AD Meltdown
  • AD Meltdown

    Bit of a mess here.

    Some background info:

    Very small network - about ten computers, ten users.

    Old server was Server2003 named "SERVER" (I know, not very original.) SERVER ran fine for five years but recently had a drive failure.

    We decided to replace it with a new Server2008R2 Foundation machine, named "SERVER2011" (I know, a little confusing, I decided to use the year installed in the server name.) My plan was to add the new server to the network, move everything, then turn down the old server.

    Now the short version of the story, hopefully I am not leaving out any important details.

    I installed SERVER2011; I migrated the shares using the file server migration tool. I set up AD and did some other tasks - moved a couple apps from the old server to the new server, and in that process, installed SQL server and FirebirdSQL server. I scheduled backups and made sure they were running. Everything was working fine with two servers, for a couple days.

    I ran dcpromo to demote the old SERVER and ran into some trouble. So, I transferred the roles etc. to the new SERVER2011 - I thought this would be safer. I checked everything on SERVER2011 and it looked right. I ran dcpromo again to try to demote the old SERVER. Again, it complained, so I ran
    dcpromo /forceremoval. In hindsight this was probably a BAD MOVE but it is done. I turned off old SERVER.

    AD is a mess on the new SERVER2011. I went through DNS and removed a number of references to SERVER. This corrected some issues but I still can't get through DCDIAG.

    SYSVOL is missing. I have re-created SYSVOL on Server2003 machines on other networks using the Burflags command but evidently Server2008 is different.

    I have run DCDIAG /fix but to no avail.

    I have not run netdiag /fix as evidently netdiag is gone from Server2008.

    So, can anyone help?

  • #2
    Re: AD Meltdown

    dcdiag results part 1:

    Code:
    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = server2011
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\SERVER2011
          Starting test: Connectivity
             ......................... SERVER2011 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\SERVER2011
          Starting test: Advertising
             Fatal Error:DsGetDcName (SERVER2011) call failed, error 1355
             The Locator could not find the server.
             ......................... SERVER2011 failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... SERVER2011 passed test FrsEvent
          Starting test: DFSREvent
             ......................... SERVER2011 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... SERVER2011 passed test SysVolCheck
          Starting test: KccEvent
             ......................... SERVER2011 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... SERVER2011 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... SERVER2011 passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=MyDomainName,DC=local
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=MyDomainName,DC=local
             ......................... SERVER2011 failed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\SERVER2011\netlogon)
             [SERVER2011] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
             ......................... SERVER2011 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... SERVER2011 passed test ObjectsReplicated
          Starting test: Replications
             ......................... SERVER2011 passed test Replications
          Starting test: RidManager
             ......................... SERVER2011 passed test RidManager
          Starting test: Services
             ......................... SERVER2011 passed test Services
    Last edited by admagik; 17th March 2011, 15:09.



    • #3
      Re: AD Meltdown

      (dcdiag results continued...)

      Code:
      Starting test: SystemLog
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   08:48:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   08:53:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   08:58:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:03:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:08:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0xC00038D6
                  Time Generated: 03/17/2011   09:12:45
                  Event String:
                  The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:13:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:18:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:23:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:28:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:33:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:38:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               An error event occurred.  EventID: 0x0000041E
                  Time Generated: 03/17/2011   09:43:50
                  Event String:
                  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
               ......................... SERVER2011 failed test SystemLog
            Starting test: VerifyReferences
               ......................... SERVER2011 passed test VerifyReferences

         Running partition tests on : ForestDnsZones
            Starting test: CheckSDRefDom
               ......................... ForestDnsZones passed test CheckSDRefDom
            Starting test: CrossRefValidation
               ......................... ForestDnsZones passed test CrossRefValidation

         Running partition tests on : DomainDnsZones
            Starting test: CheckSDRefDom
               ......................... DomainDnsZones passed test CheckSDRefDom
            Starting test: CrossRefValidation
               ......................... DomainDnsZones passed test CrossRefValidation

         Running partition tests on : Schema
            Starting test: CheckSDRefDom
               ......................... Schema passed test CheckSDRefDom
            Starting test: CrossRefValidation
               ......................... Schema passed test CrossRefValidation

         Running partition tests on : Configuration
            Starting test: CheckSDRefDom
               ......................... Configuration passed test CheckSDRefDom
            Starting test: CrossRefValidation
               ......................... Configuration passed test CrossRefValidation

         Running partition tests on : MyDomainName
            Starting test: CheckSDRefDom
               ......................... MyDomainName passed test CheckSDRefDom
            Starting test: CrossRefValidation
               ......................... MyDomainName passed test CrossRefValidation

         Running enterprise tests on : MyDomainName.local
            Starting test: LocatorCheck
               Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
               A Global Catalog Server could not be located - All GC's are down.
               Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
               A Time Server could not be located.
               The server holding the PDC role is down.
               Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
               A Good Time Server could not be located.
               Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
               A KDC could not be located - All the KDCs are down.
               ......................... MyDomainName.local failed test LocatorCheck
            Starting test: Intersite
               ......................... MyDomainName.local passed test Intersite
      Last edited by admagik; 17th March 2011, 15:10.



      • #4
        Re: AD Meltdown

        I have briefly reviewed the below.

        First of all, have you a system state backup of the old server or the new?

        Furthermore, Windows 2008 R2 generally enforces NTLM v2 only authentication.

        Also, as you forcibly removed the old DC, you will need to remove its metadata using NTDSUTIL, removing any DNS entries left behind and then the relevant server object in Sites and Services.

        Have you checked the DNS server settings and ensured that nothing is pointing at the old server?
        Last edited by Virtual; 17th March 2011, 15:18.

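        Added example (my own PowerShell, not Virtual's or the thread's commands): a dry run of the three cleanup steps just listed, using the names from this thread. It assumes the forcibly removed DC was SERVER in Default-First-Site-Name, the domain is MyDomainName.local, and a placeholder address of 192.168.1.10 for the old server (the thread never states it). It runs on the surviving DC, uses LDAP via [ADSI] and the MicrosoftDNS WMI provider so it does not depend on the ADWS-based AD module, and deletes nothing unless -Apply is given.

```powershell
# Added example, not from the thread. Run on the surviving 2008 R2 DC as a Domain Admin.
# Hypothetical values: old DC name, site and domain from the thread; the IP is a placeholder.
param(
    [string]$OldDc  = 'SERVER',
    [string]$OldIp  = '192.168.1.10',      # placeholder: the thread never gives the address
    [string]$Domain = 'MyDomainName.local',
    [string]$Site   = 'Default-First-Site-Name',
    [switch]$Apply                          # without -Apply the script only reports
)

$domainDn = 'DC=' + (($Domain -split '\.') -join ',DC=')
$serverDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$domainDn"
$dcAcctDn = "CN=$OldDc,OU=Domain Controllers,$domainDn"

# 1. Metadata: is the server object (what Sites and Services shows) or the old DC's
#    computer account still in the directory? [ADSI] talks LDAP directly.
foreach ($dn in $serverDn, $dcAcctDn) {
    $present = [ADSI]::Exists("LDAP://$dn")
    Write-Host ("{0,-8} {1}" -f ($(if ($present) {'PRESENT'} else {'absent'}), $dn))
}
if ($Apply -and [ADSI]::Exists("LDAP://$serverDn")) {
    # ntdsutil on 2008/2008 R2 accepts the server DN on the command line; this removes
    # the NTDS Settings object and the server object. Re-run without -Apply afterwards.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
}

# 2. DNS: every record in the domain zone (and the _msdcs zone, if it is delegated) that
#    still names the old DC or carries its address: A, NS, SRV and the _msdcs GUID CNAME.
$stale = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_ResourceRecord |
    Where-Object {
        $_.ContainerName -like "*$Domain" -and
        ($_.TextRepresentation -match ('(?i)\b' + [regex]::Escape($OldDc) + '\b') -or
         $_.RecordData -eq $OldIp)
    }
foreach ($rr in $stale) {
    if ($rr.__CLASS -eq 'MicrosoftDNS_SOAType') {
        # Never delete the SOA; if its primary server is the old DC, re-point it by hand.
        Write-Warning ("SOA still names the old DC, fix by hand: " + $rr.TextRepresentation)
        continue
    }
    Write-Host ("stale: " + $rr.TextRepresentation)
    if ($Apply) { $rr.Delete() }
}
if (-not $Apply) { Write-Host "Dry run only; re-run with -Apply to delete the records listed above." }
```

        The word-boundary match on the old name is deliberate: `\bSERVER\b` matches `server.MyDomainName.local.` but not `SERVER2011`, so the surviving DC's records are never selected. Run the dry run first and read the list; the SOA and any NS record for the new DC must survive.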


        • #5
          Re: AD Meltdown

          Thank you for your response.

          I am familiar with this:

          "How to remove data in Active Directory after an unsuccessful domain controller demotion"
          Microsoft kb216498

          (Does that article apply to Server2008?) In ntdsutil, the old server is already gone. Maybe the dcpromo /forceremoval did that much.

          I definitely have system state backups of the new server on an external hard drive.

          The system state backups of the old server would be available from tapes. The tapes were not 100% reliable (one of our motives to replace the server.) Not sure how recent the most recent system state backup will be. I will begin a restore anyhow.

          I have gone through the DNS and removed everything that was pointing to the old DNS server.

          Neither AD Sites and Services nor AD Users and Computers are accessible in the Server2008 Server Manager GUI.



          • #6
            Re: AD Meltdown

            System state backup from old server is not available; a restore of the NTDS folder may be possible but so much trouble I don't think I'd do it.

            Worst case I guess I'm looking at

            uninstall / re-install AD
            re-creating users and groups
            re-creating file shares
            join each workstation to new domain
            on each workstation, assign old profile to new domain user

            Then of course patch up the inevitable gaps and oversights for a week.

            Ugh.



            • #7
              Re: AD Meltdown

              Just a little more info - from the event viewer - no surprise given the dcdiag above...

              Code:
              Log Name:      System
              Source:        Microsoft-Windows-DfsSvc
              Date:          3/17/2011 11:12:45 AM
              Event ID:      14550
              Task Category: None
              Level:         Error
              Keywords:      Classic
              User:          N/A
              Computer:      server2011.MyDomainName.local
              Description:
              The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
              Event Xml:
              <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
                <System>
                  <Provider Name="Microsoft-Windows-DfsSvc" Guid="{7DA4FE0E-FD42-4708-9AA5-89B77A224885}" EventSourceName="DfsSvc" />
                  <EventID Qualifiers="49152">14550</EventID>
                  <Version>0</Version>
                  <Level>2</Level>
                  <Task>0</Task>
                  <Opcode>0</Opcode>
                  <Keywords>0x80000000000000</Keywords>
                  <TimeCreated SystemTime="2011-03-17T15:12:45.000000000Z" />
                  <EventRecordID>3587</EventRecordID>
                  <Correlation />
                  <Execution ProcessID="0" ThreadID="0" />
                  <Channel>System</Channel>
                  <Computer>server2011.MyDomainName.local</Computer>
                  <Security />
                </System>
                <EventData Name="DfsNoXForestInfo">
                  <Binary>4B050000</Binary>
                </EventData>
              </Event>



              • #8
                Re: AD Meltdown

                Not to spam up the board, but an update ...

                Just did a system state restore from yesterday morning. Old stuff is all there in AD, but I am still not passing DCDIAG. Ack.



                • #9
                  Re: AD Meltdown

                  All right at this point I am pretty much talking to myself LOL But if anyone's still reading, I'll update.

                  At this point, with the system state restore, I have the new SERVER2011 up and working, authenticating users etc. The old server is gone; if rebooted, it just comes up as a member server.

                  So I can try to seize FSMO roles etc. on the new server and see if I can get AD squared away in a single-server environment;

                  Or, I can restore the old server from tape, and try the process of demoting that server, with dcpromo or by hand, which is how this whole mess started and is not very appealing.

                  So ok, any thoughts would be welcome, else I'll just keep talking to myself, recording my experiences for posterity.



                  • #10
                    Re: AD Meltdown

                    If the old server is coming up as a member, why do you need to seize FSMO roles? Can you not just transfer them?

                    Please do keep the posts coming, I for one find it interesting!



                    • #11
                      Re: AD Meltdown

                      Thank you Conrad I will.

                      I misspoke, the old server was coming up as a member of WORKGROUP, AD and domain all gone after the dcpromo /forceremoval. To hedge my bets, I decided to disconnect the network cable from the old SERVER and started a restore of the C: partition image from tape. Just so if I need it later, I don't have to wait. No harm in doing this at this point.

                      I went through ntdsutil on the new SERVER2011 to seize the five roles.
                      http://support.microsoft.com/kb/255504

                      Then, I went through and deleted the metadata by hand in the GUI tools.
                      http://technet.microsoft.com/en-us/l...bkmk_graphical

                      Then I went through DNS and deleted by hand all references to the old SERVER or its address, including removing it as a name server.

                      Then, I ran dcdiag /fix
                      Skimmed the results, set ntp time servers http://support.microsoft.com/kb/262680

                      And, at the risk of jinxing myself, things seem hopeful. dcdiag is giving me a bunch of the error below but I may be close to out of the woods.

                      Code:
                               An error event occurred.  EventID: 0x0000164A
                                  Time Generated: 03/18/2011   08:55:49
                                  Event String:
                                  The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\MyDomainName.local\SCRIPTS.  The following error occurred:
                               An error event occurred.  EventID: 0x00000422
                                  Time Generated: 03/18/2011   08:57:22
                                  Event String:
                                  The processing of Group Policy failed. Windows attempted to read the file \\MyDomainName.local\SysVol\MyDomainName.local\Policies\{740FA83A-D898-4FDE-A476-45E5D7CC3201}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

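                      Added example (mine, not the poster's procedure): a read-only PowerShell check of a lone DC after the seizure, metadata cleanup and DNS cleanup described above, using only tools that ship with Server 2008 R2 (netdom, nltest, nslookup, WMI and the registry). It assumes the DC is SERVER2011 in MyDomainName.local and that SYSVOL lives under the default %SystemRoot%\SYSVOL path the poster's event log shows. Each check corresponds to one of the dcdiag failures in the thread: FSMO holders (KnowsOfRoleHolders), the DNS client and locator SRV record (Advertising, LocatorCheck, error 1355), the shares and SysvolReady value (NetLogons, event 5706) and the gpt.ini files Group Policy reads (event 1058). One caveat that is not in the thread: the NCSecDesc error about "Replicating Directory Changes In Filtered Set" is reported when adprep /rodcprep has never been run, and it only matters if a read-only DC is going to be deployed.

```powershell
# Added example, not from the thread. Read-only health check for a single 2008 R2 DC.
# Hypothetical values taken from the thread: DC name and domain.
param(
    [string]$Dc     = 'SERVER2011',
    [string]$Domain = 'MyDomainName.local'
)
$ok = $true
function Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:ok = $script:ok -and $Pass
    Write-Host ("[{0}] {1}: {2}" -f ($(if ($Pass) {'PASS'} else {'FAIL'}), $Name, $Detail))
}

# 1. All five FSMO roles should name this DC once the seizure is done.
$fsmo = (& netdom.exe query fsmo) -join "`n"
Check 'FSMO roles on this DC' (@(($fsmo -split "`n") -match "\b$Dc\.").Count -eq 5) $fsmo

# 2. The DC's own DNS client must point at itself, never at the removed DC.
$cfg = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
$dnsServers = @($cfg | ForEach-Object { $_.DNSServerSearchOrder })
$myIps      = @($cfg | ForEach-Object { $_.IPAddress })
$selfDns = @($dnsServers | Where-Object { $myIps -contains $_ -or $_ -eq '127.0.0.1' })
Check 'DNS client points at this DC' ($selfDns.Count -gt 0) ($dnsServers -join ', ')

# 3. Locator: the SRV record clients use to find a DC, then the GC/KDC/PDC lookups that
#    dcdiag's Advertising and LocatorCheck tests perform (error 1355 = none found).
$srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
Check 'SRV _ldap._tcp.dc._msdcs' (($srv -join ' ') -match "svr hostname\s*=\s*$Dc") ($srv -join ' ')
foreach ($flag in 'GC','KDC','PDC') {
    $out = (& nltest.exe "/dsgetdc:$Domain" "/$flag" '/force' 2>&1) -join ' '
    Check "nltest /dsgetdc /$flag" ($out -match 'The command completed successfully') $out
}

# 4. SYSVOL and NETLOGON must be shared; Netlogon only publishes them once SysvolReady is 1.
$shares = @(Get-WmiObject Win32_Share | Where-Object { 'SYSVOL','NETLOGON' -contains $_.Name })
Check 'SYSVOL and NETLOGON shared' ($shares.Count -eq 2) (($shares | ForEach-Object { $_.Name + '=' + $_.Path }) -join '; ')
$nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolReady = (Get-ItemProperty $nlParams -ErrorAction SilentlyContinue).SysvolReady
Check 'SysvolReady = 1' ($sysvolReady -eq 1) "value is '$sysvolReady'"

# 5. Group Policy reads <GUID>\gpt.ini from SYSVOL; the two default GPOs must be there
#    or clients log event 1058 (0x422 in the poster's dcdiag output).
$pol = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain\Policies"
$gpoDirs = @(Get-ChildItem $pol -ErrorAction SilentlyContinue |
             Where-Object { Test-Path (Join-Path $_.FullName 'gpt.ini') })
Check 'GPO folders with gpt.ini' ($gpoDirs.Count -ge 2) ("$($gpoDirs.Count) found in $pol")

# Not a failure of this DC: dcdiag's NCSecDesc complaint about "Replicating Directory
# Changes In Filtered Set" means adprep /rodcprep was never run. Harmless without RODCs.
Write-Host ("Overall: " + $(if ($ok) {'healthy'} else {'problems found, see the FAIL lines'}))
```

                      Every check is read-only, so it is safe to run repeatedly while working through the fixes; the order matters, since a DC whose DNS client still points at the dead server fails every later test for that reason alone.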


                      • #12
                        Re: AD Meltdown

                        Also this:

                        Code:
                              Starting test: NCSecDesc
                                 Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                                    Replicating Directory Changes In Filtered Set
                                 access rights for the naming context:
                                 DC=ForestDnsZones,DC=MyDomainName,DC=local
                                 Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                                    Replicating Directory Changes In Filtered Set
                                 access rights for the naming context:
                                 DC=DomainDnsZones,DC=MyDomainName,DC=local
                                 ......................... SERVER2011 failed test NCSecDesc
                              Starting test: NetLogons
                                 Unable to connect to the NETLOGON share! (\\SERVER2011\netlogon)
                                 [SERVER2011] An net use or LsaPolicy operation failed with error 67,
                                 The network name cannot be found..
                                 ......................... SERVER2011 failed test NetLogons



                        • #13
                          Re: AD Meltdown

                          Looks like it still has DNS issues? What's the feasibility of dumping DNS as it stands and letting it all rebuild?



                          • #14
                            Re: AD Meltdown

                            I tried this - the title fits the bill but it didn't seem to do anything:

                            The NETLOGON share is not present after you install Active Directory Domain Services on a new full or read-only Windows Server 2008-based domain controller
                            http://support.microsoft.com/kb/947022

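                            Added example (my own PowerShell, not the KB article's text): the registry side of getting SYSVOL and NETLOGON shared again on the only DC left, for the thread's names. A domain that began on Server 2003 keeps FRS for SYSVOL until dfsrmig is run, so it first confirms from the directory whether SYSVOL is still on FRS (then the Burflags D4 authoritative restart still applies on 2008 R2) or already on DFSR (then it stops), then performs the D4 restart and toggles Netlogon's SysvolReady value, which controls whether Netlogon creates the two shares. It assumes the domain is MyDomainName.local and Windows is at $env:SystemRoot, and it only checks unless -Apply is given. D4 re-initialises replication from the local folder; it does not recreate policy files that are missing from disk.

```powershell
# Added example, not from the thread or the KB. Run elevated on the sole remaining DC.
# Hypothetical: domain name from the thread; Windows assumed at $env:SystemRoot.
param(
    [string]$Domain = 'MyDomainName.local',
    [switch]$Apply          # without -Apply only the checks run
)
$domainDn = 'DC=' + (($Domain -split '\.') -join ',DC=')
$frsDn  = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
$dfsrDn = "CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
$frs  = [ADSI]::Exists("LDAP://$frsDn")
$dfsr = [ADSI]::Exists("LDAP://$dfsrDn")
Write-Host "FRS replica set object: $frs   DFSR SYSVOL object: $dfsr"
if ($dfsr -and -not $frs) {
    throw 'SYSVOL is replicated by DFSR: Burflags does not apply, use the DFSR authoritative restore procedure.'
}
if ($dfsr -and $frs) {
    Write-Warning 'Both FRS and DFSR objects exist (dfsrmig in progress); check dfsrmig /getglobalstate before continuing.'
}

# What is actually on disk? Netlogon shares SYSVOL and NETLOGON (= scripts) from here.
$sysvol = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain"
foreach ($sub in 'Policies','scripts') {
    $p = Join-Path $sysvol $sub
    $n = @(Get-ChildItem $p -Recurse -ErrorAction SilentlyContinue).Count
    Write-Host ("{0,-60} {1}" -f $p, $(if (Test-Path $p) {"$n items"} else {'MISSING'}))
}
if (-not $Apply) { Write-Host 'Checks only; add -Apply to do the D4 restart and SysvolReady toggle.'; return }

# 1. Authoritative FRS restart: BurFlags = 0xD4 under "Backup/Restore\Process at Startup".
#    That key name contains a '/', which the PowerShell registry provider treats as a path
#    separator, so the .NET registry API is used directly.
Stop-Service NtFrs -Force
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup', $true)
$key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()
Start-Service NtFrs

# 2. Tell Netlogon the volume is ready so it creates the SYSVOL and NETLOGON shares
#    (toggle 0 -> 1; Netlogon reacts to the change). Event 5706 (0x164A) in the poster's
#    log is Netlogon failing at exactly this step.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty $nl -Name SysvolReady -Value 0 -Type DWord
Set-ItemProperty $nl -Name SysvolReady -Value 1 -Type DWord
Start-Sleep -Seconds 5
Get-WmiObject Win32_Share | Where-Object { 'SYSVOL','NETLOGON' -contains $_.Name } |
    ForEach-Object { Write-Host ("shared: {0} -> {1}" -f $_.Name, $_.Path) }
# If Policies is still empty afterwards, dcgpofix /target:both recreates the two default
# GPOs; every other GPO has to come back from a backup of the old SYSVOL.
```

                            The FRS-versus-DFSR check is the part worth keeping even if the rest is done by hand: on a 2008 R2 DC both services are installed, and setting Burflags on a DFSR-replicated SYSVOL does nothing useful.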


                            • #15
                              Re: AD Meltdown

                              I did

                              ipconfig /flushdns
                              ipconfig /registerdns

                              before ...

                              If I do dcdiag /test:dns it passes without a hitch; what makes you think DNS?

