Re: SBS2003 + tombstoned WIN2K DC
- From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 3 Oct 2007 10:47:57 -0700
jdr.smith@xxxxxxxxxx wrote:
On 3 Oct, 18:06, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx> wrote:
jdr.sm...@xxxxxxxxxx wrote:
On 3 Oct, 16:42, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx>
wrote:
jdr.sm...@xxxxxxxxxx wrote:
If I ping domain.local I get a response from the IP of the
tombstoned DC not the SBS2003.
Jim.
Time to break out the AD tools (DCDiag, Netdiag) and see what's up.
dcdiag /c / v
and
netdiag
from both servers and post if needed.
SBS2003 DCDIAG servername changed to XYZ etc etc >
Domain Controller Diagnosis
Testing server: Default-First-Site-Name\XYZ-SERVER
The last success occurred at 2006-10-22 15:56:20.
16941 failures have occurred since the last success.
Last replication recieved from WIN2K at 2006-10-22
15:56:20.
WARNING: This latency is over the Tombstone Lifetime
of 60 days!
Warning: DsGetDcName returned information for \
\WIN2K.XYZGB.local, when we were trying to reach XYZ-SERVER.
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2609 to 1073741823
* XYZ-server.XYZGB.local is the RID Master
* Warning :There is less than 0% available RIDs in the
current pool
END....
Any ideas ?
Well your DC's haven't been fully replicating in over a year. You've
likely got some work to do.
First you'll need to demote the 2nd DC (NOT the SBS server),
repromote (if you want to continue with 2 DCs), and verify
replication is *100%* before proceeding.
Next, you'll have to cleanup all the leftover problems from having
two out of sync copies of AD for so long. You likely will have
computer accounts that have changed password with one DC that never
replicated to the SBS server. These computers will need to be
rejoined (probably not necessary to use /connectcomputer if the
computer shows up in the SBS server.
You'll probably have issues with user accounts and stale passwords
and/or other attributes that have changed over the last year.
Probably other things as well.
Lesson of the story, if you are going to run more than 1 DC
(especially true in SBS) you must verify replication at least once a
month. (A clean run of dcdiag is the best bet, but repadmin can also
be used)
Jim.
--
/kj- Hide quoted text -
- Show quoted text -
Hi,
I was going down that route to start with, but was confused that thw
two AD do seem to be replicating with each other.
Maybe partially, but not fully. Replication is by 'partition' (AD) and all
must be in sync with each other.
Is it possible for the PC's to be using both AD's if they are out of
synch ? ( even though they appear to be in synch)
Yes. The Pc's know nothing of this. They locate a logon server (DC) through
DNS. If responds and authenticates, it's good to go.
The only thing that appears to be wrong (outwardly) is that we can;t
make a user with an e-mail address, or even without an e-mail address
in SBS manager.
Netdiag indicates other problems, most noteably RID pool exhaustion. RIDs
are necessary to create new objects. You need to cleanup AD *first*, and
there might be a lot to do. If you're not comfortable, you migth consider a
Microsoft CSS Call.
But..we can create a user in AD on either server and they do show up
on the other server, which I thought was weird.
I'm worried that if I remove the AD from WIN2K then everything will
all fall apart.
Backups, backups, backups. In this case especially, system stateS. Yes BOTH
servers and both system state(s). They are very much different at this
point.
Currently I can't change user security on the SBS server either, but I
can from the WIN2K server.
It's as if the WIN2K server thinks it's the master DC.
netdom query fsmos ( from both DCs)
I inplugged WIN2K from the network this afternoon and then could not
ping XYZGB.local any more and also could not verify SID's or access
any shares, plugged it back in and it all worked again...rather
worrying ?
Ping by name or by address. If by name, your DNS may also be out of date and
out of sync. Normally DNS is integrated, and of course, replicated. So, not
surprising that has problems too.
If i type set at the PC the show WIN2K as the logon server
If I ping XYZGB.local the AD domain I get a reply from the WIN2K
server not the SBS server.
If I dcpromo WIN2K back to just being a member server (don't really
want it setup as a DC again as it a bit old, don't know who's idea it
was in the first place to do this) am I going to end up in no-mans
land ?
Well, before doing anything; do an "ipconfig/all from both servers and post
(edited posts sometimes are difficult to correctly interpret, but if you do
so, do very consistantly), Fully BACKUP both servers AND SYSTEM STATES.
....or call Microsoft.
Jim.
--
/kj
.
- Follow-Ups:
- Re: SBS2003 + tombstoned WIN2K DC
- From: jdr . smith
- Re: SBS2003 + tombstoned WIN2K DC
- References:
- SBS2003 + tombstoned WIN2K DC
- From: jdr . smith
- Re: SBS2003 + tombstoned WIN2K DC
- From: jdr . smith
- Re: SBS2003 + tombstoned WIN2K DC
- From: kj [SBS MVP]
- Re: SBS2003 + tombstoned WIN2K DC
- From: jdr . smith
- Re: SBS2003 + tombstoned WIN2K DC
- From: kj [SBS MVP]
- Re: SBS2003 + tombstoned WIN2K DC
- From: jdr . smith
- SBS2003 + tombstoned WIN2K DC
- Prev by Date: Re: problem with sbs 2003 r2 blocking internet conection
- Next by Date: Re: RWW desktop connection issue
- Previous by thread: Re: SBS2003 + tombstoned WIN2K DC
- Next by thread: Re: SBS2003 + tombstoned WIN2K DC
- Index(es):
Relevant Pages
|
