Dwight said:
I excluded %sysvol% and C:\winnt\ntds from AV. Let M=Legacy Windows 2000
server and Q=Newer Windows 2003 server. I used the "Enable Journal Wrap
Automatic Restore" to try and clear the journal wrap error per MS
documentation. As I had suspected, it's trying to replicate from Q but Q is
NOT a healthy AD. Recall that NETDIAG /TEST NS on Q said "WARNING: The
system volume has not been completely replicated to the local machine. This
machine is not working properly as a DC." This is that circular problem I
spoke of originally.

Q is currently disconnected from the network. The question now is, will it
be detrimental to M, our legacy server, if I reconnect Q and let NTFRS on M
try to replicate SYSVOL? Since Q isn't working properly as an AD, will that
spread to M and thus, M would stop working correctly as the DC? We can't
afford any down time. Thanks for your advice on this.

If I can be sure it won't harm functioning of M, I will connect Q back to
the network and run repadmin, netdiag, and dcdiag per your request.
Otherwise, is there a way I can cancel the FRS attempts to replicate from Q
to M?
It appears from the ipconfig, that you have a Single Label name. That may be
the root of the whole issue. Read the following for what this condition
really means, and how it affects everything. You've just never noticed it
until trying to add an additional DC.
And I wouldn't simply shut down or unplug a DC. The other DC will be
looking for it, because it is aware of it. Never turn off a DC. If you don't
want a DC, demote it. If it won't demote, run the dcpromo /forcedemote
switch. If that doesn't work, then unplug it, wipe it out and rebuild it
from scratch, then perform a Metadata Cleanup procedure on the AD database
from the current DC that you want to keep, to remove references to the old
DC so it won't keep trying to replicate and communicate with it.
But the single label name is the cause of this.
I assume there is only one interface (NIC) on this machine. It appears that
way in the ipconfig, but it seems you typed it in, and not copied/pasted it.
Just making sure you didn't leave anything out. If more than one NIC, IP or
RRAS on it, it will complicate the whole scenario.
Let us know what you think, and how you plan on addressing it.
Ace
==================================================================
Single label names:
By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000 & 2003, MCSA
Messaging
Compiled 3/2005
---
What is an FQDN?
It stands for "Fully Qualified Domain Name." It is multi-level, or
hierarchical, such as:
domain.com
domain.net
domain.local
childdomainname.domain.local
etc
What is a Single Label DNS Domain name?
They are like the old style NT4 domain NetBIOS domain names, such as:
DOMAIN
CORP
COMPANYNAME
etc
DNS is a hierarchical database. Some call it a "tree" with a root (the 'com'
or 'net', etc, name), then the trunk (the 'domain' portion of it), and the
branches (such as www, servername, etc). The Root domain name, such as com,
edu, net, etc, is also known as the TLD (Top Level Domain name).
Basically you can look at a DNS domain name as having multiple levels
separated by periods. The minimal requirement for an FQDN domain name, such
as microsoft.com, is two levels. Then of course are your resource names,
such as www, servername, or even child domain names under it.
Notice with a single label name there is only one name for the domain, or
one level? Don't get this confused with the NetBIOS domain name, that we
were familiar with in the NT4 days. AD supports the NetBIOS domain name as
well, but only as a NetBIOS domain name. It's one of the domain names chosen
when a machine is promoted into a domain controller for a brand new domain
in a brand new forest. NT4 wasn't reliant nor did it use DNS for NT4
domains. However, AD is reliant, therefore it must follow DNS naming rules.
Unfortunately the old NT4 style names are not hierarchical because there is
only one level.
Since AD requires and relies on DNS, and DNS is a hierarchical database, a
single label name does not follow any sort of hierarchy. DNS fails with
single label names. Windows 2008, Windows 2003, XP and Vista have problems
resolving single label names because they do not follow the proper format
for a DNS domain name, such as domain.com, etc.
Also, Windows 2000 SP4 and all newer machines have problems querying single
label names. It's explained below by Alan Woods. Because clients query DNS
for AD resources (domain controller locations and other services), they may
have difficulty finding resources.
How did it happen? In most cases it's due to lack of research on AD's DNS
requirements, or how it works, or it could have been a simple, yet costly,
typo when originally upgrading from NT4 or promoting your new AD domain.
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain (or any AD upgrade or installation):
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040
---
How to fix it? Good question. Glad you've asked.
---
1. The preferred "fix" (in a one line summary), is to install a fresh new
domain properly named and use ADMT to migrate user, group and computer
accounts into the new domain from the current domain.
2. An alternative is to perform a domain rename, (difficulty depends on the
operating system and which version of Exchange is installed).
3. As a temporary resort, you can use the patch/bandaid registry entry to
force resolution and registration that is mentioned in the following link.
This must be applied to every machine. Unfortunately it must be done on
every machine in the domain, including the DCs, member servers, workstations
and laptops.
300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/?id=300684
---
Please read Microsoft's stance on Single Label Names:
---
Single label names, from Alan Woods, MS:
"We really would prefer to use FQDN over Single label name. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.
Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA
If a client in the domain Child2 wants to resolve a name in domainA
(Example: Host.DomainA) and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA, and at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.
Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.
Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the services you are
using.
Thank you,
Alan Wood[MSFT]"
---
More Info:
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain
http://support.microsoft.com/?id=555040
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003:
http://support.microsoft.com/?id=825036
DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/?id=291382
Naming conventions in Active Directory for computers, domains, sites, and
OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264
============================================
Ace
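The devolution behaviour Alan Woods describes above (append the client's primary DNS suffix, then strip leading labels until only the last two remain) is easy to model. The following is an added example, not code from the thread or from Microsoft; the forest names (domainA, child1, Child2, host) are the constructed ones from his post, and the rule modelled is exactly the one stated there, not any later Windows devolution change.

```python
"""Simulate DNS suffix devolution as described in the quoted post, to show
why a single-label forest root cannot be reached from a grandchild domain.
Names below are constructed for illustration."""


def is_single_label(domain: str) -> bool:
    """True when a DNS domain name has only one label, e.g. 'domainA'."""
    return len([p for p in domain.strip(".").split(".") if p]) == 1


def devolution_candidates(name: str, primary_suffix: str) -> list:
    """Return, in order, the FQDNs the resolver tries for an unqualified name.

    Rule from the post: start with the full primary suffix and drop the
    leading label each round; stop once only two labels remain.  A one-label
    suffix is therefore never queried, which is why 'host.domainA' is missed
    (and why such lookups end up hitting the root hints instead)."""
    labels = [p for p in primary_suffix.strip(".").split(".") if p]
    candidates = []
    while len(labels) >= 2:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def resolves_via_devolution(name: str, primary_suffix: str,
                            target_fqdn: str) -> bool:
    """Does devolution ever produce target_fqdn?  DNS names compare
    case-insensitively, so lower-case both sides."""
    wanted = target_fqdn.lower()
    return any(c.lower() == wanted
               for c in devolution_candidates(name, primary_suffix))


if __name__ == "__main__":
    # Single-label root 'domainA' with child1.domainA and Child2.child1.domainA
    print(devolution_candidates("host", "Child2.child1.domainA"))
    # -> ['host.Child2.child1.domainA', 'host.child1.domainA']
    print(resolves_via_devolution("host", "Child2.child1.domainA",
                                  "host.domainA"))        # False
    # The same forest with a proper two-label root: host.domainA.local is hit
    print(resolves_via_devolution("host", "Child2.child1.domainA.local",
                                  "host.domainA.local"))  # True
    print(is_single_label("domainA"), is_single_label("domainA.local"))
    # -> True False
```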