  1. #1

    Join Date
    Apr 2012
    Location
    Cheshire
    Posts
    98
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Problem with DC

    Hi,

    Bit of a headache this one and I've not a clue how to correct it properly.

    We have a parent domain with two child domains, I have a separate thread open regarding the issues I am experiencing with this. Anyway to cut a long story short, our admin domain that handles staff logons has two domain controllers. The operations master and an additional DC.

    Last week the main domain controller for our admin domain failed and the backups were shot so it needed a rebuild. As the other DC held a full copy of AD for the admin domain, I promoted the newly rebuilt DC as an additional DC for the admin domain. The problem is I don't believe it has configured itself correctly. AD still had a record of the failed server holding all of the FSMO roles and these were not seized to the remaining DC as the main one was not going to be offline permanently.

    Everything seems to be running right apart from I cannot access GPs for the admin domain correctly and there are some SAM errors.

    Is there an easy way to correct this and re-instate the now rebuilt DC as the operations master for the admin domain? I have tried to force transfer the FSMO roles to the other DC to then try and transfer back to correct any issues but it won't let me.

    Ideally I would have transferred the FSMO roles to the other DC when the first one failed but I couldn't get access to do this and I did not want to seize the roles as the original DC would eventually be rebuilt and put back online with the same server name.

    So to confirm: the server that held all the FSMO roles for the admin domain failed and needed a reinstall. Once it was back online, I ran dcpromo and made it an additional DC for the admin domain, and AD updated to show the rebuilt DC as holding all the FSMO roles because the server name was the same. But it had failed since it held the FSMO roles, so it's not accurate and it's causing problems. The FSMO roles were never transferred or seized to another server when the 1st DC failed.

    Please help.... lol
    Last edited by Badaz52; 12th April 2012 at 10:42 PM.

  2. #2

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,241
    Thank Post
    239
    Thanked 1,567 Times in 1,249 Posts
    Rep Power
    339
    It sounds as though you have two DCs in the admin child domain, but no FSMO roles. It's no surprise you're getting errors. Ideally you should try everything to try and bring the failed DC back online, but failing that you can seize FSMO roles as described here.

  3. #3

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,786
    Thank Post
    272
    Thanked 1,129 Times in 1,025 Posts
    Rep Power
    348
    You will need to forcibly seize the roles from the failed domain controller and then remove it from AD (via ADSI Edit).

    More info here or google Remove Failed Domain Controller.

    Remember doing this can be risky, but it should be OK; just read through all the stages before you touch anything! I've only ever done this in a single-domain environment, but it should be the same, just fewer roles to seize (i.e. not forest master etc.)

    EDIT: too slow at typing!!

  4. #4

    Michael's Avatar
    I agree with glennda; you just need to transfer these three roles in your child domain:

    - RID master
    - PDC
    - Infrastructure master

    The other two roles are going to be higher up the chain in your parent domain.

  5. #5

    If I check operation masters in AD the failed DC which is now rebuilt is shown in the relevant fields. Based on past information it believes nothing has changed but it has.

    So yeah, you're right: even though the fields are populated, neither DC is holding the 3 FSMO roles required for the admin domain.

    Do you think it's worth seizing the roles on the now-rebuilt DC? Would this work even though AD thinks it already has the roles?
    Last edited by Badaz52; 12th April 2012 at 11:15 PM.

  6. #6

    glennda's Avatar
    I would seize them to the non-failed DC - they can always be moved back to the other DC afterwards.

  7. #7

    What if the non-failed DC is a global catalog server also?

  8. #8

    Michael's Avatar
    Quote Originally Posted by Badaz52 View Post
    What if the non-failed DC is a global catalog server also?
    That's fine, DCs should be GCs, otherwise they wouldn't be able to process logons at all.

    Before you do anything though, take an appropriate backup of the System State of the DC before you seize the roles to it.

  9. #9

    So to recap, I need to seize the FSMO roles to the DC that didn't fail, then demote and remove the failed server which has been rebuilt from AD? Then rebuild the failed server once more, promote as a DC and move the roles back?
    Last edited by Badaz52; 13th April 2012 at 09:46 AM.

  10. #10

    glennda's Avatar
    Quote Originally Posted by Badaz52 View Post
    So to recap, I need to seize the FSMO roles to the DC that didn't fail, then demote and remove the failed server which has been rebuilt from AD? Then rebuild the failed server once more, promote as a DC and move the roles back?
    Personally, I would demote the server you rebuilt (to remove complication).

    Seize roles to non-failed DC. Then create a new DC (you can leave the roles on the other; it doesn't make much difference). Personally I wouldn't call it the same as the one that failed, because you can then go through and make sure there are no traces of that server's name in AD.

  11. #11

    Michael's Avatar
    Glenda's spot on, I agree this is what I would do too.

    Of course when you've seized the roles to the remaining DC, you can then re-promote the new DC and transfer all FSMO roles to that.

    Both DCs should be GCs. When setting up 2008/2008 R2, by default, it is recommended both are DNS and GCs and I would say the same for 2003 too.

    I can't remember (top of my head) whether 2003 makes itself a GC when adding additional DCs, but certainly worth checking.

  12. #12

    Quote Originally Posted by Michael View Post
    Glenda's spot on, I agree this is what I would do too.

    Of course when you've seized the roles to the remaining DC, you can then re-promote the new DC and transfer all FSMO roles to that.

    Both DCs should be GCs. When setting up 2008/2008 R2, by default, it is recommended both are DNS and GCs and I would say the same for 2003 too.

    I can't remember (top of my head) whether 2003 makes itself a GC when adding additional DCs, but certainly worth checking.
    This worked fantastically well. Everything is back up and running as it was.

    Cheers for all your help guys!
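
The seizure agreed on in this thread, written out as an added example that is not part of any post: a batch file run on the surviving DC that records the current role holders, takes the System State backup, seizes only the three domain-wide roles and then verifies the result. The server name and backup path are placeholders, and `netdom`, `dcdiag` and `repadmin` assume the Windows Server 2003 Support Tools are installed.

```bat
@echo off
rem Added example, not from the thread. SURVIVOR and BACKUP are placeholders.
rem Run on the surviving DC of the child domain with Domain Admin rights.
setlocal
set SURVIVOR=DC2.admin.example.local
set BACKUP=D:\Backups\dc2-systemstate.bkf

rem 1. Record what AD currently claims about the role holders. A stale
rem    entry that still names the failed server shows up here.
netdom query fsmo
dcdiag /s:%SURVIVOR% /test:knowsofroleholders /v

rem 2. System State backup of the DC that will receive the roles,
rem    taken before anything is changed.
start /wait ntbackup backup systemstate /J "Pre-seize system state" /F "%BACKUP%"
if not exist "%BACKUP%" (
    echo System State backup not found; not seizing roles.
    exit /b 1
)

rem 3. Seize only the three domain-wide roles of the child domain.
rem    Schema master and domain naming master are forest-wide and stay
rem    where they are. ntdsutil attempts a normal transfer first and
rem    seizes only if the listed holder cannot be contacted; each
rem    seizure asks for confirmation.
ntdsutil roles connections "connect to server %SURVIVOR%" quit ^
  "seize RID master" "seize PDC" "seize infrastructure master" quit quit

rem 4. Confirm the new holders and that replication is healthy.
netdom query fsmo
dcdiag /s:%SURVIVOR% /test:fsmocheck
repadmin /showrepl %SURVIVOR%

endlocal
```

Once replication has carried the change, `netdom query fsmo` run against any DC in the domain should name the surviving DC for all three roles; only then promote the replacement DC and, if wanted, transfer the roles to it.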
