Old win 2000 sp4 domain controller contacted after shutting it down


  • Old win 2000 sp4 domain controller contacted after shutting it down

    hi people !!!

    I encountered the most bizarre problem in my career until today.
    Please, someone help me, before I completely go mad.

    I'll try to explain as much as possible what is happening :

    Last year I decided to install windows 2003 r2 domain controller (DC2) in windows 2000 domain
    in order to migrate existing win 2000 sp4 dc (DC1) system which btw is still in business but very old (hardware).

    I found solution on this web site, and everything went ok, replmon tool gave me report with no errors whatsoever, so on the active directory perspective it seems that everything is ok !!!

    After successful replication, and moving all FSMO roles from DC1 to DC2 I decided to create identical file structure on the new server - DC2 with all permissions both on share and security level !

    I did that with Total Commander, which created identical file structure on the new server - DC2 with identical permissions on all subdirectories !!! I do regular xcopy from old one win 2000 (production) -DC1 to new one win 2003 (backup) - DC2, so I have identical files on both servers !!!

    In order to transfer current business to the DC2 server, I needed to adapt group policy rules, so I did that too, and now, I have OU for new system - DC2 and in its identical active directory structure which mirrors current but, group policy rules are adapted to the new system.

    I tested in production environment some real users, and everything went ok, in that way, that I moved real user and his real computer into mirrored OU !!!

    But when I turn off win 2000 server - DC1, it takes 5-6 minutes to log on, with no desktop (folder redirected through GP)
    and furthermore, a small notice window appears with the message that IT CAN'T FIND \\DC1\Users\<username>\Desktop folder ?!?!?!?!?!!
    but through GP it provides \\DC2\Users\<username>\Desktop, not \\DC1\Users\<username>\Desktop, because the goal is to redirect to DC2

    Another strange problem arose: I wanted to check the sysvol folder, and I tried to open it, but it opened very slowly. Just to mention that I opened GP on the first server - DC2 !!!!

    I used command prompt to see if all network disks were mounted, and THEY WERE, but for some reason, instead of showing \\DC2\Users\<username>\Desktop, it complains that it can't find \\DC1\Users\<username>\Desktop folder !

    Then I did this :

    1. I created brand new test user,
    2. Then, like with real production user, put him identically in the same OU for the new system,
    3. And log him in.

    THE NEW USER CORRECTLY LOGGED IN WITH DESKTOP, ICONS, AND EVERYTHING

    After that action, I am so confused and desperate, I simply don't know what to do.

    1. Main domain controller is a windows 2003 r2 server which is GC, and has all 5 FSMO roles
    on it.

    2. Second dc is the old windows 2000 dc which has :
    2.1. GC, DNS, DHCP and shares needed for business.
    2.2. DHCP is configured to point to a new server, meaning that all clients receive DNS ip address
    of the new win 2003
    2.3. DNS server : active directory domain points to new win 2003


    I'll try to explain again what was the main idea for this migration :

    1. to migrate obsolete windows 2000 sp4 (DC1) to win 2003 r2 server (DC2)
    2. to make new win 2003 r2 (DC2) first dc, and the old one which
    is still main for business (file share programs,...) the second dc - i did that
    3. to mirror current shares from DC1 to DC2 (i did that successfully
    with total commander preserving existing permissions on all directories
    from DC1 to DC2) - i did that
    4. to transfer all 5 fsmo roles from dc1 to dc2 - i did that
    5. to make mirror active directory OUs where existing OUs are intact, and gp
    linked to them, because business needs them to the time where dc1 is completely shut down, hence, to make exactly the same AD OU structure INSIDE new system OU which contains exactly the same structure BUT GPs ADAPTED TO THE NEW SYSTEM (DC2) where NO REFERENCE TO THE DC1 EXISTS
    5.1. For example : Current situation is that firm uses share \\DC1\programs, where through
    gp rule is defined that network disk G points to \\DC1\programs, so on the new system
    I must define slightly different gp rule where after moving object to new system OU
    G points to \\DC2\programs, and so on and on,...

    5.2. of course, Domain Controllers REMAIN in the default Domain controllers OU


    ________________
    SUPPLEMENT:



    1. ipconfig /all (KOMERC, DC1, Win2000sp4, 10.145.3.30 ) :

    C:\>ipconfig /all

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : komerc
    Primary DNS Suffix . . . . . . . : akk_domain.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : akk_domain.com

    Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - onboard:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-C0-9F-1B-40-65
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.145.3.30
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.145.3.1
    DNS Servers . . . . . . . . . . . : 10.145.3.40
    10.145.3.30



    2 . ipconfig /all (TRINITY, DC2, Win2003R2, 10.145.3.40 ) :


    C:\Documents and Settings\dobri>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : trinity
    Primary Dns Suffix . . . . . . . : akk_domain.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : akk_domain.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
    Physical Address. . . . . . . . . : 00-19-B9-C5-88-91
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.145.3.40
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.145.3.1
    DNS Servers . . . . . . . . . . . : 10.145.3.40



    ______________________________________________________________________



    1. Assuming that both DCs are also DNS servers, configure both DCs preferred DNS server to the DC that has all FSMO roles (according with the logs that you show before, the TRINITY DC is the owner for the FSMO roles).
    -> Already configured

    2. After that run from cmd the following command without the quotes "ipconfig /flushdns". Then restart the netlogon service in both DCs (Do this during off time business hours).
    -> Already done

    3. Run ipconfig /flushdns again in both DCs and attempt to perform a manual replication between both servers, you can use the Active Directory Sites and Services, or use the repadmin cmd.

    3.1. ipconfig /flushdns -> DONE
    3.2. replication already works between them
    Last edited by dobri; 11th November 2009, 15:22.

  • #2
    Re: Old win 2000 sp4 domain controller contacted after shutting it down

    Dear all,

    I issued DCDIAG command on the old win 2000 dc server (KOMERC=DC1) and got output below.
    Just to mention that TRINITY (DC2) is win 2003 r2 first dc, and KOMERC is win 2000 dc :



    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\KOMERC
    Starting test: Connectivity
    ......................... KOMERC passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\KOMERC
    Starting test: Replications
    [TRINITY] DsBind() failed with error -2146893006,
    The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation)..
    ......................... KOMERC passed test Replications
    Starting test: NCSecDesc
    ......................... KOMERC passed test NCSecDesc
    Starting test: NetLogons
    ......................... KOMERC passed test NetLogons
    Starting test: Advertising
    ......................... KOMERC passed test Advertising
    Starting test: KnowsOfRoleHolders
    Warning: TRINITY is the Schema Owner, but is not responding to DS RPC Bind.
    Warning: TRINITY is the Domain Owner, but is not responding to DS RPC Bind.
    Warning: TRINITY is the PDC Owner, but is not responding to DS RPC Bind.
    Warning: TRINITY is the Rid Owner, but is not responding to DS RPC Bind.
    Warning: TRINITY is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
    ......................... KOMERC failed test KnowsOfRoleHolders
    Starting test: RidManager
    [KOMERC] DsBindWithCred() failed with error -2146893006. The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation).
    ......................... KOMERC failed test RidManager
    Starting test: MachineAccount
    ......................... KOMERC passed test MachineAccount
    Starting test: Services
    ......................... KOMERC passed test Services
    Starting test: ObjectsReplicated
    ......................... KOMERC passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... KOMERC passed test frssysvol
    Starting test: kccevent
    ......................... KOMERC passed test kccevent
    Starting test: systemlog
    ......................... KOMERC passed test systemlog

    Running enterprise tests on : akk_domain.com
    Starting test: Intersite
    ......................... akk_domain.com passed test Intersite
    Starting test: FsmoCheck
    ......................... akk_domain.com passed test FsmoCheck



    • #3
      Re: Old win 2000 sp4 domain controller contacted after shutting it down

      check your user account settings - specifically, the profiles tab and check where their home drive is set to, and their profiles are set to...

      also, make sure that the shares exist and are correctly configured for each profile setting..

      you may also need to try dcdiag /dnstest (or a similar command to that..)
      Please do show your appreciation to those who assist you by leaving Rep Point



      • #4
        Re: Old win 2000 sp4 domain controller contacted after shutting it down

        This sounds like a DNS issue.. can you tell us exactly how you configured DNS.. thus DNS settings per NIC per DC...and which servers run DNS Services ?

        bio..



        • #5
          Re: Old win 2000 sp4 domain controller contacted after shutting it down

          Dear all,

          Long time ago, I said that the root of all active directory
          problems is the DNS.

          Before this huge problem, I was convinced that 99%
          of all ad related problems are connected to DNS, and
          now, I am pretty sure that 99.99999% is more accurate
          number

          I've deleted old dc record on both dc's, in ad zone, then
          on the test machine issued ipconfig /flushdns , and the
          miracle has happened - everything works great, but not for
          long.

          As soon as Komerc dns record replicated to DNS, everything
          became slow again, so the problem still exists, because the priority for
          dns querying is still assigned to the old dc - Komerc, so the
          solution for this problem is how to setup dns's that Trinity
          become the first dns server.

          I wonder may I change priority in zone sections:
          _msdcs / _sites / _tcp / _udp / _DomainDnsZones / _ForestDnsZones ??? by priority / weight ?
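
Added example, not part of the original post: a small Python model of how an RFC 2782 client orders SRV targets by priority and weight, which is what those two fields in the _msdcs / _tcp records control. The record sets are constructed (they use the thread's host names but are not taken from the poster's zone), and order_srv and first_choice_share are names chosen here.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "priority weight port target")

KOMERC = "komerc.akk_domain.com"
TRINITY = "trinity.akk_domain.com"

# Constructed record sets for _ldap._tcp.dc._msdcs.akk_domain.com (not taken
# from the poster's zone).
EQUAL = [Srv(0, 100, 389, KOMERC), Srv(0, 100, 389, TRINITY)]
WEIGHTED = [Srv(0, 10, 389, KOMERC), Srv(0, 90, 389, TRINITY)]
DEMOTED = [Srv(10, 100, 389, KOMERC), Srv(0, 100, 389, TRINITY)]


def order_srv(records, rng=random):
    """Return targets in the order an RFC 2782 client tries them."""
    ordered = []
    # Lowest priority value first; a higher value is only a fallback.
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records go to the front of the pool, as the RFC asks.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    ordered.append(pool.pop(i).target)
                    break
    return ordered


def first_choice_share(records, target, trials=10000, seed=1):
    """Fraction of simulated lookups in which `target` is tried first."""
    rng = random.Random(seed)
    hits = sum(order_srv(records, rng)[0] == target for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for name, recs in (("equal", EQUAL), ("weighted", WEIGHTED),
                       ("demoted", DEMOTED)):
        print(name, first_choice_share(recs, KOMERC))
```

The model covers the order of SRV targets only; the DNS server a client sends the query to comes from the client's own DNS server list.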
