Not quite a GC server
BiscuitEater
The primary Win 2003 DC crashed, so I promoted my alternate DC.
However, unable to get all roles transferred (seized) OK. Even though I
was logged in as the EnterpriseAdmin/SchemaAdmin, NTDSutil said that I
did not have permission to seize the schema master role.
dcdiag reports that the new DC "...has not finished promoting to be a
GC." and "...is not advertising as a global catalog." For the Schema
Owner role, it also shows the original DC, instead of the new one. Then
I ran 'dsquery server -isgc' and it said that the new DC was the GC.
This is a small subnet with no other DCs.
I seem to keep running in a circle, with no place to break in and
resolve this.
Suggestions?
--
BiscuitEater
------------------------------------------------------------------------
BiscuitEater's Profile: http://forums.techarena.in/members/219433.htm
View this thread: http://forums.techarena.in/active-directory/1336371.htm
Florian Frommherz [MVP]
Am 12.05.2010 16:17, schrieb BiscuitEater:
> The primary Win 2003 DC crashed, so I promoted my alternate DC.
> However, unable to get all roles transferred (seized) OK. Even though I
> was logged in as the EnterpriseAdmin/SchemaAdmin, NTDSutil said that I
> did not have permission to seize the schema master role.
What does netdom query fsmo say? The Schema FSMO role isn't too critical
right now if you're in the middle of troubleshooting things. I'd
concentrate on RID and PDC first of all. Are both of them on the new DC?
Is DNS working correctly (on clients as well as the DC)?
> dcdiag reports that the new DC "...has not finished promoting to be a
> GC." and "...is not advertising as a global catalog." For the Schema
> Owner role, it also shows the original DC, instead of the new one. Then
> I ran 'dsquery server -isgc' and it said that the new DC was the GC.
>
> This is a small subnet with no other DCs.
>
> I seem to keep running in a circle, with no place to break in and
> resolve this.
So the second DC was promoted when the "primary" DC still was alive,
right? Do you need a GC at the moment (is Exchange involved)?
The easiest thing to get out of the woods would be trying to bring the
crashed DC back online. You have a backup?
Are there other domains in this forest or is that just the only DC in
the only domain left? If so, you could try to force the DC to register
itself as a GC with the following reg key:
HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters -
"Global Catalog Partition Occupancy" as per
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(WS.10).aspx
("Requirements for Global Catalog Readiness").
I'm unsure as to what is working and what not. Can users log on?
Cheers,
Florian
BiscuitEater
>> The primary Win 2003 DC crashed, so I promoted my alternate DC.
>> However, unable to get all roles transferred (seized) OK. Even though
I
>> was logged in as the EnterpriseAdmin/SchemaAdmin, NTDSutil said that
I
>> did not have permission to seize the schema master role.
> What does netdom query fsmo say? The Schema FSMO role isn't too
critical
> right now if you're in the middle of troubleshooting things. I'd
> concentrate on RID and PDC first of all. Are both of them on the new
DC?
> Is DNS working correctly (on clients as well as the DC)?
RID and PDC roles seem to be OK. (At least 'dcdiag' says that it passes
those tests.) DNS appears to be working OK.
'netdom query fsmo' responds with "The system cannot find the file
specified."
>> dcdiag reports that the new DC "...has not finished promoting to be
a
>> GC." and "...is not advertising as a global catalog." For the Schema
>> Owner role, it also shows the original DC, instead of the new one.
Then
>> I ran 'dsquery server -isgc' and it said that the new DC was the GC.
>>
>> This is a small subnet with no other DCs.
>>
>> I seem to keep running in a circle, with no place to break in and
>> resolve this.
> So the second DC was promoted when the "primary" DC still was alive,
> right? Do you need a GC at the moment (is Exchange involved)?
No, I only promoted the second DC after the drive controller took out
the entire RAID system on my primary DC.
> The easiest thing to get out of the woods would be trying to bring
the
> crashed DC back online. You have a backup?
Operating on a budget, so was dependent on the RAID systems in the two
DCs to provide enough redundancy. (Plus, this is not a mission-critical
network.)
> Are there other domains in this forest or is that just the only DC in
> the only domain left? If so, you could try to force the DC to
register
> itself as a GC with the following reg key:
>
> HKEY_Local_Machine\System\CurrentControlSet\Services\NTDS\
> Parameters -
> "Global Catalog Partition Occupancy" as per
> http://technet.microsoft.com/en-us/l...rk(WS.10).aspx
> ("Requirements for Global Catalog Readiness").
This is a subdomain used for R&D purposes. Have some one-way trusts,
but not a member of the corporate forest.
(Reading the reference right now.)
> I'm unsure as to what is working and what not. Can users log on?
AD is not fully functional for logins. I can login only as the network
admin right now.
Meinolf Weber [MVP-DS]
Would be nice if you can describe the forest/domain complete with the complete
amount of DCs in each domain and which FSMOs are listed in which domain,
as you should have FSMO roles in the root domain(schema, domain naming master,
PDCEmulator, Infrastructure and RID master) and also 3 in the subdomain(PDCEmulator,
Infrastructure and RID master).
See here about FSMO placement:
http://support.microsoft.com/kb/223346/en-us
What exactly should this mean, i cannot follow you?
