DC offline, online again and not taking new changes

  • #1
    DC offline, online again and not taking new changes

    Hello,

    For one month or so a branch office (lab environment) was offline from the main office.

    Now up again, DC3 (the DC in the branch office) is not aware of the changes in Active Directory, and especially of a very important change that took place:

    While offline, I set up in the main office a DC, called DC1-new, and then I removed the old DC1, so that DC1-new took all the 5 FSMOs, and it was fine.

    However, DC3 does not get any changes as stated above and thinks that DC1 is the DC and does not see DC1-New anywhere.

    Thanks in advance!
    -
    Madrid (Spain).

  • #2
    Re: DC offline, online again and not taking new changes

    Hi Loureed,

    You can try resetting the DC's password using the netdom resetpwd command.
    Use this article for reference - kb325850



    • #3
      Re: DC offline, online again and not taking new changes

      Originally posted by loureed4
      Hello,

      For one month or so a branch office (lab environment) was offline from the main office.

      Now up again, DC3 (the DC in the branch office) is not aware of the changes in Active Directory, and especially of a very important change that took place:

      While offline, I set up in the main office a DC, called DC1-new, and then I removed the old DC1, so that DC1-new took all the 5 FSMOs, and it was fine.

      However, DC3 does not get any changes as stated above and thinks that DC1 is the DC and does not see DC1-New anywhere.

      Thanks in advance!
      Was it offline for more than 60 days?
      It might be easier to demote and repromote the DC than to troubleshoot the issues. If it's more than 60 days offline (by default) you'll need to rebuild anyways.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: DC offline, online again and not taking new changes

        Originally posted by JeremyW
        If it's more than 60 days offline (by default) you'll need to rebuild anyways
        Not necessarily. Tombstone

        Turn Tombstone off
        Code:
         
        Windows Registry Editor Version 5.00
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
        "Allow Replication With Divergent and Corrupt Partner"=dword:00000001
        Re-enable Tombstone. It is important to turn it back on (enable it), as it is a security issue with it disabled.

        Code:
         
        Windows Registry Editor Version 5.00
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
        "Allow Replication With Divergent and Corrupt Partner"=dword:00000000
        1 1 was a racehorse.
        2 2 was 1 2.
        1 1 1 1 race 1 day,
        2 2 1 1 2
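        The two .reg files above flip the "Allow Replication With Divergent and Corrupt Partner" value by hand, which leaves the window between the two imports open to human error. The script below is an added example (not code from this post or from Microsoft): it does the same toggle in PowerShell, but inside try/finally so the secure default of 0 comes back even if the forced sync fails, and it verifies the restore before exiting. It also reads the forest's tombstoneLifetime first, since the override only matters for a partner that has been offline longer than that. Run it in an elevated PowerShell on the DC that refuses the stale partner; it needs the ActiveDirectory module (RSAT) and repadmin on the path. The partner name 'DC3' is an assumption taken from the thread.

```powershell
# Added example, not from the forum post: temporarily allow replication from a
# divergent partner, pull once, then restore the secure default and verify it.
# Assumption: 'DC3' is the DC that was offline (name taken from the thread).
$Partner    = 'DC3'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow Replication With Divergent and Corrupt Partner'

# Tombstone lifetime check: the override is only relevant if the partner was
# offline longer than this. If the attribute is absent the DC uses 60 days;
# forests created with Windows Server 2003 SP1 or later carry an explicit 180.
$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl      = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
"tombstoneLifetime for this forest: {0}" -f $(if ($tsl) { "$tsl days" } else { 'not set (60-day default applies)' })

try {
    # Weak setting: inbound replication will now accept lingering objects from the partner.
    Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value 1 -Type DWord
    # Pull the domain naming context from the partner into this DC
    # (repadmin /replicate <destination> <source> <NC>).
    & repadmin /replicate $env:COMPUTERNAME $Partner $domainNC
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin /replicate returned $LASTEXITCODE; inspect lingering objects before retrying"
    }
}
finally {
    # Secure default: refuse divergent partners again, whatever happened above.
    Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value 0 -Type DWord
}

# Verify before walking away: a forgotten 1 re-admits lingering objects on every
# later replication cycle, which is the security issue the post warns about.
$current = (Get-ItemProperty -Path $NtdsParams -Name $ValueName).$ValueName
if ($current -ne 0) { throw "$ValueName is still $current on $env:COMPUTERNAME" }
"Divergent-partner replication is disabled again on $env:COMPUTERNAME"
```

        The override is a last resort; the supported route for a partner that really is past the tombstone lifetime is to clean it with repadmin /removelingeringobjects (or rebuild it, as Jeremy suggests) rather than to accept its objects.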



        • #5
          Re: DC offline, online again and not taking new changes

          Thanks!

          1- It is not a tombstone issue; it was offline one month, at the most.

          2- Brendon, why resetting passwords? I don't see the connection.

          3- If I demote the DC, would it not send wrong information to Active Directory while demoting?
          -
          Madrid (Spain).



          • #6
            Re: DC offline, online again and not taking new changes

            These 2 articles may explain the reason for the machine password to be reset.

            Machine Account Password Process

            Maximum machine account password age


            • #7
              Re: DC offline, online again and not taking new changes

              loureed4, I was upgrading a Domain in early 2008 from 2003 to 2003 R2 (64 bit version) and it had a 2000 DC that had been disconnected from the Domain for about 18 months. ADPrep would not run without the 2000 DC replicating on the Domain. I may have been able to ADSIEdit the damn thing out but running the Tombstone reg hack was a lot easier and less potential mess plus Google supplied it as the alternate and who argues with them. Once run, the DCs replicated and ADPrep worked.

              Have you ever seen a workstation lose the trust relationship with the Domain? Often it is caused by the Machine Account Password not synchronising between the workstation and the DC. This can happen with additional DCs as well, and this is likely what has happened to you. The DC was offline for more than the 30 days, the password expired, the trust relationship was broken and the password needs to be resynced.

              From memory (I need to add a DC to my VMs) there is an option in ADUC where you can right click on the offline DC (in the Domain Controller OU) and Reset or similar and that may resync the password. Have had that work infrequently when I have lost a workstation off the Domain but have never tried it with a DC.

              Look at the link brendon.lieberz supplied for resetting the Machine Password and try that. You need to run it from the previously offline DC.

              HTHs to make a bit more sense of it all and please ask if there is anything you aren't sure of or I have cocked up.
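              The reset that posts #2 and #7 point to (Microsoft KB325850) has an order of operations that matters: stop the KDC, clear cached tickets, reset the password against a healthy DC, reboot. The script below is an added example, not code from this thread or from the KB article; it runs those steps in that order on the DC being repaired and, on a second run with -Verify, checks the machine account and inbound replication after the reboot. It assumes 'DC1-New' is a healthy DC and uses the admin account from post #8; "klist purge" is built in from Windows Server 2008 R2 onward (on 2003 it comes from the Resource Kit). Run it in an elevated PowerShell ON the DC whose password you are resetting (DC3 in the thread).

```powershell
# Added example, not from the forum posts: KB325850's machine-account reset for a DC.
# Run ON the DC being repaired. Assumptions: 'DC1-New' is healthy; the admin
# account is the one post #8 used.
param([switch]$Verify)

$HealthyDc = 'DC1-New'                 # assumption: DC holding a good copy of the directory
$Admin     = 'mydomain\administrator'  # assumption: account from post #8
$ThisDc    = $env:COMPUTERNAME

if ($Verify) {
    # Second run, after the reboot: is the machine account registered correctly,
    # and does this DC now list inbound partners at all?
    & dcdiag /s:$ThisDc /test:MachineAccount
    & repadmin /showrepl $ThisDc
    return
}

# 1. Stop the KDC so this DC stops issuing tickets under the key we are replacing.
Stop-Service -Name kdc -Force

# 2. Drop cached Kerberos tickets so nothing keeps authenticating with the stale key.
& klist purge | Out-Null

# 3. Reset the password against the healthy DC. /passwordd:* prompts interactively,
#    so the admin password never lands in the command history or a transcript.
& netdom resetpwd /server:$HealthyDc /userd:$Admin /passwordd:*
if ($LASTEXITCODE -ne 0) {
    # Put the KDC back so the DC keeps working while you investigate.
    Start-Service -Name kdc
    throw "netdom resetpwd failed with exit code $LASTEXITCODE; KDC restarted"
}

# 4. Reboot so the secure channel is rebuilt with the new password,
#    then rerun this script with -Verify.
Restart-Computer -Force
```

              Keep the first run and the -Verify run separate on purpose: the reboot is what makes the new password take effect, so any check before it tells you nothing.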


              • #8
                Re: DC offline, online again and not taking new changes

                Thanks!!

                1- I have performed this command: netdom resetpwd /s:dc1-new /ud:mydomain\administrator /pd:*, from dc3, dc1-new being the 5 FSMO holder and dc3 the DC in the branch office (the one offline for a month).

                A success message showed up, but things remain the same.

                I have waited for some time in case these changes take time, and I restarted dc3 after some minutes too, for the same reason. It didn't work.

                --

                2- I deleted DC1 from DC3, since DC1 was demoted and removed from Active Directory in the main office as explained in the first post. I deleted it following all the directions: ntdsutil metadata cleanup, then Sites and Services, then the DNS A host records and the one in the _msdcs.domain zone, again following a TechNet document.

                I am still digging in.

                THANKS A LOT!!
                -
                Madrid (Spain).



                • #9
                  Re: DC offline, online again and not taking new changes

                  If you have removed a DC using metadata cleanup, make sure it is formatted and the OS reinstalled before bringing it back into the domain
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **



                  • #10
                    Re: DC offline, online again and not taking new changes

                    Thanks Ossian.

                    I don't want it back in the domain; I removed DC1, as explained in the first post of this thread.
                    -
                    Madrid (Spain).



                    • #11
                      Re: DC offline, online again and not taking new changes

                      Hello again. I feel I am being sort of annoying by posting so many things.

                      I created a user in DC3 and it was replicated to DC1-New. If I do it the other way around, it does not work. In other words, the replication process only works this way DC3 --> DC1-New.

                      If I run repadmin /showrepl in DC1-New , it sees DC3 and all success messages regarding the replication.

                      If I run repadmin /showrepl in DC3, it just sees nothing.

                      I also ran dcdiag /test:knowsofroleholders in DC3 and there is this message: The holder of the Schema master is a deleted DC (DC1). The same for all 5 FSMOs.

                      I am trying to find a way to tell DC3 that the FSMOs holder is not DC1, but DC1-New.

                      I reset the password of DC3 as I said in my previous post, then I restarted the server and waited for a while to see if changes took place, but they don't.

                      Thanks for your support.
                      -
                      Madrid (Spain).



                      • #12
                        Re: DC offline, online again and not taking new changes

                        Check DC1-New for the Netlogon and Sysvol SHAREs. If they are missing, try this (you will need to register, FREE, before you can view a possible solution)
                        Last edited by biggles77; 29th October 2014, 20:00. Reason: Typo


                        • #13
                          Re: DC offline, online again and not taking new changes

                          Is replication working properly?

                          dcdiag
                          repadmin
                          netdiag

                          This is on the same domain and not a new domain that you created when the server went offline?

                          Have you tried to create a manual connection from DC1-New to DC3 in Sites and Services?

                          What is DC3 using as DNS server?

                          Have you tried to ping the new server by IP and name?



                          • #14
                            Re: DC offline, online again and not taking new changes

                            Thanks for your replies!

                            1-Sysvol and netlogon shares appear when I run "net view dc1-new"


                            2- No, replication is not working properly at all; this all comes down to it, I think. The funny thing is that changes go like this: DC3 --> DC1-new, but not the other way around. Testing, yesterday I created an object in DC3 and I forced a replication from Sites and Services and the change propagated in minutes. I created a user in DC1-new and it did not propagate to DC3.

                            3- I created a manual connection in DC1-new pointing to DC3 (Sites and Services console), but I could not do the same in DC3 because DC3 is not aware of DC1-new. DC3 does not see DC1-new in Active Directory Users and Computers, nor in the Sites and Services console, nor in ADSIEdit, although it is registered in the DNS console.
                            EDIT: When I manually force a replication from DC1-new to DC3 in the Sites and Services console within DC1-New, I get this error message:

                            "...The following error occurred during the attempt to synchronize naming context limoreed.eu from Domain Controller DC1-New to Domain Controller DC3:
                            The naming context is in the process of being removed or is not replicated from the specified server.

                            The operation will not continue
                            Buttons in Dialog: OK ..."


                            4- If I run dcdiag /test:KnowsOfRoleHolders in DC3, it says that the holder of the 5 FSMOs is missing, because I removed DC1 (as explained above) in DC3 with the ntdsutil tool, then Sites and Services, and then the DNS console (following a Microsoft article). DC3 just does not see DC1-New anywhere.

                            5-Firewalls are all off.

                            6- DC3 is using the IP of DC1-new as the main DNS Server, and 127.0.0.1 as the backup DNS Server .

                            7-I can ping (with IP and with names) in both directions : DC1-new - > DC3 ; and DC3 -> DC1-new. I always try this at first, it is the logical first thing to do.

                            THANKS AGAIN!!
                            Last edited by loureed4; 30th October 2014, 09:25.
                            -
                            Madrid (Spain).
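                            Posts #13 and #14 run repadmin /showrepl, dcdiag /test:KnowsOfRoleHolders and "can DC3 see DC1-New at all" by hand on each DC and compare the answers mentally. The script below is an added example (not code from this thread) that asks each DC the same questions separately, pinning every query to that one DC with -Server, and prints the two views side by side, so a one-way DC3 --> DC1-New link appears as a concrete missing row rather than an impression. It needs the ActiveDirectory module (RSAT) plus repadmin and dcdiag on the path, and uses the server names from the thread as an assumption.

```powershell
# Added example, not from the forum posts: compare what each DC believes about
# role holders, known DCs and inbound replication links.
# Assumption: server names are the ones used in the thread.
$Dcs = 'DC1-New', 'DC3'

function Get-FsmoView {
    # What does THIS DC think? -Server pins every query to it instead of letting
    # the module pick whichever DC it likes.
    param([string]$Dc)
    try {
        $dom = Get-ADDomain -Server $Dc
        $for = Get-ADForest -Server $Dc
        [pscustomobject]@{
            AskedDc        = $Dc
            PDC            = $dom.PDCEmulator
            RID            = $dom.RIDMaster
            Infrastructure = $dom.InfrastructureMaster
            Schema         = $for.SchemaMaster
            DomainNaming   = $for.DomainNamingMaster
            KnownDcs       = (Get-ADDomainController -Filter * -Server $Dc).HostName -join ', '
        }
    } catch {
        # A DC that is out of step may not even answer; that is itself a finding.
        [pscustomobject]@{ AskedDc = $Dc; Error = $_.Exception.Message }
    }
}

function Get-ReplSummary {
    # repadmin /showrepl /csv yields one row per (destination, source, naming context);
    # ConvertFrom-Csv turns its header row into property names we can filter on.
    param([string]$Dc)
    & repadmin /showrepl $Dc /csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Destination = $Dc
            Source      = $_.'Source DSA'
            NC          = $_.'Naming Context'
            Failures    = [int]$_.'Number of Failures'
            LastSuccess = $_.'Last Success Time'
            LastError   = $_.'Last Failure Status'
        }
    }
}

'--- Role holders and known DCs, as reported by each DC ---'
foreach ($dc in $Dcs) { Get-FsmoView -Dc $dc | Format-List }

'--- Inbound replication links, as reported by each DC ---'
$links = foreach ($dc in $Dcs) { Get-ReplSummary -Dc $dc }
$links | Format-Table -AutoSize

# One-way replication shows up here: a DC that has no inbound row from a partner
# which does list it as a destination is the DC3 case in the thread.
foreach ($dc in $Dcs) {
    foreach ($other in ($Dcs | Where-Object { $_ -ne $dc })) {
        $inbound = $links | Where-Object { $_.Destination -eq $dc -and $_.Source -like "*$other*" }
        if (-not $inbound) { Write-Warning "$dc reports no inbound replication link from $other" }
    }
}

'--- dcdiag role-holder and replication tests per DC ---'
foreach ($dc in $Dcs) { & dcdiag /s:$dc /test:KnowsOfRoleHolders /test:Replications }
```

                            Read the FSMO section first: if one DC names a deleted object or nothing as a role holder while the other names DC1-New, that DC's view of the directory is the one that has not caught up, and its inbound links are where to look.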

                            Comment


                            • #15
                              Re: DC offline, online again and not taking new changes

                              Hi Luis,

                              1 more thing you can check - not sure if relevant to your issue. Do you use custom port assignments for AD replication. It might be set on 1 DC but not the other:
                              Should be the following locations:
                              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, value "TCP/IP Port"
                              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters, value "RPC TCP/IP Port Assignment"

                              KB319553 and KB224196 for references.
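                              Checking those two values on each DC by hand is easy to get wrong when only one side was changed. The script below is an added example, not code from this post or from the KB articles: it reads both static-port values from every DC over WinRM and flags any setting on which the DCs disagree, since a port pinned on one DC but not on its partner is enough to break replication in one direction only. It assumes the server names from the thread, WinRM enabled on the DCs, and a domain-admin caller.

```powershell
# Added example, not from the forum post: compare the static RPC port settings
# from KB224196 (NTDS) and KB319553 (NTFRS) across DCs.
# Assumptions: server names from the thread; WinRM reachable on each DC.
$Dcs = 'DC1-New', 'DC3'
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';  Name = 'TCP/IP Port' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'; Name = 'RPC TCP/IP Port Assignment' }
)

# One row per (DC, setting). A missing value means the default: a dynamic RPC port.
$results = Invoke-Command -ComputerName $Dcs -ArgumentList (,$Checks) -ScriptBlock {
    param($Checks)
    foreach ($c in $Checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Dc      = $env:COMPUTERNAME
            Setting = "$($c.Path)\$($c.Name)"
            Value   = $(if ($null -eq $v) { 'dynamic (not set)' } else { [string]$v })
        }
    }
}

# Group by setting and report whether every DC agrees on it.
$report = $results | Group-Object -Property Setting | ForEach-Object {
    $values = @($_.Group | Select-Object -ExpandProperty Value -Unique)
    [pscustomobject]@{
        Setting    = $_.Name
        Consistent = ($values.Count -eq 1)
        PerDc      = ($_.Group | ForEach-Object { "$($_.Dc)=$($_.Value)" }) -join '; '
    }
}
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Consistent } | ForEach-Object {
    Write-Warning "DCs disagree on $($_.Setting): $($_.PerDc)"
}
```

                              If you do pin a port, set the same value on every DC, restart the NTDS (or NTFRS) service for it to take effect, and make sure any firewall between the sites allows that port as well as the RPC endpoint mapper.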

