Nightmare on Active Directory Street, revisited.
- From: remaker@xxxxxxxxx
- Date: 26 Feb 2007 12:45:14 -0800
Lets flash back to 2005. There is a USENET post called Nightmare on
Active Directory Street whereby I had ignorantly mangled my SYSVOL
because I had run out of disk space after a service pack quietly
increased the journal size from 128M to 512M. I tried to just drag-
and-drop the overflowing directory to another place (d'ohh!) and
REALLY screwed the pooch. Until that time, I had no idea what a
junction point was, and the fact that I only had one DC allowed me to
hack together a junction-less solution that got me running again after
I spent a number of deperate hours (and an unscheduled day off from my
day job) thrashing madly to restore the system to operation. That
was my first exposure to sysvol, and junction points. With some help
from a only slightly more competent friend, I managed to rebuild the
SYSVOL directory, but WITHOUT junction points. I had \winnt\sysvol
\sysvol\<domain> as an ordinary directory. But for ONE domain
controller, that works fine; it makes NO DIFFERENCE. The system
sprang up as a domain controller, I breathed a sigh of relief, and I
went home. I had no idea that I just laid a land mine that I would
step on two years later
Now it is 2007, and the disk on the DC died. I restored from system
state (which is a nightmare unto itself) and vowed to add a second DC
to prevent such a catastrophe in the future. So I dust off an old
machine and set it up, promote to a domain controller, and everything
is cool. Username database copied, check. Logins work? Check.
Cool! Yay, second DC.
Wait.. I'm getting group policy errors. WTF? Turns out that the
wounded SYSVOL directory from my last AD misadventure is not
replicating! I have inconsistent policy between the two DCs, and I
can't make replication happen! Crap!! After dozens of abortive
attempts to force proper replication with BurlFlags, I only manage to
create morphed directories in C:\winnt\sysvol\domain. Crap crap
crappity crap!!! Demote second DC. Disable it's DNS.
Then the echoes of 2005 rang in my ears. Did I screw up SYSVOL?
Irrevocably? I spent the past few days using time I didn't have
reading a ton on NTFRS, GPO, and SYSVOL.
FRSDIAG indicated that I was missing needed junction points. I dug up
a KB article on how to make the proper SYSVOL junction points with
linkd. I shut down the NTFRS service and copied the Policy and
Scripts directories (Using xcopy /o /x /e /h /k /s) and used linkd to
place in the junction points. I restart NTFRS and the machine becomes
a domain controller again. Phew. GPUDPATE and GPOTOOL confirm that
all is good. Members of the domain can GPUPDATE against the
policies. \\<domain>\sysvol\Policies is visible all over the
network. I hate to touch ANYTHING with AD, since I have had too many
times where I sent the system tumbling down on my head. Looks like
this one worked out.
I promoted DC2 back to a domain controller and the repaired NTFRS
works like a champ. I now know more about replication than I ever
wanted to.
The original server (DC1) has been from NT4 through 2000 to 2003, had
its domain name changed. I have had its hard drives cloned/swapped,
and restored from a system state backup. This is one BATTLE WORN
server, doing DNS. DHCP, and supporting Exchange running on another
server. Once I get DC2 settled, I may even add DC3, let DC2 and DC3
be the real servers and RETIRE this one! It has really just seen too
much action and I can hardly believe it still runs.
So: THANKS for your help, especially Herb Martin who patiently plowed
through this hairball corner case and pointed me in the right
direction more than once. If I ever decide to get real training, I'd
have to look seriously at http://www.LearnQuick.Com.
And I learned the ever important chant:
2DCs, 2DCs, 2DCs....
Now if I could just work out a stable way to mack up a DHCP server
without clustering or the 60-40 rule ;-)
Cheers,
Phil
.
- Prev by Date: No Password Expire
- Next by Date: Re: No Password Expire
- Previous by thread: No Password Expire
- Next by thread: Re: LastLogon attribute
- Index(es):
Relevant Pages
|
