Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AD replication issue!!! [message #395196] Fri, 19 February 2010 09:58
Brad Pears
Help!!!

We have an SBS 2000 server and another win2k3 domain controller in our
environment. The two were replicating and have been for many years now.

Last week our SBS server crashed and I had to rebuild it. The last step was
to restore the system state - which restores AD among other things.

As soon as the machine came back up, I started testing to see if it was
actually fully functional again. Right away I noticed that I could not
access ANY shares - not even administrative shares using the server name
(\\server\share). I could only access them by specifying the ip address of
the SBS like this \\ip_address\share.

I then noticed that when I went into the active dir users and computers app,
it was now connecting automatically to the other domain controller's AD
database - NOT the one on this SBS machine - which is supposed to be the
"primary" DC. I was able to select "Connect to a domain controller" and had
to manually enter the SBS machine name as it was not listed in the window at
the bottom to select from - just the win2k3 DC was in there... After I
entered the SBS machine name I was able to connect to its AD.

I then realized that replication was not happening between the two machines
anymore. I am seeing ID 13508 in the File Replication Service event log.
("The file replication service is having trouble enabling replicating from
TRUE5 to TRUE3" etc... please note that TRUE5 is the win2k3 DC and TRUE3 is
the SBS machine.) As well, if I go to Active Dir Sites and Services and try
to force a replication, I am getting "Replication Access was denied". I am
also seeing IDs 1126 and 1655 in the "Directory Access" event log. 1126 is
an "unable to communicate with global catalog" error. 1655 is "an attempt to
communicate with the global catalog failed - reason ...replication access
was denied"

Where should I start to troubleshoot AD replication errors?? I really
believe the root of the issue is somehow related specifically to screwed up
permissions on the SBS machine that for some reason got screwed up during
the recovery process.

I have never really had to worry about any AD issues before - just set it up
and it works fine... so I am a complete newbie to this.

This issue is leading to many other issues - for example I am unable to
setup new users with exchange mailboxes and have them access them etc...
Exchange doesn't even see my SBS machine as a domain controller - it only
shows the other win2K3 dc!

Help!!!!

PS.. I recreated the SYSVOL and NETLOGON shares that were missing - not sure
if I should have or not...

Thanks, Brad
Re: AD replication issue!!! [message #395221 is a reply to message #395196] Fri, 19 February 2010 10:16
KevinJ.SBS
SBS2000 eh?

How old was the system state you restored and when was the last time you
verified that replication completed between the two DC's?

Also, when you 'rebuilt' the SBS server did you join the existing domain or
create a new one?

Suggest using the SBS specific groups which I'm adding for you.


--
/kj
Re: AD replication issue!!! [message #395247 is a reply to message #395221] Fri, 19 February 2010 10:46
aceman
How old is the backup that was used to restore the DC?
Did you use a backup, or an image restoration?

This sounds like an NTFRS Journal Wrap issue. See if the following will
help.

http://eventid.net/display.asp?eventid=13508&eventno=349&source=NtFrs&phase=1

Using the BurFlags registry key to reinitialize File Replication Service
replica sets
http://support.microsoft.com/kb/290762



Here are my notes on Journal Wraps from past troubleshooting steps ... I
hope you find them helpful.

===========================
Journal Wrap - What does it mean?

Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
http://support.microsoft.com/?id=292438

In a generalized summary, a Journal Wrap indicates it's trying to replicate
to another DC and the DC with the error's FRS service may have been shut off
for some reason. The Wrap error is based on the USN log or known as the USN
Journal. Everything and anything that gets replicated has a USN, or Update
Serial Number. Each DC has its own, and other DCs keep track of them so
they know whether they have the other DCs' latest changes and are up to date
on their own end. So generally, the USN Journal keeps track of changes made
to any NTFR drive, whether for DFS, DC replication of SYSVOL, etc. If
changes are made while the FRS service is shut down, it may get to a point
where the last time something was changed, and when the FRS service is
started, the last USN it's aware of no longer exists (because that much time
has passed by).

---

For your convenience, the steps are:

1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If
the DWORD Value does not exist, create a new one with the exact spelling as
above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
   13553 - The DC is performing the recovery process
   13554 - The DC is ready to pull the replica from another DC.
   13516 - At this point go to step 6. (the problem is resolved if you
   receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and
Sysvol Shares to appear. The Journal Wrap error is only fixed after the
Domain Controller receives the new SYSVOL replica from a peer Domain
Controller. This may take a period of time depending on where your peer DC
is located and on bandwidth.
7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0.


===========================
Now if it continues after these steps, then you would need to run an
Authoritative Restore, that is if you have a recent backup. Do you have a
backup? If not, and nothing else is running on it, and you have other DCs, I
would force demote it, then re-promote it back into a DC. If this is SBS,
this part won't work, and you need to fix it, period.

Using the BurFlags registry key to reinitialize File Replication
http://support.microsoft.com/kb/290762

How to rebuild the SYSVOL tree and its content in a domain.
If you set Burflags to D4 on a single domain controller and set Burflags to
D2 on all other domain controllers in that domain, you can rebuild the
SYSVOL ... I've also seen folks copy over the Sysvol folder, then set the
Burflag options as mentioned, it worked.
http://support.microsoft.com/kb/315457

How to Troubleshoot the File Replication Service
Check FRS event logs on both computers.
If Event ID 13508 is present, there may be a problem with the RPC service on
either computer
http://support.microsoft.com/kb/272279

Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
http://support.microsoft.com/?id=292438

How to disable the requirement that a global catalog server be available to
validate user logons
http://support.microsoft.com/kb/241789
===========================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
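
The monitoring in steps 5 to 7 of the post above, as an added example that is not part of the original posts: a Python check that reads exported File Replication Service events and `net share` output and reports how far the recovery has got. The `timestamp,event_id` export format, the sample data, the restart time and all function names are assumptions made for the illustration. Only events logged after the NTFRS restart are counted, and shares that are listed without a fresh 13516 do not count as completion.

```python
import csv
import io
from datetime import datetime

# Event IDs and meanings as given in step 5 of the post.
RECOVERY_STARTED = 13553   # the DC is performing the recovery process
READY_TO_PULL = 13554      # the DC is ready to pull the replica from another DC
RECOVERY_DONE = 13516      # resolved; go on to step 6

REQUIRED_SHARES = ("NETLOGON", "SYSVOL")   # step 6
TIME_FORMAT = "%Y-%m-%d %H:%M"             # assumed export format

# Constructed sample: the 13516 and 13508 entries predate the service restart.
SAMPLE_EVENTS = """timestamp,event_id
2010-02-19 09:10,13516
2010-02-19 12:00,13508
2010-02-19 13:05,13553
2010-02-19 13:06,13554
"""
RESTART_TIME = datetime(2010, 2, 19, 13, 0)   # constructed: when ntfrs was restarted

# Constructed 'net share' output; the paths are placeholders.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
NETLOGON     C:\WINNT\SYSVOL\sysvol\example.local\SCRIPTS
                                             Logon server share
SYSVOL       C:\WINNT\SYSVOL\sysvol          Logon server share
The command completed successfully.
"""


def parse_events(csv_text):
    """Return (time, event_id) tuples sorted by time; malformed rows are skipped."""
    events = []
    for rec in csv.reader(io.StringIO(csv_text)):
        if len(rec) < 2 or not rec[1].strip().isdigit():
            continue   # header, blank line or garbage
        try:
            when = datetime.strptime(rec[0].strip(), TIME_FORMAT)
        except ValueError:
            continue
        events.append((when, int(rec[1])))
    return sorted(events)


def shares_present(net_share_output):
    """Return which of the required shares appear as share names in the output."""
    found = set()
    for line in net_share_output.splitlines():
        fields = line.split()
        if fields and fields[0].upper() in REQUIRED_SHARES:
            found.add(fields[0].upper())
    return found


def recovery_status(csv_text, net_share_output, restart_time):
    """Map the events seen since the restart onto the steps of the procedure."""
    events = parse_events(csv_text)
    recent = [eid for when, eid in events if when >= restart_time]
    missing = sorted(set(REQUIRED_SHARES) - shares_present(net_share_output))

    if RECOVERY_DONE in recent:
        state = "shares-missing" if missing else "complete"
    elif READY_TO_PULL in recent:
        state = "waiting-for-replica"
    elif RECOVERY_STARTED in recent:
        state = "recovering"
    else:
        state = "not-started"

    return {
        "state": state,
        "missing_shares": missing,
        "stale_events_ignored": len(events) - len(recent),
        # Step 7 (setting the value back to 0) only once steps 5 and 6 both pass.
        "safe_to_reset_value": state == "complete",
    }


if __name__ == "__main__":
    print(recovery_status(SAMPLE_EVENTS, SAMPLE_NET_SHARE, RESTART_TIME))
```
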
Re: AD replication issue!!! [message #395254 is a reply to message #395221] Fri, 19 February 2010 10:53
Brad Pears
Hi there...

Ya, SBS 2000 - it's an old puppy that we are hoping to replace with SBS 2008
this year - funds permitting... In the meantime I need to keep this old
feller truckin along...

I should have elaborated a little more... When I said "rebuilt"... all I did
was to replace the power supply and two disks in the raid array that had
failed, then reconfigured the raid array, installed Win2K (standard) SP4
from the SBS cd's THEN restored drive c:\ and drive e:\ contents as well as
system state from our most recent backup exec backup sets. What I restored
was from a backup taken the night that it went down - but several hours
before.

So, I didn't have to join it to a domain - the restore should have set all
that back up again...

Incidentally, if I do a DCPROMO on the SBS box, it thinks that it already is
a domain controller - so it knows some things - just not enough!!!

As well, AD does still show both servers in the "Domain Controllers"
container and the AD Sites and Services still shows both servers there as
well.

Brad
Re: AD replication issue!!! [message #395284 is a reply to message #395254] Fri, 19 February 2010 11:10
KevinJ.SBS
Probably best to start with basic DCdiag, netdiag, etc especially ensuring
that each DC can resolve the other by name and number.


--
/kj
Re: AD replication issue!!! [message #395314 is a reply to message #395284] Fri, 19 February 2010 11:42
Brad Pears
OK, I'll do that... Where do I find these tools? Are they part of the
win2000 support tools?

I did check the DNS entries on both DC's and indeed there are proper PTR and
A records there for each machine in both forward and reverse lookup zones.
Everything else in there looks ok, but again, I have not ventured into this
very far so can't say that it is 100% correct - what I see makes sense to me
though...

Thanks, Brad
Re: AD replication issue!!! [message #395351 is a reply to message #395314] Fri, 19 February 2010 12:29
KevinJ.SBS
Yep, part of the support tools, but you might want to get the updated
version(s) from MS downloads:

http://www.microsoft.com/downloads/details.aspx?FamilyID=23870A87-8422-408C-9375-2D9AAF939FA3&displaylang=en

Did you have any errors on restore, system state in particular?

Brad Pears wrote:
> OK, I'll do that... Where do I find these tools? Are they part of the
> win2000 support tools?
>
> I did check the DNS entries on both DC's and indeed there are proper
> PTR and A records there for each machine in both forward and reverse
> lookup zones. Everything else in there looks ok, but again, I have
> not ventured into this very far so can't say that it is 100% correct
> - what I see makes sense to me though...
>
> Thanks, Brad
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:uE7Wk7YsKHA.4652@TK2MSFTNGP02.phx.gbl...
>> Probably best to start with basic DCdiag, netdiag, etc especially
>> ensuring that each DC can resolve the other by name and number.
>>
>> --
>> /kj

--
/kj
Re: AD replication issue!!! [message #395475 is a reply to message #395351] Fri, 19 February 2010 14:48
Brad Pears
Thanks, I found them on the SBS cd and installed them...

System state appeared to restore just fine during my "rebuilding" process
(well - it didn't report any errors at least...) I'll have to look into
doing an authoritative restore now that I have the DC running... I do have
another fairly recent backup of the system state that I could try to restore
from...

I ran dcdiag from the system tools and am getting some interesting entries in
the log regarding replication errors... It says that replication access was
denied (saw that in the logs) and that "the machine account for the
destination TRUE3 (our sbs server) is not configured properly. Check the
userAccountControl field. Kerberos error. The machine account is not present
or does not match on the destination, source or KDC servers."

Also, I get an error when testing MachineAccount. It says "TRUE3 is not a
server trust account"

Then I ran dcdiag /v on TRUE5 which is our windows 2003 server - it showed
even more interesting errors... I've attached the dcdiag log from that
here... There is a lot of stuff in there - some really interesting
things...

Can you make any heads or tails from that??

Thanks, Brad



"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:uICOSnZsKHA.3536@TK2MSFTNGP06.phx.gbl...
> Yep, part of the support tools, but you might want to get the updated
> version(s) from MS downloads;
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=23870A87-8422-408C-9375-2D9AAF939FA3&displaylang=en&displaylang=en
>
> Did you have any errors on restore, system state in particular?
>
> --
> /kj
>
>


  • Attachment: dcdiag.log
    (Size: 16.19KB, Downloaded 62 times)
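The dcdiag messages quoted in the post above ("Check the userAccountControl field", "TRUE3 is not a server trust account") refer to bit flags on the domain controller's computer object. The following is an added example, not part of the thread or of the attached logs: it decodes a userAccountControl value against the flags a DC account normally carries and pulls the failed tests out of dcdiag summary lines. The sample log text and the sample values are constructed for illustration.

```python
import re

# Documented userAccountControl bit flags that matter for computer accounts.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00020: "PASSWD_NOTREQD",
    0x00200: "NORMAL_ACCOUNT",
    0x01000: "WORKSTATION_TRUST_ACCOUNT",
    0x02000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# Typical value for a domain controller's computer account:
# SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION = 0x82000 (532480).
TYPICAL_DC = 0x82000


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def dc_account_problems(value):
    """List the reasons a computer account does not look like a healthy DC account."""
    problems = []
    if not value & 0x02000:
        problems.append("missing SERVER_TRUST_ACCOUNT")
    if value & 0x01000:
        problems.append("flagged WORKSTATION_TRUST_ACCOUNT (member machine, not a DC)")
    if value & 0x00002:
        problems.append("account is disabled")
    if not value & 0x80000:
        problems.append("missing TRUSTED_FOR_DELEGATION")
    return problems


# dcdiag ends each test with a dotted summary line:
#   ......................... <server> passed|failed test <TestName>
SUMMARY = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")


def failed_tests(log_text):
    """Map each server name to the dcdiag tests it failed, in log order."""
    failures = {}
    for line in log_text.splitlines():
        match = SUMMARY.match(line)
        if match and match.group(2) == "failed":
            failures.setdefault(match.group(1), []).append(match.group(3))
    return failures


# Constructed sample in dcdiag's layout; it is NOT the log attached to the post.
SAMPLE_LOG = """\
   Testing server: Default-First-Site-Name\\TRUE3
      Starting test: Connectivity
         ......................... TRUE3 passed test Connectivity
      Starting test: Replications
         [Replications Check,TRUE3] A recent replication attempt failed:
         ......................... TRUE3 failed test Replications
      Starting test: MachineAccount
         * TRUE3 is not a server trust account
         ......................... TRUE3 failed test MachineAccount
   Testing server: Default-First-Site-Name\\TRUE5
      Starting test: Connectivity
         ......................... TRUE5 passed test Connectivity
"""

if __name__ == "__main__":
    for server, tests in failed_tests(SAMPLE_LOG).items():
        print(server, "failed:", ", ".join(tests))
    # Constructed values: a typical DC account and a plain member machine.
    for value in (TYPICAL_DC, 0x1000):
        print(hex(value), decode_uac(value), dc_account_problems(value))
```

The userAccountControl value to feed in is the attribute read from the DC's computer object in the directory copy held by each domain controller; a mismatch between the two copies is itself worth noting.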
Re: AD replication issue!!! [message #395485 is a reply to message #395475] Fri, 19 February 2010 15:08
KevinJ.SBS
You did boot into DSRM mode and did a non-authoritative restore, right?

Please attach the dcdiag from your SBS server which should tell us more...
but I don't think your system state restored correctly or the correct
procedure was followed.

I'd advise against an authoritative restore at this point.

Brad Pears wrote:
> Thanks, I found them on the SBS cd and installed them...
>
> System state appeared to restore just fine during my "rebuilding"
> process (well - it didn't report any errors at least...) I'll have to
> look into doing an authoritative restore now that I have the DC
> running... I do have another fairly recent backup of the system
> state that I could try to restore from...
>
> I ran dcdiag from the system tools and am getting some interesting
> entries in the log regarding replication errors... It says that
> replication access was denied (saw that in the logs) and that "the
> machine account for the destination TRUE3 (our sbs server) is not
> configured properly. Check the userAccountControl field. Kerberos
> error. The machine account is not present or does not match on the
> destination, source or KDC servers."
>
> Also, I get an error when testing MachineAccount. It says "TRUE3 is
> not a server trust account"
>
> Then I ran dcdiag /v on TRUE5 which is our windows 2003 server - it
> showed even more interesting errors... I've attached the dcdiag log
> from that here... There is a lot of stuff in there - some really
> interesting things...
>
> Can you make any heads or tails from that??
>
> Thanks, Brad

--
/kj
Re: AD replication issue!!! [message #395527 is a reply to message #395485] Fri, 19 February 2010 16:11
Brad Pears
No I did not - because I was restoring the SBS machine from scratch (had to
replace some hardware) so the server was not a DC when I did the SBS
restore. I did a fresh install of win2k server using the SBS cd's, then
brought that installation up to SP4. I did NOT join it to the domain - left
it in the workgroup. At that point I restored the c: contents and the system
state from our backup exec backups taken the night it crashed and then
rebooted. Once it was started up I had to restore my exchange databases
etc... This was the disaster recovery procedure for SBS 2000 that I
followed from Backup Exec tech support. It wasn't until I had to add a new
user the next day that I realized there were serious problems...

I've attached the SBS dcdiag.log file here as well...

Brad

"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:uNXnaAbsKHA.4360@TK2MSFTNGP05.phx.gbl...
> You did boot into DSRM mode and did a non-authoritative restore, right?
>
> Please attach the dcdiag from your SBS server which should tell us more...
> but I don't think your system state restored correctly or the correct
> procedure was followed.
>
> I'd advise against an authoritative restore at this point.
>
> --
> /kj
>
>


Re: AD replication issue!!! [message #395655 is a reply to message #395527] Fri, 19 February 2010 20:02
aceman
"Brad Pears" <bradp@truenorthloghomes.com> wrote in message
news:OQeYTjbsKHA.4752@TK2MSFTNGP04.phx.gbl...
> No I did not - because I was restoring the SBS machine from scratch (had
> to replace some hardware) so the server was not a DC when I did the SBS
> restore. I did a fresh install of win2k server using the SBS cd's, then
> brought that installation up to SP4. I did NOT join it to the domain -
> left it in the workgroup. At that point I restored the c: contents and the
> system state from our backup exec backups taken the night it crashed and
> then rebooted. Once it was started up I had to restore my exchange
> databases etc... This was the disaster recovery procedure for SBS 2000
> that I followed from Backup Exec tech support. It wasn't until I had to
> add a new user the next day that I realized there were serious problems...
>
> I've attached the SBS dcdiag.log file here as well...
>
> Brad
>


To properly bring the machine back up to the previous state after restoring
the whole C, D, etc, drives, a system state restore in your scenario must be
done as a non-authoritative restore using DSRM.

Ace
Re: AD replication issue!!! [message #397441 is a reply to message #395655] Mon, 22 February 2010 12:46
Brad Pears
Ok, so it sounds like maybe a non-authoritative restore at this point in
time is what I should be trying... There are so many things that are so
screwed up with my SBS I don't really think that I have much of a choice...

The latest issue I am having today is that a new user that I added after the
restore of the SBS, who has been able to log into the domain since I set him
up, and was able to as recently as Saturday, can now no longer log on at all
to do anything - so the heat is on me.

I am just starting to look into this issue...
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:OVjshkdsKHA.6140@TK2MSFTNGP05.phx.gbl...
> To properly bring the machine back up to the previous state after
> restoring the whole C, D, etc, drives, a system state restore in your
> scenario must be done as a non-authoritative restore using DSRM.
>
> Ace
>
Re: AD replication issue!!! [message #397483 is a reply to message #397441] Mon, 22 February 2010 13:30
KevinJ.SBS
Yep. Do a non-authoritative restore in DSRM asap. It's only going to get
exponentially worse until you do.

Restart the server and do the dcdiag on both DC's with verification that
bidirectional replication is working before making *any* changes to AD
objects.

Brad Pears wrote:
> Ok, so it sounds like maybe a non-authoritative restore at this point
> in time is what I should be trying... There are so many things that
> are so screwed up with my SBS I don't really think that I have much
> of a choice...
>
> The latest issue I am having today is that a new user that I added
> after the restore of the SBS, who has been able to log into the
> domain since I set him up, and was able to as recently as Saturday,
> can now no longer log on at all to do anything - so the heat is on me.
>
> I am just starting to look into this issue...
> .
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
> message news:OVjshkdsKHA.6140@TK2MSFTNGP05.phx.gbl...
>> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
>> news:OQeYTjbsKHA.4752@TK2MSFTNGP04.phx.gbl...
>>> No I did not - because I was restoring the SBS machine from scratch
>>> (had to replace some hardware) so the server was not a DC when I
>>> did the SBS restore. I did a fresh install of win2k server using
>>> the SBS cd's, then brought that installation up to SP4. I did NOT
>>> join it to the domain - left it in the workgroup. At that point I
>>> restored the c: contents and the system state from our backup exec
>>> backups taken the night it crashed and then rebooted. Once it was
>>> started up I had to restore my exchange databases etc... This was
>>> the disaster recovery procedures for SBS 2000 that I followed from
>>> Backup Exec tech support. It wasn't until I had to add a new user
>>> the next day that I realized there were serious problems...
>>>
>>> I've attached the SBS dcdiag.log file here as well...
>>>
>>> Brad
>>>
>>
>>
>> To properly bring the machine back up to the previous state after
>> restoring the whole C, D, etc, drives, a system state restore in your
>> scenario must be done as a non-authoritative restore using DSRM.
>>
>> Ace

--
/kj
Re: AD replication issue!!! [message #397596 is a reply to message #397483] Mon, 22 February 2010 15:32
aceman
"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:eGiwg3$sKHA.6004@TK2MSFTNGP04.phx.gbl...
> Yep. Do a non-authoritative restore in DSRM asap. It's only going to get
> exponentially worse until you do.
>
> Restart the server and do the dcdiag on both DC's with verification that
> bidirectional replication is working before making *any* changes to AD
> objects.
>

Let's hope Brad does it ASAP. Brad, let us know how you make out.

Ace
Re: AD replication issue!!! [message #397713 is a reply to message #397596] Mon, 22 February 2010 19:09
Brad Pears
I am going to attempt this tomorrow (Tuesday) morning. I will just do a
system state restore - not a drive c: restore - as nothing there should be
an issue - it's all an AD issue...

Once I have completed the restore, if everything worked, will my other
win2k3 domain controller replicate its existing AD structure back to the
SBS machine or will the SBS replicate its restored structure out to the
other dc?? At this point it really doesn't matter what happens really - the
structure has not changed at all other than the new users I added last week
won't exist in the restored AD structure - but they do exist currently in
the backup DC's structure only. Might this cause an issue?? Should I remove
them from the other DC's structure before doing the restore??

I'm guessing leave it alone??

One other question I have.... if the restore doesn't wind up working, can
I make my win2k dc the PDC, RID master etc... so that I can just have the
one DC in the domain? That would allow me to set up a win2K machine with
Exchange only on it and then later set up another win2k3 backup DC thus
getting rid of SBS altogether... Is that what one would call "seizing the
FSMO roles"??? Not sure if this can actually be done when it comes to SBS
2000

Thanks, Brad

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%23d$Dq7AtKHA.1796@TK2MSFTNGP02.phx.gbl...
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:eGiwg3$sKHA.6004@TK2MSFTNGP04.phx.gbl...
>> Yep. Do a non-authoritative restore in DSRM asap. It's only going to get
>> exponentially worse until you do.
>>
>> Restart the server and do the dcdiag on both DC's with verification that
>> bidirectional replication is working before making *any* changes to AD
>> objects.
>>
>
> Let's hope Brad does it ASAP. Brad, let us know how you make out.
>
> Ace
>
>
>
Re: AD replication issue!!! [message #397763 is a reply to message #397713] Mon, 22 February 2010 20:23
KevinJ.SBS
Brad Pears wrote:
> I am going to attempt this tomorrow (Tuesday) morning. I will just do
> a system state restore - not a drive c: restore - as nothing there
> should be an issue - it's all an AD issue...
>
> Once I have completed the restore, if everything worked, will my other
> win2k3 domain controller replicate its existing AD structure back to
> the SBS machine or will the SBS replicate its restored structure out
> to the other dc??

The SBS server will initially be like it was at System State backup time.
The other DC will replicate all its changes and bring the SBS server up to
date. Then the SBS server can be used to make changes to the domain again.

> At this point it really doesn't matter what
> happens really - the structure has not changed at all other than the
> new users I added last week won't exist in the restored AD structure
> - but they do exist currently in the backup DC's structure only.

Well, there are still things changing in the domain. Computer accounts are
changing passwords, users may be changing passwords, .... some of it matters
and some of it might not, but changes are a happening.

> Might this cause an issue?? Should I remove them from the other DC's
> structure before doing the restore??

No. Do nothing to the other DC. Just do a non authoritative restore to the
SBS server. Check with dcdiag and validate replication.

>
> I'm guessing leave it alone??
>
> One other question I have.... if the restore doesn't wind up
> working, can I make my win2k dc the PDC, RID master etc... so that I
> can just have the one DC in the domain? That would allow me to set up
> a win2K machine with Exchange only on it and then later set up
> another win2k3 backup DC thus getting rid of SBS altogether... Is
> that what one would call "seizing the FSMO roles"??? Not sure if this
> can actually be done when it comes to SBS 2000

You really don't want to have to do that with SBS. Just do the non
authoritative restore and you should be good.

>
> Thanks, Brad
>
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
> message news:%23d$Dq7AtKHA.1796@TK2MSFTNGP02.phx.gbl...
>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>> news:eGiwg3$sKHA.6004@TK2MSFTNGP04.phx.gbl...
>>> Yep. Do a non-authoritative restore in DSRM asap. It's only going
>>> to get exponentially worse until you do.
>>>
>>> Restart the server and do the dcdiag on both DC's with verification
>>> that bidirectional replication is working before making *any*
>>> changes to AD objects.
>>>
>>
>> Let's hope Brad does it ASAP. Brad, let us know how you make out.
>>
>> Ace

--
/kj
Re: AD replication issue!!! [message #398162 is a reply to message #397763] Tue, 23 February 2010 10:24
Brad Pears
OK, so do the non-authoritative restore and then after the reboot, run
dcdiag on the SBS machine to check that everything is replicating properly?

Thanks, Brad

"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:eYOWFeDtKHA.5840@TK2MSFTNGP04.phx.gbl...
> Brad Pears wrote:
>> I am going to attempt this tomorrow (Tuesday) morning. I will just do
>> a system state restore - not a drive c: restore - as nothing there
>> should be an issue - it's all an AD issue...
>>
>> Once I have completed the restore, if everything worked, will my other
>> win2k3 domain controller replicate its existing AD structure back to
>> the SBS machine or will the SBS replicate its restored structure out
>> to the other dc??
>
> The SBS server will initially be like it was at System State backup time.
> The other DC will replicate all its changes and bring the SBS server up
> to date. Then the SBS server can be used to make changes to the domain
> again.
>
>> At this point it really doesn't matter what
>> happens really - the structure has not changed at all other than the
>> new users I added last week won't exist in the restored AD structure
>> - but they do exist currently in the backup DC's structure only.
>
> Well, there are still things changing in the domain. Computer accounts are
> changing passwords, users may be changing passwords, .... some of it
> matters and some of it might not, but changes are a happening.
>
>> Might this cause an issue?? Should I remove them from the other DC's
>> structure before doing the restore??
>
> No. Do nothing to the other DC. Just do a non authoritative restore to the
> SBS server. Check with dcdiag and validate replication.
>
>>
>> I'm guessing leave it alone??
>>
>> One other question I have.... if the restore doesn't wind up
>> working, can I make my win2k dc the PDC, RID master etc... so that I
>> can just have the one DC in the domain? That would allow me to set up
>> a win2K machine with Exchange only on it and then later set up
>> another win2k3 backup DC thus getting rid of SBS altogether... Is
>> that what one would call "seizing the FSMO roles"??? Not sure if this
>> can actually be done when it comes to SBS 2000
>
> You really don't want to have to do that with SBS. Just do the non
> authoritative restore and you should be good.
>
>>
>> Thanks, Brad
>>
>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
>> message news:%23d$Dq7AtKHA.1796@TK2MSFTNGP02.phx.gbl...
>>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>>> news:eGiwg3$sKHA.6004@TK2MSFTNGP04.phx.gbl...
>>>> Yep. Do a non-authoritative restore in DSRM asap. It's only going
>>>> to get exponentially worse until you do.
>>>>
>>>> Restart the server and do the dcdiag on both DC's with verification
>>>> that bidirectional replication is working before making *any*
>>>> changes to AD objects.
>>>>
>>>
>>> Let's hope Brad does it ASAP. Brad, let us know how you make out.
>>>
>>> Ace
>
> --
> /kj
>
Re: AD replication issue!!! [message #398169 is a reply to message #398162] Tue, 23 February 2010 10:34
KevinJ.SBS
Brad Pears wrote:
> OK, so do the non-authoritative restore and then after the reboot, run
> dcdiag on the SBS machine to check that everything is replicating
> properly?

Yep, but not a bad idea to run dcdiag on both DC's.

> Thanks, Brad
>
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:eYOWFeDtKHA.5840@TK2MSFTNGP04.phx.gbl...
>> Brad Pears wrote:
>>> I am going to attempt this tomorrow (Tuesday) morning. I will just
>>> do a system state restore - not a drive c: restore - as nothing
>>> there should be an issue - it's all an AD issue...
>>>
>>> Once I have completed the restore, if everything worked, will my
>>> other win2k3 domain controller replicate its existing AD structure
>>> back to the SBS machine or will the SBS replicate its restored
>>> structure out to the other dc??
>>
>> The SBS server will initially be like it was at System State backup
>> time. The other DC will replicate all its changes and bring the SBS
>> server up to date. Then the SBS server can be used to make changes
>> to the domain again.
>>
>>> At this point it really doesn't matter what
>>> happens really - the structure has not changed at all other than the
>>> new users I added last week won't exist in the restored AD structure
>>> - but they do exist currently in the backup DC's structure only.
>>
>> Well, there are still things changing in the domain. Computer
>> accounts are changing passwords, users may be changing passwords,
>> .... some of it matters and some of it might not, but changes are a
>> happening.
>>> Might this cause an issue?? Should I remove them from the other
>>> DC's structure before doing the restore??
>>
>> No. Do nothing to the other DC. Just do a non authoritative restore
>> to the SBS server. Check with dcdiag and validate replication.
>>
>>>
>>> I'm guessing leave it alone??
>>>
>>> One other question I have.... if the restore doesn't wind up
>>> working, can I make my win2k dc the PDC, RID master etc... so that
>>> I can just have the one DC in the domain? That would allow me to
>>> set up a win2K machine with Exchange only on it and then later set
>>> up another win2k3 backup DC thus getting rid of SBS altogether... Is
>>> that what one would call "seizing the FSMO roles"??? Not sure if
>>> this can actually be done when it comes to SBS 2000
>>
>> You really don't want to have to do that with SBS. Just do the non
>> authoritative restore and you should be good.
>>
>>>
>>> Thanks, Brad
>>>
>>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
>>> message news:%23d$Dq7AtKHA.1796@TK2MSFTNGP02.phx.gbl...
>>>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>>>> news:eGiwg3$sKHA.6004@TK2MSFTNGP04.phx.gbl...
>>>>> Yep. Do a non-authoritative restore in DSRM asap. It's only going
>>>>> to get exponentially worse until you do.
>>>>>
>>>>> Restart the server and do the dcdiag on both DC's with
>>>>> verification that bidirectional replication is working before
>>>>> making *any* changes to AD objects.
>>>>>
>>>>
>>>> Let's hope Brad does it ASAP. Brad, let us know how you make out.
>>>>
>>>> Ace
>>
>> --
>> /kj

--
/kj
Re: AD replication issue!!! [message #398170 is a reply to message #398169] Tue, 23 February 2010 10:39
aceman
"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
> Brad Pears wrote:
>> OK, so do the non-authoritative restore and then after the reboot, run
>> dcdiag on the SBS machine to check that everything is replicating
>> properly?
>
> Yep, but not a bad idea to run dcdiag on both DC's.
>


I agree. Run dcdiag /v (for verbose info).

Ace
Re: AD replication issue!!! [message #398231 is a reply to message #398170] Tue, 23 February 2010 11:19
Brad Pears
great - thanks guys... I have never had a problem with a domain controller
before - EVER, so this is all new to me!!!! unfortunately this is when you
wind up learning the most!!!!

Thanks Brad

PS... I'll keep you guys posted on how it goes...
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:OXtfz8KtKHA.1796@TK2MSFTNGP02.phx.gbl...
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
>> Brad Pears wrote:
>>> OK, so do the non-authoritative restore and then after the reboot, run
>>> dcdiag on the SBS machine to check that everything is replicating
>>> properly?
>>
>> Yep, but not a bad idea to run dcdiag on both DC's.
>>
>
>
> I agree. Run dcdiag /v (for verbose info).
>
> Ace
>
Re: AD replication issue!!! [message #398285 is a reply to message #398170] Tue, 23 February 2010 12:41
Brad Pears
When I currently run dcdiag on either of my domain controllers, it tells me
that a recent replication attempt failed from TRUE3 to TRUE5 (true3 is the
sbs, true5 is the other dc) and indicates that the target principal name is
incorrect...

Where do I check what the principal name is and what exactly is it supposed
to be???

Thanks, Brad

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:OXtfz8KtKHA.1796@TK2MSFTNGP02.phx.gbl...
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
>> Brad Pears wrote:
>>> OK, so do the non-authoritative restore and then after the reboot, run
>>> dcdiag on the SBS machine to check that everything is replicating
>>> properly?
>>
>> Yep, but not a bad idea to run dcdiag on both DC's.
>>
>
>
> I agree. Run dcdiag /v (for verbose info).
>
> Ace
>
Re: AD replication issue!!! [message #398308 is a reply to message #398285] Tue, 23 February 2010 13:16
KevinJ.SBS
Brad Pears wrote:
> When I currently run dcdiag on either of my domain controllers, it
> tells me that a recent replication attempt failed from TRUE3 to TRUE5
> (true3 is the sbs, true5 is the other dc) and indicates that the
> target principal name is incorrect...
>
> Where do I check what the principal name is and what exactly is it
> supposed to be???

One of the reasons replication is not working. Do your restore *then* check!

>
> Thanks, Brad
>
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
> message news:OXtfz8KtKHA.1796@TK2MSFTNGP02.phx.gbl...
>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>> news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
>>> Brad Pears wrote:
>>>> OK, so do the non-authoritative restore and then after the reboot,
>>>> run dcdiag on the SBS machine to check that everything is
>>>> replicating properly?
>>>
>>> Yep, but not a bad idea to run dcdiag on both DC's.
>>>
>>
>>
>> I agree. Run dcdiag /v (for verbose info).
>>
>> Ace

--
/kj
Re: AD replication issue!!! [message #398339 is a reply to message #398308] Tue, 23 February 2010 13:56
Brad Pears
LOL, got ya... doing that in 5 minutes.... will keep you posted...

Brad
"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:%23Oa9VUMtKHA.5276@TK2MSFTNGP02.phx.gbl...
> Brad Pears wrote:
>> When I currently run dcdiag on either of my domain controllers, it
>> tells me that a recent replication attempt failed from TRUE3 to TRUE5
>> (true3 is the sbs, true5 is the other dc) and indicates that the
>> target principal name is incorrect...
>>
>> Where do I check what the principal name is and what exactly is it
>> supposed to be???
>
> One of the reasons replication is not working. Do your restore *then*
> check!
>
>>
>> Thanks, Brad
>>
>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
>> message news:OXtfz8KtKHA.1796@TK2MSFTNGP02.phx.gbl...
>>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>>> news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
>>>> Brad Pears wrote:
>>>>> OK, so do the non-authoritative restore and then after the reboot,
>>>>> run dcdiag on the SBS machine to check that everything is
>>>>> replicating properly?
>>>>
>>>> Yep, but not a bad idea to run dcdiag on both DC's.
>>>>
>>>
>>>
>>> I agree. Run dcdiag /v (for verbose info).
>>>
>>> Ace
>
> --
> /kj
>
Re: AD replication issue!!! [message #398456 is a reply to message #398308] Tue, 23 February 2010 16:21
Brad Pears
bad news, I did the restore, rebooted, logged in and did the dcdiag... the
first dcdiag showed good results... and then it went south. FRS shows
replication errors (unable to replicate) in the event log, the next dcdiag
shows errors replicating, incorrect principal name etc... etc...

dcdiag on my other domain controller shows the same types of errors... I
wonder if that directory is toast. Maybe I should attempt a restore of its
system state. I do have a recent backup of its system state from just prior
to my SBS crash...

If I try that, should restore it, see what happens, and if that doesn't
clear things up - then restore my SBS system state again do you think??

The other option is to dig in there and try to fix things... but I will need
a lot of help doing that...

Brad

"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:%23Oa9VUMtKHA.5276@TK2MSFTNGP02.phx.gbl...
> Brad Pears wrote:
>> When I currently run dcdiag on either of my domain controllers, it
>> tells me that a recent replication attempt failed from TRUE3 to TRUE5
>> (true3 is the sbs, true5 is the other dc) and indicates that the
>> target principal name is incorrect...
>>
>> Where do I check what the principal name is and what exactly is it
>> supposed to be???
>
> One of the reasons replication is not working. Do your restore *then*
> check!
>
>>
>> Thanks, Brad
>>
>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
>> message news:OXtfz8KtKHA.1796@TK2MSFTNGP02.phx.gbl...
>>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>>> news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
>>>> Brad Pears wrote:
>>>>> OK, so do the non-authoritative restore and then after the reboot,
>>>>> run dcdiag on the SBS machine to check that everything is
>>>>> replicating properly?
>>>>
>>>> Yep, but not a bad idea to run dcdiag on both DC's.
>>>>
>>>
>>>
>>> I agree. Run dcdiag /v (for verbose info).
>>>
>>> Ace
>
> --
> /kj
>
Re: AD replication issue!!! [message #398515 is a reply to message #398456] Tue, 23 February 2010 18:04
KevinJ.SBS
Post the dcdiags from the SBS and the other DC. Make no changes to the other
DC.

Assuming that no errors occurred on the DSRM non authoritative restore, right?



Brad Pears wrote:
> bad news, I did the restore, rebooted, logged in and did the
> dcdiag... the first dcdiag showed good results... and then it went
> south. FRS shows replication errors (unable to replicate) in the
> event log, the next dcdiag shows errors replicating, incorrect
> principal name etc... etc...
> dcdiag on my other domain controller shows the same types of
> errors... I wonder if that directory is toast. Maybe I should
> attempt a restore of its system state. I do have a recent backup of
> its system state from just prior to my SBS crash...
>
> If I try that, should restore it, see what happens, and if that
> doesn't clear things up - then restore my SBS system state again do
> you think??
> The other option is to dig in there and try to fix things... but I
> will need a lot of help doing that...
>
> Brad
>
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:%23Oa9VUMtKHA.5276@TK2MSFTNGP02.phx.gbl...
>> Brad Pears wrote:
>>> When I currently run dcdiag on either of my domain controllers, it
>>> tells me that a recent replication attempt failed from TRUE3 to
>>> TRUE5 (true3 is the sbs, true5 is the other dc) and indicates that
>>> the target principal name is incorrect...
>>>
>>> Where do I check what the principal name is and what exactly is it
>>> supposed to be???
>>
>> One of the reasons replication is not working. Do your restore *then*
>> check!
>>
>>>
>>> Thanks, Brad
>>>
>>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
>>> message news:OXtfz8KtKHA.1796@TK2MSFTNGP02.phx.gbl...
>>>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>>>> news:uwn5E6KtKHA.3656@TK2MSFTNGP06.phx.gbl...
>>>>> Brad Pears wrote:
>>>>>> OK, so do the non-authoritative restore and then after the
>>>>>> reboot, run dcdiag on the SBS machine to check that everything is
>>>>>> replicating properly?
>>>>>
>>>>> Yep, but not a bad idea to run dcdiag on both DC's.
>>>>>
>>>>
>>>>
>>>> I agree. Run dcdiag /v (for verbose info).
>>>>
>>>> Ace
>>
>> --
>> /kj

--
/kj
Re: AD replication issue!!! [message #398530 is a reply to message #398515] Tue, 23 February 2010 18:21
aceman
"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:%23CA0C1OtKHA.3536@TK2MSFTNGP06.phx.gbl...
> Post the dcdiags from the SBS and the other DC. Make no changes to the
> other DC.
>
> Assuming that no errors occurred on the DSRM non authoritative restore,
> right?
>

I agree, that would be helpful to know.

I suggest for Brad to check the event logs too, if there were any errors
regarding the non-authoritative restore. Also, it would be helpful to see
all event log errors in any of the logs regarding AD (FRS, etc). Post the
EventID# and Source names.

I think it's time as well to see:

1. ipconfig /all from both DCs, too, please.
2. repadmin.exe /showrepl dc* /verbose /all /intersite (on both DCs)
3. ntfrsutl ds your_dc_name (on both DCs)

Ace
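
Added example, not part of any poster's message: one way to triage the `repadmin /showrepl` output requested above, by parsing the inbound-neighbor section and listing the partners whose last attempt failed. The sample text is constructed (the domain `example.local`, GUIDs, timestamps and failure counts are made up); only the TRUE3/TRUE5 names and the "target principal name is incorrect" error come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout `repadmin /showrepl` prints for inbound
# partners. Domain, GUIDs, timestamps and counts are made up for illustration.
SAMPLE = """\
Default-First-Site-Name\\TRUE3
DC Options: IS_GC
Site Options: (none)

==== INBOUND NEIGHBORS ======================================

DC=example,DC=local
    Default-First-Site-Name\\TRUE5 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2010-02-23 15:58:12 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        41 consecutive failure(s).
        Last success @ 2010-02-11 23:04:51.

CN=Configuration,DC=example,DC=local
    Default-First-Site-Name\\TRUE5 via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2010-02-23 15:58:12 was successful.
"""

SEC_E_WRONG_PRINCIPAL = -2146893022  # 0x80090322 as a signed 32-bit value

SRC_RE = re.compile(r"^\s+(\S.*?) via (\w+)\s*$")
ATTEMPT_RE = re.compile(
    r"^\s+Last attempt @ (\S+ \S+) "
    r"(?:was successful|failed, result (-?\d+) \((0x[0-9a-fA-F]+)\))")
FAIL_RE = re.compile(r"^\s+(\d+) consecutive failure")
SUCCESS_RE = re.compile(r"^\s+Last success @ (.+?)\.?\s*$")


@dataclass
class Link:
    naming_context: str
    source: str
    last_attempt: str = ""
    ok: Optional[bool] = None       # None until a "Last attempt" line is seen
    result: Optional[int] = None    # signed status code of a failed attempt
    message: str = ""
    failures: int = 0
    last_success: Optional[str] = None


def parse_showrepl(text: str) -> List[Link]:
    """Return one Link per (naming context, source DC) in the inbound section."""
    links: List[Link] = []
    nc, cur = None, None
    inbound = want_message = False
    for line in text.splitlines():
        if line.startswith("===="):            # section banner
            inbound, nc, cur = "INBOUND NEIGHBORS" in line, None, None
            continue
        if not inbound:
            continue
        if not line.strip():
            want_message = False
            continue
        if want_message and cur is not None:   # error text follows a failure
            cur.message, want_message = line.strip(), False
            continue
        if not line[0].isspace():              # unindented line: naming context
            nc, cur = line.strip(), None
            continue
        m = SRC_RE.match(line)
        if m and nc:
            cur = Link(nc, m.group(1))
            links.append(cur)
            continue
        if cur is None:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            cur.last_attempt = m.group(1)
            cur.ok = m.group(2) is None
            if not cur.ok:
                cur.result = int(m.group(2))
                want_message = True
            continue
        m = FAIL_RE.match(line)
        if m:
            cur.failures = int(m.group(1))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            cur.last_success = m.group(1)
    return links


def failing_links(links: List[Link]) -> List[Tuple[str, str, int, Optional[str], str]]:
    """List failing partners, marking authentication failures separately."""
    out = []
    for link in links:
        if link.ok is False:
            kind = ("authentication" if link.result == SEC_E_WRONG_PRINCIPAL
                    else "other")
            out.append((link.source, link.naming_context, link.failures,
                        link.last_success, kind))
    return out


if __name__ == "__main__":
    for row in failing_links(parse_showrepl(SAMPLE)):
        print(row)
```

Status 0x80090322 is an SSPI authentication error, so a link reported with kind `authentication` failed before any directory data was exchanged.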
Re: AD replication issue!!! [message #398594 is a reply to message #398530] Tue, 23 February 2010 20:38
Brad Pears
Hey guys, I wound up doing a non authoritative restore of my other DC and
that screwed things up even more - to the point where NO ONE could even log
onto the domain. OUCH!!! So then I figured I'd better do an authoritative
restore of my SBS to try to get it back and guess what.... It is now up and
running! My other DC is in safe mode (DFRS) as we speak (I was gonna attempt
another restore to it but decided against that once my SBS was up again.)
I'm kind of scared to boot it back up normally in case it causes havoc on
the network again and somehow replicates something that screws it all up
again. It shouldn't really because of the authoritative restore but I'm
nervous as heck!

Here's what I am thinking... Right now my sbs 2000 machine is the only DC
running and everything seems to be working without digging really deep -
cuz I am getting tired... been more than 12 hours now. I am thinking I want
to demote the other DC, clean it up and then either re-promote it OR promote
another one of my win2k3 servers to be a DC instead. I bet if I do this,
replication may just work...

Can you give me some instructions and/or suggestions on what I need to do
with that other DC to eliminate it as a dc, then clean it up and then
re-promote etc...??

What do you think?

Thanks fellas...

Brad

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:uGzVi%23OtKHA.712@TK2MSFTNGP04.phx.gbl...
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:%23CA0C1OtKHA.3536@TK2MSFTNGP06.phx.gbl...
>> Post the dcdiags from the SBS and the other DC. Make no changes to the
>> other DC.
>>
>> Assuming that no errors occurred on the DSRM non authoritative restore,
>> right?
>>
>
> I agree, that would be helpful to know.
>
> I suggest for Brad to check the event logs too, if there were any errors
> regarding the non-authoritative restore. Also, it would be helpful to see
> all event log errors in any of the logs regarding AD (FRS, etc). Post the
> EventID# and Source names.
>
> I think it's time as well to see:
>
> 1. ipconfig /all from both DCs, too, please.
> 2. repadmin.exe /showrepl dc* /verbose /all /intersite (on both DCs)
> 3. ntfrsutl ds your_dc_name (on both DCs)
>
> Ace
>
>
>
Re: AD replication issue!!! [message #398651 is a reply to message #398594] Tue, 23 February 2010 23:28
aceman
"Brad Pears" <bradp@truenorthloghomes.com> wrote in message
news:elSIXLQtKHA.732@TK2MSFTNGP06.phx.gbl...
> Hey guys, I wound up doing a non authoritative restore of my other DC and
> that screwed things up even more - to the point where NO ONE could even
> log onto the domain. OUCH!!! So then I figured I'd better do an
> authoritative restore of my SBS to try to get it back and guess what....
> It is now up and running! My other DC is in safe mode (DFRS) as we speak
> (I was gonna attempt another restore to it but decided against that once
> my SBS was up again.) I'm kind of scared to boot it back up normally in
> case it causes havoc on the network again and somehow replicates something
> that screws it all up again. It shouldn't really because of the
> authoritative restore but I'm nervous as heck!
>
> Here's what I am thinking... Right now my sbs 2000 machine is the only DC
> running and everything seems to be working without digging really deep -
> cuz I am getting tired... been more than 12 hours now. I am thinking I
> want to demote the other DC, clean it up and then either re-promote it OR
> promote another one of my win2k3 servers to be a DC instead. I bet if I do
> this, replication may just work...
>
> Can you give me some instructions and/or suggestions on what I need to do
> with that other DC to eliminate it as a dc, then clean it up and then
> re-promote etc...??
>
> What do you think?
>
> Thanks fellas...
>
> Brad

Hmm, you got lucky!

On the other DC, run:
dcpromo /forcedemote
Then delete its reference in Sites and Services

Just in case there are any references to that DC, run a MetaData
Cleanup:

How to remove data in Active Directory after an unsuccessful domain
controller demotion Windows 2000 and 2003
http://support.microsoft.com/kb/216498

Ace
Re: AD replication issue!!! [message #398943 is a reply to message #398651] Wed, 24 February 2010 09:29
Phillip Windell
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:eE8rIqRtKHA.1440@TK2MSFTNGP06.phx.gbl...

> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:elSIXLQtKHA.732@TK2MSFTNGP06.phx.gbl...
>> Hey guys, I wound up doing a non authoritative restore of my other DC and
>> that screwed things up even more - to the point where NO ONE could even
>
> Hmm, you got lucky!
>
> On the other DC, run:
> dcpromo /forcedemote
> Then delete its reference in Sites and Services
>
> Just in case there are any references to that DC, run a MetaData
> Cleanup:
>
> How to remove data in Active Directory after an unsuccessful domain
> controller demotion Windows 2000 and 2003
> http://support.microsoft.com/kb/216498


Kinda proves the point that:

1. a second DC with SBS is about worthless.
2. Good backups are the primary means of DR with SBS
3. Fatal flaw in the SBS concept of only one DC in that if there was a
hardware failure and identical hardware couldn't be found to replace
it,...your only good means of DR would be nearly worthless.
4. As soon as someone learns enough about SBS to deal with it effectively
then they have kinda outgrown either SBS or they have outgrown their job at
a place so small that they run SBS.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Re: AD replication issue!!! [message #399044 is a reply to message #398651] Wed, 24 February 2010 11:29
Brad Pears
Thanks Ace!

A couple questions...

1) Can I run the "demote" command in DFRS mode or do I have to boot it back
up regularly and then run it? I am very scared to start that puppy back up
in regular mode and have it connected to the network for fear of what might
happen once it connects. The AD I restored (authoritatively) last night
should be the newest version of AD so it shouldn't attempt a replication the
other way but I am still a little worried...

2) Can I delete the other DC I am demoting from AD Sites and Services BEFORE
I "demote" it or do I need to wait until after I have tried the demotion? I
realize that the demotion will attempt to remove it from AD but I am worried
about what it might do to my AD now that I have AD back up and running. I am
thinking I could just manually remove it from AD using the "AD cleanup" link
you supplied and run the demote on the other server with it not connected
at all to the network.

Thoughts?

Brad


"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:eE8rIqRtKHA.1440@TK2MSFTNGP06.phx.gbl...
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:elSIXLQtKHA.732@TK2MSFTNGP06.phx.gbl...
>> Hey guys, I wound up doing a non authoritative restore of my other DC and
>> that screwed things up even more - to the point where NO ONE could even
>> log onto the domain. OUCH!!! SO then I figured I'd better do an
>> authoritative restore of my SBS to try to get it back and guess what....
>> It is now up and running! My other DC is in safe mode (DFRS) as we speak
>> (I was gonna attempt another restore to it but decided against that once
>> my SBS was up again.) I'm kind of scared to boot it back up normally in
>> case it causes havoc on the network again and somehow replicates
>> something that screws it all up again. It shouldn't really because of
>> the authoritative restore but I'm nervous as heck!
>>
>> Here's what I am thinking... Right now my sbs 2000 machine is the only DC
>> running and everything seems to be working without digging really deep -
>> cuz I am getting tired... been more than 12 hours now. I am thinking I
>> want to demote the other DC, clean it up and then either re-promote it OR
>> promote another one of my win2k3 servers to be a DC instead. I bet if I
>> do this, replication may just work...
>>
>> Can you give me some instructions and/or suggestions on what I need to do
>> with that other DC to eliminate it as a dc, then clean it up and then
>> re-promote etc...??
>>
>> What do you think?
>>
>> Thanks fellas...
>>
>> Brad
>
> Hmm, you got lucky!
>
> On the other DC, run:
> dcpromo /forcedemote
> Then delete its reference in Sites and Services
>
> Just in case there are any references to that DC, run a MetaData
> Cleanup:
>
> How to remove data in Active Directory after an unsuccessful domain
> controller demotion Windows 2000 and 2003
> http://support.microsoft.com/kb/216498
>
> Ace
>
>
>
>
Re: AD replication issue!!! [message #399056 is a reply to message #399044] Wed, 24 February 2010 11:40
aceman
"Brad Pears" <bradp@truenorthloghomes.com> wrote in message
news:etHXA9XtKHA.3904@TK2MSFTNGP02.phx.gbl...
> Thanks Ace!
>
> A couple questions...
>
> 1) Can I run the "demote" command in DFRS mode or do I have to boot it
> back up regularly and then run it? I am very scared to start that puppy
> back up in regular mode and have it connected to the network for fear of
> what might happen once it connects. The AD I restored (authoritatively)
> last night should be the newest version of AD so it shouldn't attempt a
> replication the other way but I am still a little worried...

You have to have it up in normal mode to demote it. The /forcedemote switch
forces it out of AD, therefore it needs the other DC (SBS) up and running.
It won't cause any problems other than what you already have!

>
> 2) Can I delete the other DC I am demoting from AD Sites and Services
> BEFORE I "demote" it or do I need to wait until after I have tried the
> demotion? I realize the demotion will attempt to remove it from AD but
> I am worried about what it might do to my AD now that I have AD back up
> and running. I am thinking I could just manually remove it from AD using
> the "AD cleanup" link you supplied and run the demote on the other server
> with it not connected at all to the network.

Remove it after the demotion. That is a post-task.

Then run the metadata cleanup procedure to make sure its reference no
longer exists in the AD database. It's a rather simple procedure if you
follow the steps verbatim. If you miss a step, then it will cause confusion.

> Thoughts?
>
> Brad

Brad, hang in there, you are almost there. Don't read into it what's not
there. Just follow the process I've recommended, and you should be ok.

Ace
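
The metadata cleanup from KB 216498 referred to in the reply above, written out as a batch file for the surviving DC. This is an added example, not part of the original posts or of the KB article; TRUE3 and TRUE5 are the server names from the first post, and the three index values are placeholders to be replaced with the numbers that the first pass prints.

```bat
@echo off
REM Added example, not from the thread. Run on the surviving DC after the
REM other DC has been demoted. TRUE3 / TRUE5 are the names used in the
REM first post; the index values are placeholders (assumptions).
setlocal
set GOOD_DC=TRUE3
set DOMAIN_IDX=0
set SITE_IDX=0
set SERVER_IDX=1

REM Pass 1 (read-only): print the numbered domains, sites and the servers
REM in the chosen site, so the right indexes can be set above.
ntdsutil "metadata cleanup" "connections" "connect to server %GOOD_DC%" "quit" "select operation target" "list domains" "list sites" "select site %SITE_IDX%" "list servers in site" "quit" "quit" "quit"

echo.
echo Confirm that server index %SERVER_IDX% in the list above is the
echo demoted DC (TRUE5) and NOT %GOOD_DC%.
echo Press Ctrl+C now to stop without changing anything.
pause

REM Pass 2: select domain, site and server in that order, leave the
REM "select operation target" menu, then remove the selected server.
REM ntdsutil asks for confirmation before it deletes the server object.
ntdsutil "metadata cleanup" "connections" "connect to server %GOOD_DC%" "quit" "select operation target" "select domain %DOMAIN_IDX%" "select site %SITE_IDX%" "select server %SERVER_IDX%" "quit" "remove selected server" "quit" "quit"

endlocal
```

Selecting the wrong index removes the wrong server's metadata, which is why the listing and the removal are separate passes with a pause between them.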
Re: AD replication issue!!! [message #399164 is a reply to message #399056] Wed, 24 February 2010 14:07
Brad Pears
Thanks Ace... I am going to give it a go now... I really appreciate your
help!

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%23zLNfDYtKHA.4752@TK2MSFTNGP04.phx.gbl...
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:etHXA9XtKHA.3904@TK2MSFTNGP02.phx.gbl...
>> Thanks Ace!
>>
>> A couple questions...
>>
>> 1) Can I run the "demote" command in DFRS mode or do I have to boot it
>> back up regularly and then run it? I am very scared to start that puppy
>> back up in regular mode and have it connected to the network for fear of
>> what might happen once it connects. The AD I restored (authoritatively)
>> last night should be the newest version of AD so it shouldn't attempt a
>> replication the other way but I am still a little worried...
>
> You have to have it up in normal mode to demote it. The /forcedemote
> switch forces it out of AD, therefore it needs the other DC (SBS) up and
> running. It won't cause any problems other than what you already have!
>
>>
>> 2) Can I delete the other DC I am demoting from AD Sites and Services
>> BEFORE I "demote" it or do I need to wait until after I have tried the
>> demotion? I realize the demotion will attempt to remove it from AD
>> but I am worried about what it might do to my AD now that I have AD back
>> up and running. I am thinking I could just manually remove it from AD
>> using the "AD cleanup" link you supplied and run the demote on the other
>> server with it not connected at all to the network.
>
> Remove it after the demotion. That is a post-task.
>
> Then run the metadata cleanup procedure to make sure its reference no
> longer exists in the AD database. It's a rather simple procedure if you
> follow the steps verbatim. If you miss a step, then it will cause
> confusion.
>
>> Thoughts?
>>
>> Brad
>
> Brad, hang in there, you are almost there. Don't read into it what's not
> there. Just follow the process I've recommended, and you should be ok.
>
> Ace
>
>
>
>
Re: AD replication issue!!! [message #399174 is a reply to message #399164] Wed, 24 February 2010 14:13
aceman
"Brad Pears" <bradp@truenorthloghomes.com> wrote in message
news:%23fR4oVZtKHA.4860@TK2MSFTNGP05.phx.gbl...
> Thanks Ace... I am going to give it a go now... I really appreciate your
> help!
>


You are welcome! Don't forget KJ and anyone else that was helping, too.

Ace
Re: AD replication issue!!! [message #399175 is a reply to message #398651] Wed, 24 February 2010 14:13
Brad Pears
Ace, the FRS service is stopped on my SBS (I did this). Does this need to be
started before I "demote" the other DC??

Brad
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:eE8rIqRtKHA.1440@TK2MSFTNGP06.phx.gbl...
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:elSIXLQtKHA.732@TK2MSFTNGP06.phx.gbl...
>> Hey guys, I wound up doing a non authoritative restore of my other DC and
>> that screwed things up even more - to the point where NO ONE could even
>> log onto the domain. OUCH!!! SO then I figured I'd better do an
>> authoritative restore of my SBS to try to get it back and guess what....
>> It is now up and running! My other DC is in safe mode (DFRS) as we speak
>> (I was gonna attempt another restore to it but decided against that once
>> my SBS was up again.) I'm kind of scared to boot it back up normally in
>> case it causes havoc on the network again and somehow replicates
>> something that screws it all up again. It shouldn't really because of
>> the authoritative restore but I'm nervous as heck!
>>
>> Here's what I am thinking... Right now my sbs 2000 machine is the only DC
>> running and everything seems to be working without digging really deep -
>> cuz I am getting tired... been more than 12 hours now. I am thinking I
>> want to demote the other DC, clean it up and then either re-promote it OR
>> promote another one of my win2k3 servers to be a DC instead. I bet if I
>> do this, replication may just work...
>>
>> Can you give me some instructions and/or suggestions on what I need to do
>> with that other DC to eliminate it as a dc, then clean it up and then
>> re-promote etc...??
>>
>> What do you think?
>>
>> Thanks fellas...
>>
>> Brad
>
> Hmm, you got lucky!
>
> On the other DC, run:
> dcpromo /forcedemote
> Then delete its reference in Sites and Services
>
> Just in case there are any references to that DC, run a MetaData
> Cleanup:
>
> How to remove data in Active Directory after an unsuccessful domain
> controller demotion Windows 2000 and 2003
> http://support.microsoft.com/kb/216498
>
> Ace
>
>
>
>
Re: AD replication issue!!! [message #399193 is a reply to message #399174] Wed, 24 February 2010 14:41
Brad Pears
Yes absolutely, thanks to everyone for helping me out... I know it was an
effort by several folks!!! You guys have likely all been in the same boat
as me at one time or another so this you can't google!! It's nice to be
able to talk with someone who has actually been there!!

Thanks to all for your efforts in helping me get this resolved...

Brad
"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:u6IC4YZtKHA.4568@TK2MSFTNGP05.phx.gbl...
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:%23fR4oVZtKHA.4860@TK2MSFTNGP05.phx.gbl...
>> Thanks Ace... I am going to give it a go now... I really appreciate your
>> help!
>>
>
>
> You are welcome! Don't forget KJ and anyone else that was helping, too.
>
> Ace
>
Re: AD replication issue!!! [message #399208 is a reply to message #399174] Wed, 24 February 2010 14:56
Brad Pears
HOLY CRAP!!!!

I restarted my other domain controller, and guess what??? Everything seems
to be working!! Both dc's are replicating and I'm not getting a bunch of
errors in either of the event logs!!! Things are looking pretty clean...

I'll leave it like this for a bit and we'll see what happens...

Thanks again for all your help!!!!


"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:u6IC4YZtKHA.4568@TK2MSFTNGP05.phx.gbl...
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:%23fR4oVZtKHA.4860@TK2MSFTNGP05.phx.gbl...
>> Thanks Ace... I am going to give it a go now... I really appreciate your
>> help!
>>
>
>
> You are welcome! Don't forget KJ and anyone else that was helping, too.
>
> Ace
>
Re: AD replication issue!!! [message #399237 is a reply to message #399208] Wed, 24 February 2010 15:42
aceman
"Brad Pears" <bradp@truenorthloghomes.com> wrote in message
news:uLPs$wZtKHA.4624@TK2MSFTNGP02.phx.gbl...
> HOLY CRAP!!!!
>
> I restarted my other domain controller, and guess what??? Everything
> seems to be working!! Both dc's are replicating and I'm not getting a
> bunch of errors in either of the event logs!!! Things are looking pretty
> clean...
>
> I'll leave it like this for a bit and we'll see what happens...
>
> Thanks again for all your help!!!!
>


A restart did it?? Hmm, interesting. Maybe a simple netlogon restart could
have done the trick? Well, keep tabs on it, and let us know what happens.

Ace
Re: AD replication issue!!! [message #399238 is a reply to message #399193] Wed, 24 February 2010 15:43
aceman
"Brad Pears" <bradp@truenorthloghomes.com> wrote in message
news:ejL9aoZtKHA.4624@TK2MSFTNGP02.phx.gbl...
> Yes absolutely, thanks to everyone for helping me out... I know it was an
> effort by several folks!!! You guys have likely all been in the same boat
> as me at one time or another so this you can't google!! It's nice to be
> able to talk with someone who has actually been there!!
>
> Thanks to all for your efforts in helping me get this resolved...
>


I knew all of this because I slept at a Holiday Inn last night. :-)

You are welcome.

Ace
Re: AD replication issue!!! [message #399247 is a reply to message #399238] Wed, 24 February 2010 15:51
KevinJ.SBS
Ace Fekay [MVP-DS, MCT] wrote:
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:ejL9aoZtKHA.4624@TK2MSFTNGP02.phx.gbl...
>> Yes absolutely, thanks to everyone for helping me out... I know it
>> was an effort by several folks!!! You guys have likely all been in
>> the same boat as me at one time or another so this you can't
>> google!! It's nice to be able to talk with someone who has actually
>> been there!! Thanks to all for your efforts in helping me get this
>> resolved...
>>
>
>
> I knew all of this because I slept at a Holiday Inn last night. :-)

....and being a very *patient* and dedicated professional. Kudos Ace.

>
> You are welcome.
>
> Ace

--
/kj
Re: AD replication issue!!! [message #399248 is a reply to message #399237] Wed, 24 February 2010 15:59
Brad Pears
Funny you should say that... the sysvol and netlogon shares were not
present on the other win2k3 dc - and the scripts and policies folders were
missing. I had made a copy of them previously and placed them on the c:
drive as a backup, so I copied them back to where they belong, stopped frs,
changed burflags to "d4", (changed burflags to d2 on my sbs) and then
restarted frs on the other DC. Now I have the sysvol and netlogon shares but
it has also created duplicates of the sysvol and netlogon directories - and
given them different names. As well, these duplicate directories have
replicated over to the SBS machine... What is the best way to clean all of
this up?? The good news is that the shares are functional and the proper
dirs (scripts and policies) are present. Do I need to worry about getting
rid of the other duplicate scripts and policies folders that it created??
Should I just delete them from one of the machines - which should remove
them through replication on the other right???

Thanks, Brad


"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%239sRqKatKHA.3656@TK2MSFTNGP06.phx.gbl...
> "Brad Pears" <bradp@truenorthloghomes.com> wrote in message
> news:uLPs$wZtKHA.4624@TK2MSFTNGP02.phx.gbl...
>> HOLY CRAP!!!!
>>
>> I restarted my other domain controller, and guess what??? Everything
>> seems to be working!! Both dc's are replicating and I'm not getting a
>> bunch of errors in either of the event logs!!! Things are looking pretty
>> clean...
>>
>> I'll leave it like this for a bit and we'll see what happens...
>>
>> Thanks again for all your help!!!!
>>
>
>
> A restart did it?? Hmm, interesting. Maybe a simple netlogon restart could
> have done the trick? Well, keep tabs on it, and let us know what happens.
>
> Ace
>