RE: DCpromo issue. Health check on AD and group policy.
- From: Garry Starck-MCITP Enterprise Admin <vjsparx@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 27 Jun 2009 16:05:01 -0700
Hi IT Team @ Queensbridge.bham.sch.uk
Before I go on, are you logging on with a user account that is part of the
Enterprise Admins group, or at the least a domain admin account of the domain
in question? Can you please post more data from the following commandline
utils:
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag /v > c:\netdiag.log (On each dc)
-> repadmin /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
Try running MS Sonar to check your SYSVOL replication status. Download Sonar
@
http://www.microsoft.com/downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&displaylang=en
Use Sonar to check if the SYSVOLs (File Replication Service) are replicating.
Sometimes, if you update a GPO on a DC, the GPO points to a GPT.INI file in
the SYSVOL; if the faulting DC is not replicating FRS (SYSVOL) but AD
is replicating, then the actual data that AD's GPO object loads is
outdated. --- SO: CHECK the FRS service's event logs under Computer Management.
Run REPADMIN /replsum to ascertain AD replication status.
If AD is replicated (converged), has the FRS (SYSVOL) completed replication? Check
DC1, 2 and 3's SYSVOL size on each DC. They should be the same size.
Does the FRS event log have an event along the lines of a "Journal Wrap"
etc.? If so, on the faulting DC, you could follow
http://support.microsoft.com/kb/316790 (the D2 option, not D4), and restart
the FRS service.
Has the faulting DC time-synced with the other 2 "GOOD" DCs?
Have you logged on recently and not just unlocked the DC?
If all of the above does not help, remove the DC from the network physically, and
manually remove the DC by following
http://support.microsoft.com/default.aspx/kb/216498
What gives you the idea that the hard drive is going to crash? Any Event ID
etc.?
I would ensure that the SYSVOL on the 2 good DCs is fine and most up to date.
I would copy the SYSVOL from the faulty DC to a safe location in case you
realise that one or 2 GPOs were directly modified/created on the faulty DC.
(Just in case.)
I would try logging off then on with an account that has enterprise rights to
the faulty DC. Then try DCPROMO out of AD. If still not working, then run
NTDSUTIL as previously proposed. But please do rather post the
DCDIAG/NETDIAG/REPADMIN results before, in case this is something minor.
Regards
--
Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA
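The GPO/GPT.INI mismatch described in the reply above can be checked per DC by comparing the GPO's versionNumber in AD with the Version value in each DC's SYSVOL copy of GPT.INI. The following is an added example, not part of the original post; the function names and sample values are constructed for illustration, and it assumes you have already read the AD value and each DC's GPT.INI text.

```python
import configparser

def split_version(number):
    """Split a GPO version into (user, computer): high and low 16 bits."""
    return number >> 16, number & 0xFFFF

def parse_gpt_version(gpt_ini_text):
    """Return (user, computer) from GPT.INI text, or None if unusable."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(gpt_ini_text)
        return split_version(parser.getint("General", "Version"))
    except (configparser.Error, ValueError):
        return None

def find_stale_sysvol(ad_version_number, gpt_ini_by_dc):
    """Map each DC whose SYSVOL copy disagrees with AD to a reason."""
    expected = split_version(ad_version_number)
    report = {}
    for dc, text in gpt_ini_by_dc.items():
        # None means the policy folder or GPT.INI was absent on that DC,
        # which is what an FRS replica that never received the GPO looks like.
        found = parse_gpt_version(text) if text is not None else None
        if found is None:
            report[dc] = "missing or unreadable GPT.INI"
        elif found != expected:
            report[dc] = "SYSVOL user/computer %d/%d, AD %d/%d" % (found + expected)
    return report

# Constructed sample data (not from the thread). In practice the text would be
# read from \\<dc>\SYSVOL\<domain>\Policies\{<GPO GUID>}\GPT.INI on each DC, and
# the AD value from the versionNumber attribute of the GPO's
# groupPolicyContainer object.
AD_VERSION_NUMBER = 196613  # user version 3, computer version 5
SAMPLE_GPT_INI_BY_DC = {
    "DC1": "[General]\nVersion=196613\n",
    "DC2": "[General]\nVersion=196613\n",
    "DC3": "[General]\nVersion=196612\n",  # SYSVOL copy one computer revision behind
}

if __name__ == "__main__":
    stale = find_stale_sysvol(AD_VERSION_NUMBER, SAMPLE_GPT_INI_BY_DC)
    for dc, reason in stale.items():
        print(dc, "->", reason)
```

A DC that appears in the report while REPADMIN shows AD as converged points at FRS (SYSVOL) replication rather than AD replication.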
"IT Team @ Queensbridge.bham.sch.uk" wrote:
Hi Folks.
We have 3 domain controllers all running Windows 2003 (DC with FSMO roles
has SP1 and the other 2 have SP2). One of the SP2 DCs is about to suffer an
imminent hard drive failure and I wanted to decommission it before it dies.
We have also had intermittent issues with some workstations on the domain not
picking up policies and correctly logging people on. I suspect that these
workstations are trying to authenticate to this problem DC and the
communication between the two isn't happening, hence why users can't get their
settings and policies not being applied.
The problem is I tried to DCpromo this server yesterday and couldn't remove
it as a DC. When I ran dcpromo it seemed like it was going to decommission
itself until I got the following error:
The operation failed because: Active Directory could not configure the
computer account SERVER$ on the remote domain controller
firstDCindomain.domain.com. "Access is denied."
Specify an account with Enterprise Adminstrator privileges to the forest,
home.domain.com.
I have checked this. I keep getting the same error message over and over. It's
odd because I have done various promotions and decommissions of DCs and never
had this trouble in the past. In fact a year ago I had to decommission this
exact server and repromote this exact server after some maintenance and never
had a problem.
My worry is I have got a feeling that either Active Directory may be in a
slight mess or it's related to group policy objects. I have seen a few issues
appearing on some of our workstations which relate to not picking up gpo
objects and gpo.ini.
I have read that I can do a dcpromo/force removal and this is likely to
work; my worry is this could cause issues as I have to use a util called
ntdsutil to clear out Active Directory. This sounds scary and I am not
comfortable with doing this method in case I make the problem worse.
Is there something I could run which could check Active Directory and group
policy for all the DCs to help me identify the problem? I have run dcdiag on
all 3 domain controllers and the problem server did bring up more issues than
the other 2, and it was pointing to the File Replication Service and
replication issues. It's like it cannot communicate with the other DCs. I
have manually tried to do replication through Sites and Services and this
works without any errors.
So I am confused. Has anyone suffered this issue?
Please help!