Re: How to rebuild a single AD... Please Help...

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

The default quey policy is not select (blank) by default.

So you have COs like:
IRDC2 <-> IRDC02

what DC is the IRDC2 ?
Did you renamed from IRDC2 to IRDC02 ?


--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"MrNewbieNaz" <MrNewbieNaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6A0CE917-1548-445F-81AE-D5358DC2211F@xxxxxxxxxxxxxxxx
Hi

I have hit replicate on both and have restarted one then after it loaded
restrated the other...

In Sites and Serivces, under default-fist-site-name > servers > i have
IRDC01 and IRDC02, when i expand IRDC01 (or IRDC02) and right click
properties on NTDS settings, I have changed the query policy to "Default
Query Policy" for both IRDC01 and IRDC02... this was blank first... would
this be causing my group policy error message i am receiving...? please
see
below...

also on the NTDS settings, on the connection tab, for IRDC01, it says
Replicate from IRDC01 and Replciate to IRDC01
and for IRDC02 NTDS settings, it says Replicate from IRDC2 and Replicate
to
IRDC02.... Is this correct..? does this mean they are replicating with
themselves and NOT each other?

Many thanks for your help...

Errors: >>>>>

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 03/10/2007
Time: 12:52:21
User: NT AUTHORITY\SYSTEM
Computer: IRDC02
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=IRW,DC=com.
The file must be present at the location
<\\IRW.com\sysvol\IRW.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Logon Failure: The target account name is incorrect. ). Group Policy
processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

-----------------------------------

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 03/10/2007
Time: 12:52:15
User: N/A
Computer: IRDC02
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/irdc02.irw.com. The target name used was cifs/IRDC01.IRW.com. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (IRW.COM), and the
client realm. Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



"Jorge Silva" wrote:

make sure that the 2 servers a fully sync, then reboot one server at the
time.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"MrNewbieNaz" <MrNewbieNaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AD670E0D-F2D9-4255-AEED-047986D3C3A2@xxxxxxxxxxxxxxxx
Many thansk for that clarification Jorge...

I have added a new dc now, made it a gc and dns and have transferred
the
FSMO roles..

Now on the new DC, im getting these same errors messages which im
having
toruble resolving...:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 03/10/2007
Time: 11:08:47
User: NT AUTHORITY\SYSTEM
Computer: IRDC02
Description:
Windows cannot determine the user or computer name. (The target
principal
name is incorrect. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Also... lots of this system error >>>>>>>

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 03/10/2007
Time: 11:10:34
User: N/A
Computer: IRDC02
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server
host/irdc02.irw.com. The target name used was . This indicates that
the
password used to encrypt the kerberos service ticket is different than
that
on the target server. Commonly, this is due to identically named
machine
accounts in the target realm (IRW.COM), and the client realm. Please
contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Any advice and help will be much appreciated on this...

Many thanks in advace.


"Jorge Silva" wrote:

There's no Primary and Secondary DC concept in AD.
Bot DCs will be used by all machines, make sure that the machines have
both
available DNS servers in their NIC Preferred DNS and secondary DNS.
The machines will be automatically load balanced by both servers.
you can find more detailed info here:
http://support.microsoft.com/kb/314861

You can point each DNS server to the other as secondary and to itself
as
primary
Sample:
DC01->IP: 10.0.0.1
DC02->IP: 10.0.0.2
---------------------------------------
For example
DC01->Primary DNS: 10.0.0.1
DC01->Secondary DNS: 10.0.0.2
DC02->Primary DNS: 10.0.0.2
DC02->Secondary DNS: 10.0.0.1
---------------------------------------
Of course you can also do it the other way arround:
2nd scenario:
DC01->Primary DNS: 10.0.0.2
DC01->Secondary DNS: 10.0.0.1
DC02->Primary DNS: 10.0.0.1
DC02->Secondary DNS: 10.0.0.2
---------------------------------------

This is only a sample how things could be done, actually depends of
many
other things to consider, in your scenario (only 2 DCs) you should be
fine
with any of these both samples provided, the most common configuration
is
the 1st one.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"MrNewbieNaz" <MrNewbieNaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A5AE23F7-92CC-4614-B6BE-49DC5F384EAE@xxxxxxxxxxxxxxxx
Hi

I was wondering if you can tell me how do the users machines
automatically
connect and authenticate with the second AD if say the primary
fails?
Because
both Primary and Secondary AD in our case have DNS servers and GC
and
all
the
users machines are pointing to the primary DC (which is the primary
ad
and
dns server) only.. there is no mention of the second DC (which is
also
a
DNS
server) on any of the user machines...

Also, in the DNS settings for the primary DC its is pointing to its
self
only and in the DNS settings for the seconday DC it is pointing to
its
self...

Please let me know..

Many thanks

"Jorge Silva" wrote:

correct, you use add remove programs to do that, or you can use the
"Manage
your Server" under Administrative tools to add a new role to that
server
and
then choose DNS.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"MrNewbieNaz" <MrNewbieNaz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:E5E7A18D-D79C-408E-83D3-4F96C403DDE8@xxxxxxxxxxxxxxxx
Thanks for the article links...

I have now replicated the new domain controller and made it a
global
catalogue..

I now need to make it a DNS.. DO i do this from the Add/remove
programs>
Windows Components> Netowrk Services>DNS or is there another??
And
if I
do
it
this way, how will the DNS replicate with the existing DNS server
on
the
faulty DC?

Many thanks in advance!

"Jorge Silva" wrote:

More info here

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx

--

I hope that the information above helps you.
Have a Nice day.


Jorge Silva
MCSE, MVP Directory Services

"Naz" <Naz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BBA2E95C-01A8-4EA5-8CC3-C0EFFFAAEAB5@xxxxxxxxxxxxxxxx
Hi

Thanks for the replies..

Once we demote the old DC, can we change the IP address of the
new
DC
back
to the old DC ip...? as this will save us going around all the
machines
and
changing the DNS server for each machine..

Also how easy is it to demote the domain controller.. is there
a
kb
for
that
also..?

Many thanks.

"Z" wrote:

Hi

Yes you can build a new server and install it as a second
domain
controller
then you can transfer all FSMO roles from the old server to
the
new
if
it's
still up. Then demote it as a DC "domain controller" How to
transfer
FSMO
roles see this http://support.microsoft.com/kb/324801. You
might
consider
contact a Consult in this matter if you have no experience in
this.
--
Z


"Naz" wrote:

Hello,

We have a simple single Win2k3 Active Directiory domain
which
is
not
yet
being fully utilised apart from Sharepoint authentication
for
users...

The problem is recently we discovered a series of system
errors
(one
windows
sytem error is displayed below..) which is causing the
system
to
reboot
every
other day....

HP IML Viewer shows a series of: Blue Screen Trap
(BugCheck,
STOP:
0x00000024 (0x00...., 0xF78....., 0xF78....., 0xF72......)

System Error

Event ID: 1003

Error code 00000024, parameter1 0019033d, parameter2
f78d67e4,
parameter3
f78d64e0, parameter4 f7222d40.


What will be the best way to rebuld this server? As the AD
is
still
running
is it possible to build a new Win2k3 server and do some
sort
of
replication
and then terminate the original faulty DC?

Please could you help me and put me in the right
direction..
as I
am
fairly
new to this technology..?

Many thanks in advance.














.

Relevant Pages

  • Re: How to enable communication between Two different lans (subnets)/ domains 2003 server based? Ass
    ... You will also almost certainly have DNS problems running a domain behind ... server domain, with a DHCP server running on one of the 2003 boxes. ... the "inner" subnet can see the original subnet and the Internet, ... The .227 machines can see the machines on the 192.168.1.0 subnet and the ...
    (microsoft.public.windows.server.networking)
  • Re: Help with Swing Migration
    ... you can't use your server name references consistently in the ... then the IP address for the Primary DNS Server ... >> the SBSnameDC, then the IP address I should enter into the Primary DNS ... >> DNS entries for the two machines. ...
    (microsoft.public.windows.server.sbs)
  • Re: Group Policy and DNS
    ... > is our only server so it is doing DNS, DHCP, AD, etc. ... I narrowed down to a DNS issue, ... > The machines that are getting the policies ping the server ...
    (microsoft.public.win2000.dns)
  • Issues migrating SBS 2003 domain to Server 2008 Standard
    ... We are stuck migrating our SBS 2003 domain to Server 2008. ... Fatal Error:DsGetDcName (SRV-EXCH) call failed, ... Verify your Domain Name Sysytem (DNS) is ... network connectivity to a domain controller. ...
    (microsoft.public.windows.server.sbs)
  • Re: AD management snap in cannot find DC (netdiag /v workstation)
    ... The name.local entries are used by my apache server to implement ... change button, more button, the "Primary DNS suffix of this ... Attr: subschemaSubentry ... Owner of the binding path: ...
    (microsoft.public.windows.server.active_directory)