New AD DC cannot be seen by other Domains in Forest

  • Thread starter Thread starter Brian
  • Start date Start date
B

Brian

We are in the process of upgrading several NT4 account domains to W2K
AD within one forest. Last week DomainX performed their upgrade as
follows:
1 Upgraded NT4 PDC (TempDC) to W2K with DNS pointing to forest root DC
2 Ran dcpromo on W2K member server (DC1) - decided to install DNS on
this box
3 DNS configured incorrectly on DC1
4 Attempt to run dcpromo to downgrade TempDC - unsuccessful
5 Forcibly remove TempDC from AD ->
http://support.microsoft.com/?id=216498
6 Disconnect TempDC from the network
7 Fix DNS problems on DC1

Now other domains are still looking for TempDC, not DC1. I cannot see
DC1 to make an AD Replication Connector using AD Sites and Services.

Details -

When looking at AD Sites and Services\ Sites\ SiteX\ Servers\ from
DomainZ, I see TempDC and not DC1.

In AD Domains and Trusts, DomainX appears, but its properties are
unavailable. Using AD Domains and Trusts to view domainZ and look at
Properties\ Trusts tab I don't see DomainX listed either trusted or
trusting. But, I can browse the sysvol share from domainZ and sysvol
on domainZ from domainX. This implies transitive trust is actually
there.

From DomainZ I try to connect to AD Users and Computers for DomainX,
the domain cannot be contacted. My forest root DC is generating
Directory Service events every 15 min trying to replicate with TempDC.

Forest root DNS sees DC1 under _msdcs folder and other appropriate
locations. DNSLint run on forest root DC reports no mention of DC1,
but shows all 3 forest root DCs missing the guid for TempDC.

From the DomainX perspective, everything appears to work and event
logs are clean. They see DC1 as holding all 3 master roles for their
domain. They can see DC1 in AD Sites and Services and have an AD
connector pointed to the nearest forest root DC. I think netdiag and
dcidag run cleanly on DC1 as well.

Any ideas on how to get the other domains in the forest to see DC1?
 
Use the metadata cleanup process to remove TempDC from Active Directory.
http://support.microsoft.com/?id=216498

I would also advise setting up DNS on DC1 and testing before running
dcpromo. As a general rule, don't let dcpromo do the configuration for you
as you have to be sure this is all working in advance.
 
Simon,
Thanks for replying. I have a couple questions regarding your advice.

1. Where would I use the metadata cleanup process? On the forest root
domain? On all domains in the forest?
2. DNS is now running on DC1. It is setup properly now (was not
during dcpromo). I want to keep DC1 as a DC for DomainX. Am I
supposed to run dcpromo on this server again?

I would like to get the other domains to recognize DC1 as a DC for
DomainX. How do I do this?

Also, I forgot to mention DC1 is a GC. There are GC records for it in
DNS on the forest root DCs.

Thanks,
Brian
 
Run the metadata cleanup process against any other domain controller.

I think DC1 is now just a member server or standalone server, yes? If so,
you can now run dcpromo on it again to promote it to a DC. Part of the
dcpromo process will involve DC1 registering its SRV records in DNS and this
is how other clients will be able to tell that it is now a DC for DomainX.
As you have run the forceremoval dcpromo option on DC1 it will not be a GC
even if the records have not been removed from DNS. As you will be promoting
it to a DC anyway these records will probably not cause any problems as they
would be recreated as part of the promotion process anyway.
 
Simon,
Thanks again for replying.
I would like to clarify what we are seeing from the forest root level.

DC1 is a DC for DomainX, it was never removed.

The admins for DomainX forcibly removed TempDC. This was performed
using DC1.

At the time TempDC was forcibly removed, DNS was not configured
correctly on DC1 or TempDC. This is why dcpromo wouldn't gracefully
remove AD from TempDC.

I helped the DomainX admins fix their DNS problems on DC1 the next
day. The SRV records for DC1 then appeared in the forest root domain
DNS servers. Somehow the other domains in the forest are still are
looking for TempDC, not DC1.

Thanks again for your help,
Brian
 
OK, in that case you should run the metadata cleanup against DC1 to remove
references to TempDC.

Brian said:
Simon,
Thanks again for replying.
I would like to clarify what we are seeing from the forest root level.

DC1 is a DC for DomainX, it was never removed.

The admins for DomainX forcibly removed TempDC. This was performed
using DC1.

At the time TempDC was forcibly removed, DNS was not configured
correctly on DC1 or TempDC. This is why dcpromo wouldn't gracefully
remove AD from TempDC.

I helped the DomainX admins fix their DNS problems on DC1 the next
day. The SRV records for DC1 then appeared in the forest root domain
DNS servers. Somehow the other domains in the forest are still are
looking for TempDC, not DC1.

Thanks again for your help,
Brian

"Simon Geary" <[email protected]> wrote in message
Click to expand...
DC1?
 
Metadata cleanup was run on DC1 last week. Do you think we need to
run cleanup on this server again? Also, we ran metadata cleanup on
our root domain controller to remove the references our other servers
had to TempDC. I got an admin logon for DomainX today, so I should be
able to troubleshoot more tomorrow.
 
Some additional information:
I have logged into DC1 for domainX. Netdiag does run cleanly. Dcdiag
does not run cleanly. Most of the Dcdiag tests fail. I can post more
specific results tomorrow.

I am wondering if creating an additional dc for this domain would
work. Then I could dcpromo DC1 down, run metadata cleanup, and
dcpromo DC1 back up. Or am I better off to fall back to an NT4 bdc
and start over with AD. DC1 is running some other aps and I would
prefer not to have to do a complete reinstall on it.
 
Back
Top