Domain Controller Problem after force removal [message #157578] Thu, 09 July 2009 07:16
Chris Dodson
Hi all

I need some help. We had some time issues on the domain the other day, it
resulted in the DCs not replicating and thus being tombstoned, a phone call
to MS resolved this and the domain is now in working order.

However we did have around 4 DCs that would not come back, thus we had to
perform DCPromo /forceremoval which did the trick. The problem we have now is
that one of these old DCs doesn't seem to want to be part of the domain
anymore. It is a member server and is on the domain, but for some reason it
won't apply GPO, and clients located on this site are still attempting to
contact this DC for authentication!

We decided to re-promote to a DC to see if this fixed the issues, it hasn't,
the DC has promoted, but again it looks to be tombstoned and won't allow
replication to take place. If I create manual connections to this DC in Sites
and Services I receive the following error "the procedure number is out of
range".

Can anyone shed any light on this? All other DCs, branches, sites and the
other tombstoned DCs (now member servers) are working fine.

Thanks for your time

Re: Domain Controller Problem after force removal [message #157579 is a reply to message #157578] Thu, 09 July 2009 07:29
meiweb(nospam), Germany
Hello Chris,

How many DCs do you have now and how are they located? What OS version and
SP/patch level do you use? Run diagnostic tools dcdiag /v, netdiag /v and
repadmin /showrepl to check for problems on the DCs.

What kind of time problem did you have that you demote DCs?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Domain Controller Problem after force removal [message #157584 is a reply to message #157579] Thu, 09 July 2009 08:09
Chris Dodson
Hi Meinolf

Thanks for the prompt reply. Unfortunately our time server reset back to
last year, this was caused by our VM ESX infrastructure upgrade. We changed
the time back to the correct time and left it at that, unfortunately a few
days later we experienced replication problems, we contacted MS support and he
informed us it was caused by the DCs becoming tombstoned due to the time
reset!

Anyway, all our existing DCs are now in working order, I have also run the
DCDIAG and NETDIAG and they both result in full successes.

After promoting the problematic member server and leaving it a few hours, it
looks as though the problems may have been resolved. For some reason both
this server and clients based on this server's site were still attempting to
authenticate with the old DC!! After re-promoting it, it seems to have gone
away, clients can now authenticate and the server looks to be replicating and
working!

Any idea what could have caused this?

Re: Domain Controller Problem after force removal [message #157620 is a reply to message #157584] Thu, 09 July 2009 23:46
meiweb(nospam), Germany
Hello Chris,

Did you check after demoting the tombstoned DCs that they are also removed
completely from the AD database and AD Sites and Services and all DNS zones? /forceremoval
will demote a DC regardless of availability of the FSMO holders or Global
Catalog server. I assume that there were still some entries left so the
clients try to contact them as before, especially if those DCs were also
DNS servers and the clients are configured to use them as preferred.

So if you kick out a DC the hard way you should at least check with ntdsutil
that the database is cleaned from them. See also this article about needed
steps when a DC was not demoted properly or died before you were able to
demote it.
http://support.microsoft.com/kb/555846/en-us

Best regards

Meinolf Weber
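
The leftover check described in the reply above can be scripted. This is an added example, not code from any poster in the thread; it assumes the ActiveDirectory RSAT module and `Resolve-DnsName` (Windows 8 / Server 2012 or later), and the host names in `$removedDCs` are placeholders.

```powershell
# Added example: look for references to force-removed DCs in AD and DNS.
Import-Module ActiveDirectory

# Placeholder short names of the DCs that were removed with /forceremoval.
$removedDCs = @('olddc01', 'olddc02')

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. AD Sites and Services: server objects left in the configuration partition,
#    and whether an NTDS Settings (nTDSDSA) child object is still below them.
$siteHits = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' |
    Where-Object { $removedDCs -contains $_.Name.ToLower() } |
    ForEach-Object {
        $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=nTDSDSA)'
        $detail = 'server object only'
        if ($ntds) { $detail = 'NTDS Settings still present' }
        [pscustomobject]@{ Where = 'Sites and Services'; Item = $_.DistinguishedName; Detail = $detail }
    }

# 2. AD database: computer accounts still in the Domain Controllers container.
$ouHits = Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter * |
    Where-Object { $removedDCs -contains $_.Name.ToLower() } |
    ForEach-Object {
        [pscustomobject]@{ Where = 'Domain Controllers OU'; Item = $_.DistinguishedName; Detail = 'computer account' }
    }

# 3. DNS: DC locator SRV records that still point clients at a removed DC.
$srvNames = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)", "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)"
$dnsHits = foreach ($srv in $srvNames) {
    Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' -and
                       $removedDCs -contains ($_.NameTarget -split '\.')[0].ToLower() } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'DNS SRV'; Item = $srv; Detail = $_.NameTarget }
        }
}

# Empty output means none of the three places still references a removed DC.
@($siteHits) + @($ouHits) + @($dnsHits) | Format-Table -AutoSize
```

If a removed server has since been re-promoted under the same name, as happened in this thread, hits for that name are expected and should be read against the date of the re-promotion.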
Re: Domain Controller Problem after force removal [message #157639 is a reply to message #157584] Fri, 10 July 2009 06:23
pbbergs, United States
One possibility is cached DNS. The server still had the old DNS data from
the old server. A possible reboot, cache clear or the TTL expired. This
would be my guess.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
