Cincinnerdi Tech Stuff

How NOT to decommission an Active Directory Domain Controller


This is the story of a nightmare. A simple act, carelessly performed, that ended up trashing an entire Active Directory domain. It was only a test domain, but the extent of the efforts attempting to resurrect it taught me just how frail an Active Directory setup is and the importance of backup, research and planning.

Well, the Domain Controller down in the basement only had until the 24th before it became unusable, so I made sure I had any files I needed backed up and zapped it. Installed a fresh copy of Windows Vista RC1 and completely wiped out the Win server (WinSrv2) AND Ubuntu 6.04 (dual boot). A minute or two later I thought, “Oh, that’s right, WinSrv2 was the first Domain Controller I had established in the forest.” (WinSrv1 is a distant memory.) “Gee, I wonder if there was a procedure for demoting it gracefully.”

Oh, well. We’ll see what happens.

A couple of days later I’m running my MMC (Scott’s Management Console) on server Redboot-Lab and receive:

I selected the third choice, “Use any available domain controller”, and it seemed to work. In the Domain Controllers container, it still lists REDBOOT-LAB (the remaining DC) and WINSRV2. Let’s see, what if I just delete it? I get the nifty message:

And when I click Yes I get:

It seems that the only logical choice in this circumstance is the third, since it ain’t comin’ back. Looks like it wanted me to demote it using DCPROMO. Hmm, I need to do a little research. But for now I’ll just click it and see what happens.

Hmm, I’ve got some time, I’ll click Yes. Didn’t take long. Let’s close and restart the MMC.

Oops, I’m still getting:

I’ll try the 1st choice. Now what the…? I get:

Isn’t THIS a domain controller? I’m also getting some pretty spooky red x’s in the MMC:

And weren’t those Group Policy Object Editors saying Default Domain Controller Policy…??!!

When I try to add a Group Policy Object now and specify Local Computer I get:

Hmm. I’m going to go back and read above about promoting this machine via DCPROMO.

Okay, thanks for your patience. At NO TIME did I document making this a domain controller. Also, I noticed that I was using the other domain controller as the DNS server. But the other day I took that down and am using a DHCP-assigned IP. Yikes. So it seems I need to:

  1. Make THIS machine (Redboot-Lab) a DNS server
  2. Use DCPROMO to make this a Domain Controller.

Just for kicks, I ran DCPROMO and got:

Clicking Next gives you:

Very interesting. I clicked Cancel.

Looking at AD Management and clicking on the properties of the only remaining DC we get:

Yikes, down in the bowels of AD and DNS. Look where this led. I had to delete many winsrv2 entries and change others from winsrv2 to redboot-lab manually. Ugggh.

But I set the IP address back to 192.168.1.5, set DNS to point at myself (192.168.1.5), and it worked! I don’t know why I’m always amazed when something works.

Sunday, November 26, 2006

But wait, we’ve hit a snag. I added an OU for Fam, and sub-OUs for Fam computers and Fam users. Then a group in Fam users called Fam group. But when I tried to create a new user in that OU called Kelse, I got:

WHAT server isn’t running? I clicked OK and it then prompted me for Kelsey’s password, which I set to Kelsey08

I ran DCDIAG and got a bunch of problems. See 1st printout at Appendix A.

More info:

So I went one level deeper and tried to delete. See branching, message and option chosen below:

I then deleted the WINSRV2 line.

Ran DCDIAG and got a lot of the same messages, but looked worse somehow. See 2nd printout at Appendix A.

I looked at the tree and it seemed to have pruned the reference to Delete: WINSRV2. I decided to check the Global Catalog box seen below. Then reset the server. Let’s cross our fingers.

Didn’t do much. Read KB article 837513, Method 4, about using adsiedit.msc. Hmm, not on my system. Had to go to z:\support\tools\suptools.msi and install it in the C:\Program Files folder.

Whoa, this is scary. Here’s an excerpt: the userAccountControl is supposed to be 532480 and it was:

Looks bad. You can look at the listing below for more details, but what became apparent was that I had major league hosed this install of Windows Server 2003. Good thing it was a test system. There are many relevant pages on Microsoft’s web site about how to do this properly. These pages testify to the importance of not zapping Active Directory stuff in a cavalier manner.
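What the errors above add up to is the standard dead-DC procedure: seize the FSMO roles the wiped DC held, remove its metadata with ntdsutil instead of deleting it in Sites and Services, make the survivor a Global Catalog, and only then clean the stale DNS records by hand. Here is that procedure as an added example for this page; it is not the author’s script and not taken from Microsoft’s articles. It assumes the names from the post (REDBOOT-LAB, WINSRV2, ad.multi.com, Default-First-Site-Name, and the DSA GUID from Appendix A), the Windows Server 2003 SP1 ntdsutil syntax, the 2003 default of a separate _msdcs zone, and an NTP peer of time.windows.com; those assumptions are also marked in the comments. Run it on the surviving DC before deleting anything by hand, because ntdsutil needs the live server object that the Sites and Services deletion removes:

```batch
@echo off
rem Added example, not the original post's steps: the clean-up a dead domain
rem controller needs when it was wiped without DCPROMO, as WINSRV2 was above.
rem Run on the surviving DC (REDBOOT-LAB) as an Enterprise Admin, with the
rem Windows Server 2003 SP1 or later Support Tools (suptools.msi) installed for
rem dnscmd, repadmin, netdom and nltest; ntdsutil, dsquery and dsmod are built in.
rem Names come from the post; the NTP peer and DNS zone layout are assumptions.
rem Take a system-state backup of REDBOOT-LAB first: nothing below can be undone,
rem and the seized roles must never meet the old holder again.

set DOMAIN=ad.multi.com
set DOMAIN_DN=DC=ad,DC=multi,DC=com
set SITE_DN=CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%DOMAIN_DN%
set LIVE_DC=REDBOOT-LAB
set DEAD_DC=WINSRV2
rem DSA GUID of the dead DC, taken from the dcdiag output in Appendix A.
set DEAD_DSA_GUID=fd94186d-370e-485a-ae50-16c88bd83bb4

rem 1. Establish what the dead DC owned. Appendix A shows it holding all five
rem    FSMO roles and dcdiag finding no Global Catalog at all, so every step
rem    below applies here; in general, only seize the roles the dead DC held.
netdom query fsmo
dcdiag /s:%LIVE_DC% /test:KnowsOfRoleHolders /test:FsmoCheck

rem 2. Seize the roles onto the survivor (KB 255504). ntdsutil tries a transfer
rem    first and pops a Yes/No confirmation per role, so run this interactively.
rem    "seize domain naming master" is the Windows Server 2003 wording; 2008 and
rem    later spell it "seize naming master".
ntdsutil roles connections "connect to server %LIVE_DC%" quit ^
  "seize schema master" "seize domain naming master" "seize PDC" ^
  "seize RID master" "seize infrastructure master" quit quit

rem 3. Remove the dead DC's metadata (KB 216498). Deleting the server in Sites
rem    and Services, as the post did, only tombstones it and leaves the deleted
rem    NTDS Settings object that the second dcdiag still lists as the role owner.
rem    The SP1 form of "remove selected server" takes the server DN directly and
rem    also removes the FRS member and computer objects; it needs the server
rem    object to still exist, so do this instead of the manual deletion.
ntdsutil "metadata cleanup" connections "connect to server %LIVE_DC%" quit ^
  "remove selected server CN=%DEAD_DC%,%SITE_DN%" quit quit

rem 4. Make the survivor a Global Catalog (the post ticked the box by hand) and
rem    give the new PDC emulator an external time source so it advertises as a
rem    time server again; dcdiag's Advertising test failed on exactly that.
rem    time.windows.com is an assumption; any reachable NTP source will do.
dsmod server "CN=%LIVE_DC%,%SITE_DN%" -isgc yes
w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
net stop w32time & net start w32time

rem 5. DNS. Metadata cleanup does not touch DNS; the stale records that kept
rem    sending replication to a ghost go by hand, which is the part the post
rem    found "down in the bowels of AD and DNS". List anything still naming the
rem    dead DC, then delete it record by record. The CNAME below is the
rem    guid-based name dcdiag complained about; the _msdcs zone name assumes the
rem    Windows Server 2003 default layout.
dnscmd %LIVE_DC% /ZonePrint %DOMAIN% | findstr /i %DEAD_DC%
dnscmd %LIVE_DC% /ZonePrint _msdcs.%DOMAIN% | findstr /i "%DEAD_DC% %DEAD_DSA_GUID%"
dnscmd %LIVE_DC% /RecordDelete _msdcs.%DOMAIN% %DEAD_DSA_GUID% CNAME /f
rem    One SRV record as an illustration (node and data are assumptions; copy
rem    the real ones from the ZonePrint output above):
rem    dnscmd %LIVE_DC% /RecordDelete %DOMAIN% _ldap._tcp SRV 0 100 389 winsrv2.ad.multi.com. /f
rem    Then re-register the survivor's own records now that it uses itself for DNS.
nltest /dsregdns

rem 6. Verify. The DC's machine account must read 532480 (0x82000 =
rem    SERVER_TRUST_ACCOUNT 0x2000 + TRUSTED_FOR_DELEGATION 0x80000); anything
rem    else is the ADSI Edit repair that the post's KB 837513 reference covers.
dsquery * "OU=Domain Controllers,%DOMAIN_DN%" -filter "(objectClass=computer)" -attr name userAccountControl
netdom query fsmo
nltest /dsgetdc:%DOMAIN% /gc
repadmin /showrepl %LIVE_DC%
dcdiag /s:%LIVE_DC% /q
```

The seize commands each confirm with a dialog and attempt a transfer first, so this runs interactively rather than unattended. When it has worked, dcdiag /q prints nothing, netdom query fsmo names REDBOOT-LAB for all five roles, nltest finds a GC, and repadmin no longer lists WINSRV2 as a partner. The one thing that must never happen afterwards is the old WINSRV2 reappearing on the network as a DC: a freshly reinstalled box promoted under the same name is fine after this clean-up, but a restored image of the original would fight the seized roles and hand out duplicate RIDs.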

Appendix A – DCDIAG results before and after zapping

1st printout

C:\Documents and Settings\administrator.MNC-DOMAIN>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\REDBOOT-LAB
      Starting test: Connectivity
         ......................... REDBOOT-LAB passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\REDBOOT-LAB
      Starting test: Replications
         [Replications Check,REDBOOT-LAB] A recent replication attempt failed:
            From WINSRV2 to REDBOOT-LAB
            Naming Context: DC=DomainDnsZones,DC=ad,DC=multi,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2006-11-26 13:56:26.
            The last success occurred at 2006-11-12 22:47:52.
            118 failures have occurred since the last success.
            [WINSRV2] DsBindWithSpnEx() failed with error 1722,
            The RPC server is unavailable..
         [Replications Check,REDBOOT-LAB] A recent replication attempt failed:
            From WINSRV2 to REDBOOT-LAB
            Naming Context: DC=ForestDnsZones,DC=ad,DC=multi,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2006-11-26 13:56:26.
            The last success occurred at 2006-11-12 22:47:52.
            118 failures have occurred since the last success.
         [Replications Check,REDBOOT-LAB] A recent replication attempt failed:
            From WINSRV2 to REDBOOT-LAB
            Naming Context: CN=Schema,CN=Configuration,DC=ad,DC=multi,DC=com
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2006-11-26 13:56:31.
            The last success occurred at 2006-11-12 22:47:52.
            118 failures have occurred since the last success.
            The guid-based DNS name fd94186d-370e-485a-ae50-16c88bd83bb4._msdcs.ad.multi.com
            is not registered on one or more DNS servers.
         [Replications Check,REDBOOT-LAB] A recent replication attempt failed:
            From WINSRV2 to REDBOOT-LAB
            Naming Context: CN=Configuration,DC=ad,DC=multi,DC=com
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2006-11-26 13:56:29.
            The last success occurred at 2006-11-12 23:08:23.
            118 failures have occurred since the last success.
            The guid-based DNS name fd94186d-370e-485a-ae50-16c88bd83bb4._msdcs.ad.multi.com
            is not registered on one or more DNS servers.
         [Replications Check,REDBOOT-LAB] A recent replication attempt failed:
            From WINSRV2 to REDBOOT-LAB
            Naming Context: DC=ad,DC=multi,DC=com
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2006-11-26 13:56:26.
            The last success occurred at 2006-11-12 22:55:37.
            148 failures have occurred since the last success.
            The guid-based DNS name fd94186d-370e-485a-ae50-16c88bd83bb4._msdcs.ad.multi.com
            is not registered on one or more DNS servers.
         REPLICATION-RECEIVED LATENCY WARNING
         REDBOOT-LAB: Current time is 2006-11-26 14:21:56.
            DC=DomainDnsZones,DC=ad,DC=multi,DC=com
               Last replication recieved from WINSRV2 at 2006-11-12 22:47:52.
            DC=ForestDnsZones,DC=ad,DC=multi,DC=com
               Last replication recieved from WINSRV2 at 2006-11-12 22:47:52.
            CN=Schema,CN=Configuration,DC=ad,DC=multi,DC=com
               Last replication recieved from WINSRV2 at 2006-11-12 22:47:52.
            CN=Configuration,DC=ad,DC=multi,DC=com
               Last replication recieved from WINSRV2 at 2006-11-12 23:08:23.
            DC=ad,DC=multi,DC=com
               Last replication recieved from WINSRV2 at 2006-11-12 22:55:37.
         ......................... REDBOOT-LAB passed test Replications
      Starting test: NCSecDesc
         ......................... REDBOOT-LAB passed test NCSecDesc
      Starting test: NetLogons
         ......................... REDBOOT-LAB passed test NetLogons
      Starting test: Advertising
         Warning: REDBOOT-LAB is not advertising as a time server.
         ......................... REDBOOT-LAB failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: WINSRV2 is the Schema Owner, but is not responding to DS RPC Bind.
         [WINSRV2] LDAP search failed with error 58,
         The specified server cannot perform the requested operation..
         Warning: WINSRV2 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: WINSRV2 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: WINSRV2 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: WINSRV2 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: WINSRV2 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: WINSRV2 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: WINSRV2 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: WINSRV2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: WINSRV2 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... REDBOOT-LAB failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... REDBOOT-LAB failed test RidManager
      Starting test: MachineAccount
         ......................... REDBOOT-LAB passed test MachineAccount
      Starting test: Services
         ......................... REDBOOT-LAB passed test Services
      Starting test: ObjectsReplicated
         ......................... REDBOOT-LAB passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... REDBOOT-LAB passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the SYSVOL has
         been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... REDBOOT-LAB failed test frsevent
      Starting test: kccevent
         ......................... REDBOOT-LAB passed test kccevent
      Starting test: systemlog
         ......................... REDBOOT-LAB passed test systemlog
      Starting test: VerifyReferences
         ......................... REDBOOT-LAB passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : ad
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom

   Running enterprise tests on : ad.multi.com
      Starting test: Intersite
         ......................... ad.multi.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
^C

===========================================================

2nd printout - after I deleted the entry in Active Directory Sites and Services:

C:\Documents and Settings\administrator.MNC-DOMAIN>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\REDBOOT-LAB
      Starting test: Connectivity
         ......................... REDBOOT-LAB passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\REDBOOT-LAB
      Starting test: Replications
         ......................... REDBOOT-LAB passed test Replications
      Starting test: NCSecDesc
         ......................... REDBOOT-LAB passed test NCSecDesc
      Starting test: NetLogons
         ......................... REDBOOT-LAB passed test NetLogons
      Starting test: Advertising
         Warning: REDBOOT-LAB is not advertising as a time server.
         ......................... REDBOOT-LAB failed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:fd94186d-370e-485a-ae50-16c88bd83bb4,CN=WINSRV2\0ADEL:fe870347-4bf0-4411-9004-a283432800f2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=multi,DC=com is the Schema Owner, but is deleted.
         Warning: CN=NTDS Settings\0ADEL:fd94186d-370e-485a-ae50-16c88bd83bb4,CN=WINSRV2\0ADEL:fe870347-4bf0-4411-9004-a283432800f2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=multi,DC=com is the Domain Owner, but is deleted.
         Warning: CN=NTDS Settings\0ADEL:fd94186d-370e-485a-ae50-16c88bd83bb4,CN=WINSRV2\0ADEL:fe870347-4bf0-4411-9004-a283432800f2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=multi,DC=com is the PDC Owner, but is deleted.
         Warning: CN=NTDS Settings\0ADEL:fd94186d-370e-485a-ae50-16c88bd83bb4,CN=WINSRV2\0ADEL:fe870347-4bf0-4411-9004-a283432800f2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=multi,DC=com is the Rid Owner, but is deleted.
         Warning: CN=NTDS Settings\0ADEL:fd94186d-370e-485a-ae50-16c88bd83bb4,CN=WINSRV2\0ADEL:fe870347-4bf0-4411-9004-a283432800f2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=multi,DC=com is the Infrastructure Update Owner, but is deleted.
         ......................... REDBOOT-LAB failed test KnowsOfRoleHolders
      Starting test: RidManager
         Warning: FSMO Role Owner is deleted.
         ldap_search_sW of CN=WINSRV2\0ADEL:fe870347-4bf0-4411-9004-a283432800f2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=multi,DC=com for hostname failed with 2: The system cannot find the file specified.
         ......................... REDBOOT-LAB failed test RidManager
      Starting test: MachineAccount
         ......................... REDBOOT-LAB passed test MachineAccount
      Starting test: Services
         ......................... REDBOOT-LAB passed test Services
      Starting test: ObjectsReplicated
         ......................... REDBOOT-LAB passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... REDBOOT-LAB passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the SYSVOL has
         been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... REDBOOT-LAB failed test frsevent
      Starting test: kccevent
         ......................... REDBOOT-LAB passed test kccevent
      Starting test: systemlog
         ......................... REDBOOT-LAB passed test systemlog
      Starting test: VerifyReferences
         ......................... REDBOOT-LAB passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : ad
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom

   Running enterprise tests on : ad.multi.com
      Starting test: Intersite
         ......................... ad.multi.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
^C


Written by scottledyard

2006, November 22nd at 10:19 pm
