Operations master.

Dom

Here is a problem you have probably heard before. I have
installed AD on my network. Had to take down the
original Domain controller. Unfortunately I did not
transfer all the roles before formatting that box to
another DC on the network. Now I have an AD domain that is
limping. I have tried going over numerous KB docs but some
of them seem to be written by people in "know how" because
they seem to be missing important details.
Anyhow. My current situation is as follows. A domain with
one DC but it doesn't have Operations master. Is there any
way I can restore Operations master (I have no backup) or
I might be better off wiping out the domain and starting
from scratch.
TIA
 
Dom,

No need to wipe anything out just yet! And I will mention
this before I address your question at hand: did you also
set up the "surviving" DC to be a Global Catalog Server?
As a DNS Server? Possibly as a DHCP Server? Would
guess 'yes' to the last two but maybe a 'no' to the first
one...

Also, another question: before you formatted the "gone"
DC did you DCPROMO it down to a Member Server or did you
simply format it? By "take down" I *understand* that you
did run DCPROMO, but it is very important to know if you
did or did not run DCPROMO first.

So, to your question: Install the Support Tools on all of
your WIN2000 Servers ( Domain Controller, Member Server,
whatever! ). The Support Tools are located in two
different places: on the WIN2000 Server CD in the Support
| Tools folder or on the WIN2000 Service Pack CD in the
Support | Tools folder.

You need to make use of a wonderful utility called
NTDSUtil. However, please be advised that it is rather
powerful! You would need to SEIZE any / all of the
missing five FSMO Roles that your "surviving" DC might not
hold. Please note that there are two choices: SEIZE -
what you need to do in this case - or transfer.

However, before you do this if you answered "NO" to my
second question ( about running DCPROMO before
formatting ) then you would need to do a metadata
cleanup. This is also done with a combination of NTDSUtil
and ADSIEdit ( also from the Support Tools ).

Do you need any links? or will you simply search the MSKB
for 'NTDSUtil' yourself? I am not at the computer where I
have the links saved in my My Favorites folder....

HTH,

Cary
 
Cary,
Thanks for your response. To answer your questions. When I
said take it down I did not use dcpromo. I just turned it
off. Made sure I could add users to the domain on the
second server and then wiped out the first server and
proceeded to reinstall w2k on it. (eventually this will be
the main DC for the domain again). As far as DNS is
concerned I have DNS running on the remaining DC, DHCP
services are provided by other party on the network which
I have no control over. Lastly I did not make
the "surviving" DC to be a Global catalog server.
As far as the Support Tools I have them installed and
I even tried to follow one of the KB articles on changing
the values (for fsoisMaster i think) but ran into an error.
Something to the effect. Value cannot be read.
So this forum is my last resource for getting out of those
problems.
As an aside I remember good old days where NT 4 Domain
could be "moved" from computer to computer by checking an
option to update BDC to PDC. Not that easy this time. (For
a newbie :) )

Thanks again .
 
some more detailed info.

One thing to mention is that the restored server name is
cic which seems to be adding to confusion since the old
deleted DC was also called cic.

I have run dcdiag and here is the meat of it (IMHO):



Starting test: KnowsOfRoleHolders
Warning: CCI2 could not resolve the name for role Schema Owner.
The name error was Not Found.
Role Domain Owner = CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca
Warning: CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca is the Domain Owner, but is deleted.
Role PDC Owner = CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca
Warning: CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca is the PDC Owner, but is deleted.
Role Rid Owner = CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca
Warning: CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca is the Rid Owner, but is deleted.
Role Infrastructure Update Owner = CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca
Warning: CN="NTDS Settings
DEL:11dcaafe-222c-495f-b310-963c215404e6",CN=CIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cic,DC=cci,DC=xxxxxx,DC=ca is the Infrastructure Update Owner, but is deleted.
......................... CCI2 failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2100 to 1073741823
Warning: FSMO Role Owner is deleted.
* cic.cic.cci.xxxxxx.ca is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1600 to 2099
* rIDNextRID: 1605
* rIDPreviousAllocationPool is 1600 to 2099
......................... CCI2 passed test RidManager
...
--**
...
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Time Server Name: \\cci2.cic.cci.xxxxxx.ca
Locator Flags: 0xe00001f8
Preferred Time Server Name: \\cci2.cic.cci.canon.ca
Locator Flags: 0xe00001f8
KDC Name: \\cci2.cic.cci.xxxxxx.ca
Locator Flags: 0xe00001f8
......................... cic.cci.xxxxxx.ca failed test FsmoCheck
--**
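
An added example, not part of the original posts: a Python check that reads dcdiag KnowsOfRoleHolders output like that quoted above (tolerating mail-style hard wrapping), reports which role holders are deleted or unresolved, and lists the matching seize command from ntdsutil's roles menu for the seizure discussed earlier in the thread. The sample output is constructed (placeholder GUID, servers DC01/DC02, domain example.com) and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the dcdiag output in the thread
# (placeholder GUID, server names and domain; mail-style hard wrapping).
SAMPLE = """\
Starting test: KnowsOfRoleHolders
Warning: DC02 could not resolve the name for role
Schema Owner.
Role Domain Owner = CN="NTDS Settings
DEL:00000000-0000-0000-0000-
000000000000",CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=example,DC=c
om
Role PDC Owner = CN=NTDS Settings,CN=DC02,CN=Servers,
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
......................... DC02 failed test
KnowsOfRoleHolders
"""

# dcdiag role label -> seize command in ntdsutil's "roles" menu
SEIZE = {
    "Schema": "seize schema master",
    "Domain": "seize domain naming master",
    "PDC": "seize PDC",
    "Rid": "seize RID master",
    "Infrastructure Update": "seize infrastructure master",
}

def role_holders(dcdiag_text):
    """Map each role to (server, state); state: live, deleted, unresolved."""
    # Undo hard wrapping: DNs are split mid-token, so join lines with no gap.
    flat = "".join(line.strip() for line in dcdiag_text.splitlines())
    holders = {}
    for m in re.finditer(r"for role\s*([A-Za-z ]+?) Owner\.", flat):
        holders[m.group(1)] = (None, "unresolved")
    owner = r"Role ([A-Za-z ]+?) Owner = (CN=.+?)(?=Warning:|Role |\.{5}|$)"
    for role, dn in re.findall(owner, flat):
        server = re.search(r",CN=([^,]+),CN=Servers,", dn)
        # A deleted NTDS Settings object carries a DEL:<GUID> suffix in its name.
        state = "deleted" if "DEL:" in dn else "live"
        holders[role] = (server.group(1) if server else None, state)
    return holders

def roles_to_seize(dcdiag_text):
    """ntdsutil seize commands for every role without a live holder."""
    return [SEIZE[role] for role, (_, state) in role_holders(dcdiag_text).items()
            if state != "live" and role in SEIZE]
```
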
 
Dom,

Okay. I am back where the links are. Check out the
following:

http://support.microsoft.com/default.aspx?scid=kb;en-us;216498&Product=win2000

This should be the nuts and bolts to what you need to
do. First you need to connect to the existing DC ( part
of the NTDSUtil where you need to 'connect to server
DC02' ). You can not connect to a DC that you are trying
to delete! This is something that a lot of people do.

Once you have done that then you would need to use
ADSIEdit to clean things up. You can follow the
article. Please note that you can probably do with
ADSIEdit what the article suggests to do with Active
Directory Sites and Services MMC! There are usually a
few other things that you might have to manually do:
check the DNS MMC and make sure that there are no more
instances in both the FLZ and RLZ.

Then, go into AD Sites and Services and make
the 'surviving' DC a Global Catalog Server. I am going
to assume either (1) you do not use Universal Groups
and/or Exchange 2000 or (2) you do and no one has been
able to work!

This should clean things up for you. I would go ahead
and reboot the 'surviving' DC ( or DC02 in my NTDSUtil
example above ) so that the Global Catalog Server is now
registered with any MAPI Clients that you might have....

HTH,

Cary
 
Wipe it brother and get it all fixed at once... no
telling what else you did...
 
Not necessarily any need to do that at this point, unless
I am missing something!

What I have suggested will indeed work. I have done it a
few times myself. Remember, I just did the same thing in
my test lab intentionally so that I can keep abreast of
(1) the procedure and (2) the potential pitfalls ( read:
possible things left out of the MSKB Articles ).

If this is a production environment Dom would have quite
a situation on his hands...wiping and loading is a rather
drastic step to take before we exhaust all avenues...

Cary
 
Hi Cary,
I have just tried to follow the KB document you sent the link
to. I have run into difficulties at step one of the
ADSIEdit utility. It states in there I have to expand
DC=Your Domain, DC... but I can't see it there. All that is
there under Domain NC is
CN=Schema,CN=Configuration,DC=cic... This hive cannot be
expanded any further yet in the KB they talk about
expanding DC and OU objects (steps d and e)? Am I missing
something?

Dom
 
Dom,

At the risk of sounding facetious - Yes, you are missing
something! Going off of memory here so please forgive me
if I am off a tiny bit. You should essentially see under
the Domain Naming Context everything that you see when
you open up the Active Directory Users and Computers
MMC. What I mean by that is that you should see a
Computers entry, a Users entry, a Domain Controllers
entry, etc. etc. etc. Underneath each of these you
should see each computer account object or each user
account object. Specifically to your situation you would
click on the "+" next to Domain Controllers and you
should see an entry for each DC in there.

So, in a nutshell, you should see something like this:

+ Domain NC(dc02.yourdomain.com)
  + DC=yourdomain,DC=com
    + CN=Builtin
    + CN=Computers
    + OU=Domain Controllers
    + OU=Computers
+ Configuration Container(dc02.yourdomain.com)
  + CN=Configuration,DC=yourdomain,DC=com
    + CN=Display Specifiers
    + CN=Partitions
    + CN=Services
    + CN=Sites
    + CN=WellKnown Security Principals
+ Schema

Remember, this is just from memory. There will be more
entries. However, please note that nothing will be under
the Schema ( in the left pane ). There would, however,
be something like 1850 entries ( depending on your AD )
in the right pane for Schema.

The one for which you have an interest should be the top
one, the Domain. You need to get to the OU=Domain
Controllers section.

Am I understanding you correctly when you tell me that
you are not able to expand Domain NC?

On what Domain Controller are you running ADSIEdit?
Please refresh my memory: have you run netdiag and dcdiag
on all of your Domain Controllers? If not, please do
so. If you have ( oops! My bad! ) please remind me what
the results were.

Cary
 