
netlogon service paused at dC startup


stingray

Dec 25, 2009, 6:17:12 PM
I am having serious problems here. See, I have a small network & a single
Active Directory server in a virtual server environment. Now I made a mistake,
i.e. I restored my DC from a snapshot after its Windows installation got corrupt.
Now according to Microsoft this is not supported, which I found out
afterwards, & it causes a situation called USN rollback,
& this is now causing the netlogon service to be paused after every restart
of the server.
How can I fix this? The solution to this from Microsoft is to install
another DC, transfer DNS & server roles to that server, remove Active
Directory from this one & reinstall Active Directory again using dcpromo.
But this is not working: as soon as I do all the things according to the
Microsoft document steps & shut down the old problem-giving server, things
stop working. Clients cannot join the domain, & no authentication occurs.
Now I cannot get rid of the DC with the USN rollback problem, and I keep getting
the pause in the netlogon service.

Can anyone help me with this?
Happy birthday of prophet Jesus to all of you.

regards


Meinolf Weber [MVP-DS]

Dec 25, 2009, 7:07:14 PM
Hello Stingray,

A USN rollback occurs if you have more than one DC and restore one of them
from an unsupported backup solution. So as you said there is only one DC
in the network, USN rollback will not occur. The USNs are stored on the DCs
and on no other machines in the domain.

Please post the link to the article from Microsoft with the solution you
found.

Also describe in more detail what you have done.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

stingray

Dec 26, 2009, 4:15:37 AM
Thanks for the reply Meinolf

Well, the Microsoft solution I was talking about is at
http://support.microsoft.com/kb/875495

Well, currently there is only one DC, but there were multiple some time ago,
before the BDC crashed and was unrecoverable. Maybe that is why the USN
problem is coming.
Anyway, if that is the case, is there a way to fix this now?

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911db6c98...@msnews.microsoft.com...

Meinolf Weber [MVP-DS]

Dec 26, 2009, 6:57:54 AM
Hello Stingray,

How old is the snapshot you have?

The article relates to a domain with at least 2 DCs, where you can kick
out the machine with USN rollback and then clean up the AD database from it. Now
you can install an additional DC again.

Is the DC also a DNS server? Please post an unedited ipconfig /all from it
and also a dcdiag /v. If you are able to start the netlogon service manually, clean up
the AD database from all old DCs according to:
http://support.microsoft.com/kb/555846/en-us

stingray

Dec 26, 2009, 8:26:43 AM
Thanks for the reply Meinolf

Well, I did the restore from snapshot about a week ago, & yes, my DC
is also my DNS server.

Here is my ipconfig /all:

Windows IP Configuration

Host Name . . . . . . . . . . . . : mdomain
Primary Dns Suffix . . . . . . . : akesp.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : akesp.org

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-51-6A-37
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
IP Address. . . . . . . . . . . . : 172.16.1.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.1.3
DNS Servers . . . . . . . . . . . : 172.16.1.1
Primary WINS Server . . . . . . . : 172.16.1.1

& my dcdiag /v:

C:\Program Files\Support Tools>dcdiag /v

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine mdomain, is a DC.
* Connecting to directory service on server mdomain.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\MDOMAIN
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MDOMAIN passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\MDOMAIN
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=akesp,DC=org
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=akesp,DC=org
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=akesp,DC=org
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=akesp,DC=org
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=akesp,DC=org
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... MDOMAIN passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC MDOMAIN.
* Security Permissions Check for
DC=ForestDnsZones,DC=akesp,DC=org
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=akesp,DC=org
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=akesp,DC=org
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=akesp,DC=org
(Configuration,Version 2)
* Security Permissions Check for
DC=akesp,DC=org
(Domain,Version 2)
......................... MDOMAIN passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\MDOMAIN\netlogon
Verified share \\MDOMAIN\sysvol
......................... MDOMAIN passed test NetLogons
Starting test: Advertising
The DC MDOMAIN is advertising itself as a DC and having a DS.
The DC MDOMAIN is advertising as an LDAP server
The DC MDOMAIN is advertising as having a writeable directory
The DC MDOMAIN is advertising as a Key Distribution Center
The DC MDOMAIN is advertising as a time server
The DS MDOMAIN is advertising as a GC.
......................... MDOMAIN passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role Domain Owner = CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role PDC Owner = CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role Rid Owner = CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role Infrastructure Update Owner = CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
......................... MDOMAIN passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 6603 to 1073741823
* mdomain.akesp.org is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4603 to 5102
* rIDPreviousAllocationPool is 4603 to 5102
* rIDNextRID: 4618
......................... MDOMAIN passed test RidManager
Starting test: MachineAccount
Checking machine account for DC MDOMAIN on DC MDOMAIN.
* SPN found :LDAP/mdomain.akesp.org/akesp.org
* SPN found :LDAP/mdomain.akesp.org
* SPN found :LDAP/MDOMAIN
* SPN found :LDAP/mdomain.akesp.org/AKESP
* SPN found :LDAP/0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a205198-abb0-4734-83d0-0d66ac246cd1/akesp.org
* SPN found :HOST/mdomain.akesp.org/akesp.org
* SPN found :HOST/mdomain.akesp.org
* SPN found :HOST/MDOMAIN
* SPN found :HOST/mdomain.akesp.org/AKESP
* SPN found :GC/mdomain.akesp.org/akesp.org
......................... MDOMAIN passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MDOMAIN passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
MDOMAIN is in domain DC=akesp,DC=org
Checking for CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org in domain DC=akesp,DC=org on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org in domain CN=Configuration,DC=akesp,DC=org on 1 servers
Object is up-to-date on all servers.
......................... MDOMAIN passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MDOMAIN passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Error Event occured. EventID: 0xC00034F7
Time Generated: 12/26/2009 14:40:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00034F7
Time Generated: 12/26/2009 15:25:20
(Event String could not be retrieved)
......................... MDOMAIN failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... MDOMAIN passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 12/26/2009 18:19:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 12/26/2009 18:19:15
(Event String could not be retrieved)
......................... MDOMAIN failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org and backlink on CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org are correct.
The system object reference (frsComputerReferenceBL) CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=akesp,DC=org and backlink on CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org are correct.
The system object reference (serverReferenceBL) CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=akesp,DC=org and backlink on CN=NTDS Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org are correct.
......................... MDOMAIN passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : akesp
Starting test: CrossRefValidation
......................... akesp passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... akesp passed test CheckSDRefDom

Running enterprise tests on : akesp.org
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... akesp.org passed test Intersite
Starting test: FsmoCheck
GC Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
PDC Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
Time Server Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
KDC Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
......................... akesp.org passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS


Thanks again.
Faisal


"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message

news:6cb2911db6ec8...@msnews.microsoft.com...
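The dcdiag /v dump above is long, and what a responder actually wants from it is the list of tests that failed and the event IDs each failure cites. The following is an added example (not code from the thread or from Microsoft) that parses output in that shape: it tracks the current target ("Testing server:" / "Running partition tests on :"), records pass/fail per test, copes with the wrapped result lines seen above where the test name lands on the next line, and decodes the hexadecimal EventID that dcdiag prints into the Event Viewer ID (low 16 bits), so 0xC00034F7 becomes NtFrs event 13559. The sample input is a constructed, trimmed excerpt in the format of the posted output.

```python
import re

# Constructed excerpt in the shape of the "dcdiag /v" output posted above;
# it is a trimmed sample, not the full capture from the thread.
SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Testing server: Default-First-Site-Name\\MDOMAIN
Starting test: Connectivity
* Active Directory LDAP Services Check
......................... MDOMAIN passed test Connectivity
Starting test: NetLogons
Verified share \\\\MDOMAIN\\netlogon
......................... MDOMAIN passed test NetLogons
Starting test: frsevent
* The File Replication Service Event log test
An Error Event occured. EventID: 0xC00034F7
Time Generated: 12/26/2009 14:40:15
(Event String could not be retrieved)
......................... MDOMAIN failed test frsevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 12/26/2009 18:19:14
......................... MDOMAIN failed test systemlog

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
"""

TARGET_RE = re.compile(
    r"^\s*(?:Testing server:\s*\S+?\\(\S+)|Running (?:partition|enterprise) tests on\s*:\s*(\S+))"
)
START_RE = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT_RE = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s*(\S*)\s*$")
EVENT_RE = re.compile(r"EventID:\s*0x([0-9A-Fa-f]+)")
TIME_RE = re.compile(r"Time Generated:\s*(\S+\s+\S+)")


def parse_dcdiag(text):
    """Return {"<target>/<test>": {"status": ..., "events": [...]}} for a dcdiag /v dump."""
    results = {}
    target, key = None, None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1) or m.group(2)
            continue
        m = START_RE.match(line)
        if m:
            key = f"{target}/{m.group(1)}"
            results[key] = {"status": None, "events": []}
            continue
        m = RESULT_RE.match(line)
        if m:
            who, status, name = m.groups()
            # dcdiag wraps long lines, so the test name may sit on the next
            # line; fall back on the test we are currently inside.
            k = f"{who}/{name}" if name else key
            results.setdefault(k, {"status": None, "events": []})["status"] = status
            continue
        if key is None:
            continue
        m = EVENT_RE.search(line)
        if m:
            raw = int(m.group(1), 16)
            # The low 16 bits carry the Event Viewer ID (0xC00034F7 -> 13559,
            # the NtFrs event quoted later in the thread); the high bits are severity.
            results[key]["events"].append({"raw": raw, "event_id": raw & 0xFFFF, "time": None})
            continue
        m = TIME_RE.search(line)
        if m and results[key]["events"]:
            results[key]["events"][-1]["time"] = m.group(1)
    return results


def failed_tests(results):
    """Names of tests that reported 'failed', in output order."""
    return [k for k, v in results.items() if v["status"] == "failed"]


if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE_DCDIAG)
    for name in failed_tests(parsed):
        ids = [(e["event_id"], e["time"]) for e in parsed[name]["events"]]
        print(f"{name}: failed, events {ids}")
```

Keying results by target as well as test name matters because CrossRefValidation and CheckSDRefDom run once per partition; keying by test name alone would collapse them into a single entry.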

Meinolf Weber [MVP-DS]

Dec 26, 2009, 9:05:53 AM
Hello Stingray,

Your DC is multihomed (2 different IP addresses), which is a really bad configuration
for a DC. Remove one of them and then make sure it is also listed in the
DNS zones only with the configured one.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks for the reply Meinolf
>

stingray

Dec 26, 2009, 9:48:26 AM
Well, I only did that for troubleshooting purposes (old IP of the BDC). Anything
else you want me to do? I did that & still the netlogon service is
paused after startup; also the Windows Time service is stopped and I have to restart
it manually.


thanks & regards

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message

news:6cb2911db6f18...@msnews.microsoft.com...

Ace Fekay [MCT]

Dec 26, 2009, 1:15:44 PM
"stingray" <fas...@yahoo.com> wrote in message
news:uSQYkqjh...@TK2MSFTNGP05.phx.gbl...

> Well, I only did that for troubleshooting purposes (old IP of the BDC). Anything
> else you want me to do? I did that & still the netlogon service is
> paused after startup; also the Windows Time service is stopped and I have to restart
> it manually.
>
>
> thanks & regards

Did you go through every folder and object in DNS and make sure the
additional IP address no longer shows up? You have to check both the
akesp.org zone and the _msdcs.akesp.org zone. Check every entry in each
zone, expanding each folder. Also check the Nameservers tab and everything
else in each zone's properties to make sure the additional IP does not exist,
including the "A" records. If it does, delete it.

Once that is done, run:

ipconfig /all
net stop netlogon
net start netlogon

Then restart your machine to see if it still happens.

Please post any EventID# errors in any of the event logs, whether this works
or not. If it continues, I am going with what Meinolf said about the USN
rollback issue, because you used a snapshot. As pointed out, snapshots are
NOT supported, nor do they work. It is extremely difficult, if not impossible,
to clean up a USN rollback issue from a snapshot restoration. That's why
they are not supported.

The standing recommendation for a DC is to always perform full backups of
the system drive (C:) and a System State backup. They work nicely each and
every time you need to restore.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

stingray

Dec 26, 2009, 11:39:36 PM
Ace, I did all that but still....

Here are some error event log entries.

======================================================
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 12/27/2009
Time: 9:24:06 AM
User: NT AUTHORITY\SYSTEM
Computer: MDOMAIN
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
==================================================================

Event Type: Error
Event Source: NTDS General
Event Category: Service Control
Event ID: 2103
Date: 12/27/2009
Time: 9:23:30 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MDOMAIN
Description:
The Active Directory database has been restored using an unsupported
restoration procedure.

Active Directory will be unable to log on users while this condition
persists. As a result, the Net Logon service has paused.

User Action
See previous event logs for details.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

=====================================================================
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 12/27/2009
Time: 9:23:32 AM
User: N/A
Computer: MDOMAIN
Description:
The DNS server was unable to create a resource record for
0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org. in zone akesp.org.
The Active Directory definition of this resource record is corrupt or
contains an invalid DNS name. The event data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 00 00 00 {...

==========================================================================

Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13559
Date: 12/27/2009
Time: 9:24:08 AM
User: N/A
Computer: MDOMAIN
Description:
The File Replication Service has detected that the replica root path has
changed from "c:\windows\sysvol\domain" to "c:\windows\sysvol\domain". If
this is an intentional move then a file with the name
NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.
This was detected for the following replica set:
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Changing the replica root path is a two step process which is triggered by
the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.

[1] At the first poll which will occur in 5 minutes this computer will be
deleted from the replica set.
[2] At the poll following the deletion this computer will be re-added to
the replica set with the new root path. This re-addition will trigger a full
tree sync for the replica set. At the end of the sync all the files will be
at the new location. The files may or may not be deleted from the old
location depending on whether they are needed or not.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

==================================================================================

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 12/27/2009
Time: 9:24:15 AM
User: N/A
Computer: MDOMAIN
Description:
The Windows Time service terminated with the following error:
An attempt was made to logon, but the network logon service was not started.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

=======================================================================================

Thanks & regards


"Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org> wrote in message
news:enMMydlh...@TK2MSFTNGP04.phx.gbl...
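Read in time order, the entries above tell the story themselves: NTDS General 2103 (unsupported restore, Net Logon paused) fires at 9:23:30, and the DNS, Group Policy, FRS and Windows Time errors all follow within the next minute. The following is an added example (not code from the thread) that parses Event Viewer text pasted in this layout, sorts the records by timestamp and buckets the IDs that appear in this thread into a root cause, a stated consequence (7023 says outright that W32Time stopped because Net Logon was not started) and items to investigate. The sample input is constructed to mirror three of the posted entries; the classification table is my reading of the event text quoted above and is an assumption for any other environment.

```python
import re
from datetime import datetime

# Constructed sample in the Event Viewer copy/paste layout used in the post
# above; IDs, sources and times mirror the entries quoted there.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Userenv
Event ID: 1030
Date: 12/27/2009
Time: 9:24:06 AM
Computer: MDOMAIN
Description:
Windows cannot query for the list of Group Policy objects.
==================================================================
Event Type: Error
Event Source: NTDS General
Event ID: 2103
Date: 12/27/2009
Time: 9:23:30 AM
Computer: MDOMAIN
Description:
The Active Directory database has been restored using an unsupported
restoration procedure. As a result, the Net Logon service has paused.
==================================================================
Event Type: Error
Event Source: Service Control Manager
Event ID: 7023
Date: 12/27/2009
Time: 9:24:15 AM
Computer: MDOMAIN
Description:
The Windows Time service terminated with the following error:
An attempt was made to logon, but the network logon service was not started.
"""

# Classification of the IDs that appear in the thread (assumed mapping); the
# notes paraphrase the event text quoted above and Meinolf's reading of 2103.
KNOWN = {
    ("NTDS General", 2103): ("root_cause",
        "AD database restored by an unsupported procedure; Net Logon paused"),
    ("Service Control Manager", 7023): ("consequence",
        "a dependent service (here W32Time) failed because Net Logon was not started"),
    ("Userenv", 1030): ("investigate",
        "Group Policy list query failed; check earlier policy-engine events"),
    ("DNS", 4010): ("investigate",
        "DC GUID record under _msdcs could not be created; inspect the zone data"),
    ("NtFrs", 13559): ("investigate",
        "FRS replica root path change detected on SYSVOL; see KB 819268 / 887440"),
}


def parse_events(text):
    """Split a pasted Event Viewer dump into records, oldest first."""
    records = []
    for chunk in re.split(r"^=+\s*$", text, flags=re.M):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        fields, desc, in_desc = {}, [], False
        for line in lines:
            if in_desc:
                desc.append(line.strip())
            elif line.strip() == "Description:":
                in_desc = True
            else:
                # "Time: 9:24:06 AM" -> split on the first colon only
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        records.append({
            "source": fields.get("Event Source", ""),
            "event_id": int(fields["Event ID"]),
            "when": datetime.strptime(fields["Date"] + " " + fields["Time"],
                                      "%m/%d/%Y %I:%M:%S %p"),
            "description": " ".join(desc),
        })
    return sorted(records, key=lambda r: r["when"])


def triage(text):
    """Order the events in time and bucket them by what they mean for the DC."""
    report = {"timeline": [], "root_cause": [], "consequence": [],
              "investigate": [], "unknown": []}
    for r in parse_events(text):
        cls, note = KNOWN.get((r["source"], r["event_id"]),
                              ("unknown", r["description"][:60]))
        report["timeline"].append(
            (r["when"].strftime("%H:%M:%S"), r["source"], r["event_id"], cls, note))
        report[cls].append(r["event_id"])
    return report


if __name__ == "__main__":
    for when, source, event_id, cls, note in triage(SAMPLE_EVENTS)["timeline"]:
        print(f"{when}  {source:<24} {event_id:<6} {cls:<12} {note}")
```

The timeline is the useful part for a responder: with 2103 as the earliest record, the later failures are what Event 2103's own text predicts ("Active Directory will be unable to log on users while this condition persists"), so chasing them individually, as the DNS cleanup attempt above did, will not clear the paused Net Logon service.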

Meinolf Weber [MVP-DS]

Dec 27, 2009, 5:36:43 AM
Hello Stingray,

Adding the other DC's IP address will not help, for whatever reason you thought
about it.

As stated in Event ID 2103, the stopped netlogon relates to the unsupported
way of restoring. So as you have only one DC, I see no way to restore the
domain.

Basically, adding a DC to the domain when the problem exists will not help,
as you copy the existing AD database with the problem to the new server.

For event ID 13559 see these articles; maybe they help you:
http://support.microsoft.com/kb/819268

http://support.microsoft.com/kb/887440

In my opinion the best option is to start from scratch with the domain and
make a new one with 2 DC/DNS/GC as recommended for failover and redundancy.

Maybe you can create a trust to a newly installed domain with a different domain
name and use ADMT to migrate the existing accounts and computers, but as
there is this critical situation I am not sure if this will work.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Ace Fekay [MCT]

Dec 27, 2009, 10:38:29 AM
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911db7268...@msnews.microsoft.com...

> Hello Stingray,
>
> Adding the other DC's IP address will not help, for whatever reason you
> thought about it.
>
> As stated in Event ID 2103, the stopped netlogon relates to the unsupported
> way of restoring. So as you have only one DC, I see no way to restore the
> domain.
>
> Basically, adding a DC to the domain when the problem exists will not help,
> as you copy the existing AD database with the problem to the new server.
>
> For event ID 13559 see these articles; maybe they help you:
> http://support.microsoft.com/kb/819268
>
> http://support.microsoft.com/kb/887440
>
> In my opinion the best option is to start from scratch with the domain and
> make a new one with 2 DC/DNS/GC as recommended for failover and
> redundancy.
>
> Maybe you can create a trust to a newly installed domain with a different
> domain name and use ADMT to migrate the existing accounts and computers,
> but as there is this critical situation I am not sure if this will work.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi Meinolf.

At this point, I don't think a trust can be created in the DC's current
state and would agree that starting from scratch seems to be the best option
at this point.

To Stingray:

I've seen this in the past with image restores that others have done and
been called in to fix it. It's sometimes not even worth the hours to put in
and the effort even if it were possible (I don't think it is at this point
with this DC), when a new build will take a fraction of the time and you can
move on.

Ace


Meinolf Weber [MVP-DS]

Dec 27, 2009, 11:19:07 AM
Hello Ace,

I also think it will not work to create the trust and migrate to a new domain,
but as the OP is searching so hard for a way, he can try to do it. He can
lose nothing, as he has already lost the domain.

Ace Fekay [MCT]

Dec 27, 2009, 6:05:21 PM
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911db7448...@msnews.microsoft.com...

> Hello Ace,
>
> I also think it will not work to create the trust and migrate to a new
> domain, but as the OP is searching so hard for a way, he can try to do it.
> He can lose nothing, as he has already lost the domain.
>
> Best regards
>
> Meinolf Weber

That's a good point. :-)

Cheers!

Ace

S t i n g r a y

Dec 28, 2009, 10:26:23 AM
Thanks for the help Meinolf & Ace.. I really appreciate it.
It seems like all is lost for me regarding recovering my old DC. Now
that I have to build a new domain from scratch, can you tell me if there
is a way to import user/computer accounts with their SIDs onto the new
domain? We have a couple of applications integrated with Active
Directory that would require reconfiguration on the server & client
desktops, and believe me, it's a mammoth task that can take a couple of days to do.
In other words, I want to bring a new domain into place without
disturbing clients' desktops. That's my biggest concern.

Thanks & regards once again.

Meinolf Weber [MVP-DS]

Dec 28, 2009, 11:07:03 AM
Hello S t i n g r a y,

Check this one:
http://support.microsoft.com/kb/555636

But it will not export/import all settings; there is still a requirement for
doing manual changes.

Ace Fekay [MCT]

Dec 28, 2009, 6:52:04 PM
"S t i n g r a y" <fas...@yahoo.com> wrote in message
news:OMp9iI9h...@TK2MSFTNGP06.phx.gbl...

> Thanks for the help Meinolf & Ace.. I really appreciate it.
> It seems like all is lost for me regarding recovering my old DC. Now that
> I have to build a new domain from scratch, can you tell me if there is a
> way to import user/computer accounts with their SIDs onto the new domain?
> We have a couple of applications integrated with Active Directory that
> would require reconfiguration on the server & client desktops, and believe
> me, it's a mammoth task that can take a couple of days to do.
> In other words, I want to bring a new domain into place without disturbing
> clients' desktops. That's my biggest concern.
>
> Thanks & regards once again.

Unfortunately, any migration is task intensive. If you can create a trust,
ADMT is your best option to migrate users, groups and computer accounts
while preserving SID History; otherwise, no, it will be from scratch. Meinolf
pointed out using LDIFDE as one method, but they will be new SIDs and
require you to make changes to make it work.

Ace
