Archived from groups: microsoft.public.win2000.active_directory (
More info?)
Glad to hear that it was resolved!
--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Joao Paulo" <jrpetrasso@hotmail.com> wrote in message
news:uZTauDdUFHA.2172@tk2msftngp13.phx.gbl...
> Guys,
>
> Surprinsingly DC2 is back online again and the only step taken was
> restoring
> System State from a previous backup (3 or 4 days old). It was just a
> matter
> of waiting for the replication to finish BUT the massive logon problem
> that
> I had in parallel to that was enough to worry and take the box offline
> again. Then I decided to turn it on after hours and see what happened.
> Everything run just fine, I added new accounts and computers and saw them
> being replicated as usual.
>
> Because I forced the PDC and Infrastructure master to be transfered to
> DC1,
> when I put DC2 back it "thought" it had those FMSO roles and that's why
> both
> of them were showing as PDC and Infra (very concerning at that stage).
> Perhaps the issue of people not being able to logon was simply because DC2
> was receiving the updates and for some reason DC1 wasn't able to provide
> logon access (?). Then I restarted DC1 and everyone could logon again.
>
> We have 3 domains (will consolidate in the future, hopefully): 1, 2, and
> 3.
> GC is located in domain 1. DC1 and DC2 in domain 3. Domain 2 is for staff.
>
> Indeed, the tips provided by you will be very useful when we consolidate
> the
> domains (in case we have issues demoting DCs).
>
> I do appreciate your help on this.
>
> Thank you
> Joao Paulo
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:erI1p9YUFHA.1508@tk2msftngp13.phx.gbl...
>> Probably not a bad idea!
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>>
http://www.activedirectory-win2000.com
>>
http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
>> news:efkf1TXUFHA.752@TK2MSFTNGP10.phx.gbl...
>> > This is the reason I suggested PSS. Unless you are familiar with
> metadata
>> > cleanup, I still recommend that you get some assistance before you
> proceed
>> > further. At this point, you are still in a recoverable shape. This
>> > (http://www.readymaids.com/Portals/1/Docs/xferfsmos.htm) can help you a
>> > little, although it doesn't go into the other post-cleanup tasks you
> will
>> > have to do (ADSIEdit cleanup, DNS cleanup, etc)
>> >
>> > --
>> >
>> > Sincerely,
>> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>> > Microsoft MVP - Directory Services
>> > www.readymaids.com - we know IT
>> > www.akomolafe.com
>> > Do you now realize that Today is the Tomorrow you were worried about
>> > Yesterday? -anon
>> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> > news:%23tqTgJXUFHA.1404@TK2MSFTNGP09.phx.gbl...
>> >> Joao,
>> >>
>> >> I would concentrate on cleaning up Active Directory first and
>> >> foremost.
>> >> You
>> >> have one Domain Controller that is fine ( DC1 ) and one that is
>> >> causing
>> >> you
>> >> problems ( DC2 ).
>> >>
>> >> I would make crystal clear what DC holds what FSMO Roles. There seems
> to
>> >> be
>> >> a problem with the RID Master and the Infrastructure Master. Fix
>> >> this.
>> >> If
>> >> you have to seize it from DC2 to DC1 using ntdsutil then do this.
>> >> However,
>> >> once you do this then DC2 can not go back on the network.
>> >>
>> >> Typically if you run dcpromo on a Domain Controller that holds any of
> the
>> >> FSMO Roles during the dcpromo process those specific roles will be
>> >> transferred to another Domain Controller. I would bet that this will
> not
>> >> work in this case. You are probably stuck with using ntdsutil to
>> >> seize
>> >> them.
>> >>
>> >> Maybe someone else has another idea?
>> >>
>> >> Once you do this I would simply do a Metadata Cleanup. Get rid of all
>> >> references to any Domain Controller that is not actually there. I do
> not
>> >> remember if I provided a link to the MSKB Article on how to use
> ntdsutil
>> >> to
>> >> do this. It is readily available.
>> >>
>> >> I would then completely wipe out 'DC2' and start over. I would not
>> >> simply
>> >> dcpromo ( to demote it ) and then dcpromo it again ( to promote it ).
> I
>> >> would wipe everything and start new. You can follow your internal
>> >> procedures at this point. It seems that your concern about not having
>> >> two
>> >> Domain Controllers ( which is a very very good concern to have ) is
> still
>> >> a
>> >> concern. Unless I have read something incorrectly or missed something
>> >> you
>> >> currently have only one Domain Controller.
>> >>
>> >> Make sure to install DNS on the 'new' Domain Controller and make sure
>> >> that
>> >> it is DDNS ( assuming that you are running DDNS ). I would also
>> >> *typically*
>> >> suggest that you make this DC a Global Catalog Server. But, since you
>> >> stated that you have three domains there is a potential problem. The
> DC
>> >> that holds the FSMO Role of Infrastructure Master ( right now a
>> >> problem..... ) should not be a Global Catalog Server -UNLESS- all
> Domain
>> >> Controllers are Global Catalog Servers. I would think that not all of
>> >> your
>> >> Domain Controllers are Global Catalog Servers.....based on your other
>> >> post
>> >> about not being able to log on. Which Domain Controllers are Global
>> >> Catalog
>> >> Servers?
