I am new to AD and this forum/newsgroup. Please forgive any lack of etiquette
and advise.
I have a 2k8 Domain of a flat network with 2 DC boxes, NTRN06-DC1-2K8E is a
(RW) DC, NTRN07-DC2-2K8E (RO). I call them DC1 and DC2. DC1 suffered
unrecoverable failures and I am now running solely on DC2. I have rebuilt
another server and reloaded 2k8e, same NetBIOS name and IP address. When I try
to re-join the Domain, AD reports "account already exists".
I need to rejoin this box to the domain and get it repromoted to be a (RW)
domain controller.
I have found some docs on TechNet but they only refer to 2k3, not 2k8. I
know there are significant differences.
I have thought of deleting the account from the existing AD, re-joining the
domain, (which should work I think) then re-promoting the box to Domain
controller status.
I have found some docs that refer to "resetting the account in AD2003"; will
that work in 2k8? And some that refer to CLI utilities, Netdom and such, also
in 2k3 AD.
If I reset the machine account in Active Directory, will I then be able to
join the domain and do what I intend?
Can anyone give me the correct procedure to re-activate the (RW) domain
controller after a catastrophic failure?
Thanks in advance for any assistance.
--
Jim A.
If one DC has crashed in a domain and NEVER comes back from backup, it must
be removed from the AD database correctly to prevent replication error messages
and also, as you see, to use the name again in the domain.
Additionally, it must be removed from the DNS zones and, if it was a DNS server, also
from the DNS server list in the DNS management console. If you no longer have
a DNS server because the crashed one was the only one, immediately install
the DNS server role on the second DC and rebuild the DNS zones for the domain on
it.
If the crashed DC was also the holder of the 5 FSMO roles, they must be seized
on the other DC, and the other DC should become Global Catalog if not already
done. This article also applies to 2008:
http://support.microsoft.com/kb/255504
With 2008 it is really easy to remove the crashed DC: just right-click the
DC name in AD UC domain controllers OU and choose delete, then accept all
upcoming questions about "are you sure". Now the DC will be removed from
the AD database completely. This option is new with the 2008 OS version.
AD Sites and Services must also be checked to confirm that the DC name is removed
from the site list.
If all the steps above are done, you can install a new 2008 member server
and promote it to DC again.
Some steps:
- On the old server, open the DNS management console and check that you are running
Active Directory integrated zones (easier for replication, if you have more
than one DNS server)
- Install the new machine as a member server in your existing domain
- Configure a fixed IP and set the preferred DNS server to the old DNS server
only. Think about disabling IPv6 if you are not using it; some known problems
exist with it. Follow (http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx)
to disable it
- Run dcpromo and follow the wizard to add the 2008 server to an existing
domain; also make it Global Catalog and DNS server.
- For DNS, give the server time for replication, at least 15 minutes. Because
you use Active Directory integrated zones, it will automatically replicate
the zones to the new server. Open the DNS management console to check that they
appear
- If the new machine is domain controller and DNS server, run replmon and
dcdiag again on both domain controllers. For using netdiag.exe on 2008, NOT 2008
R2, you have to download and install (http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en),
ignore the compatibility warning, or extract netdiag.exe only and copy it
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Thank you for your assistance,
I have reviewed your post and the corresponding utilities you suggested
(ntdsutil.exe on my BDC box); it is the Global Catalog holder already (GC).
I am concerned about seizing the roles. The Microsoft document you sent
http://support.microsoft.com/kb/255504
refers to "Not" putting both the (GC) roles and the Infrastructure role
on the same box. Can you please elaborate before I attempt this? Is it
necessary to keep them separate, and if so, how do I keep the GC on a different
DC if I only have one DC..?
Is there a "simpler or safer" way for a novice to approach this problem
using the wizard......
Again, thank you for your assistance, It is deeply appreciated
Jim
--
Jim A.
In a single forest domain like domain.com without child domains like child.domain.com
this doesn't apply. In a single forest domain make all DCs Global catalog
server. The IM has nothing to do in a single forest domain, because there
are no phantoms.
See also:
http://support.microsoft.com/kb/223346/en-us
Best regards
Meinolf Weber
If the crashed DC was the FSMO roles holder (check with "netdom query fsmo"
in a command prompt on the existing DC), they must be seized and there is no
other way to do it.
Best regards
Meinolf Weber
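A check for the "netdom query fsmo" step in the reply above, as an added example that is not part of the original thread: it parses the command's output and lists any of the five roles still recorded on the failed DC, which is what has to be empty before the old name is reused. It assumes PowerShell 2.0 or later and the usual two-column netdom layout; the domain example.test and the names DC1/DC2 are hypothetical.

```powershell
# Added example. The domain example.test and the names DC1/DC2 are hypothetical.
function Get-FsmoHolders {
    param([string[]]$NetdomOutput)
    # Assumed layout of "netdom query fsmo": one "<role>   <holder FQDN>" line
    # per role (columns separated by 2+ spaces), followed by a status line.
    $roles = @()
    foreach ($line in $NetdomOutput) {
        if ($line -match '^\s*(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            $roles += New-Object PSObject -Property @{
                Role   = $Matches['role']
                Holder = $Matches['holder']
            }
        }
    }
    return $roles
}

function Get-RolesOnFailedDc {
    param([string[]]$NetdomOutput, [string]$FailedDc)
    $roles = @(Get-FsmoHolders -NetdomOutput $NetdomOutput)
    # Refuse to report "clean" on output that did not parse as five roles.
    if ($roles.Count -ne 5) {
        throw "Expected 5 FSMO roles, parsed $($roles.Count)"
    }
    # Compare the host label only, so a NetBIOS name matches an FQDN holder.
    return @($roles | Where-Object { ($_.Holder -split '\.')[0] -ieq $FailedDc })
}

# Constructed sample: four roles seized to DC2, one still recorded on DC1.
# On a live DC replace this with:  $out = netdom query fsmo
$out = @(
    'Schema master               DC2.example.test',
    'Domain naming master        DC2.example.test',
    'PDC                         DC2.example.test',
    'RID pool manager            DC1.example.test',
    'Infrastructure master       DC2.example.test',
    'The command completed successfully.'
)
$stale = @(Get-RolesOnFailedDc -NetdomOutput $out -FailedDc 'DC1')
if ($stale.Count -gt 0) {
    $stale | ForEach-Object { "Still on failed DC: $($_.Role) -> $($_.Holder)" }
} else {
    'All five roles are held by a surviving DC.'
}
```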
Here I GO...
Seize the roles....from the crashed DC to the running one
Delete the crashed DC from AD...
Join the new DC to AD
Promote the new DC to Domain Controller...
Then, if I want all to be as it was, **(Transfer not seize) the roles from
the existing DC back to the new DC..
Correct...?
--
Jim A.
If the running one is a DNS server you can go that way, otherwise you have to build
DNS first.
Best regards
Meinolf Weber
DNS was in fact set up on my BDC box.
I have seized all FSMO roles and confirmed that they are now on the
remaining DC NTRN07-BDC-2k8E.
I have deleted the old (dead) DC NTRN06-PDC-2K8E from the Active Directory
successfully.
I have re-joined the domain as the same NetBIOS name with the new server
NTRN06-PDC-2K8E.
That's going to be it for today. I will not be able to continue until
Thursday night (other commitments, sorry).
I will advise you upon completion.
Thank you again for your assistance..
There is another issue you may be able to help me with if you don't mind.
This is my first Routed Network with subnets. Ip Scheme is 172.16.X.X/24.
I am setting all my central servers in the IT Lab at 172.16.20.X/24
Subnets/Vlan's are
172.16.30.X/24
172.16.40.X/24
172.16.50.X/24
I want all the clients on the subnets to be able to see the servers in their
respective Network Neighborhood.
It is not necessary that clients on one VLAN can see clients on another,
BUT all clients must be able to see the central servers.
I have been advised to set up a WINS server by some experts and to stay away
from WINS by others. I have also seen the "subnets" option in AD 2K8.
Is there another way in AD to set up the subnets so they can "see" the servers
on the primary VLAN?
Regards
Jim
--
Jim A.
Can you please recommend a "Primer" beginner text on AD that would help me
to learn more,
Regards
Jim
--
Jim A.
It is not only AD; there are relationships with DNS, a really important part
for AD to function correctly. Group policies and a lot of other settings come
into play when talking about AD.
See here for some:
http://www.microsoft.com/learning/en/us/book.aspx?ID=11754&locale=en-us
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-640&locale=en-us
AD step by step, just so that you see what is additionally available, and there
is still more:
http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc771290(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc755258(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794908(WS.10).aspx
Best regards
Meinolf Weber
Success...! My new domain controller is back online, has joined the old
domain and been promoted to Domain Controller, and appears to be replicating
properly with the original one.
I have left the FSMO roles on the one that I seized with (NTRN07-BDC-2K8E)
for the time being (I want to make sure all is well before I transfer these
roles back to the 1st domain controller).
Thank you for all your assistance,
I have ordered the AD Primer you recommended; I'm sure it will take me a
while to get through that.
My Last existing problem, is "Browsing the entire network with Network
Neighborhood"...
all (9) 2k8 servers on Vlan20 172.16.20.0/24
all (45) Engineering Clients W7x64 on Vlan30 172.16.30.0/24
all (31) General Clients W7x86,XPPx32 on Vlan40 172.16.40.0/24
all (63) Mgmt Clients W7x86 on Vlan50 172.16.50.0/24
Routing is being done by a Procurve 2848G Managed Switch
All Clients can Ping each other
All Clients on each separate Vlan can "Browse" each other
All Clients on All Vlans can "Join the Domain"
No Client on Any Vlan can Browse across to another Vlan...or Browse the
servers
I have DNS running and Wins on the Domain Controller we just installed.
(NTRN06-PDC-2K8E)
I notice in AD Sites and Services there is an icon for "Subnets". Do I need
to configure the subnets here? I see when you "add a subnet" the IP is
required in prefix notation...(ex. 172.16.30.0/24)
Then, you need to "select a site object for this prefix.."
It is here I am lost...
Do I need to create a new site for each subnet, or do I join all subnets
to the Default-first-site-Name...?
Can you assist me with that, or can you recommend another "Forum" that
would be more appropriate?
--
Jim A.
Nice to hear that you got it. Network browsing requires that WINS is configured
for all machines and that all are also registered in WINS.
With multiple subnets you must configure AD Sites and Services for the sites
with their subnets and also move the correct DC to the site.
See:
http://technet.microsoft.com/en-us/library/cc755768(WS.10).aspx
Best regards
Meinolf Weber
I am sorry to again ask your advice. I am reading the AD Primers you
recommended; however, as you showed me, there is a lot to learn. I am afraid I
need to ask another question as I need to get this system completed and by
the time I become proficient, well, you understand..
Okay,
If you recall, this network has 2 domain controllers. You assisted me in
replacing the failed, FIRST, domain controller; it is now running and
functional. However, the second domain controller still holds all 5 roles. I
am having trouble finding documentation on which of the two domain
controllers should hold which roles for "Optimum configuration / performance"
and if there is any difference,... I am thinking of just putting the 5 roles
back onto the replaced domain controller.. as they were after initial
installation of both into the roles.
I was wondering if you could give me the benefit of your experience again:
where would you place the 5 roles..? And why?
Happy Thanksgiving
Regards
Jim
--
Jim A.