DCPromo cleanup?

Archived from groups: microsoft.public.win2000.active_directory

Hi,

when you demote a DC and you want to promote it again (because of
errors) do you have to do any cleanup activities when you demote it
before you promote it again?
The errors are relating to replication and should be cleaned up again
once the server is promoted (looks like the server has got out of
sync). Just wondered if you have to wait a while before you promote it
again or whether you can just promote it straight after you have
demoted it...?
Thx.
  1. Thanks.

    A useful document, although a little scary doing that kind of stuff
    when the entire company is hanging off Active Directory. "Hang on
    everybody while I restore Active Directory!"

    I guess I'm looking at 90 minutes then until we should try promoting that
    server again, eh?
  2. Hi

    If you did not have any problems demoting the DC and waited for all your DCs
    to be fully replicated afterwards, you should not have any problems
    promoting the server again (under normal circumstances).

    If you did have problems while demoting, you will find remains and traces in
    AD, that are likely to interfere with successive promotions (of the same
    server/DC), and generally show up as replication errors, so AD should be
    "cleaned" beforehand for any AD (configurations and domain objects)
    references as well as DNS registrations.

    The cleanup process is very well described in the following MS KB article:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

    Please read and follow every step within this article very carefully, as any
    mishaps can damage or destroy your AD. I recommend making backups of your AD
    beforehand.

    regards

    Søren Lassen
    MSCE

    <erectmember@gmail.com> wrote in message
    news:1102939621.511036.203510@z14g2000cwz.googlegroups.com...
    > Hi,
    >
    > when you demote a DC and you want to promote it again (because of
    > errors) do you have to do any cleanup activities when you demote it
    > before you promote it again?
    > The errors are relating to replication and should be cleaned up again
    > once the server is promoted (looks like the server has got out of
    > sync). Just wondered if you have to wait a while before you promote it
    > again or whether you can just promote it straight after you have
    > demoted it...?
    > Thx.
    >
  3. If it is possible, it is recommended to build another new DC with a
    different name in the same AD site. That way, a functional DC would still be
    accessible should potential problems arise.

    In any case, allow replication to fully complete before and after dcpromo.
    Look for hints in the Event Viewer. Some things to check for include DC
    shares, FRS errors, DNS, Global Catalog, etc.

    Hope this helps.

    rgds,

    "erectmember@gmail.com" wrote:

    > Hi,
    >
    > when you demote a DC and you want to promote it again (because of
    > errors) do you have to do any cleanup activities when you demote it
    > before you promote it again?
    > The errors are relating to replication and should be cleaned up again
    > once the server is promoted (looks like the server has got out of
    > sync). Just wondered if you have to wait a while before you promote it
    > again or whether you can just promote it straight after you have
    > demoted it...?
    > Thx.
    >
    >
  4. Well, as a consultant I often get the dirty job of cleaning up or repairing
    ADs and I actually never had any problems with deleting remains after
    defunct DCs, so it might seem a bit more scary than it actually is. Try
    doing it in non-production hours, and be patient for replicating the
    deletions before re-promoting anything.

    Regards

    Søren Lassen

    <erectmember@gmail.com> wrote in message
    news:1102948746.101926.232800@c13g2000cwb.googlegroups.com...
    > Thanks.
    >
    > A useful document, although a little scary doing that kind of stuff
    > when the entire company is hanging off Active Directory. "Hang on
    > everybody while I restore Active Directory!"
    >
    > I guess I'm looking at 90 minutes then until we should try promoting that
    > server again, eh?
    >
  5. Lucky you! :0)

    Yes I think that out of hours is the way to go. So you have to wait the
    default 90min for full replication throughout the forest to take place
    then?

    Just out of interest, how do problems generally manifest themselves
    when you're called in to do an AD cleanup? I realise that that's a
    fairly open ended question but what sort of things are you generally
    looking for?

    Thx.
  6. You can force replication with ADSS / Servers / Servername / NTDS Settings
    or via the "repadmin /replicate /force" without waiting for the full 90
    minutes to elapse.


    "erectmember@gmail.com" wrote:

    > Lucky you! :0)
    >
    > Yes I think that out of hours is the way to go. So you have to wait the
    > default 90min for full replication throughout the forest to take place
    > then?
    >
    > Just out of interest, how do problems generally manifest themselves
    > when you're called in to do an AD cleanup? I realise that that's a
    > fairly open ended question but what sort of things are you generally
    > looking for?
    >
    > Thx.
    >
    >
  7. Well, luck might not be the fitting term :-)

    Anyway - the default 90 min. for full forest replication depends on your site
    link layout, as you can easily reduce the time between replications, but
    this might increase the bandwidth occupied by replication traffic.
    If you can give me some figures on your current environment, I might be
    able to make some assumptions on how to optimize the replication scenario, i.e.:
    - Number of sites
    - Number of DCs per site
    - Number of users per site
    - Number of computers per site
    - Bandwidth between sites.

    In general most problems can be put into 3 categories:

    1. Problems caused by misconfiguration and neglect of recurring failure
    events that gradually become more severe, or not taking enough care when
    performing structural changes to AD infrastructure. Misconfiguration can
    also mean "optimization" by deleting what is assumed to be unused objects,
    but later cause severe damage to AD.

    2. Problems caused by DNS problems, primarily in regard to category 1.

    3. Problems occurring in other server apps interfacing AD, that also are
    caused by these server apps.

    Generally AD seems very solid, the vast majority of my customers do not
    encounter any severe problems.

    The manifestations of these problems are often kinda like:

    - AD replication failing, often due to underlying DNS problems, that block
    for desired site configuration.

    - Problems when adding DCs

    - DCs do not start

    - FSMO role failure

    - SYSVOL replication (FRS) fails

    - AD generally behaves strangely, as some system objects are missing, mostly
    due to the aforementioned "optimizations".

    Regards

    Søren Lassen


    <erectmember@gmail.com> wrote in message
    news:1103104090.771490.186370@z14g2000cwz.googlegroups.com...
    > Lucky you! :0)
    >
    > Yes I think that out of hours is the way to go. So you have to wait the
    > default 90min for full replication throughout the forest to take place
    > then?
    >
    > Just out of interest, how do problems generally manifest themselves
    > when you're called in to do an AD cleanup? I realise that that's a
    > fairly open ended question but what sort of things are you generally
    > looking for?
    >
    > Thx.
    >
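Added example, not part of any post in this thread: the replies advise letting replication complete and the removal of the old DC replicate out before re-promoting, and this sketch turns that into a check over the output of `repadmin /showrepl * /csv`. It assumes a repadmin version that supports `/csv` with the column layout shown; the server names, naming contexts and sample rows are constructed, and `promotion_blockers` is a hypothetical helper name.

```python
import csv
import io

# Constructed sample in the layout of `repadmin /showrepl * /csv` (assumed available;
# DC names, sites and naming contexts are made up for illustration).
SAMPLE = '''showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=local",HQ,DC2,RPC,0,0,2004-12-13 14:02:11,0
showrepl_INFO,HQ,DC2,"DC=example,DC=local",HQ,DC1,RPC,0,0,2004-12-13 14:01:47,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=example,DC=local",Branch,DC3,RPC,4,2004-12-13 13:55:02,2004-12-12 09:10:30,1722
'''


def promotion_blockers(csv_text, demoted_dc):
    """Return reasons why re-promoting demoted_dc should wait (empty list = clear)."""
    blockers = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row.get("Source DSA") or ""
        dst = row.get("Destination DSA") or ""
        nc = row.get("Naming Context") or ""
        # A partner that still lists the demoted server has not yet received
        # (or applied) the removal of its replication links.
        if demoted_dc.lower() in (src.lower(), dst.lower()):
            blockers.append(f"{dst} still has a link with {src} for {nc}")
        # A non-zero failure count or status means this link has not converged.
        failures = int(row.get("Number of Failures") or 0)
        status = (row.get("Last Failure Status") or "").strip()
        if failures > 0 or status not in ("", "0"):
            blockers.append(
                f"{src} -> {dst} failing for {nc}: {failures} failures, status {status}"
            )
    return blockers


if __name__ == "__main__":
    for line in promotion_blockers(SAMPLE, "DC3") or ["no blockers found"]:
        print(line)
```

An empty result only covers what the replication summary shows; the metadata, DNS and FRS checks mentioned in the replies still apply.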