>> >>
>> >> --
>> >> Cary W. Shultz
>> >> Roanoke, VA 24012
>> >> Microsoft Active Directory MVP
>> >>
>> >>
http://www.activedirectory-win2000.com
>> >>
http://www.grouppolicy-win2000.com
>> >>
>> >>
>> >>
>> >> "Joao Paulo" <jrpetrasso@hotmail.com> wrote in message
>> >> news:%231orqaTUFHA.3312@TK2MSFTNGP09.phx.gbl...
>> >>> Cary,
>> >>> If I run dcpromo on DC2 to demote it and then run again to promote it
>> >>> what
>> >>> are the possible issues once this is the RID and Infrastructure
> master?
>> >>> I
>> >>> can't transfer the roles because it is out of the network now. Even
>> >>> if
> I
>> >>> connect it I can't transfer because it says "the current DC is the
>> >>> operations master. To transfer the OM role to another computer, you
> must
>> >>> first connect to it". But this message appears from either DC1 or
>> >>> DC2.
>> >>> So
>> >>> I
>> >>> can't transfer anything from any DC.
>> >>>
>> >>> Any suggestions?
>> >>>
>> >>> Thank you
>> >>> Joao Paulo
>> >>>
>> >>>
>> >>> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> >>> news:%23yzzAXRUFHA.3544@TK2MSFTNGP12.phx.gbl...
>> >>>> Joao,
>> >>>>
>> >>>> I might have simply installed WIN2000, ran dcpromo on it and let it
>> >>> receive
>> >>>> everything from the existing WIN2000 Domain Controller. This would
>> >>>> have
>> >>>> been the wiser choice. But hindsight is 20/20! ;-)
>> >>>>
>> >>>> Are you stating that the 'new' DC did not replicate with the
>> >>>> existing
>> >>> Domain
>> >>>> Controller? Did you give it a minute ( or 15 )? What did you see
>> >>>> to
>> >>>> give
>> >>>> you the impression that you needed to go into Active Directory
> Restore
>> >>> Mode?
>> >>>>
>> >>>> If the crashed DC was not properly removed from Active Directory
>> >>>> then
>> >>>> you
>> >>>> would have needed to do a Metadata Cleanup. Did you do this? I am
>> >>> assuming
>> >>>> not!
>> >>>>
>> >>>> And using the same name as the crashed DC will give you problems -
>> >>> usually.
>> >>>> But I think that you are seeing this right now.
>> >>>>
>> >>>> I might run dcpromo on the 'new' Domain Controller ( if that works -
> if
>> >>> not
>> >>>> try the /forceremoval switch ) and then do a metadata cleanup. Make
>> >>>> sure
>> >>>> that 'DC02' is completely gone. You will need to make sure that
> there
>> >>>> are
>> >>>> no references to 'DC02' in DNS and use ADSIEdit to get rid of all
>> >>>> references. You might also have to go into Active Directory Sites
> and
>> >>>> Services and make sure that the object is no longer there.
>> >>>>
>> >>>> --
>> >>>> Cary W. Shultz
>> >>>> Roanoke, VA 24012
>> >>>> Microsoft Active Directory MVP
>> >>>>
>> >>>>
http://www.activedirectory-win2000.com
>> >>>>
http://www.grouppolicy-win2000.com
>> >>>>
>> >>>>
>> >>>>
>> >>>> "Joao Paulo" <jrpetrasso@hotmail.com> wrote in message
>> >>>> news:uW08XnQUFHA.1944@TK2MSFTNGP14.phx.gbl...
>> >>>> > Hello all,
>> >>>> >
>> >>>> > I have 2 Windows 2000 DCs and the disk of one of them crashed. My
>> >>>> > backup
>> >>>> > is
>> >>>> > 4 days old. I swaped the disk and installed a fresh copy of
>> >>>> > Windows
>> >>>> > 2000
>> >>> +
>> >>>> > Backup Exec Remote agent + renamed the server with the same name
>> >>>> > as
>> >>>> > before.
>> >>>> > I then restarted in Active Directory Restore Mode and run the
> System
>> >>> State
>> >>>> > and C:\ restore.
>> >>>> >
>> >>>> > After the restore I could not logon using my domain adminsitrator
>> >>> account
>> >>>> > nor could I synchronize the running server with it.
>> >>>> >
>> >>>> > Is there another tricky way to restore Windows 2000? Wasn't it
>> >>>> > supposed
>> >>> to
>> >>>> > receive the updates from the running server after the restore?
>> >>>> >
>> >>>> > Hope somebody have a clue.
>> >>>> >
>> >>>> > Thank you
>> >>>> > John
>> >>>> >
>> >>>> >
>> >>>> >
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
>
Facebook
Twitter
Instagram