Re: Raising DFL

---

• From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
• Date: Sun, 22 Jan 2006 16:24:27 +0100

---

I know some of the answers have already been given... trying to summarize
the stuff.

this is no rocker science and it is strange it is still not working. I setup
the list to see what could be missing. At this moment I'm unaware of what
the situation is. Do you?

What I don't understand is why someone cannot logon after creating an
additional replica and putting it in a separate network... no matter what
the administrator is always able to logon into a DC.

And I have never seen or heard that after increasing the DFL/FFL nobody was
able to log on.... that is strange. so that is why I went back to the
basics.. what has happened so far?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
news:OgD%23HW2HGHA.3408@xxxxxxxxxxxxxxxxxxxxxxx
> Jorge,
> Most of this already covered in the other half of the thread. He says he
> can't logon and get any info. Whether it is local (AD DS Restore), on the
> dc as a domain member or from a workstation.
>
> I believe he is going to have to logon via DS Restore and start working
> from there.
>
> --
>
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Jorge de Almeida Pinto [MVP]"
> <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
> news:%23fMziQvHGHA.376@xxxxxxxxxxxxxxxxxxxxxxx
>> talking about the DC in the lab environment...
>>
>> (1) the DC is a GC?
>> (2) the FSMO roles have been seized?
>> (3) the metadata from other DCs have been cleaned
>> (4) the DC also hosts DNS?
>> (5) the DC also hosts DHCP and provides IPs and options for clients?
>> (6) any errors in the event viewer?
>> (7) output of DCDIAG /D /C /V
>> (8) output of NETDIAG /DEBUG /V
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> # Jorge de Almeida Pinto #
>> MVP Windows Server - Directory Services
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>> "mehul" <mehul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:00FB1A84-F975-48E9-A76D-D22789C96EAE@xxxxxxxxxxxxxxxx
>>> Problems on the lab network. I havent changed anything on the production
>>> network yet. And yes, the roles were seized on the lab network.
>>>
>>> "Jorge de Almeida Pinto [MVP]" wrote:
>>>
>>>> where are you having problems? production network or lab network?
>>>>
>>>> on what network did you seize the FSMO roles? I assume on the DC that
>>>> went
>>>> into the lab network?!
>>>>
>>>> --
>>>>
>>>> Cheers,
>>>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>>> # Jorge de Almeida Pinto #
>>>> MVP Windows Server - Directory Services
>>>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>>>> -----------------------------------------------------------------------------
>>>> * This posting is provided "AS IS" with no warranties and confers no
>>>> rights!
>>>> * Always test before implementing!
>>>> -----------------------------------------------------------------------------
>>>>
>>>>
>>>> -----------------------------------------------------------------------------
>>>> "mehul" <mehul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:2AB15070-9454-4386-AE0E-F9188A5D9259@xxxxxxxxxxxxxxxx
>>>> > Yes. I isntalled an additional DC on the production network. Took it
>>>> > out
>>>> > to
>>>> > an isolated network in the lab and then all the roles were seized. GC
>>>> > was
>>>> > enabled as well.
>>>> >
>>>> > It had no problems authenticating prior to the DFL change.
>>>> >
>>>> >
>>>> >
>>>> > "Jorge de Almeida Pinto [MVP]" wrote:
>>>> >
>>>> >> I don't understand what you are saying here...
>>>> >>
>>>> >> "> we upgraded NT domian to Windows 2003 and it is running in
>>>> >> interim
>>>> >> mode.
>>>> >> > I installed a new DC with win2k3SP1 and put it on an isolated
>>>> >> > network
>>>> >> > in
>>>> >> > lab
>>>> >> > and all the roles were manually seized/transfered since it is the
>>>> >> > only
>>>> >> > DC
>>>> >> > on
>>>> >> > the network"
>>>> >>
>>>> >> I only understand "we upgraded NT domian to Windows 2003 and it is
>>>> >> running
>>>> >> in interim mode"
>>>> >>
>>>> >> after that I cannot see what you mean with (I understand the terms
>>>> >> but
>>>> >> see
>>>> >> how it fits):
>>>> >> "I installed a new DC with win2k3SP1 and put it on an isolated
>>>> >> network in
>>>> >> lab"
>>>> >>
>>>> >> are you saying you first installed it as an additional domain
>>>> >> controller
>>>> >> in
>>>> >> an exxisting domain? then you moved it to a lab network?
>>>> >>
>>>> >> in your production network you should also cleanup the metadata of
>>>> >> the DC
>>>> >> that was moved to the lab network
>>>> >>
>>>> >>
>>>> >> "and all the roles were manually seized/transfered since it is the
>>>> >> only
>>>> >> DC
>>>> >> on the network"
>>>> >>
>>>> >> I guess you mean SEIZED.
>>>> >> If it is the only DC in the lab network you should clean the
>>>> >> metadata of
>>>> >> the
>>>> >> other DC
>>>> >> make it also a GC! (only the first DC in a forest is automatically a
>>>> >> GC)
>>>> >>
>>>> >>
>>>> >> --
>>>> >>
>>>> >> Cheers,
>>>> >> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>>> >> # Jorge de Almeida Pinto #
>>>> >> MVP Windows Server - Directory Services
>>>> >> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>>>> >> -----------------------------------------------------------------------------
>>>> >> * This posting is provided "AS IS" with no warranties and confers no
>>>> >> rights!
>>>> >> * Always test before implementing!
>>>> >> -----------------------------------------------------------------------------
>>>> >>
>>>> >>
>>>> >> -----------------------------------------------------------------------------
>>>> >> "mehul" <mehul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> >> news:FBDC70A9-0CE8-4484-9E15-2DE44B7684A5@xxxxxxxxxxxxxxxx
>>>> >> > we upgraded NT domian to Windows 2003 and it is running in interim
>>>> >> > mode.
>>>> >> > I installed a new DC with win2k3SP1 and put it on an isolated
>>>> >> > network
>>>> >> > in
>>>> >> > lab
>>>> >> > and all the roles were manually seized/transfered since it is the
>>>> >> > only
>>>> >> > DC
>>>> >> > on
>>>> >> > the network. Then the Domain functioonal level and forrest
>>>> >> > functional
>>>> >> > level
>>>> >> > were raised to highest (windows 2003). After that, no one can log
>>>> >> > on
>>>> >> > from
>>>> >> > any
>>>> >> > clients or on the DC itself. The clients include NT4SP6a and
>>>> >> > win2003SP1.
>>>> >> >
>>>> >> > When I raised the DFL and FFL, no issues were reported. It was
>>>> >> > successful.
>>>> >> > Any ideas/suggestions? I do have the backup so I can alsways go
>>>> >> > back,
>>>> >> > but
>>>> >> > how
>>>> >> > can I raise the levels?
>>>> >> >
>>>> >> > Thanks in advance,
>>>> >> > Mehul.
>>>> >>
>>>> >>
>>>> >>
>>>>
>>>>
>>>>
>>
>>
>
>


