Mark Minasi's Reader Forum
 Entire Network Tombstoned? Help!
Lisa (Old Timer, USA, 507 Posts)
Posted - 03/20/2012 : 3:19:47 PM
I need help and even though I feel dumb and embarrassed for not knowing everything about Active Directory, I have to suck it up and become that terrible warning my signature talks about.

Backstory: Had a Win2003 home network, consisting of 2 domain controllers one with Exchange 2003 installed. April 2011: old PowerEdge 400 SC, Win2003 DC with Exchange has a motherboard failure. Forced into purchasing new hardware. Win2003 will not install on new hardware. Forced into installing Win2008, chose R2. Configure Win2008R2, Exchange 2010 and VPN. Everything works fine. Now have a Win2008R2 DC and a Win2003 DC/GC. In June 2011, hire Exchange hosting service for mail, pack up and move from CA to AZ. New house does not have office space or cabling for Ethernet.

Fast forward 7 months later, new office installed, Ethernet installed. February 2012: Turn on Win2008R2 and Win2003 DCs. Computers authenticate. Printers print. Then, March 2012, VPN issues. Network Policy Server not installed anymore (for VPN). Hmmmm...how did that happen? Reinstall and reconfigure Network Policy Server. Notice blizzard of errors in Event Viewer. Duplicate SPNs, KDC (did I install anything called KDC?), Kerberos, Replication errors, Information Store will not mount, Exchange Services cannot start, Exceeded Tombstone Life issues. Unsure which problem to tackle first. Thinking there must have been 1 event that started it all, want to think about it a bit and do some research.

I know you guys know what’s coming. So…, both of my DCs, my entire network is tombstoned, I think. From what I’ve read AD tombstones after 90 days. What do I do from here? Can I not turn back the dates on my DCs? I know I can’t do this, but would it work? Should I buy a new computer, install Win2008R2, configure AD, then demote and promote the other DCs? Can I recover from this by resetting the computer account on either DC? I found this article: http://networkadminkb.com/KB/a268/how-to-reset-domain-controller-computer-account.aspx
Which one should I try to reset first – Win2003 or Win2008R2? I’ve searched for this problem on the web but am not coming up with much because no one in an office environment would ever turn off all of their servers for extended periods of time.

Any help would be appreciated. This is one of those times I feel like I’m getting too old for IT!

Edit: grammatical errors/typos

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird

Edited by - Lisa on 03/29/2012 03:26:31 AM

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/20/2012 : 3:44:04 PM
Relax. Chances are that you can fix this sufficiently to get it working.
- pick one of your DCs as leading. Assume the W2008R2 machine.
- make sure this machine is a global catalog before you proceed.
- on the _other_, remove AD this way: dcpromo /forceremoval
- on the 2008 R2, remove its metadata: ADUC, OU=Domain Controllers, computer account of the 2003 DC: delete it.
- clean up references to the 2003 DC in DNS; all that you can find.

At this point you have a single DC that should be working (sort of). Ping back if you need more help. Good luck!

Make it as simple as you can, but not simpler -- Albert Einstein
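The checklist above, as an added PowerShell example (not from the thread, not Microsoft's own tooling): run on the surviving 2008 R2 DC after the forced removal, it checks that the survivor is a GC and lists AD and DNS objects that still name the removed 2003 DC. It adds one check the post does not spell out: FSMO roles that a forced removal leaves recorded on the old DC. The DC names are placeholders, and a Domain Admin session on the 2008 R2 DC is assumed.

```powershell
# Added example, not from the thread: run on the surviving 2008 R2 DC as Domain
# Admin after 'dcpromo /forceremoval' on the 2003 box. Names are placeholders.
Import-Module ActiveDirectory                      # RSAT AD module on 2008 R2

$OldDc = 'OLDDC2003'                               # placeholder: removed 2003 DC
$Dom   = Get-ADDomain
$Lead  = Get-ADDomainController -Identity $env:COMPUTERNAME

# 0. A forced removal does not transfer FSMO roles. Any role still recorded on
#    the old DC must be seized (ntdsutil 'roles') or RID/PDC work starts failing.
$Forest = Get-ADForest
@($Dom.PDCEmulator, $Dom.RIDMaster, $Dom.InfrastructureMaster,
  $Forest.SchemaMaster, $Forest.DomainNamingMaster) |
    Where-Object { $_ -match "^$OldDc\." } |
    ForEach-Object { Write-Warning "FSMO role still assigned to $_ : seize it" }

# 1. The surviving DC must be a global catalog. GC is bit 0 of the 'options'
#    attribute on its NTDS Settings object; NTDS event 1119 confirms it is live.
if (-not $Lead.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $Lead.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
    Write-Warning "GC enabled on $($Lead.HostName); wait for event 1119 before going on"
}

# 2. AD leftovers. Deleting the computer object in ADUC on 2008 R2 (step 4 above)
#    also removes the server/NTDS Settings objects; anything still listed here
#    needs 'ntdsutil metadata cleanup'.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADComputer -LDAPFilter "(cn=$OldDc)" `
    -SearchBase "OU=Domain Controllers,$($Dom.DistinguishedName)"
Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" -SearchBase "CN=Sites,$cfg"

# 3. DNS leftovers: SRV, NS and CNAME records that still name the old DC. Its A
#    and PTR records may stay. dnscmd ships with 2008 R2 (no DnsServer module yet).
function Get-StaleDcRecords {
    param([string]$Server, [string]$Zone, [string]$DcName)
    dnscmd $Server /enumrecords $Zone '@' 2>&1 |
        Where-Object { $_ -match "\s(SRV|NS|CNAME)\s.*\b$DcName\." } |
        ForEach-Object { "$Zone : $_" }
}
foreach ($zone in @($Dom.DNSRoot, "_msdcs.$($Dom.DNSRoot)")) {
    Get-StaleDcRecords -Server $Lead.HostName -Zone $zone -DcName $OldDc
}
```

Anything printed by steps 0, 2 or 3 is a leftover to clean before calling the single-DC setup working; an empty result from all three plus a clean `dcdiag` is the state the post is aiming for.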

Lisa (Old Timer, USA, 507 Posts)
Posted - 03/20/2012 : 6:08:17 PM
If both DCs are global catalogs, will I have to take Global Catalog off of the Win2003 DC?

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/21/2012 : 03:43:06 AM
Doesn't matter. You are going to remove it from AD anyway. For the record: all DCs should be GCs in a small network.

Make it as simple as you can, but not simpler -- Albert Einstein

JamesNT (Moderator, USA, 3150 Posts)
Posted - 03/21/2012 : 11:03:24 AM
Beware this issue if you are keeping the Win2K8R2 machine as your DC and you have removed the other DCs.

http://support.microsoft.com/kb/979495

JamesNT

James Summerlin
www.jamessummerlin.com

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/21/2012 : 5:46:20 PM
James, are you actually seeing this? From what I heard this should be pretty rare, mostly associated with RODCs?

Also, the fix is included in Win7 Sp1.

Make it as simple as you can, but not simpler -- Albert Einstein

JamesNT (Moderator, USA, 3150 Posts)
Posted - 03/22/2012 : 3:11:25 PM
I had this problem about six weeks ago when I had two DCs that fell out of sync and USN rollback occurred. The DCs were not RODCs.

Excerpt from closing email:

quote:

It was my pleasure to assist you during your Windows issue. I hope that you were delighted with the service provided to you. I am providing you with a summary of the key points of the case for your records.
PROBLEM: Unable to log into any machine in the domain due to DNS issues on the Domain Controller.

CAUSE: Secure Channel of the domain controller to itself breaks after the domain controller reboots.

RESOLUTION: Reset the secure channel using the Netdom Utility and Hotfix: kb/979495

The above mentioned case has been non-decremented (refunded) as discussed.

We welcome your feedback / suggestion regarding the service provided to you. You can write an email to my Manager at the below mentioned contact details. If you have any questions please feel free to call me. You can reach me using the contact information below and referencing the case ID 112020920809632.

Based on our last conversation, I am closing the case 112020920809632. If your issue has recurred or you are not satisfied with any aspect of this case, please let me know as soon as possible.
JamesNT

James Summerlin
www.jamessummerlin.com

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/23/2012 : 05:31:23 AM
Thanks James, I need to look at this again.

Make it as simple as you can, but not simpler -- Albert Einstein

Lisa (Old Timer, USA, 507 Posts)
Posted - 03/28/2012 : 8:47:04 PM
Ok - I finally had time to do all of those things in one chunk of time. What's next?

My Win2003 is still a server and I was wondering if, later, I could promote it again. In a small network, redundancy is key.

My Win2008R2 DC is getting group policy errors. Is this the least of my problems? Should I be nervous about this error?

Event ID 1006: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 3/28/2012 5:12:40 PM
Event ID: 1006
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: servername.domainname.com
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1006</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-03-29T00:12:40.233498100Z" />
<EventRecordID>2834217</EventRecordID>
<Correlation ActivityID="{314DE6A7-CB7B-428A-8947-0E906A075C48}" />
<Execution ProcessID="156" ThreadID="1592" />
<Channel>System</Channel>
<Computer>servername.domainname.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">5012</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">1654</Data>
<Data Name="ErrorCode">49</Data>
<Data Name="ErrorDescription">Invalid Credentials</Data>
<Data Name="DCName">
</Data>
</EventData>
</Event>

Thank you SO much for all the help you've given me so far. Really! I didn't know where to turn!

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/29/2012 : 03:22:59 AM
> My Win2008R2 DC is getting group policy errors. Is this the least of my problems? Should I be nervous about this error?

It basically says that AD is not running or unreachable. That would be acceptable during boot. It can also mean that your DNS has not been cleaned, so have a look at that.

> Really! I didn't know where to turn!

Sure you did ;-)

Make it as simple as you can, but not simpler -- Albert Einstein

Lisa (Old Timer, USA, 507 Posts)
Posted - 03/29/2012 : 03:25:53 AM
Ok - do you mean I should reboot my Win2008R2 server? I haven't done that yet. I feel nervous about it.

But, yes, thank you for being there!

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/29/2012 : 04:11:52 AM
> Ok - do you mean I should reboot my Win2008R2 server?

No, I meant that this error may occur shortly after booting. If you get it during normal operation there is a problem somewhere. The most likely place to look in this case would be DNS. It should contain no trace of the old DC, except its A or PTR record.

Make it as simple as you can, but not simpler -- Albert Einstein
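The triage in the two replies above (event 1006 is harmless right after boot, otherwise suspect DNS), applied to the event Lisa posted, as an added PowerShell example that is not from the thread: it reads the event XML, classifies the failure, and uses a constructed boot time to show the "not during boot, no DC found" case. The XML here is Lisa's event trimmed to the elements the function reads; the boot time and the grace period are assumptions.

```powershell
# Added example, not from the thread: classify Group Policy event 1006 as the
# replies do. The XML is the posted event (trimmed); $lastBoot is constructed.
function Get-GpoBindVerdict {
    param([xml]$EventXml, [datetime]$LastBoot, [int]$GraceMinutes = 10)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
    # SystemTime has 9 fractional digits; .NET's DateTime parser takes at most 7.
    $stamp = $EventXml.Event.System.TimeCreated.SystemTime -replace '(\.\d{7})\d+', '$1'
    $when  = ([datetime]$stamp).ToUniversalTime()
    $code  = [int]$data['ErrorCode']             # LDAP result code; 49 = invalidCredentials
    $dc    = ([string]$data['DCName']).Trim()    # empty when no DC could be located
    if (($when - $LastBoot.ToUniversalTime()).TotalMinutes -le $GraceMinutes) {
        $verdict = 'Within boot grace period: AD was not up yet, acceptable'
    } elseif ($dc -eq '') {
        $verdict = 'No DC located at all: check DNS for leftover records of the removed DC'
    } elseif ($code -eq 49) {
        $verdict = "Bind to $dc rejected: check this machine's account and secure channel"
    } else {
        $verdict = "LDAP error $code ($($data['ErrorDescription'])) against $dc"
    }
    New-Object PSObject -Property @{ TimeUtc = $when; ErrorCode = $code; DCName = $dc; Verdict = $verdict }
}

# The posted event, trimmed to the elements read above (names are Lisa's placeholders).
$posted = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1006</EventID>
    <TimeCreated SystemTime="2012-03-29T00:12:40.233498100Z" />
    <Computer>servername.domainname.com</Computer></System>
  <EventData>
    <Data Name="ErrorCode">49</Data>
    <Data Name="ErrorDescription">Invalid Credentials</Data>
    <Data Name="DCName">
</Data>
  </EventData>
</Event>
'@

# Constructed boot time (UTC): 12 minutes before the event, outside a 10-minute grace.
$lastBoot = [datetime]::SpecifyKind([datetime]'2012-03-29T00:00:00', 'Utc')
Get-GpoBindVerdict -EventXml $posted -LastBoot $lastBoot | Format-List TimeUtc, ErrorCode, DCName, Verdict

# Live use on the DC itself (Windows PowerShell 2.0 as shipped with 2008 R2):
#   $boot = [Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem).LastBootUpTime)
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1006 } |
#       ForEach-Object { Get-GpoBindVerdict ([xml]$_.ToXml()) $boot }
```

With these inputs the verdict is the DNS one: the event carries no DC name at all, which is the signature of a locator failure rather than a rejected bind to a known DC.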

Lisa (Old Timer, USA, 507 Posts)
Posted - 03/30/2012 : 02:03:21 AM
I will check into that, thanks for the tip.

Now, afterwards, if there are no other errors in Event Viewer, does this mean my AD is working properly again? Or what? I don't know where to go from here.

And, should I invest in new hardware to add another Win2008R2 DC to my network and leave the Win2003 as a member server? Or, can I just promote my old Win2003 server back to a DC? It seems like that wouldn't be a good idea, but I need to know what you think about it. Thank you!

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird

wkasdo (Administrator, Netherlands, 7403 Posts)
Posted - 03/30/2012 : 04:00:11 AM
> Now, afterwards, if there are no other errors in Event Viewer, does this mean my AD is working properly again? Or what? I don't know where to go from here.

Run dcdiag. It should catch most of the serious errors.

If your 2003 hardware is stable, by all means promote it back to a DC. If the hardware is EoL, I'd take the opportunity to get something new.

Make it as simple as you can, but not simpler -- Albert Einstein

aval (Honorable But Hopeless Addict, USA, 3272 Posts)
Posted - 03/31/2012 : 8:37:02 PM
quote:
Now, afterwards, if there are no other errors in Event Viewer, does this mean my AD is working properly again? Or what? I don't know where to go from here.

Lisa,

Besides dcdiag, if you have a W2K8 R2 domain controller, you could run the best practices analyzer. It should flag any glaring problems.

The image in this link should show you where to locate that. The article is actually about some new BPAs (which may or may not be useful to you as well). BTW, you should be able to find Server Manager itself in Administrative Tools.

http://blogs.technet.com/b/askds/archive/2010/04/28/win2008-r2-bpa-updates-released-for-april-2010-wave.aspx

Lisa (Old Timer, USA, 507 Posts)
Posted - 04/01/2012 : 01:53:32 AM
Will do.

Thank you guys!

I'm just about to get a truckload of visitors, so I'll have to do a little at a time.

The Win2003 server is an old Sony laptop, probably more than 6 years old! Hey, you have to use what you have on hand sometimes. And, some type of server is better than none, especially in a small network!

I'll probably do both, get new hardware and keep the old server.

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird

Lisa (Old Timer, USA, 507 Posts)
Posted - 09/26/2012 : 11:47:25 PM
Update: All is well with my network. Thank you, all of you, for your help and input. I really appreciate having a place to go and ask questions and get help. I'm not in IT anymore and sometimes it feels like I'm losing my skills and fading into obscurity. It's scary how fast this happens.

I have disabled Exchange 2010 on my server and am thinking that I'll just keep the hosting service. Less headaches for me - no active sync (iPhone), spam, viruses, IIS, SSLs, etc. That's someone else's problem.

While I'm not active in IT anymore, I do appreciate stopping by now and then and sucking up all the info/knowledge. Usually, right after I read something on the forum, I need it for my network. Funny how that happens.

Thank you!!

Lisa O'Hara

If you can't be a good example, then you'll just have to be a horrible warning. --Catherine Aird
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi