Re: Where are DC signatures stored in AD? Can they be edited using adsiedit?



Hi Paul. Thanks for the information. Unfortunately the process we went
through to create our test network was different to what you have suggested
on your site. Our live network at the time only had one 2000 DC. We took a
NTBackup of the DC and restored it onto a server with the same hardware.
There were no errors apart from the decommissioned signature for the first
DC. I have run dcdiag, netdiag and repadmin testing throughout the test
upgrade to 2003 and have not had any errors. When we started having
problems with the test network at the point of demoting the 2000 DC we
stopped any parallel upgrades on the Live network. Subsequently both
networks now have one 2000 DC and one 2003 DC, the 2003 has all the roles.

Unfortunately we aren't having much luck with this upgrade. The new
2000/2003 have been running without problem but over the weekend we have
started generating LicenseService (ID 213) warnings on what appears to be a
random selection of member servers (License Service is running on the 2003
DC and AD Sites & Services Licensing Site Settings points to DC2). More
concerning we have also started to get NTDSReplication ID 1083, NTDS
Replication ID 1955 and SAM 12294 for the Domain Administrator account. I
have just posted about this in a new post but if I could resolve these two
issues on the Live network I don't think we would have any further problems
with the demotion and addition of new 2003 DC.

Thanks,
Alex.


"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:O89OrWjIHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
How did you build the test network? Have a look at a build doc I have and
see if you missed out on any steps.

http://www.pbbergs.com
Select articles and click on Create a Test Domain



Once you have the domain created run diagnostics against it

If you don't have the tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be
output in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Alex" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uHnDDHfIHHA.2456@xxxxxxxxxxxxxxxxxxxxxxx
Hi. We have been having a problem with a test network which we are using
to test an upgrade from 2000 to 2003. The network was built from a
restored 2000 DC image before the first 2003 DC was added. The restore
completed successfully on slightly different hardware with no errors and
everything working correctly. On running repadmin /showsig the 2000 DC
(DC1) has generated a new signature and the old signature has been
retired. Unfortunately although repadmin is showing this DC as having and
using a new signature, it registers its CNAME entry in DNS with the old
signature and the NTDS Replication DNS Alias (visible from AD Sites and
Services on the 2003 DC) is also listing the old signature. Subsequently
when we attempt to demote this server the demotion is not clean. BUT
even after we clear out any left over DNS and AD entries for the 2000 DC
(no server entry is left from the demotion in ntdsutil), when we then
install 2003 on the same server hardware, same IP address and same name,
after running dcpromo and rebooting the server it generates replication
errors. These errors are indicating that the 2003 DC (DC2) is attempting
to replicate with the now new 2003 DC1 but they fail to authenticate with
each other because the 2003 DC2 appears to be trying to contact DC1
using its old retired signature. I have posted about this in a similar
post previously and Jorge made the suggestions below but this is still
occurring:

*Clear the DNS cache
- rightclick the DNS server and clear the cache.
- run from cmd: ipconfig /flushdns
*delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config
*run ipconfig /registerdns
*restart the netlogon service, confirm the creation of the files
netlogon.dnb and netlogon.dns on %systemroot%\system32\config
*run netdiag /fix
Check again the DNS entries.


This is only happening on our test network. When I run repadmin
/showsigs on the live network the current 2000 DC has only 1 signature
with none retired and the newer 2003 DC also has 1 signature. I would
really like to cleanup the test network so I can confirm the demotion and
addition of the replacement 2003 DC works successfully.

Thanks,
Alex.
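
An added PowerShell example (not part of the thread and not Paul's GUI script) for the last diagnostic step above: searching the dcdiag, netdiag and repadmin output for fail, error and warning lines and tying each hit to the test it occurred in. The function name Get-DiagFindings and the embedded sample lines are constructed for illustration; the log paths are the ones used in the commands above.

```powershell
# Constructed sample in the general shape of dcdiag verbose output (not from the thread).
$sample = @'
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
         ......................... DC1 failed test Replications
      Starting test: Services
         Warning: constructed warning line for illustration
         ......................... DC1 passed test Services
'@

# Hypothetical helper: returns one object per line containing fail/error/warning,
# tagged with the most recent "Starting test:" header seen above it.
function Get-DiagFindings {
    param([string[]]$Lines, [string]$Source = 'sample')
    $test = '(none)'
    $n = 0
    foreach ($line in $Lines) {
        $n++
        if ($line -match 'Starting test:\s*(\S+)') { $test = $Matches[1]; continue }
        if ($line -match '\b(fail\w*|error\w*|warning\w*)\b') {   # -match ignores case
            [pscustomobject]@{
                Source  = $Source
                Line    = $n
                Test    = $test
                Keyword = $Matches[1].ToLower()
                Text    = $line.Trim()
            }
        }
    }
}

# Scan the three output files named in the commands above; fall back to the sample.
$logs = 'c:\dcdiag.log', 'c:\netdiag.log', 'c:\repl.txt'
$findings = foreach ($log in $logs) {
    if (Test-Path $log) { Get-DiagFindings -Lines (Get-Content $log) -Source $log }
}
if (-not $findings) { $findings = Get-DiagFindings -Lines ($sample -split "`r?`n") }

$findings | Format-Table Source, Line, Test, Keyword, Text -AutoSize
$findings | Group-Object Source, Test | Select-Object Count, Name   # hits per file and test
```

Lines from netdiag.log and repl.txt have no "Starting test:" headers, so their hits are reported under the test name "(none)".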