warning
          [/Powershell]

          BLOG: Therealshrimp.blogspot.com



          • #6
            Re: AD replication with 3 children

            Originally posted by AndyJG247:
            When you image a machine you take its SID over so you have to sysprep it. My knowledge becomes a little light here but even promoting /demoting it doesn't change this. (Advice from others welcomed!)

            Joining a domain does change the SID. I'll be surprised if a promotion didn't do the same.



            • #7
              Re: AD replication with 3 children

              Maybe we can get charlysquare to run this
              http://technet.microsoft.com/en-us/s.../bb897417.aspx
              to see what he has?

              Isn't it SID plus RID therefore the SID will be the same but the RID could be different depending on what you are doing?

              Garen, would be interested in your feedback along with Killerbe
              Do you believe there shouldn't be an issue with how this was setup?
              cheers
              Andy



              • #8
                Re: AD replication with 3 children

                Hi, running the tool shows me different SIDs:

                SID for \\AD3:
                S-1-5-21-4236332005-2214100995-484857576

                SID for \\AD:
                S-1-5-21-1978346505-866182352-1378948524

                I'm trying to reinstall from scratch right now.



                • #9
                  Re: AD replication with 3 children

                  I don't think SIDs are an issue here unless I am missing something. When a computer is joined to the domain it queries the RID master, which issues a unique domain SID.
                  Local SIDs can cause problems if in workgroups.

                  I would however agree with cloning only the root DC and then creating fresh images for the child domains.

                  Ta
                  Last edited by L4ndy; 3rd December 2008, 10:57.
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR



                  • #10
                    Re: AD replication with 3 children

                    I've re-generated the SID with the useful 'NewSID' tool Killerbe provided.

                    The installation of the root DC was successful, as well as the installation of the child (only tested with the first child so far).

                    BUT I still encounter replication problems.

                    Here is the repadmin /showreps log :

                    Code:
                    C:\Documents and Settings\Administrator>repadmin /showreps
                    Default-First-Site-Name\AD0
                    DC Options: IS_GC
                    Site Options: (none)
                    DC object GUID: b909679b-5ee0-42f4-b4fc-e8ddfe262baf
                    DC invocationID: b909679b-5ee0-42f4-b4fc-e8ddfe262baf
                    
                    
                    Source: Default-First-Site-Name\AD1
                    ******* 2 CONSECUTIVE FAILURES since 2008-12-03 14:41:26
                    Last error: 8524 (0x214c):
                                The DSA operation is unable to proceed because of a DNS lookup failure.
                    
                    Naming Context: DC=paris,DC=security,DC=demo
                    Source: Default-First-Site-Name\AD1
                    ******* WARNING: KCC could not add this REPLICA LINK due to error.
                    
                    Naming Context: CN=Schema,CN=Configuration,DC=security,DC=demo
                    Source: Default-First-Site-Name\AD1
                    ******* WARNING: KCC could not add this REPLICA LINK due to error.
                    
                    Naming Context: CN=Configuration,DC=security,DC=demo
                    Source: Default-First-Site-Name\AD1
                    ******* WARNING: KCC could not add this REPLICA LINK due to error.
                    Next, when I try to check the properties of my child in the AD Domains and Trusts window, it shows this error message:



                    Is it normal?

                    Besides, at the installation of the root DC, I got this message:



                    What's a "delegation", and where do I have to create it? On the root DC itself?


                    Many thanks for your help all of you

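Error 8524 in the repadmin output above is a DNS lookup failure, not a fault in the replication engine: the root DC cannot resolve the records it needs to reach AD1. The PowerShell script below is an added example, not code from the thread. It parses "repadmin /showreps" output (the embedded sample is constructed from the output posted above, not a verbatim log), picks out partners that fail with 8524, works out which domain each partner hosts from the naming context it is listed under, and then resolves the records the root DC needs for that partner: the NS delegation for the child zone, the DC locator SRV record and the DC's host A record. It assumes PowerShell 3 or later with the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later); the -DnsServer and -UseSample parameters are the example's own. On Windows 2003 the same three lookups can be done with nslookup.

```powershell
# Test-ReplPartnerDns.ps1 - added example, not from the thread.
# Parses "repadmin /showreps", finds partners failing with 8524 (DNS lookup failure)
# and checks the DNS records needed to reach them. Forest name security.demo and the
# DC names come from the thread; the sample text below is constructed.
param(
    [string] $DnsServer,   # assumption: DNS server to query (e.g. the root DC's IP); empty = system resolver
    [switch] $UseSample    # parse the embedded sample instead of running repadmin
)

$sample = @'
Default-First-Site-Name\AD0
DC Options: IS_GC
DC object GUID: b909679b-5ee0-42f4-b4fc-e8ddfe262baf

Source: Default-First-Site-Name\AD1
******* 2 CONSECUTIVE FAILURES since 2008-12-03 14:41:26
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

Naming Context: DC=paris,DC=security,DC=demo
Source: Default-First-Site-Name\AD1
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=security,DC=demo
Source: Default-First-Site-Name\AD1
******* WARNING: KCC could not add this REPLICA LINK due to error.
'@

function Get-RepadminFailure {
    # One object per failing source DC: name, last error code and the DNS domain
    # derived from the first domain naming context (DC=...) it is listed under.
    param([string]$Text)
    $errors = @{}; $domains = @{}; $current = $null; $lastNc = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^Naming Context:\s+(?<nc>.+)$') { $lastNc = $Matches.nc.Trim(); continue }
        if ($line -match '^Source:\s+[^\\]+\\(?<dc>\S+)') {
            $current = $Matches.dc
            # Only a domain NC says which domain the partner hosts; CN=Configuration/Schema do not.
            if ($lastNc -and $lastNc -like 'DC=*' -and -not $domains.ContainsKey($current)) {
                $domains[$current] = (($lastNc -split ',') | ForEach-Object { $_ -replace '^DC=' }) -join '.'
            }
            $lastNc = $null
            continue
        }
        if ($current -and $line -match '^Last error:\s+(?<code>\d+)') { $errors[$current] = [int]$Matches.code }
    }
    foreach ($dc in $errors.Keys) {
        [pscustomobject]@{ DC = $dc; Error = $errors[$dc]; Domain = $domains[$dc] }
    }
}

function Test-PartnerDns {
    # Resolve the records a DC needs to locate a partner in a child domain.
    param([pscustomobject]$Failure, [string]$Server)
    $splat = @{ ErrorAction = 'Stop' }
    if ($Server) { $splat.Server = $Server }
    $fqdn = "$($Failure.DC).$($Failure.Domain)".ToLower()
    $checks = @(
        @{ Name = $Failure.Domain;                             Type = 'NS'  }   # delegation from parent zone
        @{ Name = "_ldap._tcp.dc._msdcs.$($Failure.Domain)";   Type = 'SRV' }   # DC locator record
        @{ Name = $fqdn;                                       Type = 'A'   }   # partner's host record
    )
    foreach ($c in $checks) {
        try {
            # A name that exists without the requested type returns SOA, not an error, so filter on Type.
            $r = Resolve-DnsName -Name $c.Name -Type $c.Type @splat | Where-Object { $_.Type -eq $c.Type }
            $state = if ($r) { 'OK' } else { 'MISSING (no record of that type)' }
        } catch { $state = "MISSING ($($_.Exception.Message))" }
        [pscustomobject]@{ DC = $Failure.DC; Record = "$($c.Type) $($c.Name)"; State = $state }
    }
}

$text = if ($UseSample) { $sample } else { (& repadmin.exe /showreps 2>&1) -join "`n" }
$failures = @(Get-RepadminFailure -Text $text)
if ($failures.Count -eq 0) { 'repadmin reports no failing partners.'; return }
foreach ($f in $failures | Where-Object { $_.Error -eq 8524 }) {
    if (-not $f.Domain) { "Partner $($f.DC): no domain naming context in the output, cannot derive its FQDN."; continue }
    "Partner $($f.DC) (domain $($f.Domain)) fails with 8524; checking DNS:"
    Test-PartnerDns -Failure $f -Server $DnsServer | Format-Table -AutoSize
}
```

Run it on the root DC as `.\Test-ReplPartnerDns.ps1 -DnsServer <root DC IP>`; `-UseSample` parses the embedded text instead of calling repadmin. Once a link comes up, /showreps prints the partner's DC object GUID, and `<guid>._msdcs.security.demo` must resolve as a CNAME to the partner's FQDN; that record is only registered when the partner's Netlogon can reach a DNS server holding the _msdcs zone, which is why the parent delegation and the child's forwarder to the root both matter.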


                    • #11
                      Re: AD replication with 3 children

                      Does the Paris DC have the root DC's DNS as primary?
                      cheers
                      Andy



                      • #12
                        Re: AD replication with 3 children

                        Originally posted by AndyJG247:
                        Does the Paris DC have the ROOT dcs DNS as primary?
                        Yes, paris.security.demo is configured with root as the preferred DNS server in TCP/IP properties.
                        There is no DNS server on paris.



                        • #13
                          Re: AD replication with 3 children

                          You added PARIS into the AD1 site, with root in site AD0, from what I can see.
                          Are they different subnets? Is there a site link?
                          cheers
                          Andy



                          • #14
                            Re: AD replication with 3 children

                            Actually AD0 & AD1 are computer names.

                            Before installing AD, my root's name was AD0, and the Paris computer's name was AD1.

                            1/ I promoted the AD0 computer to the new forest 'security.demo' with dcpromo
                            2/ Next I promoted the AD1 computer to the child domain 'paris.security.demo' with dcpromo

                            I didn't configure anything else. Does it create sites based on computer names? No subnets are defined.

                            (the repadmin command i pasted was launched from the root dc)
                            Last edited by charlysquare; 3rd December 2008, 17:57.



                            • #15
                              Re: AD replication with 3 children

                              A bit of RTFM is good for me.

                              I've installed DNS on the child, and configured forward & reverse zone on both root & child.

                              I'm able now to ping my child from the root.

                              Let me do this config on all children, and i'll start to test replication.

                              Code:
                              C:\Documents and Settings\Administrator>repadmin /showreps
                              Default-First-Site-Name\AD0
                              DC Options: IS_GC
                              Site Options: (none)
                              DC object GUID: b909679b-5ee0-42f4-b4fc-e8ddfe262baf
                              DC invocationID: b909679b-5ee0-42f4-b4fc-e8ddfe262baf
                              
                              ==== INBOUND NEIGHBORS ======================================
                              
                              CN=Configuration,DC=security,DC=demo
                                  Default-First-Site-Name\AD1 via RPC
                                      DC object GUID: 8f7e1742-7370-4221-9841-a2d69ef11be8
                                      Last attempt @ 2008-12-03 21:39:38 was successful.
                              
                              CN=Schema,CN=Configuration,DC=security,DC=demo
                                  Default-First-Site-Name\AD1 via RPC
                                      DC object GUID: 8f7e1742-7370-4221-9841-a2d69ef11be8
                                      Last attempt @ 2008-12-03 21:38:10 was successful.
                              
                              DC=paris,DC=security,DC=demo
                                  Default-First-Site-Name\AD1 via RPC
                                      DC object GUID: 8f7e1742-7370-4221-9841-a2d69ef11be8
                                      Last attempt @ 2008-12-03 21:39:41 was successful.
                              
                              Source: Default-First-Site-Name\AD3
                              ******* 17 CONSECUTIVE FAILURES since 2008-12-03 20:10:06
                              Last error: 8524 (0x214c):
                                          The DSA operation is unable to proceed because of a DNS lookup failure.
                              
                              Naming Context: DC=tokyo,DC=security,DC=demo
                              Source: Default-First-Site-Name\AD3
                              ******* WARNING: KCC could not add this REPLICA LINK due to error.
                              
                              Source: Default-First-Site-Name\AD2
                              ******* 15 CONSECUTIVE FAILURES since 2008-12-03 20:35:28
                              Last error: 8524 (0x214c):
                                          The DSA operation is unable to proceed because of a DNS lookup failure.
                              
                              Naming Context: DC=lyon,DC=security,DC=demo
                              Source: Default-First-Site-Name\AD2
                              ******* WARNING: KCC could not add this REPLICA LINK due to error.
                              
                              Naming Context: CN=Schema,CN=Configuration,DC=security,DC=demo
                              Source: Default-First-Site-Name\AD2
                              ******* WARNING: KCC could not add this REPLICA LINK due to error.
                              
                              Naming Context: CN=Configuration,DC=security,DC=demo
                              Source: Default-First-Site-Name\AD2
                              ******* WARNING: KCC could not add this REPLICA LINK due to error.
                              I'll keep you informed of my 'learning' ;=)

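Post #15 reaches the layout that makes the Paris link replicate: DNS on both the root and the child, each side able to resolve the other. The script below is an added example, not from the thread, of building that layout for all three children from the root DC with the DnsServer module (Windows Server 2012 or later, or RSAT). For each child it creates the delegation in security.demo (NS record plus glue A record), points the child's DNS server forwarder back at the root so that _msdcs.security.demo and the parent zone resolve from the child, sets the child DC's own resolver order, restarts Netlogon so the DC records are re-registered, and then checks from the root that the NS and DC locator SRV records exist. The Windows 2003 dnscmd equivalents the original poster would have typed are given in comments. The IP addresses are assumptions; the pairing AD1=paris, AD2=lyon, AD3=tokyo follows the naming contexts in the repadmin output above.

```powershell
# Set-ChildZoneDelegation.ps1 - added example, not from the thread.
# Run on the forest root DC (AD0) as a domain admin; needs the DnsServer module.
# Forest and child names follow the thread; the IP addresses are assumptions.
$ForestRoot = 'security.demo'
$RootDns    = '192.0.2.10'   # assumption: AD0's address
$children   = @(
    [pscustomobject]@{ Zone = 'paris'; Dc = 'AD1'; Ip = '192.0.2.11' }   # assumed IPs
    [pscustomobject]@{ Zone = 'lyon';  Dc = 'AD2'; Ip = '192.0.2.12' }
    [pscustomobject]@{ Zone = 'tokyo'; Dc = 'AD3'; Ip = '192.0.2.13' }
)

foreach ($c in $children) {
    $childZone = "$($c.Zone).$ForestRoot"
    $nsFqdn    = "$($c.Dc).$childZone".ToLower()

    # 1. Delegation in the parent zone: NS record for "paris" under security.demo plus a
    #    glue A record for the child's DNS server. Windows 2003 equivalent:
    #      dnscmd AD0 /RecordAdd security.demo paris NS ad1.paris.security.demo.
    #      dnscmd AD0 /RecordAdd security.demo ad1.paris A 192.0.2.11
    $existing = Get-DnsServerZoneDelegation -Name $ForestRoot -ChildZoneName $c.Zone -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerZoneDelegation -Name $ForestRoot -ChildZoneName $c.Zone -NameServer $nsFqdn -IPAddress $c.Ip
    }

    # 2. The child's DNS server is authoritative only for its own zone; everything else
    #    (the parent zone and _msdcs.security.demo, where every DC's GUID CNAME lives)
    #    must be forwarded to the root. Windows 2003: dnscmd AD1 /ResetForwarders 192.0.2.10
    Set-DnsServerForwarder -ComputerName $c.Dc -IPAddress $RootDns

    # 3. The child DC's own resolver: itself first (it hosts the child zone), the root second.
    #    Windows 2003: TCP/IP properties, preferred = own IP, alternate = root IP.
    Invoke-Command -ComputerName $c.Dc -ArgumentList $c.Ip, $RootDns -ScriptBlock {
        param($self, $root)
        Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
            Set-DnsClientServerAddress -ServerAddresses @($self, $root)
    }
}

# 4. Re-register each child DC's SRV records, then verify from the root's DNS that the
#    delegation and DC locator records resolve. Afterwards: repadmin /kcc ; repadmin /showreps
foreach ($c in $children) {
    Invoke-Command -ComputerName $c.Dc -ScriptBlock { Restart-Service Netlogon }   # Netlogon registers the SRV records
    $childZone = "$($c.Zone).$ForestRoot"
    foreach ($q in @(@{ N = $childZone; T = 'NS' }, @{ N = "_ldap._tcp.dc._msdcs.$childZone"; T = 'SRV' })) {
        $ok = Resolve-DnsName -Name $q.N -Type $q.T -Server $RootDns -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq $q.T }
        '{0,-4} {1,-45} {2}' -f $q.T, $q.N, $(if ($ok) { 'OK' } else { 'MISSING' })
    }
}
```

Delegation is the piece the root DC's installer warned about: without the NS record in security.demo, a query from the root for anything under paris.security.demo gets NXDOMAIN from the root's own zone, which is exactly the "DNS lookup failure" repadmin reports as 8524. The forwarder on the child is the matching half; a child DC whose preferred DNS server is the root alone (as in post #12) cannot host its own zone's records, and one whose DNS server forwards nowhere cannot find the root's _msdcs records.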