Crashed DC, reinstalled and now server can't find domain - Please help!

  • Thread starter Thread starter Camilo Arango
  • Start date Start date
C

Camilo Arango

Hello everybody!

I have a *tremendous* problem with my current AD configuration:

I have two boxes as follows:
Win 2000 Server SP 4, its a DC
Win 2003 Server, SP 4 its also a DC

I have a single domain. I first installed AD in the Win2000 box, then setup
Win2003 and also installed AD to use it as a backup server so people could
still log in if win2000 was out of service.. I have DNS and DHCP services
running on both machines. In Active Directory Sites and Services, under NTDS
Settings, Win2000 holded the Global Catalog role, while Win2003 did not.

Now here is the situation:
Win2000 died. While dead, everything went fine with Win2003. People could
get IP addressess, login as usual, use DNS, etc. I reinstalled Win2000
completely, same name, same everything. When installing AD, I setup Win2000
to be once again a DC and hold the Global Catalog. Everything seemed fine,
in the Active Directory Users and Computers snap-in in Win2000 I could see
users, computers, etc. Under the Domain controllers, both servers appear.
However, something is wrong because I have several problems:

1.) When creating new user accounts (in any of both machines), it takes a
long time and finally I get this message: "Windows cannot validate the
uniqueness of this proposed user name whith a global catalog because: The
server is not operational.(...). Despite this, accounts work fine, can be
seen in both machines etc.
2.) Win2000 Event Viewer is full with SAM source error messages that read:
"The account-identifier allocator failed to initialize properly. The record
data contains ...etc." Win2003 event viewer does not have any of these
messages.
3.) Both machines also have these warnings under Application Log in Event
Viewer: Event Source: SceCli: "Security policies are propagated with
warning. 0x534 : No mapping between account names and security IDs was
done.(..)" I here omit the rest of the description because its too long.
4.) I can't manage the Domain Controller Secutiry Policy or the Domain
Security Policy. when opening the MMC snap-in, i get the following error:
"Failed to open the Group Policy Object". You may not have appropiate
rights. Details: The specified domain either does not exist or could not be
contacted.
5.) When trying to setup ACL over folders in Win2000, it takes a long time
but it finally shows users fine. In win2003, this process works fast as
normal.

I have read a lot of possible causes for each of these errors in Usenet
groups. There are also a number of possible fixes, some including editing
registry settings, etc. I could not find anything that really matched mi
situation. Any ideas?? Is there at least any "tests" I could do to
troubleshoot and pinpoint my exact problem? AD literature is extense and
complex, and i'm not an expert.

Please help!!

best regards,

Camilo Arango
 
I guess the first question that comes to mind is what has happened to the
FSMO roles, when the 2000 box crashed I'm guessing it had the FSMO roles,
then you rebuilt it and the rebuilt box would not have a clue who has the
FSMO roles. Did you seize these when the original DC broke??
 
Check for fsmo availability
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

GC
http://support.microsoft.com/default.aspx?scid=kb;en-us;313994

Make sure the sysvol is working properly
http://support.microsoft.com/default.aspx?scid=kb;en-us;315457




Try running netdiag, repadmin and dcdiag. Look for fail, error and warning
errors.

If you don't have the tools installed load them from your install disk.

d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)

Copy the following to a cmd file and run look for error, fail and warn
within the reports. Post any errors you can't figure out. make sure you
modify DC_Name to the name of a dc in your domain.

@echo off

c:
cd \
cd "program files\support tools"

del c:\dcdiag.log
dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
start c:\dcdiag.log

netdiag.exe /v > c:\netdiag.log
start c:\netdiag.log

repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
start c:\repl.txt


See for more details

http://www.microsoft.com/technet/pr...Ref/1d4ce93c-54f2-4069-a708-251509c38837.mspx


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hello everybody!

I have a *tremendous* problem with my current AD
configuration:

I have two boxes as follows:
Win 2000 Server SP 4, its a DC
Win 2003 Server, SP 4 its also a DC

I have a single domain. I first installed AD in the Win2000
box, then setup
Win2003 and also installed AD to use it as a backup server so
people could
still log in if win2000 was out of service.. I have DNS and
DHCP services
running on both machines. In Active Directory Sites and
Services, under NTDS
Settings, Win2000 holded the Global Catalog role, while
Win2003 did not.