"No, I only promoted the second DC after the drive controller took out the
entire RAID system on my primary DC."
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Danny Sanders
What does this mean?
To me this statement means this was a member server and once the main DC
crashed you ran dcpromo to make this a DC. If this is the case you need to
restore from a backup. If you "promoted" your "alternate DC" to a DC (by
running dcpromo) after the main DC crashed, you did it wrong. In order for
the second DC (the one you promoted) to take over for the main DC, it had to
be a DC online and replicating with the main DC BEFORE the main DC crashed.
It "sounds" like you ended up creating a new domain with the same name as
your old domain.
hth
DDS
"BiscuitEater" <BiscuitEa...@DoNotSpam.com> wrote in message
news:BiscuitEa...@DoNotSpam.com...
BiscuitEater
Additional Info:
The original DC is now in network heaven.
In the registry:
Hmmm...Looking in the registry of the new DC. I found an entry that
lists the original DC as the "SRC Root Domain Srv". I could update that
entry to the new DC...However, the data value of the very next entry
"SRC Srv objectGuid" appears to contain info related to my original DC.
Did not see any entries describing GC settings.
kj [SBS MVP]
BiscuitEater wrote:
> Additional Info:
>
> The original DC is now in network heaven.
>
> In the registry:
> Hmmm...Looking in the registry of the new DC. I found an entry that
> lists the original DC as the "SRC Root Domain Srv". I could update
> that entry to the new DC...However, the data value of the very next
> entry "SRC Srv objectGuid" appears to contain info related to my
> original DC. Did not see any entries describing GC settings.
If your new DC never fully replicated with the old DC then you won't have a
full DC.
I'm not sure how you got as far as you did, but do you have backups that you
can recover the first DC?
--
/kj
BiscuitEater
Hello Meinolf,
My domain is inside of the corporate environment, but is essentially a
standalone domain. It is not a member of the corporate forest.
Originally, I had two domain controllers--a primary DC ("DC1") and a
secondary DC ("DC2"). All FSMO roles were owned by DC1.
There was an electrical surge that damaged one UPS and apparently also
damaged the RAID controller in DC1. The result was that I lost the
entire RAID drive system in DC1. I attempted to recover the drives, but
did not succeed.
Not being able to restore DC1, I decided to promote DC2 to the primary
DC. This is when my other problems began.
I just ran 'ntfrsutl' and it reported that I have a cracked domain (null
references to DC1).
------
I have already spent two days trying to clear up the problems with DC2.
However, I have a new hard drive controller and new drives in the DC1
box, so I may just build a brand new DC and start over.
It is late and I am tired, so am going home now.
Thanks for your efforts to understand and assist!
Florian Frommherz [MVP]
Am 13.05.2010 00:04, schrieb BiscuitEater:
> I have already spent two days trying to clear up the problems with DC2.
> However, I have a new hard drive controller and new drives in the DC1
> box, so I may just build a brand new DC and start over.
>
> It is late and I am tired, so am going home now.
> Thanks for your efforts to understand and assist!
So my next step would probably be to metadata cleanup the first DC
that's not coming back online again. You'll destroying any references to
that DC1 in the directory with that: http://support.microsoft.com/kb/216498
That should resolve the GC problem that you have. After that, you should
be able to run dcdiag again and look at its outputs. Do things look
cleaner now?
Florian
Florian Frommherz [MVP]
Am 12.05.2010 22:25, schrieb BiscuitEater:
> In the registry:
> Hmmm...Looking in the registry of the new DC. I found an entry that
> lists the original DC as the "SRC Root Domain Srv". I could update that
> entry to the new DC...However, the data value of the very next entry
> "SRC Srv objectGuid" appears to contain info related to my original DC.
> Did not see any entries describing GC settings.
You can leave both these settings alone. Those are registry key/values
that are set and used during initial DC dcpromo and the reboot after
that. They're not used afterwards again -- so changing them won't get
you anywhere :(
Florian
BiscuitEater
'kj [SBS MVP Wrote:
No, since this is a very fluid, non-mission-critical environment, the
system design was two DCs (primary and secondary). Both using RAID 1
drive configurations--with the idea that electronics are fairly reliable
these days and that the most likely point of failure would be one of the
two hard drives. Thus, the mirrored drive could take over if needed.
BiscuitEater
'kj [SBS MVP Wrote:
No, since this is a very fluid, non-mission-critical environment, the
system design was two DCs (primary and secondary). Both using RAID 1
drive configurations--with the idea that electronics are fairly reliable
these days and that the most likely point of failure would be one of the
two hard drives. Thus, the mirrored drive could take over if needed.
BiscuitEater
To all who have responded to my recent quandry,
A big "Thanks!" to all of you for your time and efforts in assisting me
as I tried to work through this problem.
Unfortunately, I was running short on time--as I was about to leave for
vacation, but had to have everything working again for an important
demonstration. Having run in circles for several days and not appearing
to make any significant progress, I finally called Microsoft for
assistance. One of their gurus called me right back and began working
through the several problems.
He used many of the utilities that have been discussed here, plus ADSI
Edit (which I had not tried) to make a number of changes and perform
some null-reference cleanup that had stimied me. However, after two
hours and several reboots, he had the domain controller and all of the
services fully functional again.
Again, thanks to all of you for your guidance and advice!
Regards,
BiscuitEater