.

---

• Follow-Ups:
  • Re: Raising DFL
    • From: Paul Bergson

• References:
  • Re: Raising DFL
    • From: Jorge de Almeida Pinto [MVP]
  • Re: Raising DFL
    • From: mehul
  • Re: Raising DFL
    • From: Jorge de Almeida Pinto [MVP]
  • Re: Raising DFL
    • From: mehul
  • Re: Raising DFL
    • From: Jorge de Almeida Pinto [MVP]
  • Re: Raising DFL
    • From: Paul Bergson

• Prev by Date: Re: Raising DFL
• Next by Date: Re: Explicitely Transfering FSMO Roles
• Previous by thread: Re: Raising DFL
• Next by thread: Re: Raising DFL
• Index(es):
  • Date
  • Thread

---

Relevant Pages Possible XP Bug ... I ran into a strange issue this morning that I suspect might be related to ... I installed SP2 a last Friday and had no problems ... When I went to logon this morning my computer rebooted within a couple ... I was finally able to get back up and running by restoring to a previous ... (microsoft.public.windowsxp.general) Re: Raising DFL ... I believe he is going to have to logon via DS Restore and start working from ... > # Jorge de Almeida Pinto # ... the roles were seized on the lab network. ... >>> on what network did you seize the FSMO roles? ... (microsoft.public.windows.server.active_directory) Re: some users take a huge time to logon ... > another strange thing ... > when I change the logon name it works fine ... Peter <X-Files Fan> ... (microsoft.public.windows.server.active_directory) Re: Well done Plumbert! ... Still strange why admins could logon. ... *inserts an entry into his little black book of micro$oft dirty tricks* ... (uk.rec.motorcycles) Re: Forms Authentication to specific folders ... Strange, very strange this is what I have ... after logon the page does not get redirected. ... However if I go to the link for the exe or pdf, ... (microsoft.public.dotnet.framework.aspnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)