Cracked Domain

    When I run "NTFRSUTL DS DC-A" on one of my DCs, there is this entry for all three of the DCs on my network:

    DN : cn=DC-B,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=DOMAIN,dc=NAME,dc=org
    Guid : 888888b7-3333-42df-9995d713de9fa427
    Server Ref : CN=NTDS Settings,CN=DC-B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=NAME,DC=org
    Computer Ref : cn=DC-B,ou=domain controllers,dc=DOMAIN,dc=NAME,dc=org
    Cracked Domain :
    Cracked Name : 00000002 DOMAIN\DC-B$
    Cracked Domain :
    Cracked Name : fffffff4 S-1-5-21-2123784817-1111111119-313599999-3999

    Computer's DNS :
    WhenCreated : 2/9/2006 15:38:40 Central Standard Time Central Daylight Time [360]
    WhenChanged : 2/9/2006 15:40:7 Central Standard Time Central Daylight Time [360]

    I found a w32tm issue with DC-Old, which is scheduled to get demoted and taken out of the network. I was part of a migration from NT to 2003. Once I fixed that, it is now pointing to DC-A. I was not able to find any other indications that there is a problem.

    Warning: DC-OLD is not advertising as a time server.
    The DS DC-OLD is advertising as a GC.
    ......................... DC-OLD failed test Advertising

    * Checking Service: w32time
    Could not open w32time Service on [DC-OLD]:failed with 1060: The specified service does not exist as an installed service.
    * Checking Service: NETLOGON
    ......................... DC-OLD failed test Services


    If I turn off DC-Old, my users can no longer access files over the network, their PCs lock up and have to be rebooted. As soon as they attempt to access a file, they lock up again.

    When making changes in the SYSVOL folder, I get an error that the path is not correct. I have to switch DCs until I find one that will let me make the change. This change was a simple update to a startup .BAT file.

    With DC-Old off, I am not able to run a Network PC restart.bat routine which restarts all of the PCs listed in the BAT routine on DC-A. I receive Access Denied for each PC. DC-A is the FSMO holder...

    We were also having Outbound Mail issues, Exchange 2003, but I believe that was due to a setting in SMTP virtual server - Delivery - Advanced Settings - Configure. It was set to DC-Old.

    I am attempting to detect any missing Server Reference Attributes and/or Member Objects in the SYSVOL replica sets now.

    All DCs are GCs, and all have DNS running.

    Single site- Single Domain, approx 50 users with a mix of 2000 Pro and XP SP2.

    DNSDIAG - all pass
    NETDIAG - all pass
    DNSLINT - all pass
    REPLMON - all pass

    FRSDIAG - Showing Sharing Violation and Access Denied errors in the Debug Log.

    Any thoughts or suggestions will be appreciated.
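
For the check the post describes (finding SYSVOL replica members with a missing Server Ref or Computer Ref), the following is an added example, not part of the original post: it parses a saved dump in the entry format quoted above and lists members whose reference fields are absent or empty. The field labels come from the post; the sample dump, the `example.org` names and the function names are constructed, and wrapped lines are assumed to be hard wraps inside a value.

```python
import re

# Field labels copied from the member entry quoted in the post.
LABELS = ("DN", "Guid", "Server Ref", "Computer Ref", "Cracked Domain",
          "Cracked Name", "Computer's DNS", "WhenCreated", "WhenChanged")
FIELD = re.compile(r"^\s*(%s)\s*:\s*(.*)$" % "|".join(map(re.escape, LABELS)))
REQUIRED = ("Server Ref", "Computer Ref")

# Constructed sample: DC-A is intact (and wrapped), DC-B and DC-C are broken.
SAMPLE = """\
DN : cn=DC-A,cn=domain system volume (sysvol share),cn=file repli
cation service,cn=system,dc=example,dc=org
Server Ref : CN=NTDS Settings,CN=DC-A,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=org
Computer Ref : cn=DC-A,ou=domain controllers,dc=example,dc=org

DN : cn=DC-B,cn=domain system volume (sysvol share),cn=file replication service
Server Ref :
Computer Ref : cn=DC-B,ou=domain controllers,dc=example,dc=org

DN : cn=DC-C,cn=domain system volume (sysvol share),cn=file replication service
Server Ref : CN=NTDS Settings,CN=DC-C,CN=Servers,CN=Default-First-Site-Name
"""

def parse_members(text):
    """Return one dict per entry; a DN line starts a new entry."""
    entries, last = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            if last == "DN":
                entries.append({})
            if entries:
                entries[-1][last] = m.group(2).strip()  # repeats keep last value
        elif line.strip() and entries and last:
            # Hard-wrapped value: glue the fragment back on without a separator.
            entries[-1][last] += line.strip()
        else:
            last = None  # a blank line ends any wrapped value
    return entries

def missing_refs(text):
    """Map member cn -> required labels that are absent or empty."""
    report = {}
    for entry in parse_members(text):
        gaps = [label for label in REQUIRED if not entry.get(label)]
        if gaps:
            report[entry["DN"].split(",", 1)[0].partition("=")[2]] = gaps
    return report
```

Run `missing_refs()` on the saved text output from each DC in turn; a member flagged on one DC but not another points at a replication difference rather than a missing object.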