[Long] Clearing GC check box caused child domain to be deleted!


Hi All,

We have a Windows 2003 forest with one parent domain and one child domain.
The parent domain has 3 domain controllers (DCs).
The child domain has 2 DCs.
2 of the parent domain DCs are Global Catalog servers (GC).
One of the child domain DCs is a GC.

One DC in the parent domain that is a GC server also holds all the FSMO roles.
(This is not correct). It needs to be replaced, so I am trying to move all the
FSMO roles off that DC.

The first change I decided to make was to remove the GC from the FSMO role
holder. This would both remove the GC and fix the incompatibility between it
being a GC server and the infrastructure master (IM). Since there is another
GC server in the parent domain, all should be well. I cleared the check box in
AD Sites and Services > NTDS Settings for that DC, applied the change, sat back
and watched the event viewer. What followed is appended to the end of this
post.

The first error:
"This machine holds the Domain Master Role, and is not a GC. These two states
are incompatible."
I had not read about this requirement anywhere. I thought only grandchild
domains required this. This means that if I need to have all the FSMO roles on
one machine, I must have that machine also be a GC. BUT, I am also prohibited
from having the IM be a GC. These two requirements seem contradictory.

My Questions:
1) Why was the child domain removed?

2) The event log suggests that if all DCs in the parent domain are GCs,
the GC vs IM issue can be safely ignored. Is 3 GCs in the parent domain too
many? Is this a good solution?

3) I put the GC back on the DC that holds the other FSMO roles. The child
domain was put back automatically when the replication link from the child
DC reappeared. But now, the DC in the parent domain that is a GC server
(but not the FSMO role holder) can no longer access the child domain.
"No list of servers for this domain is available".
How can I fix this?


Sorry for the length of this post!
Cheers,
Geoff

Events after removing GC check box:
============
This machine holds the Domain Master Role, and is
not a GC. These two states are incompatible.
Either this machine should be made a GC or the
role should be transferred to a machine that is a GC.
============
The local machine is no longer a global catalog server.
The domain DC=CHILD,DC=PARENT,DC=com is no longer
replicated from server CN=NTDS
Settings,CN=DC_CHILD,CN=Servers,CN=CHILD,CN=Sites,
CN=Configuration,DC=PARENT,DC=com at address
0a41c216-fa5a-nnnn-ac49-a9e8734c3bbd._msdcs.PARENT.com.
============
The local domain controller is no longer configured
to host the following directory partition. As a result,
the objects in this directory partition will be removed
from the local Active Directory database.

Directory partition:
DC=CHILD,DC=PARENT,DC=com

Until these objects are completely removed, this domain
controller cannot be reconfigured to host this directory
partition.
============
The removal of the following directory partition from the
local Active Directory database has resumed.

Directory partition:
DC=CHILD,DC=PARENT,DC=com
============
The local machine is no longer a global catalog server.
The domain DC=CHILD,DC=PARENT,DC=com is no longer
replicated from server CN=NTDS
Settings,CN=DC_PARENT,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=PARENT,DC=com at address
b8530998-3a4a-nnnn-92b1-a03cb8692844._msdcs.PARENT.com.
============
The removal of the following directory partition from
the local Active Directory database completed successfully.

Directory partition:
DC=CHILD,DC=PARENT,DC=com
===========
 
I had not read about this requirement anywhere. I thought only grandchild
domains required this. This means that if I need to have all the FSMO
roles on one machine, I must have that machine also be a GC. BUT, I am
also prohibited from having the IM be a GC. These two requirements seem
contradictory.

This is only an issue in the environment that you have: multiple domains,
and not all DCs being GCs. If you make the third DC in the root domain a GC
then this is no longer an issue. The same goes for the child domain: if all
the DCs in a domain are GCs there's no need for the IM.

1) Why was the child domain removed?

Where's this come from?!?! What was removed?

2) The event log suggests that if all DCs in the parent domain are GCs,
the GC vs IM issue can be safely ignored. Is 3 GCs in the parent domain too
many? Is this a good solution?

Yes this is a good solution. With so few DCs (and domain) replication
shouldn't be an issue, so make all DCs GCs.

3) I put the GC back on the DC that holds the other FSMO roles. The child
domain was put back automatically when the replication link from the child
DC reappeared. But now, the DC in the parent domain that is a GC server
(but not the FSMO role holder) can no longer access the child domain.

I don't quite follow you here. Are we talking about Connection Objects (for
replication in sites and services)?

"No list of servers for this domain is available". How can I fix this?

This is a DNS issue. How is name resolution setup? Normally, you would
either use only the DCs in the root, or perform a delegation to a child DNS
server and then have the child domain DNS server hold a secondary copy of
the other domain. For example, the child would hold a secondary copy of the
parent domain. The parent uses the delegation, so doesn't require a
secondary zone.

Have a look at this article about the IM and GC issue. It needs updating,
but should suffice. Just note that the IM is a domain-specific role and
therefore only all DCs in the DOMAIN need to be GCs for the IM to be
defunct. What happens in other domains has no bearing; this is a domain
specific issue.
-- http://www.msresource.net/content/view/14/46/
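Added example (not from the thread or from the article linked above): a PowerShell audit of the two rules discussed here, for every domain in the forest. It reports whether the Infrastructure Master is a GC while other DCs in its domain are not (the configuration that matters), whether every DC in the domain is a GC (which makes the IM moot, as Paul says), and whether the Domain Naming Master is a GC (the first event Geoff saw). It assumes the RSAT ActiveDirectory module and read access to each domain.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# is installed and the caller can query every domain in the forest.
Import-Module ActiveDirectory

function Test-ImGcRule {
    $forest = Get-ADForest

    # Forest-wide check: the "Domain Master Role" event in the thread fired
    # because the Domain Naming Master stopped being a GC.
    $dnm = $forest.DomainNamingMaster
    $dnmDc = Get-ADDomainController -Identity $dnm
    if (-not $dnmDc.IsGlobalCatalog) {
        Write-Warning "Domain Naming Master $dnm is not a GC."
    }

    # Per-domain check: the IM rule is domain-specific, as Paul points out.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
        $im = $domain.InfrastructureMaster          # FQDN of the IM holder
        $imIsGc = @($gcs | Where-Object { $_.HostName -eq $im }).Count -gt 0

        if ($gcs.Count -eq $dcs.Count) {
            $state = 'OK: every DC is a GC, so the IM role has nothing to do'
        } elseif ($imIsGc) {
            $state = 'WARNING: IM is a GC while other DCs are not'
        } else {
            $state = 'OK: IM is not a GC'
        }

        [pscustomobject]@{
            Domain = $domainName
            DCs    = $dcs.Count
            GCs    = $gcs.Count
            IM     = $im
            State  = $state
        }
    }
}

Test-ImGcRule | Format-Table -AutoSize
```

For Geoff's forest the parent domain would report 3 DCs and 2 GCs with the IM holder among the GCs (the WARNING row), and Paul's fix of making the third DC a GC turns that row into the "every DC is a GC" case.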
 
Hi Paul,
Thanks for the response. We'll make the third DC a GC.

1) Why was the child domain removed?

I asked this because that's what happened when I removed the GC check
box on the IM. The exact sequence of Event log errors is appended to the post,
but the relevant ones are:
============
This machine holds the Domain Master Role, and is
not a GC. These two states are incompatible.
Either this machine should be made a GC or the
role should be transferred to a machine that is a GC.
============
The local machine is no longer a global catalog server.
The domain DC=CHILD,DC=PARENT,DC=com is no longer
replicated from server CN=NTDS
Settings,CN=DC_CHILD,CN=Servers,CN=CHILD,CN=Sites,
CN=Configuration,DC=PARENT,DC=com at address
0a41c216-fa5a-nnnn-ac49-a9e8734c3bbd._msdcs.PARENT.com.
============
The local domain controller is no longer configured
to host the following directory partition. As a result,
the objects in this directory partition will be removed
from the local Active Directory database.

Directory partition:
DC=CHILD,DC=PARENT,DC=com

Until these objects are completely removed, this domain
controller cannot be reconfigured to host this directory
partition.
============
 
Ah right...that's fine. That's basically saying that because this DC is no
longer holding the role of GC then it does not hold the partial, read-only
replica of that domain partition (naming context). This is to be expected
and is nothing to worry about.

A GC holds a read-only copy of all domainDNS partitions, with a subset of
attributes for all objects, as well as its own domain partition and the
enterprise partitions.
 
Okaaaay...
It would be nothing to worry about, had the child domain still been
accessible, but it wasn't. Not until I put back the GC on the DC with the
FSMO roles. This makes me suspect that the other DC that held the other GC
and now still can't access the child domain, already had a problem. If so,
and that remaining GC could not be accessed properly, all bets were off - I'm
surprised I could log in to the domain at all! This takes us back to your
suggestion that the second DC's problem accessing the child domain is a DNS
issue.

So, here's our DNS set up:
All DNS servers in the forest are Active Directory integrated.
The DC with the FSMO roles in the parent domain is the primary DNS server.
It has one forward lookup zone for the parent domain. PARENT.com. It is marked
primary. Within that is the child domain CHILD.PARENT.com
We don't delegate to a child DNS server

The second DC in the PARENT domain is not a DNS server. It uses the third DC
for DNS lookups.

The third DC in the PARENT domain is also a DNS server.
It seems also to be a primary DNS server (I realize this might be a problem,
although I'm a little hazy on the exact definition of a primary DNS server).
It is intended to be the replacement for the primary when that machine is
taken out of service. This DNS server currently uses the primary DNS for
lookups.

In the child domain, both DCs are DNS servers.
The first DC server uses the primary DC in the PARENT domain for lookups.
The second DC uses the first DC in the CHILD domain for lookups.

I would add that the DC with the access problem seems to be able to resolve
names OK (but I realize that's not the whole story) and DCDIAG /e is clean
apart from some services that are missing (IIS and SMTP).

Phew.

Any ideas as to what might be wrong for the second DC's access to
the child domain?
Cheers,
Geoff.
 
Two Primaries?!?! = Not good.

On the first DC, make the zone AD-integrated. On the third box, delete the
zone and point to DC01 for DNS and replicate. Once replication has
occurred, restart DNS and you will have the AD-Integrated zone there.

Leave the child DCs as they are; they will be fine when they are pulling
info from a synchronised source.
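Added example (not from the thread): a PowerShell report of how each DC in the parent domain stores the PARENT.com zone, which surfaces the "two primaries" condition Paul is describing. More than one file-backed Primary copy of the same zone is the misconfiguration; after his fix every copy should show as AD-integrated. It assumes the RSAT DnsServer and ActiveDirectory modules, that the zone name equals the domain name, and that a DC without the DNS role simply fails the query.

```powershell
# Added example, not from the thread. Assumes the RSAT DnsServer and
# ActiveDirectory modules; PARENT.com stands in for the real domain/zone.
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-ZoneStorageReport {
    param(
        [string]$DomainName = 'PARENT.com',
        [string]$ZoneName   = 'PARENT.com'
    )

    $rows = foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        try {
            $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                Server       = $dc.HostName
                ZoneType     = $zone.ZoneType        # Primary / Secondary / Stub
                DsIntegrated = $zone.IsDsIntegrated  # $true once AD-integrated
                Scope        = $zone.ReplicationScope
            }
        } catch {
            # No DNS role or no such zone on this DC (like Geoff's second DC,
            # which only points at the third DC for lookups).
            [pscustomobject]@{
                Server = $dc.HostName; ZoneType = 'n/a'; DsIntegrated = $false; Scope = 'n/a'
            }
        }
    }

    # Two or more file-backed primaries of one zone diverge silently; that is
    # the state Paul says to fix by converting one copy and deleting the rest.
    $filePrimaries = @($rows | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.DsIntegrated })
    if ($filePrimaries.Count -gt 1) {
        Write-Warning ("{0} file-backed primary copies of {1}: {2}" -f
            $filePrimaries.Count, $ZoneName, ($filePrimaries.Server -join ', '))
    }
    $rows
}

Get-ZoneStorageReport | Format-Table -AutoSize
```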
 