Now here is the situation:
Win2000 died. While dead, everything went fine with Win2003.
People could
get IP addressess, login as usual, use DNS, etc. I
reinstalled Win2000
completely, same name, same everything. When installing AD, I
setup Win2000
to be once again a DC and hold the Global Catalog. Everything
seemed fine,
in the Active Directory Users and Computers snap-in in Win2000
I could see
users, computers, etc. Under the Domain controllers, both
servers appear.
However, something is wrong because I have several problems:

1.) When creating new user accounts (in any of both machines),
it takes a
long time and finally I get this message: "Windows cannot
validate the
uniqueness of this proposed user name whith a global catalog
because: The
server is not operational.(...). Despite this, accounts work
fine, can be
seen in both machines etc.
2.) Win2000 Event Viewer is full with SAM source error
messages that read:
"The account-identifier allocator failed to initialize
properly. The record
data contains ...etc." Win2003 event viewer does not have any
of these
messages.
3.) Both machines also have these warnings under Application
Log in Event
Viewer: Event Source: SceCli: "Security policies are
propagated with
warning. 0x534 : No mapping between account names and security
IDs was
done.(..)" I here omit the rest of the description because its
too long.
4.) I can't manage the Domain Controller Secutiry Policy or
the Domain
Security Policy. when opening the MMC snap-in, i get the
following error:
"Failed to open the Group Policy Object". You may not have
appropiate
rights. Details: The specified domain either does not exist or
could not be
contacted.
5.) When trying to setup ACL over folders in Win2000, it takes
a long time
but it finally shows users fine. In win2003, this process
works fast as
normal.

I have read a lot of possible causes for each of these errors
in Usenet
groups. There are also a number of possible fixes, some
including editing
registry settings, etc. I could not find anything that really
matched mi
situation. Any ideas?? Is there at least any "tests" I could
do to
troubleshoot and pinpoint my exact problem? AD literature is
extense and
complex, and i'm not an expert.

Please help!!

best regards,

Camilo Arango
Click to expand...

Assuming you had 2 DCs and one of them died
* Make a FULL backup of BOTH servers (at least systemdisk and system
state)
* Make the W2K3 DC a GC using sites and services
* Disconnect the new installed W2K box from the network
* On the new installed W2K box run DCPROMO /FORCEREMOVAL (this will
remove AD from the W2K box)
* After demotion reboot and connect the W2K server to the network
* On the W2K3 box check which DCs holds FSMO roles
http://support.microsoft.com/?id=324801
* Seize the FSMO roles to the W2K3 DC that it does not hold
http://www.petri.co.il/seizing_fsmo_roles.htm
http://support.microsoft.com/default.aspx/kb/255504
* On the W2K3 box cleanup the metadata of the W2K box
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://www.petri.co.il/fix_unsuccessful_demotion.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498
* DCPROMO the stand alone server again to a DC (the one you previous
demoted to a stand alone server) and make that DC also a GC

Check the event logs of the DCs to see what is going on

Good luck!
 
Greetings Everybody.

Im sorry I didn't write before, but the task I was doing requiered a lot of
time and took me over a month to finisih. Thank you very much Paul!

I carefully read and did what Pauls' email explained, and managed to solve
my problem by seizig all roles to the new server. When trying to make the
server a DC, I read I had some problems with replication. So I had to
rebuild the SYSVOL, its junction points and restart FRS in one DC as
authoritative while the in the other one as non-authoritative.

Everything is working now fine. I ran the script you gave me and all tests
passed fine.

Now I only have one problem: When recreating the SYSVOL, I deleted (all
copies on both DC's) the GPO's files located in SYSVOL. So now when I try to
access the Domain Controller Security Policy, I get the "The system cannot
find the path specified" error. I have already checked that NETLOGON and
SYSVOL shares exist on both DC's. The problem is that the content of the
Policies folder was deleted (I recreated all folders from scratch). I have
two questions:

1. If I open Local Security Policy and try to set something, I can see in
the Effective Policy setting that the system still "remembers" my Domain
Controller Policy. This I know because there are settings not set on Local
Policy but I can see them on Effective Policy, which should be Domain
Policy. Does it mean that this GPO is stored somewhere else that the SYSVOL
folder? If so, where is it, and why does it work that way? Can I copy it to
the shared SYSVOL folder and get it to work?

2. If not, How can I recreate from scratch my Domain Policy? I don't care if
I have to rewrite the policy from start.

Thanks everybody for your help.

Camilo
 
Back
Top