Re: DCpromo issue. Health check on AD and group policy.
"IT Team @ Queensbridge.bham.sch.uk" <ITTeamQueensbridgebhamschuk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:549DDD68-7147-468F-A292-0EDF3FE5CAB9@xxxxxxxxxxxxxxxx
Hi Folks

We have 3 domain controllers all running Windows 2003 (the DC with the FSMO roles
has SP1 and the other 2 have SP2). One of the SP2 DCs is about to suffer an
imminent hard drive failure and I wanted to decommission it before it dies.
We have also had intermittent issues with some workstations on the domain not
picking up policies and correctly logging people on. I suspect that these
workstations are trying to authenticate to this problem DC and the
communication between the two isn't happening, which is why users can't get their
settings and policies aren't being applied.

The problem is I tried to dcpromo this server yesterday and couldn't remove
it as a DC. When I ran dcpromo it seemed like it was going to decommission
itself until I got the following error:

The operation failed because: Active Directory could not configure the
computer account SERVER$ on the remote domain controller
firstDCindomain.domain.com. "Access is denied."
Specify an account with Enterprise Administrator privileges to the forest,
home.domain.com.

I have checked this. I keep getting the same error message over and over. It's
odd because I have done various promotions and decommissions of DCs and never
had this trouble in the past. In fact a year ago I had to decommission this
exact server and re-promote this exact server after some maintenance and never
had a problem.

My worry is I have got a feeling that either Active Directory may be in a
slight mess or it's related to Group Policy objects. I have seen a few issues
appearing on some of our workstations which relate to not picking up GPO
objects and gpt.ini.

I have read that I can do a dcpromo /forceremoval and this is likely to
work; my worry is this could cause issues as I have to use a util called
ntdsutil to clear out Active Directory. This sounds scary and I am not
comfortable with doing this method in case I make the problem worse.

Is there something I could run which could check Active Directory and Group
Policy for all the DCs to help me identify the problem? I have run dcdiag on
all 3 domain controllers and the problem server did bring up more issues than
the other 2, and it was pointing to the File Replication Service and
replication issues. It's like it cannot communicate with the other DCs. I
have manually tried to do replication through Sites and Services and this
works without any errors.

So I am confused. Has anyone suffered this issue?

Please help!

Hello IT Team,

Garry gave you plenty of useful information to help you with this. And as he stated, if you need to simply remove it if you can't get it to work, make sure you follow that article he posted to remove its reference from the AD database using ntdsutil after you unplug it. This is important if you unplug the machine and never expect to return it before promoting anything new into the domain.

I would like to add, that the lack of this DC replicating, or the ability to remove it by the normal process of using dcpromo, can be due to numerous factors. This may also cause problems with your other existing DCs.

Things that can cause AD problems:

1. Multihomed DC (DC has more than one NIC and/or IP, which is NOT recommended or advised). This is due to the additional IPs registered into DNS that will cause problems with AD communications.

2. Single label AD DNS domain name ('domain' vs the required minimum of 'domain.net,' 'domain.local,' etc).

3. Using your ISP, router or some other DNS as an address in the DC's IP properties. Rule of thumb is to NEVER use a DNS server that does not host a copy of the AD zone, or that does not have a reference to it such as using Secondary zones, conditional forwarding or a stub. This rule also applies to all machines in a domain. Only use the ISP's DNS as a Forwarder in DNS properties.

4. Local Windows or third party firewall blocking necessary ports.

5. Firewall between Sites blocking necessary ports. (There are over 30 ports that need to be opened in addition to the UDP Service ports - 1004 - 65536).

6. IPSec policy on the DC preventing communications.

7. RRAS installed on a DC. Not advised or recommended. This goes back to the no-multihomed rule because of the additional IPs RRAS registers into DNS.


If you feel you can handle it with the information provided by Garry and I, that would be great. Otherwise, if you need additional specific assistance to get communication working, we'll need specific config info from your machines. Please post the following information to get us started in diagnosing this.

1. Unedited ipconfig /all from your three DCs. You can change your domain name to hide it, but don't change the IPs or the format of the domain name, please. Simply copy and paste it from a CMD prompt.

2. Any Event log errors from all three DCs in the app and System logs.

3. Are the DCs all in one site, or in different Sites?
If so, do you have AD Sites configured?
If so, any firewalls rules between locations?

4. What issues are you seeing on the workstations regarding GPOs? Please post the event ID as well as an ipconfig /all of a sample workstation this is occurring on.

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
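The reply above lists the configuration rules (no multihomed DCs, DNS client settings that point only at DCs hosting the AD zone) and the tools (dcdiag, repadmin) used to check replication. The script below is an added example, not code from either poster, that runs those checks read-only across a set of DCs. It assumes an elevated PowerShell 2.0 session on a domain member with the Windows Support Tools (dcdiag, repadmin) installed, WMI access to each DC, and that the DC names in $DomainControllers are placeholders to be replaced with your own.

```powershell
# Added example: read-only AD/DNS health sweep over a list of DCs.
# Assumptions: dcdiag and repadmin are on the PATH, WMI is reachable on each DC,
# and the names below are placeholders for your real domain controllers.
$DomainControllers = @('DC1', 'DC2', 'DC3')

# Build the set of IPv4 addresses owned by the DCs. Per rule 3 in the reply,
# every DNS client setting on a DC should resolve to one of these, never to an
# ISP or router address.
$dcIps = @{}
foreach ($dc in $DomainControllers) {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        foreach ($ip in $nic.IPAddress) {
            if ($ip -match '^\d{1,3}(\.\d{1,3}){3}$') { $dcIps[$ip] = $dc }
        }
    }
}

foreach ($dc in $DomainControllers) {
    Write-Host "==== $dc ===="
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc -Filter 'IPEnabled = TRUE')

    # Rule 1: a DC should have exactly one IP-enabled adapter. Extra adapters
    # register extra addresses in DNS and confuse AD communications.
    if ($nics.Count -gt 1) {
        Write-Warning "$dc is multihomed: $($nics.Count) IP-enabled adapters register in DNS"
    }

    # Rule 3: every configured DNS server must be a DC address.
    foreach ($nic in $nics) {
        foreach ($dns in $nic.DNSServerSearchOrder) {
            if (-not $dcIps.ContainsKey($dns)) {
                Write-Warning "$dc adapter '$($nic.Description)' uses non-DC DNS server $dns"
            }
        }
    }

    # dcdiag /q prints only failures, so empty output means every test passed.
    $diag = & dcdiag /s:$dc /q 2>&1
    if ($diag) {
        Write-Host "dcdiag failures on ${dc}:"
        $diag
    } else {
        Write-Host "dcdiag: no failures reported"
    }

    # repadmin /showrepl in CSV form: a non-zero failure count on any row means
    # that partner link (source DSA, naming context) is not replicating.
    $rows = & repadmin /showrepl $dc /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.'Number of Failures' -ne '0') {
            Write-Warning ("{0} <- {1} ({2}): {3} failures, last status {4}" -f `
                $dc, $row.'Source DSA', $row.'Naming Context',
                $row.'Number of Failures', $row.'Last Failure Status')
        }
    }
}

# One forest-wide summary of replication latency and failure counts.
& repadmin /replsummary
```

Run it once from a healthy DC and once from the suspect one; a DC that passes the adapter and DNS checks but still shows failures in the repadmin rows points at ports or IPSec (rules 4 to 6 in the reply) rather than at name resolution.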
