Re: SBS2003 + tombstoned WIN2K DC



On 3 Oct, 18:06, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx> wrote:
jdr.sm...@xxxxxxxxxx wrote:
On 3 Oct, 16:42, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx> wrote:
jdr.sm...@xxxxxxxxxx wrote:
If I ping domain.local I get a response from the IP of the
tombstoned DC not the SBS2003.

Jim.

Time to break out the AD tools (DCDiag, Netdiag) and see what's up.

dcdiag /c /v
and
netdiag

from both servers and post if needed.

SBS2003 DCDIAG, servername changed to XYZ etc etc:

Domain Controller Diagnosis

Testing server: Default-First-Site-Name\XYZ-SERVER
The last success occurred at 2006-10-22 15:56:20.
16941 failures have occurred since the last success.
Last replication recieved from WIN2K at 2006-10-22 15:56:20.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
Warning: DsGetDcName returned information for \\WIN2K.XYZGB.local, when we were trying to reach XYZ-SERVER.
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2609 to 1073741823
* XYZ-server.XYZGB.local is the RID Master
* Warning :There is less than 0% available RIDs in the current pool
END....

Any ideas ?

Well your DCs haven't been fully replicating in over a year. You've likely
got some work to do.

First you'll need to demote the 2nd DC (NOT the SBS server), repromote (if
you want to continue with 2 DCs), and verify replication is *100%* before
proceeding.

Next, you'll have to clean up all the leftover problems from having two out
of sync copies of AD for so long. You likely will have computer accounts
that have changed password with one DC that never replicated to the SBS
server. These computers will need to be rejoined (probably not necessary to
use /connectcomputer if the computer shows up in the SBS server).

You'll probably have issues with user accounts and stale passwords and/or
other attributes that have changed over the last year.

Probably other things as well.

Lesson of the story, if you are going to run more than 1 DC (especially true
in SBS) you must verify replication at least once a month. (A clean run of
dcdiag is the best bet, but repadmin can also be used)



Jim.

--
/kj

Hi,

I was going down that route to start with, but was confused that the
two AD do seem to be replicating with each other.

Is it possible for the PC's to be using both AD's if they are out of
synch ? ( even though they appear to be in synch)

The only thing that appears to be wrong (outwardly) is that we can't
make a user with an e-mail address, or even without an e-mail address
in SBS manager.

But..we can create a user in AD on either server and they do show up
on the other server, which I thought was weird.

I'm worried that if I remove the AD from WIN2K then everything will
all fall apart.

Currently I can't change user security on the SBS server either, but I
can from the WIN2K server.

It's as if the WIN2K server thinks it's the master DC.

I unplugged WIN2K from the network this afternoon and then could not
ping XYZGB.local any more and also could not verify SID's or access
any shares, plugged it back in and it all worked again...rather
worrying ?

If I type set at the PCs they show WIN2K as the logon server.
If I ping XYZGB.local the AD domain I get a reply from the WIN2K
server not the SBS server.

If I dcpromo WIN2K back to just being a member server (don't really
want it set up as a DC again as it's a bit old, don't know whose idea it
was in the first place to do this) am I going to end up in no-man's
land ?

Jim.
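
Added example, not part of the thread: one way to run the regular replication check recommended above is to parse the output of `repadmin /showrepl * /csv` and flag any link whose last success is older than the 60-day tombstone lifetime dcdiag reported. The sample rows, the "current time" and the function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime

TOMBSTONE_DAYS = 60  # tombstone lifetime reported by dcdiag in the post

# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,XYZ-SERVER,"DC=XYZGB,DC=local",Default-First-Site-Name,WIN2K,RPC,16941,2007-10-03 15:50:11,2006-10-22 15:56:20,8614
showrepl_INFO,Default-First-Site-Name,WIN2K,"DC=XYZGB,DC=local",Default-First-Site-Name,XYZ-SERVER,RPC,0,0,2007-10-03 15:45:02,0
showrepl_INFO,Default-First-Site-Name,XYZ-SERVER,"CN=Configuration,DC=XYZGB,DC=local",Default-First-Site-Name,WIN2K,RPC,3,2007-10-03 15:50:11,2007-09-20 09:00:00,1722
"""

def parse_time(text):
    """Return a datetime, or None when the field holds no timestamp."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S")
    except (ValueError, AttributeError):
        return None

def check_replication(csv_text, now, warn_days=1, tombstone_days=TOMBSTONE_DAYS):
    """Return (link, status, age_in_days) for every inbound replication link."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        link = "%s <- %s [%s]" % (row["Destination DSA"], row["Source DSA"], row["Naming Context"])
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            # Non-INFO rows are flagged for manual review, not interpreted.
            findings.append((link, "ERROR", None))
            continue
        last_ok = parse_time(row["Last Success Time"])
        failures = int(row["Number of Failures"] or 0)
        if last_ok is None:
            findings.append((link, "NEVER", None))
            continue
        age = (now - last_ok).days
        if age >= tombstone_days:
            status = "OVER_TOMBSTONE"  # partner must be demoted/cleaned up, not just resynced
        elif age >= warn_days or failures:
            status = "STALE"
        else:
            status = "OK"
        findings.append((link, status, age))
    return findings

if __name__ == "__main__":
    now = datetime(2007, 10, 3, 18, 6)  # constructed "current time"
    for link, status, age in check_replication(SAMPLE_CSV, now):
        print(status, age, link)
```

Anything other than OK on a scheduled run is worth an alert; a link that reaches OVER_TOMBSTONE is in the state described in this thread.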
