Si_Pe

Forum Replies Created

Viewing 18 posts - 211 through 228 (of 228 total)
    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278076

    Re: Seizing FSMO roles

    JeremyW wrote:
    If transferring is not working and you’re going to seize the roles, you must take the current role holder offline and then seize all the roles with the other DC. Then, when you’ve seized the roles, DO NOT BRING THE OTHER COMPUTER BACK ONLINE. It MUST be reformatted before introducing it back into the network.

    Ok Jeremy,

    Thanks very much.

    The server that needs the roles to be seized has only just been rebuilt. That’s where the whole issue has come from I think, because it wasn’t demoted first.

    Thanks very much!
    Simon

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278075

    Re: Seizing FSMO roles

    Just to add to this, I intend to seize the roles on my server soon and the other server will then be the known role holder. I don’t want to take the current role holder offline and rebuild it. Can I just do a meta cleanup on it?

    Many thanks
    Simon

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278074

    Re: Seizing FSMO roles

    JeremyW wrote:
    The DC that seizes the roles will assume the responsibility of those roles. That means if you seize, let’s say, the PDC emulator role with “server1” anything requiring the use of the PDC emulator will be serviced by “server1”.

    Excellent, that’s what I wanted to know!

    Thanks very very much!

    You have been very helpful!

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278073

    Re: Seizing FSMO roles

    JeremyW wrote:
    In theory. But if you think that someone incorrectly removed a DC from the network that should probably be addressed first. I think we’re getting beyond my knowledge here. I don’t know how one would handle an improper removal and then reinstalling without cleaning AD.

    Ok thanks for your help so far!

    Last question though, I can’t get around in my head what happens to the remaining DC once I have seized the roles on the current DC that holds them? Are they re-created or do you need to start again?

    Could someone clear this up for me?

    Thanks very.

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278072

    Re: Seizing FSMO roles

    Hello me again,

    I have tried to transfer the roles but it has come up with the following error when trying to transfer.

    E:\Documents and Settings\localadmin>ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server endscs1
    Binding to endscs1 …
    Connected to endscs1 using credentials of locally logged on user
    server connections: q
    fsmo maintenance: transfer domain naming master
    ldap_modify_sW error 0x34(52 (Unavailable).
    Ldap extended error message is 000020AF: SvcErr: DSID-03210227, problem 5002 (UN
    AVAILABLE), data 8

    Win32 error returned is 0x20af(The requested FSMO operation failed. The current
    FSMO holder could not be contacted.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Server “endscs1” knows about 5 roles
    Schema – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Domain – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    PDC – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    RID – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Infrastructure – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    fsmo maintenance:

    Looks like a seize is the only way to go? Can I have some help and some suggestions on the next step please?

    Thanks again!

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278071

    Re: Seizing FSMO roles

    JeremyW wrote:
    Transferring is definitely the way to go. Seizing is when all else fails.

    I did a quick google search on the error and didn’t find anything. Maybe someone more experienced had come across this before…?

    I would determine if ntdsutil can see which server is holding which role. If it can then my guess would be that you’d be able to use ntdsutil to transfer the roles. These are only guesses and it may make matters worse so make sure you have a current backup of all the servers.

    Thanks,

    So I guess in theory what I should be able to do seeing as NTDSUTIL has come back knowing of the 5 roles that I should be able to transfer them using NTDSUTIL to server2 and then transfer them back to server1?

    Thanks
    Si

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278070

    Re: Seizing FSMO roles

    Si_Pe wrote:
    I have looked there and checked DNS and it seems to be working ok, I would like to transfer the roles or seize them and then rebuild this server. Is transferring the best option then?

    If I use NTDSUTIL to transfer the roles is it more likely to work even though it has the error and the GUI won’t move them?

    I will check the logs again now to see what new items are in there.

    Thanks again! You’re helping me on the road to recovery.

    Cheers

    Hello again,

    I have used NTDSUTIL to see what server holds the roles and it has come back with the following results, which I am confused by as the roles seem to be held on the other DC.

    E:\Documents and Settings\localadmin>netdom query /domain:endsnet fsmo
    The system cannot find the file specified.

    The command failed to complete successfully.

    E:\Documents and Settings\localadmin>ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server endscs1
    Binding to endscs1 …
    Connected to endscs1 using credentials of locally logged on user
    server connections: q
    fsmo maintenance: select operation target
    select operation target: list roles for connected server
    Server “endscs1” knows about 5 roles
    Schema – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Domain – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    PDC – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    RID – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Infrastructure – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    select operation target:

    The server we are having problems with is Endscs2.

    So I am guessing that along the way Endscs1 has been rebuilt and AD wasn’t removed correctly.

    What do I need to do next?

    Thanks very much.

    Si
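An added example, not part of the original posts: the `DEL:` components in the role-owner DNs above are how Active Directory renames deleted objects, so every role is still assigned to an NTDS Settings object that no longer exists. This Python sketch parses captured `list roles for connected server` output and flags such owners; the function names are assumptions, and the sample combines the Schema entry from the post with a constructed healthy PDC entry (`EXAMPLEDC` is hypothetical).

```python
import re

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+(.*)$")
# A deleted object's RDN is mangled to <name>\0ADEL:<objectGUID>.
DELETED_RDN = re.compile(r'CN="?([^",\\]+)\\0ADEL:([0-9a-fA-F-]{36})"?')
# Typographic characters introduced by forum software, mapped back to ASCII.
NORMALIZE = str.maketrans(
    {"\u201c": '"', "\u201d": '"', "\u2033": '"', "\u2013": "-"}
)

# Constructed sample: Schema entry as pasted on the page, PDC entry invented.
SAMPLE = """
Server "endscs1" knows about 2 roles
Schema – CN=”NTDS Settings
DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=endsnet,DC=local
PDC - CN=NTDS Settings,CN=EXAMPLEDC,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=endsnet,DC=local
select operation target:
"""


def parse_role_owners(text):
    """Return {role: owner_dn} rebuilt from wrapped ntdsutil output."""
    owners, current = {}, None
    for raw in text.translate(NORMALIZE).splitlines():
        line = raw.strip()
        match = ROLE_LINE.match(line)
        if match:
            current = match.group(1)
            owners[current] = match.group(2)
        elif current and line and not line.endswith(":"):
            # A line starting with DEL: follows the newline embedded in a
            # deleted object's RDN; any other line is console wrapping.
            prefix = "\\0A" if line.startswith("DEL:") else ""
            owners[current] += prefix + line
        else:
            current = None  # blank line or the next ntdsutil prompt
    return owners


def deleted_components(dn):
    """Return [(original_name, object_guid), ...] for deleted RDNs in a DN."""
    return DELETED_RDN.findall(dn)


def orphaned_roles(text):
    """Return {role: deleted components} for roles owned by deleted objects."""
    flagged = {}
    for role, dn in parse_role_owners(text).items():
        deleted = deleted_components(dn)
        if deleted:
            flagged[role] = deleted
    return flagged


if __name__ == "__main__":
    for role, parts in orphaned_roles(SAMPLE).items():
        names = ", ".join(f"{name} ({guid})" for name, guid in parts)
        print(f"{role}: owner points at deleted object(s): {names}")
```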

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278069

    Re: Seizing FSMO roles

    JeremyW wrote:
    Have you checked the Event logs to see if there’s any errors there?
    You could also try transferring the roles (not seizing) using ntdsutil.
    See:
    http://www.petri.com/transferring_fsmo_roles.htm
    http://www.petri.com/determining_fsmo_role_holders.htm

    I have looked there and checked DNS and it seems to be working ok, I would like to transfer the roles or seize them and then rebuild this server. Is transferring the best option then?

    If I use NTDSUTIL to transfer the roles is it more likely to work even though it has the error and the GUI won’t move them?

    I will check the logs again now to see what new items are in there.

    Thanks again! You’re helping me on the road to recovery.

    Cheers

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278068

    Re: Seizing FSMO roles

    JeremyW wrote:
    You need the roles for full functionality and no, you won’t need to restore from backup.

    The best way is to transfer the roles so lets get back to my earlier question; are you getting the error on all DCs or just the one that’s failing?

    Ok sorry,

    Yeah I am getting the error on all roles in AD on both DCs.

    Thanks for your help, this has been an issue for a while now and with your help I think I may come to the correct way of fixing it.

    Thanks

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278067

    Re: Seizing FSMO roles

    wullieb1 wrote:
    You would actually seize them if the server is unavailable.

    If the server is online you can transfer the roles to a new server.

    Thanks

    Sorry, I am being stupid I think. What about the other DC? Will AD no longer work without these roles? So would it be a restore from backup for AD?

    Thanks again

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278066

    Re: Seizing FSMO roles

    JeremyW wrote:
    Do you get this on all your DCs or just the one that’s failing?

    It shows on the two DCs.

    I believe so, its account will need to be reset and because it was a DC you’ll need to clean up AD (’cause if you seize the role you won’t be able to bring it back online to uninstall AD)

    Ok brilliant, so looks like this is my only option.

    I’m not as familiar with 2k as I am with 2k3 but you should be able to use ntdsutil. You can also clean up your AD with ntdsutil. (note the different link)

    Do I use to create new roles or to force them to a new server?

    You have been very helpful!

    Thanks

    Si_Pe
    Member
    in reply to: Seizing FSMO roles #278065

    Re: Seizing FSMO roles

    JeremyW wrote:
    What is the “ERROR” you’re getting?
    Seizing roles is never ideal but if you do, make sure the server you’re seizing the role from is offline and NEVER comes back online. (meaning if you want to use that server again it will need to be reformatted)

    Many thanks for your reply,

    When you look at the FSMO roles within Active Directory all it says where it should list the server name is “ERROR”

    When I rebuild the server can it be called the same name then?

    So will another dc be forced to create the roles?

    Thanks again

    Si_Pe
    Member
    in reply to: Active Directory problems in Advance server #278064

    Re: Active Directory problems in Advance server

    Thanks for that, I have read it but I don’t understand what happens to AD after you seize the role? Will AD still work on the server until it’s demoted?

    Thanks for reply

    Si

    Si_Pe
    Member
    in reply to: AD Advice needed please #278063

    Re: AD Advice needed please

    Dumber wrote:

    Thanks, can user logons be processed still while I do this?

    Thanks

    Si_Pe
    Member
    in reply to: AD Advice needed please #278062

    Re: AD Advice needed please

    Excellent, seeing as the server is up and running at the moment is there a way of trying to fix the current issues and removing AD to another DC?

    Just trying to find the best route for this really, and work out what’s the worst case scenario.

    Thanks

    Si_Pe
    Member
    in reply to: AD Advice needed please #278061

    Re: AD Advice needed please

    m80arm wrote:
    Perhaps one of the old servers that you removed held all of the FSMO roles. The first DC in a new forest holds all of the FSMO roles.

    If this is the case then you may need to seize the FSMO roles onto one of the existing DCs.

    http://www.petri.com/seizing_fsmo_roles.htm

    Hope this helps

    Michael

    Thanks for your reply, What happens if I do this?

    The one server that is running processing logons needs to be rebuilt but called the same server name etc. as it’s a main till server.

    I have read about seizing the roles etc. but I wanted to know what major impact it would have if I did this?

    Thanks again!

    Si_Pe
    Member
    in reply to: Urgent Help Needed with DCPROMO #278060

    Re: Urgent Help Needed with DCPROMO

    Sorry I noticed I haven’t followed the posting rules correctly.

    I am running one domain controller using 2000 Advanced Server.

    DCdiag has come back ok. I seem to be having problems when running a few snap-ins on the current DC with permission denied errors. I guess this is why I can’t promote the new server as the administrator account is happy. I have tried to create a new account and give them the same permissions but that hasn’t worked either.

    All help would be greatly appreciated!

    Thanks

    Si_Pe
    Member
    in reply to: Urgent Help Needed with DCPROMO #278059

    Re: Urgent Help Needed with DCPROMO

    Thanks for your very quick response.

    On the DC that is slowly failing I have tried to go into local domain security policy and it has come up with a permissions error.

    It seems that the administrator has no access? But everything else is running ok?

    Dcdiag comes back with the following:

    Domain Controller Diagnosis

    Performing initial setup:
    * Verifying that the local machine gardserv01, is a DC.
    * Connecting to directory service on server gardserv01.
    * Collecting site info.
    * Identifying all servers.
    * Found 1 DC(s). Testing 1 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-SiteGARDSERV01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    ……………………. GARDSERV01 passed test Connectivity

    Doing primary tests

    Testing server: Default-First-SiteGARDSERV01
    Starting test: Replications
    * Replications Check
    ……………………. GARDSERV01 passed test Replications
    Starting test: Topology
    * Configuration Topology Integrity Check
    * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the connection topology for DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ……………………. GARDSERV01 passed test Topology
    Starting test: CutoffServers
    * Configuration Topology Aliveness Check
    * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for CN=Configuration,DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    * Analyzing the alive system replication topology for DC=GARDNET,DC=local.
    * Performing upstream (of target) analysis.
    * Performing downstream (of target) analysis.
    ……………………. GARDSERV01 passed test CutoffServers
    Starting test: NCSecDesc
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=GARDNET,DC=local
    * Security Permissions Check for
    CN=Configuration,DC=GARDNET,DC=local
    * Security Permissions Check for
    DC=GARDNET,DC=local
    ……………………. GARDSERV01 passed test NCSecDesc
    Starting test: NetLogons
    * Network Logons Privileges Check
    ……………………. GARDSERV01 passed test NetLogons
    Starting test: Advertising
    The DC GARDSERV01 is advertising itself as a DC and having a DS.
    The DC GARDSERV01 is advertising as an LDAP server
    The DC GARDSERV01 is advertising as having a writeable directory
    The DC GARDSERV01 is advertising as a Key Distribution Center
    The DC GARDSERV01 is advertising as a time server
    The DS GARDSERV01 is advertising as a GC.
    ……………………. GARDSERV01 passed test Advertising
    Starting test: KnowsOfRoleHolders
    Role Schema Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role Domain Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role PDC Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role Rid Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    Role Infrastructure Update Owner = CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local
    ……………………. GARDSERV01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    * Available RID Pool for the Domain is 1605 to 1073741823
    * gardserv01.GARDNET.local is the RID Master
    * DsBind with RID Master was successful
    * rIDAllocationPool is 1105 to 1604
    * rIDNextRID: 1158
    * rIDPreviousAllocationPool is 1105 to 1604
    ……………………. GARDSERV01 passed test RidManager
    Starting test: MachineAccount
    * SPN found :LDAP/gardserv01.GARDNET.local/GARDNET.local
    * SPN found :LDAP/gardserv01.GARDNET.local
    * SPN found :LDAP/GARDSERV01
    * SPN found :LDAP/gardserv01.GARDNET.local/GARDNET
    * SPN found :LDAP/2b38c396-dd29-4336-8689-8caf719bb41e._msdcs.GARDNET.local
    * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2b38c396-dd29-4336-8689-8caf719bb41e/GARDNET.local
    * SPN found :HOST/gardserv01.GARDNET.local/GARDNET.local
    * SPN found :HOST/gardserv01.GARDNET.local
    * SPN found :HOST/GARDSERV01
    * SPN found :HOST/gardserv01.GARDNET.local/GARDNET
    * SPN found :GC/gardserv01.GARDNET.local/GARDNET.local
    ……………………. GARDSERV01 passed test MachineAccount
    Starting test: Services
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    * Checking Service: IsmServ
    * Checking Service: kdc
    * Checking Service: SamSs
    * Checking Service: LanmanServer
    * Checking Service: LanmanWorkstation
    * Checking Service: RpcSs
    * Checking Service: RPCLOCATOR
    * Checking Service: w32time
    * Checking Service: TrkWks
    * Checking Service: TrkSvr
    * Checking Service: NETLOGON
    * Checking Service: Dnscache
    * Checking Service: NtFrs
    ……………………. GARDSERV01 passed test Services
    Starting test: OutboundSecureChannels
    * The Outbound Secure Channels test
    ** Did not run Outbound Secure Channels test
    because /testdomain: was not entered
    ……………………. GARDSERV01 passed test OutboundSecureChannels
    Starting test: ObjectsReplicated
    GARDSERV01 is in domain DC=GARDNET,DC=local
    Checking for CN=GARDSERV01,OU=Domain Controllers,DC=GARDNET,DC=local in domain DC=GARDNET,DC=local on 1 servers
    Object is up-to-date on all servers.
    Checking for CN=NTDS Settings,CN=GARDSERV01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=GARDNET,DC=local in domain CN=Configuration,DC=GARDNET,DC=local on 1 servers
    Object is up-to-date on all servers.
    ……………………. GARDSERV01 passed test ObjectsReplicated
    Starting test: frssysvol
    * The File Replication Service Event log test
    The SYSVOL has been shared, and the AD is no longer
    prevented from starting by the File Replication Service.
    ……………………. GARDSERV01 passed test frssysvol
    Starting test: kccevent
    * The KCC Event log test
    Found no KCC errors in Directory Service Event log in the last 15 minutes.
    ……………………. GARDSERV01 passed test kccevent
    Starting test: systemlog
    * The System Event log test
    An Error Event occured. EventID: 0xC0040009
    Time Generated: 06/12/2006 16:40:13
    Event String: The device, DeviceIdeIdePort0, did not respond
    within the timeout period.
    ……………………. GARDSERV01 failed test systemlog

    Running enterprise tests on : GARDNET.local
    Starting test: Intersite
    Skipping site Default-First-Site, this site is outside the scope
    provided by the command line arguments provided.
    ……………………. GARDNET.local passed test Intersite
    Starting test: FsmoCheck
    GC Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    PDC Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    Time Server Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    Preferred Time Server Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    KDC Name: \gardserv01.GARDNET.local
    Locator Flags: 0xe00001fd
    ……………………. GARDNET.local passed test FsmoCheck

    Thanks for your help!
