Ash Ridley
Hi all,
Got a bit of a nightmare on my hands and I can't seem to fix it.
We've run ADPrep to add a 2k3 server to my existing 2k domain and it went a
bit sour.
Unfortunately I've had to pick up this problem from a Junior so the details
are (unfortunately) a bit sketchy.
After running ADPrep none of the users could log in (apparently the GC
couldn't be contacted) so he decided to demote the server to remove AD and
then install it back in again.
Needless to say that this didn't work (presumably because the problem had
spread to the other DC).
At this point I got pulled in and decided to do an authoritative restore from
backup...which didn't cure the problem either.
I have identified several key problems, the main ones being that there is
currently no domain naming or schema master set (the other FSMO roles are
fine) - unfortunately I am unable to seize these roles, the error is that I
don't have permission to do so and on further investigation the problem
appears to be that because a GC cannot be contacted (both DCs are set to be
GCs) the system cannot validate that the account I am using is a member of
enterprise admins (a GC error is generated when you go to view the Ent Admin
group membership).
The other obvious problem is that I have a ghost entry in AD sites and
services, it has the same name as my FSMO master DC (with a load of extra
characters on the end) and I am unable to remove it (which does not appear
in ADSIEdit)
I have managed to get users back on the system by disabling GC error
checking in the registry on both DCs (one of the few times I have been
thankful we use Lotus Notes and not Exchange)
Does anyone have any suggestions?
Ash