Re: Missing NTDS Settings object
- From: Harj <cisqokid@xxxxxxxxx>
- Date: 23 Apr 2007 12:39:22 -0700
On Apr 23, 11:28 am, Geni <G...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Sites don't have NTDS settings -- DCs do.
I'm referring to the NTDS Site Settings object that appears for each site at
the top level. The ISTG is blank when viewed from any device other than
those that are part of the affected domain/site.
I've run replmon, repadmin, dcdiag, etc., and promoted/demoted DCs until I'm
blue in the face. I'm about out of ideas. I can't move the user accounts to
another domain, because you come up with a DSA object does not exist error.
Chances are you also have Site and Subnet definition errors, otherwise the
re-Promotion of a DC would put it into the correct site.
This site/subnet had been working up until two weeks ago (it had been
working for four years). The problem is that DCs had to be reloaded, and in
the course of the reloads, the AD database on ALL the DCs within that domain
got corrupted. To make a (very) long story short, the RID master became
invalid. It was seized on a DC other than the original one - but a DC was
brought up with the name of the original RID master after that happened.
That's when the replication broke and the ISTG settings in the NTDS Site
Settings disappeared.
What I know for sure:
DNS diagnostics show no errors (dcdiag dns tests, ping, manual verification)
You have run "DCDiag /c" on every DC INDIVIDUALLY while working from
that DC, and captured the output into a text file? Then searching for FAIL and
WARN found no such messages?
Yes, that's what is causing my headaches. The affected site thinks it's
fine; it just doesn't have any outbound replication partners. It replicates
fine intrasite. The other sites are fine; they just don't think there are
any domain controllers in that site.
There are no old servers that shouldn't be there when you look using ntdsutil
Everything looks fine in ADUC
repadmin shows NO outbound connections from this site. Inbound connections
look fine, and replications appear to be happening without a problem.
It can't unless there are DCs there -- DCs have the Connections, not Sites.
I know. My question is how to force the DCs to reappear. I've demoted and
promoted every server in that site. I even tried bringing up a new DC for
that domain in another site, so that I could manually move it to that site to
force it to become the ISTG - unfortunately, it never appears in any site.
NO server for that domain appears in ANY site, unless you're looking at sites
and services on one of the domain controllers in that domain - then they show
up just fine.
If I look in adsiedit, on that site's OWN configuration, I can see the ISTG,
the bridgehead, etc., and it shows the bridgehead correctly as inbound and
outbound partner. If I look in adsiedit on any other site's configuration
and drill down to that site...it's empty. No server entries. I can't
manually add connection objects between the sites, because they just ...
aren't there.
What am I missing? I can't add new users in this site, because Exchange
can't see their AD objects.
You seem to have a replication problem but your claim of DCDiag passing
makes it seem that you do not.
DCdiag thinks everything's fine - because everything it knows about is
replicating. The problem is, I can't make these DCs appear.
You apparently have your DCs in the wrong sites (somehow).
No. These DCs won't show up in ANY site, no matter how many times I demote
and promote them.
What does the DNS for each such problem site show? Are the DCs listed
there correctly?
Yes. I went through every CNAME, SRV, and A record for these servers and
manually verified the GUIDs, DNs and IPs.
If the DCs are not appearing in the correct site they need to be manually
moved there - but this is a sign that the subnet definitions are incorrect.
That's not the issue. They aren't appearing anywhere since this site/domain
got corrupted. I've loaded new DCs, and reloaded these DCs to no avail. I
am literally out of ideas.
Hi,
"loading" "unloading" domain controllers...hmmm, I wonder if you have
any replication issues?
Look at the eventlogs on the domain controllers under FRS for any
errors.
If your replication is not functioning correctly and you have "loaded,
unloaded" domain controllers....(promoted, and demoted), you have
issues as the demotion, promotion did not replicate to the domain
controllers.
I am guessing there are many more issues here now.
First, validate DNS...I know, I know everyone states DNS is fine
because they can "ping" the server but in the end DNS is indeed
mashed.
Verify we do not now have domain controllers that are not supposed to
be in AD anymore as loading and unloading domain controllers just does
not sound right.
Verify your sites and subnets are set up correctly.
Remember, the KCC does great things automatically on its own. One of
them being connection points.
As the AD motto goes, when in doubt it's name resolution.....
Good luck
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
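
The symptom described in this thread (a site's servers and ISTG visible in one DC's copy of the configuration, absent in another's) can be confirmed by asking each DC for its own copy of the Sites container and comparing the answers. The following is an added example, not part of the original posts; it assumes the ActiveDirectory PowerShell module is available, the DC names are placeholders, and every query is read-only.

```powershell
# Added example: read-only comparison of each DC's copy of the Configuration partition.
Import-Module ActiveDirectory

# Placeholder names: list one DC from every site/domain, including the affected one.
$DomainControllers = 'dc1.hq.example.test', 'dc2.branch.example.test'

$dsaRows = @(); $istgRows = @(); $reachable = @()
foreach ($dc in $DomainControllers) {
    try {
        $configNC  = (Get-ADRootDSE -Server $dc -ErrorAction Stop).configurationNamingContext
        $sitesBase = "CN=Sites,$configNC"
        # One nTDSDSA ("NTDS Settings") object exists per DC, under its server object.
        $dsas  = Get-ADObject -Server $dc -SearchBase $sitesBase `
                     -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction Stop
        # One nTDSSiteSettings ("NTDS Site Settings") object per site; it names the ISTG.
        $sites = Get-ADObject -Server $dc -SearchBase $sitesBase `
                     -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                     -Properties interSiteTopologyGenerator -ErrorAction Stop
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
        continue
    }
    $reachable += $dc
    foreach ($dsa in $dsas) {
        if ($dsa.DistinguishedName -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,') {
            $dsaRows += [pscustomobject]@{ AskedDC = $dc; Site = $Matches[2]; Server = $Matches[1] }
        }
    }
    foreach ($s in $sites) {
        if ($s.DistinguishedName -match '^CN=NTDS Site Settings,CN=([^,]+),CN=Sites,') {
            $istgRows += [pscustomobject]@{ AskedDC = $dc; Site = $Matches[1]; ISTG = $s.interSiteTopologyGenerator }
        }
    }
}

# Servers that at least one reachable DC does not have in its copy.
$dsaRows | Group-Object Site, Server | ForEach-Object {
    $seenBy = @($_.Group | ForEach-Object { $_.AskedDC })
    [pscustomobject]@{
        Site        = $_.Group[0].Site
        Server      = $_.Group[0].Server
        MissingFrom = @($reachable | Where-Object { $seenBy -notcontains $_ }) -join ', '
    }
} | Where-Object { $_.MissingFrom } | Format-Table -AutoSize

# ISTG per site as each DC sees it; a blank ISTG column is the symptom from the thread.
$istgRows | Sort-Object Site, AskedDC | Format-Table Site, AskedDC, ISTG -AutoSize
```

A server listed with a non-empty MissingFrom column exists in some DCs' configuration but has not replicated to the others, which narrows the problem to configuration-partition replication rather than site or subnet assignment.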
- References:
- Re: Missing NTDS Settings object
- From: Herb Martin
- Re: Missing NTDS Settings object
- From: Geni
- Re: Missing NTDS Settings object