Problems after DC Promo

  • Problems after DC Promo

    I have just joined a new company and they have given me this problem.

    They have 8 W2K servers with 4 running AD across one domain. They rebuilt one of the member servers and DC Promo'd it to become a disaster recovery box for the PDC. However, since this has happened, the PDC no longer browses the web, or runs any AD snap-ins apart from directly after a reboot. The PDC is not visible on any of the other AD servers either as a DC or as a Computer.

    I can ping the PDC via IP and NetBIOS name and that's it for accessibility across the domain.

    The BDC holds all the FSMO roles and it's a global catalog server, as are the other AD servers.

    DCDiag fails with numerous errors and thinks the PDC is not a domain controller, but DC Promo does.

    I get all manner of errors on the PDC when I try different things and so far this has led me to KB887431, 319504, 325465, 323542, 892426 and 328691.

    I have no access to the servers until after Christmas now as the customer is at their busiest time and we have already crashed the system twice trying to solve the problem. I do have various error logs to reference though.

    Any ideas to help me for when we do attack the problem would be helpful.

  • #2
    Re: Problems after DC Promo

    Hmm, sounds odd. Why are you calling the failing server a PDC? Even though that role doesn't really exist in AD, I assume it was the first DC in the domain. If the 'BDC' has all the FSMO roles then why not seize remaining roles and demote this problematic server and rebuild?
    Server 2000 MCP
    Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Problems after DC Promo

      Sorry, they have migrated from NT only recently, so the old terminology is hanging over. But yes, the 'PDC' was the first server in Active Directory.
      They have an IT department and we work in partnership, but they have first call on changing anything and do not need to run it past us, so they may have also done something we don't know about.

      They have had an issue with backing up, it seems, since the problem started, so the backups for the server are not 100%. And they may have overwritten the backup we took before adding the new DC. I have tried to do an 'NT Backup' of at least the system state, but this also fails.

      Our plan of action when we can get to the servers is this

      1. Reboot and try and recover Active Directory from the F8 prompt.
      or
      2. Demote and re-promote the problem server, as we know the roles and Global Catalog are held on other AD servers
      or
      Seize the roles as you suggest and see what happens.


      • #4
        Re: Problems after DC Promo

        Originally posted by John Farthing
        Sorry, they have migrated from NT only recently, so the old terminology is hanging over. But yes, the 'PDC' was the first server in Active Directory.
        They have an IT department and we work in partnership, but they have first call on changing anything and do not need to run it past us, so they may have also done something we don't know about.

        They have had an issue with backing up, it seems, since the problem started, so the backups for the server are not 100%. And they may have overwritten the backup we took before adding the new DC. I have tried to do an 'NT Backup' of at least the system state, but this also fails.

        Our plan of action when we can get to the servers is this

        1. Reboot and try and recover Active Directory from the F8 prompt.
        or
        2. Demote and re-promote the problem server, as we know the roles and Global Catalog are held on other AD servers
        or
        Seize the roles as you suggest and see what happens.
        I would seize and do number 2 (so to speak!! lol!). The backup would be pretty useless anyway as it was done before the more recent DC was promoted.
        Server 2000 MCP
        Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

        ** Remember to give credit where credit is due and leave reputation points where appropriate **


        • #5
          Re: Problems after DC Promo

          If the PDC is really broken, I would

          1. demote the PDC (if that still works, otherwise dcpromo /forceremoval)
          2. Seize all 5 roles to another DC
          3. Metadata cleanup of the old PDC
          4. promote a new server.


          • #6
            Re: Problems after DC Promo

            Thanks for your thoughts.

            I will try them out after Christmas when we have access to the servers again and report back.


            • #7
              Re: Problems after DC Promo

              Ok, I have the results of DC Diag and Net Diag on the failing AD server and another AD server.

              The failing server.....

              Domain Controller Diagnosis

              Performing initial setup:
              [marshall-filedc] LDAP connection failed with error 58,
              The specified server cannot perform the requested operation..
              ***Error: The machine, marshall-filedc could not be contacted, because of a
              bad net response. Check to make sure that this machine is a Domain
              Controller.




              Computer Name: MARSHALL-FILEDC
              DNS Host Name: marshall-filedc.Marshalls.com
              System info : Windows 2000 Server (Build 2195)
              Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
              List of installed hotfixes :


              Netcard queries test . . . . . . . : Passed



              Per interface results:

              Adapter : Local Area Connection

              Netcard queries test . . . : Passed

              Host Name. . . . . . . . . : marshall-filedc
              IP Address . . . . . . . . : 10.10.10.1
              Subnet Mask. . . . . . . . : 255.255.255.0
              Default Gateway. . . . . . : 10.10.10.5
              Primary WINS Server. . . . : 10.10.10.51
              Dns Servers. . . . . . . . : 10.10.10.1
              10.10.10.51


              AutoConfiguration results. . . . . . : Passed

              Default gateway test . . . : Passed

              NetBT name test. . . . . . : Passed

              WINS service test. . . . . : Failed
              The test failed. We were unable to query the WINS servers.


              Global results:


              Domain membership test . . . . . . : Passed


              NetBT transports test. . . . . . . : Passed
              List of NetBt transports currently configured:
              NetBT_Tcpip_{9816599E-E003-4F82-A8A4-AFB8278AA1A5}
              1 NetBt transport currently configured.


              Autonet address test . . . . . . . : Passed


              IP loopback ping test. . . . . . . : Passed


              Default gateway test . . . . . . . : Passed


              NetBT name test. . . . . . . . . . : Passed


              Winsock test . . . . . . . . . . . : Passed


              DNS test . . . . . . . . . . . . . : Passed
              PASS - All the DNS entries for DC are registered on DNS server '10.10.10.1' and other DCs also have some of the names registered.
              PASS - All the DNS entries for DC are registered on DNS server '10.10.10.51' and other DCs also have some of the names registered.


              Redir and Browser test . . . . . . : Passed
              List of NetBt transports currently bound to the Redir
              NetBT_Tcpip_{9816599E-E003-4F82-A8A4-AFB8278AA1A5}
              The redir is bound to 1 NetBt transport.

              List of NetBt transports currently bound to the browser
              NetBT_Tcpip_{9816599E-E003-4F82-A8A4-AFB8278AA1A5}
              The browser is bound to 1 NetBt transport.


              DC discovery test. . . . . . . . . : Passed


              DC list test . . . . . . . . . . . : Failed
              [WARNING] Cannot call DsBind to marshall-filedc.Marshalls.com (10.10.10.1). [ERROR_OUTOFMEMORY]


              Trust relationship test. . . . . . : Skipped


              Kerberos test. . . . . . . . . . . : Failed
              [FATAL] Kerberos does not have a ticket for MARSHALL-FILEDC$.


              LDAP test. . . . . . . . . . . . . : Passed
              [WARNING] Failed to query SPN registration on DC 'marshall-filedr.Marshalls.com'.
              [FATAL] Cannot open an LDAP session to 'marshall-filedc.Marshalls.com' at '10.10.10.1'.
              [WARNING] Failed to query SPN registration on DC 'marshall-filedc.Marshalls.com'.
              [WARNING] Failed to query SPN registration on DC 'marshall-kir.Marshalls.com'.


              Bindings test. . . . . . . . . . . : Passed


              WAN configuration test . . . . . . : Skipped
              No active remote access connections.


              Modem diagnostics test . . . . . . : Passed

              IP Security test . . . . . . . . . : Passed
              IPSec policy service is active, but no policy is assigned.


              The command completed successfully


              • #8
                Re: Problems after DC Promo

                Another Server on the same domain


                Domain Controller Diagnosis

                Performing initial setup:
                Done gathering initial info.

                Doing initial required tests

                Testing server: Butterwick\MARSHALL-FILEDR
                Starting test: Connectivity
                ......................... MARSHALL-FILEDR passed test Connectivity

                Doing primary tests

                Testing server: Butterwick\MARSHALL-FILEDR
                Starting test: Replications
                ......................... MARSHALL-FILEDR passed test Replications
                Starting test: Topology
                ......................... MARSHALL-FILEDR passed test Topology
                Starting test: CutoffServers
                ......................... MARSHALL-FILEDR passed test CutoffServers
                Starting test: NCSecDesc
                ......................... MARSHALL-FILEDR passed test NCSecDesc
                Starting test: NetLogons
                ......................... MARSHALL-FILEDR passed test NetLogons
                Starting test: Advertising
                ......................... MARSHALL-FILEDR passed test Advertising
                Starting test: KnowsOfRoleHolders
                Warning: CN="NTDS Settings
                DEL:9870573b-923c-4b1c-b8e7-ea9f941bbe61",CN="MARSHALL-DC-DR
                DEL:a5232c8c-e180-4345-b1f7-7736f73a0256",CN=Servers,CN=Butterwick,CN=Sites,CN=Configuration,DC=Marshalls,DC=com is the Schema Owner, but is deleted.
                ......................... MARSHALL-FILEDR failed test KnowsOfRoleHolders
                Starting test: RidManager
                No rids allocated -- please check eventlog.
                ......................... MARSHALL-FILEDR passed test RidManager
                Starting test: MachineAccount
                ......................... MARSHALL-FILEDR passed test MachineAccount
                Starting test: Services
                ......................... MARSHALL-FILEDR passed test Services
                Starting test: OutboundSecureChannels
                ** Did not run Outbound Secure Channels test
                because /testdomain: was not entered
                ......................... MARSHALL-FILEDR passed test OutboundSecureChannels
                Starting test: ObjectsReplicated
                ......................... MARSHALL-FILEDR passed test ObjectsReplicated
                Starting test: frssysvol
                There are errors after the SYSVOL has been shared.
                The SYSVOL can prevent the AD from starting.
                ......................... MARSHALL-FILEDR passed test frssysvol
                Starting test: kccevent
                An Error Event occured. EventID: 0xC000066D
                Time Generated: 01/05/2006 13:57:03
                (Event String could not be retrieved)
                An Error Event occured. EventID: 0xC000066D
                Time Generated: 01/05/2006 13:57:33
                (Event String could not be retrieved)
                An Error Event occured. EventID: 0xC000066D
                Time Generated: 01/05/2006 13:58:03
                (Event String could not be retrieved)
                An Warning Event occured. EventID: 0x800004F1
                Time Generated: 01/05/2006 14:01:04
                (Event String could not be retrieved)
                An Warning Event occured. EventID: 0x800004F1
                Time Generated: 01/05/2006 14:01:04
                (Event String could not be retrieved)
                An Warning Event occured. EventID: 0x800004F1
                Time Generated: 01/05/2006 14:01:04
                (Event String could not be retrieved)
                ......................... MARSHALL-FILEDR failed test kccevent
                Starting test: systemlog
                An Error Event occured. EventID: 0x0000410A
                Time Generated: 01/05/2006 13:27:03
                (Event String could not be retrieved)
                An Error Event occured. EventID: 0x0000410A
                Time Generated: 01/05/2006 13:58:03
                (Event String could not be retrieved)
                ......................... MARSHALL-FILEDR failed test systemlog

                Running enterprise tests on : Marshalls.com
                Starting test: Intersite
                ......................... Marshalls.com passed test Intersite
                Starting test: FsmoCheck
                Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
                ......................... Marshalls.com passed test FsmoCheck




                Computer Name: MARSHALL-FILEDR
                DNS Host Name: marshall-filedr.Marshalls.com
                System info : Windows 2000 Server (Build 2195)
                Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
                List of installed hotfixes :


                Netcard queries test . . . . . . . : Passed



                Per interface results:

                Adapter : Local Area Connection

                Netcard queries test . . . : Passed

                Host Name. . . . . . . . . : marshall-filedr
                IP Address . . . . . . . . : 10.10.10.51
                Subnet Mask. . . . . . . . : 255.255.255.0
                Default Gateway. . . . . . : 10.10.10.5
                Primary WINS Server. . . . : 10.10.10.1
                Dns Servers. . . . . . . . : 10.10.10.51
                10.10.10.1


                AutoConfiguration results. . . . . . : Passed

                Default gateway test . . . : Passed

                NetBT name test. . . . . . : Passed

                WINS service test. . . . . : Passed


                Global results:


                Domain membership test . . . . . . : Passed


                NetBT transports test. . . . . . . : Passed
                List of NetBt transports currently configured:
                NetBT_Tcpip_{D73E9A49-AE86-4710-8636-3F96387983E2}
                1 NetBt transport currently configured.


                Autonet address test . . . . . . . : Passed


                IP loopback ping test. . . . . . . : Passed


                Default gateway test . . . . . . . : Passed


                NetBT name test. . . . . . . . . . : Passed


                Winsock test . . . . . . . . . . . : Passed


                DNS test . . . . . . . . . . . . . : Passed
                PASS - All the DNS entries for DC are registered on DNS server '10.10.10.51' and other DCs also have some of the names registered.
                PASS - All the DNS entries for DC are registered on DNS server '10.10.10.1' and other DCs also have some of the names registered.


                Redir and Browser test . . . . . . : Passed
                List of NetBt transports currently bound to the Redir
                NetBT_Tcpip_{D73E9A49-AE86-4710-8636-3F96387983E2}
                The redir is bound to 1 NetBt transport.

                List of NetBt transports currently bound to the browser
                NetBT_Tcpip_{D73E9A49-AE86-4710-8636-3F96387983E2}
                The browser is bound to 1 NetBt transport.


                DC discovery test. . . . . . . . . : Passed


                DC list test . . . . . . . . . . . : Passed


                Trust relationship test. . . . . . : Passed
                Secure channel for domain 'MARSHALLSVEG' is to '\\marshall-filedc.Marshalls.com'.


                Kerberos test. . . . . . . . . . . : Passed


                LDAP test. . . . . . . . . . . . . : Passed
                [WARNING] Failed to query SPN registration on DC 'marshall-kir.Marshalls.com'.
                [WARNING] Failed to query SPN registration on DC 'marshall-filedr.Marshalls.com'.
                [WARNING] Failed to query SPN registration on DC 'marshall-filedc.Marshalls.com'.
                [WARNING] Failed to query SPN registration on DC 'marshall-mail.Marshalls.com'.


                Bindings test. . . . . . . . . . . : Passed


                WAN configuration test . . . . . . : Skipped
                No active remote access connections.


                Modem diagnostics test . . . . . . : Passed

                IP Security test . . . . . . . . . : Passed
                IPSec policy service is active, but no policy is assigned.


                The command completed successfully

                Comment
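
The DCDiag output in post #8 reports RidManager, frssysvol and FsmoCheck as "passed" even though each printed an error line, so the verdict word alone is not a safe triage signal. The sketch below is an added example (not part of any post in this thread) that re-grades DCDiag text by its detail lines and extracts FSMO owners that point at deleted DC objects; the sample text, status labels and function names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the DCDiag layout shown in the thread; names and GUIDs are made up.
SAMPLE = '''\
Testing server: Site1\\DC-B
Starting test: Replications
......................... DC-B passed test Replications
Starting test: KnowsOfRoleHolders
Warning: CN="NTDS Settings
DEL:00000000-0000-0000-0000-000000000001",CN="OLD-DC
DEL:00000000-0000-0000-0000-000000000002",CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com is the Schema Owner, but is deleted.
......................... DC-B failed test KnowsOfRoleHolders
Starting test: RidManager
No rids allocated -- please check eventlog.
......................... DC-B passed test RidManager
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... DC-B passed test OutboundSecureChannels
Starting test: FsmoCheck
Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
......................... example.com passed test FsmoCheck
'''

VERDICT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)$")
PROBLEM = re.compile(r"\b(errors?|warning|fatal)\b|no rids allocated", re.I)
NOT_RUN = re.compile(r"did not run", re.I)
STALE = re.compile(r'CN="([^"\n]+)\nDEL:[^"]*",CN=Servers,[^\n]*? is the ([^,\n]+), but is deleted')

@dataclass
class DiagResult:
    name: str
    target: str = ""
    verdict: str = "incomplete"  # no verdict line seen, e.g. truncated output
    details: list = field(default_factory=list)

    @property
    def status(self):
        text = "\n".join(self.details)
        if self.verdict != "passed":
            return self.verdict.upper()  # FAILED or INCOMPLETE
        if NOT_RUN.search(text):
            return "NOT-RUN"  # DCDiag still prints "passed" for a test it skipped
        return "PASSED-WITH-ERRORS" if PROBLEM.search(text) else "OK"

def parse_dcdiag(text):
    """Group each test's detail lines with the verdict line that closes it."""
    results, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Starting test:"):
            current = DiagResult(name=line.split(":", 1)[1].strip())
            results.append(current)
            continue
        m = VERDICT.match(line)
        if current is not None and m:
            current.target, current.verdict = m.group(1), m.group(2)
            current = None
        elif current is not None and line:
            current.details.append(line)
    return results

def triage(text):
    """(target, test, status) per test, trusting detail lines over the verdict word."""
    return [(r.target, r.name, r.status) for r in parse_dcdiag(text)]

def stale_role_holders(text):
    """(role, server) pairs where a FSMO owner still points at a deleted DC object."""
    joined = "\n".join(line.strip() for line in text.splitlines())
    return [(role, server) for server, role in STALE.findall(joined)]

if __name__ == "__main__":
    print(*triage(SAMPLE), *stale_role_holders(SAMPLE), sep="\n")
```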


                • #9
                  Re: Problems after DC Promo

                  Hey, John, if it makes you feel any better, I'm on the phone with PSS right now trying to sort out the exact same issue on a 2k3 box... This is the second call I've done with them on the matter. Let me know how your plans proceed--I'll let you know if PSS pulls out any magic on the second go-round.

                  Cheers!

                  (j)
                  James


                  • #10
                    Re: Problems after DC Promo

                    Well, we now know that a server was added and removed incorrectly from AD, leaving metadata everywhere. Then another server was added which then fought with the existing FSMO role holder to be top of the tree !!

                    As the newer server is stable, it now has all the FSMO roles and is the only Master Browser on the domain. I had three !!!

                    All I have left is setting DNS to just the new server and running a couple more DCDiag routines, which all depend on reboots that have to be planned far in advance, before the Seattle Monster gets a call and robs me of 250 at least.

                    Any more ideas to stop me from lining Mr Gates' pockets any more?


                    • #11
                      Re: Problems after DC Promo

                      Ok, an update.

                      'FILEDC' was not running any AD snap-ins or accessing the web except after a reboot. It also disappeared from AD on my other servers. This has now been resolved at last by some DNS changes. It has also allowed me to finally move the GC to another server as well.

                      I am however still not happy that FILEDC is completely stable with regards to its AD.

                      'FILEDR' currently holds all the FSMO roles, but now that I am able to run AD utilities on 'FILEDC', this also shows that this server holds all the FSMO roles (except the Schema, which I had to seize from a no-longer-connected server to 'FILEDR').

                      If I seize the roles to FILEDR from DC it reports this has completed, but 'netdom query FSMO' on either server says otherwise.

                      Can I seize the roles all back to FILEDC and then seize them back to FILEDR, and will I need to reboot? Only my customer hates rebooting his servers !!

                      Does it want the problem fixed or not. !!!


                      • #12
                        Re: Problems after DC Promo

                        Sorry for my one-post-and-go-hide routine, but that's exactly what I was doing till I figured my problem out. My problem turned out to be completely non-AD related (though I did run a successful, if not helpful DCPROMO to demote the DC). I run a network fax program that was leaking handles and threads and causing the System process to do likewise. Restarting that one service allowed me to get outbound connectivity, but then I was able to get other services up with a simple service restart--no box reboot required.

                        I would recommend that when the box is failed, you go into Task Manager, and add the columns Threads and Handles. If any of them are high (over 7,500), they're good suspects.

                        As a side note on your DC issues, I would probably recommend that you dcpromo FILEDC out, reboot it, seize the roles on FILEDR, repromo FILEDC, and reboot it again. It takes two reboots, but that whole process shouldn't take much more than an hour unless your AD is enormous. I think getting AD off of FILEDC may be a good thing--there's just too much confusion inside that domain. It may be wise, depending on the risk/reward you and your customer determine, to add a 12 or 24 hour hold after demoting and rebooting FILEDC. Just to let the dust settle on the AD. I've seen this work some kinks out.

                        Let us know how it continues to go for you!

                        (j)
                        James
