Forum.Brain-Cluster.com: Brain Cluster Technical Forum

netlogon using wrong DC [message #331613] Mon, 30 November 2009 15:58
BWPhx (United States), Junior Member
I have an odd scenario. I have a DC (win2003 but ADPREP'd to 2008) we'll
call DC1 that needs to be turned off.

Because of the odd scenario, DC2 has forcefully taken over FSMO roles
from DC1. All references to DC1 have been removed in AD and DNS. As far
as DC2 knows, DC1 doesn't exist.

Similarly, DC1 doesn't have any data about DC2 (had some stale data
which I've removed).

DC1 and DC2 are on different subnets and firewall rules prevent them
from contacting each other.

I have a couple production servers that still authenticate against DC1
(in the same subnet) and don't know about DC2. I need to get them using
DC2 without disrupting the services running (i.e. no reboot).

New servers in the DC1 subnet join/auth just fine with DC2, so firewall
rules are correct there.

I thought I could just stop netlogon, delete the cache file, change the
DNS server to DC2, fire netlogon back up and away I'd go.

But it's not working.

When netlogon is stopped, if I run nltest /dsgetdc:domainname I get the
correct answer, DC2. When I start netlogon back up and run the same
command, it's back to DC1.

I've disabled NetBIOS over TCP/IP and LMHOSTS lookups. That didn't affect it.

I did notice there were some registry entries that referred to DC1.
Could those be being used by netlogon?


--
BWPhx
------------------------------------------------------------------------
BWPhx's Profile: http://forums.techarena.in/members/159701.htm
View this thread: http://forums.techarena.in/active-directory/1277119.htm

http://forums.techarena.in
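A check for the procedure BWPhx describes (stop Netlogon, swap DNS, restart, run nltest /dsgetdc), added here as an example and not something posted in the thread: it asks the member's configured DNS server for the DC SRV records the locator will use (the generic record and the site-specific one for the site recorded under Netlogon\Parameters), then compares Netlogon's cached answer with a forced rediscovery (nltest /dsgetdc with /force, which discards the cached DC). The domain name domain.local is the one used later in the thread; the DNS server address 192.0.2.53 and the DC name DC2 are assumptions to replace.

```powershell
# Added example; not from the thread. Assumed values: the member's configured DNS
# server (192.0.2.53, the "simple DNS server" of the post) and the wanted DC (DC2).
# Run elevated on the member server with the Netlogon service running.
param(
    [string]$Domain    = 'domain.local',
    [string]$DnsServer = '192.0.2.53',
    [string]$WantedDc  = 'DC2'
)

# Ask the named DNS server for an SRV record and return the target hosts.
function Get-DcSrvTargets {
    param([string]$Name, [string]$Server)
    $targets = @()
    foreach ($line in (& nslookup.exe -type=SRV $Name $Server 2>&1)) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $Matches[1] }
    }
    return $targets
}

function Show-SrvAnswer {
    param([string]$Name, [string]$Server)
    $t = @(Get-DcSrvTargets -Name $Name -Server $Server)
    "$Name -> " + $(if ($t.Count) { $t -join ', ' } else { '(no answer)' })
}

# Ask Netlogon which DC it uses. /force makes it discard the cached DC and rediscover.
function Get-LocatedDc {
    param([string]$Domain, [switch]$Force)
    $nlArgs = @("/dsgetdc:$Domain")
    if ($Force) { $nlArgs += '/force' }
    foreach ($line in (& nltest.exe @nlArgs 2>&1)) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { return $Matches[1] }
    }
    return $null
}

# 1. The records the locator will query: the generic DC record and, if this
#    machine knows its site, the site-specific one. SiteName is a static
#    override; DynamicSiteName is what Netlogon discovered last time.
$nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site = if ($nl.SiteName) { $nl.SiteName } else { $nl.DynamicSiteName }
"Netlogon\Parameters: SiteName='$($nl.SiteName)' DynamicSiteName='$($nl.DynamicSiteName)'"
Show-SrvAnswer -Name "_ldap._tcp.dc._msdcs.${Domain}" -Server $DnsServer
if ($site) { Show-SrvAnswer -Name "_ldap._tcp.${site}._sites.dc._msdcs.${Domain}" -Server $DnsServer }

# 2. Netlogon's cached answer versus a forced rediscovery.
$cached = Get-LocatedDc -Domain $Domain
$forced = Get-LocatedDc -Domain $Domain -Force
"Netlogon cached DC : $cached"
"Netlogon forced DC : $forced"

# 3. Verdict.
if ($forced -like "${WantedDc}*") {
    "Forced rediscovery lands on $WantedDc."
} else {
    Write-Warning "Forced rediscovery returned '$forced', not $WantedDc. Check the SRV answers above (including the site-specific one) and any value under Netlogon\Parameters that still names the old DC."
}
```

Run it elevated on the member with Netlogon running. The forced answer is the one that counts: if the SRV answers list only DC2 but the forced lookup still returns DC1, the site-specific record and any static SiteName override are the next things to look at, since those are what the locator consults before the generic record.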

Re: netlogon using wrong DC [message #331911 is a reply to message #331613] Tue, 01 December 2009 00:05
meiweb (Germany), Senior Member
Hello BWPhx,

Is DC1 removed from the domain now or not? You wrote "All references to DC1
have been removed in AD and DNS" and later on "DC1 and DC2 are on different
subnets and firewall rules prevent ".

If a DC is demoted correctly you also have to check AD Sites and Services and
remove it there, as that is not done during demotion; also, if it was a DNS
server, you have to check/clean up all old DNS entries from it.

For the existing machines make sure they use the correct DNS servers on the
NIC and run ipconfig /flushdns and ipconfig /registerdns. Make sure they
are able to register without any error. Now run netdiag /fix on them.

If you have a firewall in place you MUST make sure that it is configured
to have ALL ports open for AD replication:
http://technet.microsoft.com/en-us/library/bb727063.aspx

http://support.microsoft.com/kb/555381

http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx

http://support.microsoft.com/kb/179442/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


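Meinolf's point about firewall ports, as an added example that is not from the thread: a port probe from a member server to the DC it should be using. It checks the fixed TCP ports a domain member needs on a DC; the UDP side (53, 88, 123, and the locator's LDAP ping on 389) and the dynamic RPC range are only reported, since a TCP connect cannot prove them. DC2.domain.local is an assumed name.

```powershell
# Added example; not from the thread. Probes the fixed TCP ports a domain member
# needs on its DC. Assumed name: DC2.domain.local.
param(
    [string]$Dc = 'DC2.domain.local',
    [int]$TimeoutMs = 2000
)

$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON shares, Netlogon RPC over named pipes)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
}

# Connect with a timeout; a plain TcpClient constructor would block for the OS default.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$blocked = @()
foreach ($port in ($ports.Keys | Sort-Object)) {
    $ok = Test-TcpPort -Target $Dc -Port $port -TimeoutMs $TimeoutMs
    "{0,5}  {1,-7}  {2}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }), $ports[$port]
    if (-not $ok) { $blocked += $port }
}
"Not probed: UDP 53/88/123/389 (the locator's LDAP ping is UDP 389) and the dynamic RPC range"
"(1025-5000 on Windows Server 2003, 49152-65535 on 2008 and later) used by RPC-based calls."
if ($blocked.Count) {
    Write-Warning ("Blocked to {0}: {1}" -f $Dc, ($blocked -join ', '))
} else {
    "All fixed TCP ports reachable on $Dc."
}
```

A member that can reach 389 and 445 but not 88 will locate the DC and even bind its secure channel, yet Kerberos logons will fail, so a partial result here is worth reading port by port rather than as pass/fail.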

Re: netlogon using wrong DC [message #332061 is a reply to message #331613] Tue, 01 December 2009 06:37
pbbergs (United States), Senior Member
I would suggest you read an article I wrote on Decommissioning a DC. This
will guide you in the proper steps to help remove your old DC.
http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: netlogon using wrong DC [message #332281 is a reply to message #332061] Tue, 01 December 2009 09:29
BWPhx (United States), Junior Member
This is where I said it was an odd scenario. DC1 was forcefully removed
from DC2, which resides on a different subnet so there is no chance
they'll communicate with each other because of firewall rules I've
specifically put into place.

However, because of how we were using NAT, I couldn't take DC1 offline
for a small number of servers. I've worked around the NAT issue now and
need to get those few servers talking to DC2 without taking them offline
(critical apps).

Once they've all been changed to see DC2, I can offline DC1 for good.

I'm beyond the point where I can do anything with DC1 as far as dcpromo
is concerned I believe. As far as it knows, it's a standalone DC at this
point.

Regarding firewall rules and such, that's not the problem. I have new
servers in that NAT'd subnet talking to DC2 just fine.

I could easily do this by rejoining the domain, but that requires a
reboot when complete that I cannot do at the moment. Additionally, I
have a couple MSCS clusters running SQL and it scares the u-know-what
out of me to rejoin a domain on those servers.

All the computer accounts are in DC2, so I just need to force those
boxes to look at DC2.

I've tried the ipconfig /flushdns and /registerdns to no avail. I
haven't tried the netdiag /fix on the member servers though. I'll give
that a shot.


--
BWPhx

Re: netlogon using wrong DC [message #332575 is a reply to message #332281] Tue, 01 December 2009 14:34
meiweb (Germany), Senior Member
Hello BWPhx,

See inline.

Best regards

Meinolf Weber


> This is where I said it was an odd scenario. DC1 was forcefully
> removed from DC2, which resides on a different subnet so there is no
> chance they'll communicate with each other because of firewall rules
> I've specifically put into place.

You can not remove DC1 from DC2, you can demote a DC from the domain, after
that step there is no AD replication/communication to DC2.

> However, because of how we were using NAT, I couldn't take DC1 offline
> for a small number of servers. I've worked around the NAT issue now
> and need to get those few servers talking to DC2 without taking them
> offline (critical apps).

So DC1 is NOT demoted from the domain and still a domain controller? In the
starting post you said of DC1 "All references to DC1 have been removed in AD
and DNS"?

> Once they've all been changed to see DC2, I can offline DC1 for good.
>
> I'm beyond the point where I can do anything with DC1 as far as
> dcpromo is concerned I believe. As far as it knows, its a standalone
> DC at this point.

Not possible, either it is disconnected from the domain, or if you use it,
it can not replicate all changes with the other domain DCs, which is not a
recommended solution. It will result in problems at least if you are going
over the tombstone lifetime.

> Regarding firewall rules and such, that's not the problem. I have new
> servers in that NAT'd subnet talking to DC2 just fine.
>
> I could easily do this by rejoining the domain, but that requires a
> reboot when complete that I cannot do at the moment. Additionally, I
> have a couple MSCS clusters running SQL and it scares the u-know-what
> out of me to rejoin a domain on those servers.

As said before if DC1 is still domain controller you can not rejoin it to
the domain, it is in the domain.

> All the computer accounts are in DC2, so I just need to force those
> boxes to look at DC2.

Authentication requires a configured DNS server that is known to all clients,
and then the DCLocator process is used to find a DC.
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

> I've tried the ipconfig /flushdns and /registerdns to no avail. I
> haven't tried the netdiag /fix on the member servers tho. I'll give
> that a shot.

So please describe the number of DCs you have, how they are connected,
and what you have done with the DCs until now.

Re: netlogon using wrong DC [message #332801 is a reply to message #332575] Tue, 01 December 2009 17:20
BWPhx (United States), Junior Member
Thanks Meinolf. I know this is a bit confusing.


>> This is where I said it was an odd scenario. DC1 was forcefully
>> removed from DC2, which resides on a different subnet so there is no
>> chance they'll communicate with each other because of firewall rules
>> I've specifically put into place.
>
> You can not remove DC1 from DC2, you can demote a DC from the domain,
> after that step there is no AD replication/communication to DC2.

Correct. In the beginning, DC1 and 2 were on the same network and were
fully replicating. DC2 was moved to its current network, firewall rules
put in place, and forcefully promoted to FSMO as if DC1 had fallen off the
face of the earth. Basically, followed MS instructions on what to do if
a domain controller has kicked the bucket and will never come back to
life.

The twist here is that DC1 wasn't really turned off, but I make 100%
sure DC1 and DC2 can't talk. All references to DC1 on DC2 were removed
as part of the cleanup from forcing the promotion. Since DC2 changed
networks and never replicated afterwards, DC1 just fails replication.

>> However, because of how we were using NAT, I couldn't take DC1 offline
>> for a small number of servers. I've worked around the NAT issue now
>> and need to get those few servers talking to DC2 without taking them
>> offline (critical apps).
>
> So DC1 is NOT demoted from the domain and still a domain controller? In
> the starting post you said of DC1 "All references to DC1 have been
> removed in AD and DNS"?

Maybe this makes more sense:

Old:
DC1 is FSMO for forest root domain.local.
DC2 was a second AD DC.

Current:
DC1 is FSMO for forest root domain.local.
DC2 is FSMO for forest root domain.local.

All the member servers I'm trying to point to DC2 existed prior to my
severing the replication between DC1 and DC2. So the computer
accounts/SIDs/DNS entries are all the same. I'll probably need to reset
their secure channel, but otherwise, they should just be ok.

>> Once they've all been changed to see DC2, I can offline DC1 for good.
>>
>> I'm beyond the point where I can do anything with DC1 as far as
>> dcpromo is concerned I believe. As far as it knows, it's a standalone
>> DC at this point.
>
> Not possible, either it is disconnected from the domain, or if you use
> it, it can not replicate all changes with the other domain DCs, which
> is not a recommended solution. It will result in problems at least if
> you are going over the tombstone lifetime.

Hence the reason I need those few servers to use DC2, and the sooner
the better.

>> Regarding firewall rules and such, that's not the problem. I have new
>> servers in that NAT'd subnet talking to DC2 just fine.
>>
>> I could easily do this by rejoining the domain, but that requires a
>> reboot when complete that I cannot do at the moment. Additionally, I
>> have a couple MSCS clusters running SQL and it scares the u-know-what
>> out of me to rejoin a domain on those servers.
>
> As said before if DC1 is still domain controller you can not rejoin it
> to the domain, it is in the domain.

I don't want to. I want to turn DC1 off. I was referring to the member
servers above, not DC1.

>> All the computer accounts are in DC2, so I just need to force those
>> boxes to look at DC2.
>
> Authentication requires a configured DNS server that is known to all
> clients, and then the DCLocator process is used to find a DC.
> http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

I read those posts and now it seems really confusing to me it won't
pick up DC2.

>> I've tried the ipconfig /flushdns and /registerdns to no avail. I
>> haven't tried the netdiag /fix on the member servers though. I'll give
>> that a shot.
>
> So please describe the number of DCs you have, how they are connected,
> and what you have done with the DCs until now.


More info:

DC1 and DC2 are both DNS servers.
Additionally, on the DC1 network, I have a new DNS server (not AD, just a
simple DNS server) that has all the relevant SRV records pulled from DC2 and
contains no information about DC1. This is the DNS server I changed the
member server to use instead of DC1. I can ipconfig /flushdns and
/registerdns and do lookups against this DNS server without issue. When
netlogon isn't running, the NLTEST /DSGETDC finds DC2 like I want. But
when I fire netlogon service back up, NLTEST /DSGETDC shows DC1. So it's
not doing a new DNS lookup like I would expect. And, like I mentioned
earlier, I'd deleted the netlogon cache file (which I see reappear after
starting netlogon back up).

This additional DNS server was necessary because of the NATting I
discussed earlier. The NAT ip of the member server was manually entered
into DC2's DNS. Again, I know this setup works as new member servers are
working fine from the same network DC1 and the member servers in question
are on.

Hopefully this completes the picture. If not, I'm wondering if posting a
couple pictures would help.


--
BWPhx
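BWPhx expects to have to reset the members' secure channel. What follows is an added example, not anything from the thread, of inspecting that channel and, with -Reset, re-pointing it at a named DC using nltest /sc_query and /sc_reset. It also reads the member's machine-account password policy, because that decides whether a reset against DC2 can succeed at all: every machine password change a member made after replication was cut was recorded on DC1 only, so DC2 still holds the secret from before the split. The domain and DC names are assumptions.

```powershell
# Added example; not from the thread. Assumed values: domain.local and DC2.
# Run elevated on each member server. Without -Reset it only reports.
param(
    [string]$Domain   = 'domain.local',
    [string]$WantedDc = 'DC2',
    [switch]$Reset
)

# Which DC holds this member's secure channel now ("Trusted DC Name \\host").
function Get-SecureChannelDc {
    param([string]$Domain)
    foreach ($line in (& nltest.exe "/sc_query:$Domain" 2>&1)) {
        if ($line -match 'Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    return $null
}

# Machine-account password policy of this member. Every password change it
# made since replication was cut was recorded on DC1 only, so DC2 still holds
# the older secret; a channel to DC2 works only while the two still agree.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge = if ($nl.MaximumPasswordAge) { $nl.MaximumPasswordAge } else { 30 }   # 30 days is the default
if ($nl.DisablePasswordChange -eq 1) { "Machine account password changes: disabled" }
else { "Machine account password changes: every $maxAge days (secret may have drifted from DC2's copy)" }

$before = Get-SecureChannelDc -Domain $Domain
"Secure channel currently with: $before"

if ($Reset) {
    # /sc_reset:<domain>\<dc> tears the channel down and rebuilds it against the
    # named DC, bypassing whichever DC the locator picked.
    & nltest.exe "/sc_reset:${Domain}\${WantedDc}" 2>&1 | ForEach-Object { "  $_" }
    $after = Get-SecureChannelDc -Domain $Domain
    if ($after -like "${WantedDc}*") {
        "Secure channel now with $after"
    } else {
        Write-Warning (("Reset did not land on {0} (channel is with '{1}'). If {0} rejected the " +
            "machine account, its password has drifted: reset it against {0} with " +
            "netdom resetpwd /s:{0} /ud:<domain\admin> /pd:* and retry, or rejoin the box.") -f $WantedDc, $after)
    }
}
```

Neither nltest /sc_reset nor netdom resetpwd needs a reboot, which is the constraint in the post. A password reset is the one-way step, though: once the member's secret has been set on DC2, DC1 no longer knows it, so the member can no longer fall back to DC1. Given the cluster nodes mentioned above, run the report-only form first and treat a failed reset as the signal that the password has drifted rather than retrying it.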

Re: netlogon using wrong DC [message #332857 is a reply to message #332801] Tue, 01 December 2009 19:36
aceman (United States), Senior Member
BWPhx,

With all due respect, I'm sorry to say, but this is one of the worst
scenarios/predicaments I've read.

Honestly if a DC has been disconnected past the tombstone lifetime period
(Win2003 AD is 180 days), it will no longer replicate nor communicate with
other DCs or members (other servers or clients).

You mentioned a couple of times that you:
" [...] and forcefully promoted to FSMO as if DC1 had fell off the face of
the earth."

So what you've essentially done is create two totally separate Forests, DC1
in its own Forest, and DC2 in its own Forest, but both with the same exact
names. The two DCs cannot communicate with each other in this type of
scenario.

I take this to mean that you've SEIZED all five FSMO roles to the existing
DC2 domain controller. Once a seize operation has been performed on any of
the 5 roles, you can never bring the other DC back on line. No matter what
you do with nltest or netdom to try and reset the communication channel,
there is no way it will work.

Once you've seized the roles, it is a done DC.

What you can do is run dcpromo with the /forceremoval switch to make DC1 a
member server. Once that is done, you can re-promote it back into the
domain. But the key thing is that it must stay up and communicate with the
other DC. This way any app on the server can be used again.

There is no option with AD to drop communications between DCs and expect
them to work (replicate, communicate, etc).

If any of the DCs are behind a NAT, that won't be able to work either unless
there is a VPN tunnel going through the NAT. This is because AD
communications between DCs and between clients do not work across a NAT.

Sorry to be abrupt, but I just wanted to directly point out the issues here
and what you're attempting or contemplating is impossible.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
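Both Ace and Meinolf bring up the tombstone lifetime. As an added example (not from the thread), the following reads the forest's actual tombstoneLifetime value over LDAP instead of assuming 60 or 180 days, and compares it with the day replication between DC1 and DC2 was cut. The LDAP server name and the cut date are assumptions to replace.

```powershell
# Added example; not from the thread. Assumed values: DC2.domain.local as the LDAP
# server and the replication cut date (replace it with the real one).
param(
    [datetime]$ReplicationCutDate = (Get-Date).AddDays(-30),
    [string]$Server = 'DC2.domain.local'
)

# tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services in the
# Configuration partition. An absent attribute means the forest was created before
# Windows Server 2003 SP1 and uses the 60-day default; SP1 and later write 180.
function Get-TombstoneLifetimeDays {
    param([string]$Server)
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { return 60 }
    return [int]$value
}

$tsl     = Get-TombstoneLifetimeDays -Server $Server
$elapsed = [int][math]::Floor(((Get-Date) - $ReplicationCutDate).TotalDays)
"tombstoneLifetime on ${Server}: $tsl days; replication was cut $elapsed days ago"

if ($elapsed -ge $tsl) {
    Write-Warning ("Past the tombstone lifetime: DC1 must never be reconnected to DC2's copy of the " +
                   "directory. Retire it with dcpromo /forceremoval and make sure its metadata is " +
                   "gone from DC2 (ntdsutil metadata cleanup).")
} else {
    "Days left before the tombstone lifetime is reached: $($tsl - $elapsed)"
}
```

Any domain member can read this value; no admin rights are needed. Inside or outside the lifetime, DC1 cannot come back into DC2's forest after the role seizure, as Ace says above; the figure only shows how much of the window the two of them describe has already been used up, and so how urgent the cut-over of the remaining members is.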

Re: netlogon using wrong DC [message #333288 is a reply to message #332801] Wed, 02 December 2009 08:04
Meinolf Weber MVP-DS (Germany), Senior Member
Hello BWPhx,

Again inline.

Best regards

Meinolf Weber


> Correct. In the beginning, DC1 and 2 were on the same network and were
> fully replicating. DC2 was moved to its current network, firewall
> rules put in place, and forcefully promoted to FSMO as if DC1 had fallen
> off the face of the earth. Basically, followed MS instructions on what
> to do if a domain controller has kicked the bucket and will never come
> back to life.
>
> The twist here is that DC1 wasn't really turned off, but I make 100%
> sure DC1 and DC2 can't talk. All references to DC1 on DC2 were removed
> as part of the cleanup from forcing the promotion. Since DC2 changed
> networks and never replicated afterwards, DC1 just fails replication.

You have 2 options, either remove a DC completely from the domain or let them
replicate, there is nothing in between that runs without problems. After the
tombstone lifetime has expired, the real trouble starts.

> Maybe this makes more sense:
>
> Old:
> DC1 is FSMO for forest root domain.local.
> DC2 was a second AD DC.
>
> Current:
> DC1 is FSMO for forest root domain.local.
> DC2 is FSMO for forest root domain.local.

Not possible to have 2 DCs in the same forest with all FSMO roles. Unsupported
configuration which will definitely run into trouble.

> All the member servers I'm trying to point to DC2 existed prior to my
> severing the replication between DC1 and DC2. So the computer
> accounts/sids/DNS entires are all the same. I'll probably need to
> reset their securechannel, but otherwise, they should just be ok.

Even if the AD content is the same you can not move machines between the
2 forests. User/machine account changes are not equal, passwords for example.

> More info:
>
> DC1 and DC2 are both DNS servers.
> Additionally, on the DC1 network, I have a new DNS server (not AD, just a
> simple DNS server) that has all the relevant SRV records pulled from DC2
> and contains no information about DC1. This is the DNS server I changed
> the member server to use instead of DC1. I can ipconfig /flushdns and
> /registerdns and do lookups against this DNS server without issue. When
> netlogon isn't running, the NLTEST /DSGETDC finds DC2 like I want. But
> when I fire netlogon service back up, NLTEST /DSGETDC shows DC1. So it's
> not doing a new DNS lookup like I would expect. And, like I mentioned
> earlier, I'd deleted the netlogon cache file (which I see reappear after
> starting netlogon back up).
>
> This additional DNS server was necessary because of the NATting I
> discussed earlier. The NAT ip of the member server was manually entered
> into DC2's DNS. Again, I know this setup works as new member servers are
> working fine from the same network DC1 and the member servers in question
> are on.
>
> Hopefully this completes the picture. If not, I'm wondering if posting a
> couple pictures would help.

Your current network setup is a design that is not a workable solution. You
have to create either a complete new second forest or go back to the starting
point of the forest with a correct domain setup.


Re: netlogon using wrong DC [message #333411 is a reply to message #331613] Wed, 02 December 2009 09:40
BWPhx (United States), Junior Member
Thank you all for your input, but it's clear I've been unable to
represent my intentions or situation correctly. Everyone here is talking
about re-introducing DC1 into the domain and that is not at all what I
want or need to do. I'm talking solely about the
members/clients/computers/servers - whatever you want to call them.


--
BWPhx
Re: netlogon using wrong DC [message #333632 is a reply to message #333411] Wed, 02 December 2009 13:23 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello BWPhx,

Sorry that we are not able to give you a solution for your design. BUT that
design, as you described it and as we understand it, will still not work. It
is NOT recommended nor supported to break a domain that way and use both
of them further.

If clients are not able to use the correct DCs, this belongs to the DCLocator
process. See here; maybe this gives some additional information:
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thank you all for your input, but it's clear I've been unable to
> represent my intentions or situation correctly. Everyone here is
> talking about re-introducing DC1 into the domain and that is not at
> all what I want or need to do. I'm talking solely about the
> members/clients/computers/servers - whatever you want to call them.
>
Re: netlogon using wrong DC [message #333703 is a reply to message #333411] Wed, 02 December 2009 14:35 Go to previous message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"BWPhx" <BWPhx.42kujb@DoNotSpam.com> wrote in message
news:BWPhx.42kujb@DoNotSpam.com...
>
> Thank you all for your input, but it's clear I've been unable to
> represent my intentions or situation correctly. Everyone here is talking
> about re-introducing DC1 into the domain and that is not at all what I
> want or need to do. I'm talking solely about the
> members/clients/computers/servers - whatever you want to call them.
>
>
> --
> BWPhx

I guess your description of your intentions was not clear, possibly due to
DC1 being pulled out of the domain, terminology, etc.

If the problem is just the workstation latching on to the wrong DC, then it
indicates the old DC1 box is still referenced in the AD database if
you haven't removed it physically by performing a Metadata Cleanup process.

The reason your clients are still 'finding' DC1, which I am assuming you
don't want them to find DC1 to use as a logon server or as a server to
authenticate to, is because AD still thinks it exists.

This is because when you seize the 5 FSMO roles (PDC Emulator, RID Master,
Schema Master, Domain Name Master and Infrastructure Master), it doesn't
pull the reference out of the AD database nor does it pull it out of DNS
(the entries will still exist because the server still exists in its eyes),
nor out of the Sites and Services server list. It has to be manually deleted
from Sites and Services and DNS only after you run the Metadata Cleanup
procedure.

How to remove data in Active Directory after an unsuccessful domain
controller demotion Windows 2000 and 2003
http://support.microsoft.com/kb/216498
or
Cleanup Metadata Windows 2003
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

If Windows 2008:
Cleanup Server Metadata Windows 2008 (GUI Based)
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Also, if any of the workstations are at the other subnet or location where
DC1 still exists, and you try to move them to DC2's location, the
secure channel is skewed because of a number of reasons, one being the secure
password, Kerberos and the time stamp of the Kerb ticket, etc. Nltest and
netdom may not be able to fix that. You will literally need to disjoin and
rejoin the workstation.

I hope I was able to understand the problem.

Ace
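As an added example, not code from the thread or from any of the posters, the following PowerShell script ties Meinolf's pointer to the DC Locator process and Ace's explanation of stale DC metadata together: run on the member server, it asks Netlogon which DC it hands out (with and without `/force`, which bypasses Netlogon's cached answer), which DC holds the machine's secure channel, which DCs DNS advertises through the `_ldap._tcp.dc._msdcs` SRV record, and which servers still have an NTDS Settings object in the configuration partition. A DC that appears in AD metadata but not in DNS (or the reverse) is exactly the leftover that seizing FSMO roles does not remove. Assumptions: the domain name is a placeholder, `DC2` is the expected DC from the thread, `Resolve-DnsName` needs Windows 8 / Server 2012 or later, and `nltest.exe` must be present (built in from Server 2008; Support Tools on 2003).

```powershell
# Added example (not from the thread): compare what Netlogon's DC Locator
# returns on a member server with what DNS and the AD configuration partition
# advertise, so a stale DC reference shows up as a mismatch.
param(
    [string]$Domain     = 'corp.example.test',   # placeholder, assumed
    [string]$ExpectedDc = 'DC2'                  # the DC the thread wants found
)

function Get-LocatorDc {
    # Ask Netlogon which DC it would hand out. -Force adds /force so the
    # cached locator answer is ignored and a fresh lookup is performed.
    param([string]$Domain, [switch]$Force)
    $nlArgs = @("/dsgetdc:$Domain")
    if ($Force) { $nlArgs += '/force' }
    $out = & nltest.exe @nlArgs 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*DC:\s*\\\\([^\s]+)') { return $Matches[1] }
    }
    return $null
}

function Get-SecureChannelDc {
    # The DC that currently holds this machine's secure channel.
    param([string]$Domain)
    $out = & nltest.exe "/sc_query:$Domain" 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*Trusted DC Name\s+\\\\([^\s]+)') { return $Matches[1] }
    }
    return $null
}

function Get-SrvAdvertisedDcs {
    # DCs that DNS advertises for the domain via the _ldap._tcp.dc._msdcs SRV record.
    param([string]$Domain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } |
        Sort-Object -Unique
}

function Get-MetadataDcs {
    # Servers that still own an NTDS Settings object under CN=Sites in the
    # configuration partition. A DC whose roles were seized but whose metadata
    # was never cleaned up is still listed here.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($result in $searcher.FindAll()) {
        $ntdsDn   = $result.Properties['distinguishedname'][0]
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $server   = [ADSI]"LDAP://$serverDn"
        $host     = $server.Properties['dNSHostName'].Value
        if ($host) { ([string]$host).ToLower() }
    }
}

$locator = Get-LocatorDc -Domain $Domain
$fresh   = Get-LocatorDc -Domain $Domain -Force
$secChan = Get-SecureChannelDc -Domain $Domain
$srvDcs  = @(Get-SrvAdvertisedDcs -Domain $Domain)
$adDcs   = @(Get-MetadataDcs)

"Locator (cached): $locator"
"Locator (/force): $fresh"
"Secure channel  : $secChan"
"DNS SRV targets : $($srvDcs -join ', ')"
"AD NTDS Settings: $($adDcs -join ', ')"

# Any DC present on one side but not the other is the inconsistency Ace's
# post points at: seizing FSMO roles removes it from neither AD nor DNS.
$onlyInAd  = $adDcs  | Where-Object { $srvDcs -notcontains $_ }
$onlyInDns = $srvDcs | Where-Object { $adDcs  -notcontains $_ }
if ($onlyInAd)  { "STALE: in AD metadata but not in DNS SRV: $($onlyInAd -join ', ')" }
if ($onlyInDns) { "STALE: in DNS SRV but not in AD metadata: $($onlyInDns -join ', ')" }

foreach ($name in @($locator, $fresh, $secChan)) {
    if ($name -and $name -notmatch "^$ExpectedDc(\.|$)") {
        "WARNING: Netlogon is still using $name instead of $ExpectedDc"
    }
}
```

Reading the output in the thread's terms: if the `/force` lookup returns DC2 while the cached lookup and the secure channel still say DC1, the member server's own Netlogon state is the problem and `nltest /sc_reset:<domain>\DC2` re-points the secure channel without a reboot; if DC1 still shows up under "AD NTDS Settings", the directory itself still believes DC1 exists and the metadata cleanup Ace links is the fix, not anything on the member server.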