DC DOWN: Adding Domain Controller

Julian

I had a primary domain controller w/ Exchange that became
unstable. I added another Windows Server and joined it to
the domain as an additional domain controller. The primary
crashed before I could demote its status from the
primary. I have now rebuilt the primary domain controller;
however, the secondary DC which I installed after the first
one became unstable will not let this new DC join as an
additional domain controller (it's still looking for the
primary, which doesn't exist anymore).

How can I add this new Domain Controller into the Domain?
Do I have to create a new domain and add all the users,
etc.?

We are currently DOWN. Any help is appreciated
Mike Aubert

First, go to a command prompt and type NETDOM QUERY FSMO. Write down the
roles that were held by the old domain controller (which is probably all of
them). Next you will need to seize these roles to the working domain
controller. This link contains the information you need to seize the various
roles:

http://www.microsoft.com/windows2000/en/server/help/sag_ADrespondFSMOfailures.htm

Next, I would clean up the failed domain controller's metadata in the
directory. Steps can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

Ensure that DNS is configured correctly and you should be good to go.



------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)


Note the "news2" in my email address is temporary and may be changed in the
future; remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
Guest

I ran NETDOM QUERY FSMO at the cmd prompt on the DC that's
running right now, and it's not recognized as an
internal or external command.
Julian

I also tried running the commands from the first link you
mentioned and it says it cannot bind to the server because the
RPC server is unavailable.
Mike Aubert

Ooops, brain cramp, that's right - netdom is part of the Support Tools (here
is a link on how to install the Support Tools:
http://support.microsoft.com/default.aspx?scid=kb;en-us;301423 ).

Alternatively, you can use Ntdsutil.

At the command prompt, type ntdsutil.
At the ntdsutil prompt, type domain management.
At the domain management prompt, type connections.
At the server connections prompt, type connect to server, followed by the
fully qualified domain name.
At the server connections prompt, type quit.
At the domain management prompt, type select operation target.

At the select operation target prompt, type list roles for connected server.



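Added example, not part of the original thread: a PowerShell equivalent of NETDOM QUERY FSMO (Mike's first reply) and of the ntdsutil role listing above, followed by the transfer-or-seize step. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later; the thread itself is on Windows 2000 Support Tools), Enterprise Admin rights, and uses the placeholder name DC2 for the DC that is still online.

```powershell
# Added example (not from the original thread). Lists the five FSMO role holders the
# way NETDOM QUERY FSMO does, then transfers or, with -Seize, seizes them onto the
# target DC. Assumptions: ActiveDirectory module present, run as Enterprise Admin,
# 'DC2' is a placeholder short name for the surviving DC.
param(
    [string]$TargetDC = 'DC2',   # placeholder: DC that should end up holding the roles
    [switch]$Seize               # set only when the current holder is gone for good
)
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Two roles are forest-wide, three are per-domain; netdom shows all five together.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
'Current role holders:'
$before.GetEnumerator() | ForEach-Object { '  {0,-22} {1}' -f $_.Key, $_.Value }

# Only move roles that are not already on the target. Holder names come back as
# FQDNs (dc1.corp.example.com), so match on the short-name prefix.
$toMove = @($before.GetEnumerator() |
    Where-Object { $_.Value -notlike "$TargetDC.*" } |
    ForEach-Object { $_.Key })
if ($toMove.Count -eq 0) { "All roles already on $TargetDC"; return }

if ($Seize) {
    # Seize writes the new holder into the directory without asking the old one.
    # The old DC must never come back online as a DC afterwards: clean its metadata
    # (KB 216498) and reinstall it, as the thread does.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $toMove -Force -Confirm:$false
} else {
    # Transfer asks the current holder to hand over and fails, rather than leaving
    # two holders, if that holder is unreachable. This is the verb to use when
    # moving the roles back onto the rebuilt DC at the end of the thread.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $toMove -Confirm:$false
}

# Verify: every role should now name the target.
$after = Get-FsmoHolders
$after.GetEnumerator() | ForEach-Object {
    $ok = $_.Value -like "$TargetDC.*"
    '  {0,-22} {1} {2}' -f $_.Key, $_.Value, $(if ($ok) { 'OK' } else { 'NOT MOVED' })
}
```

Run it without -Seize first: if the old holder really is gone the transfer fails with an RPC or "unwilling to perform" error and nothing changes, which confirms that seizing is the only option left. The -Force seize is a one-way door for the old server, so it belongs after the decision to rebuild it, not before.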
Mike Aubert

You need to specify the domain controller that is still online - not the one
that has failed. Which DC are you trying to connect to?



Julian

I tried using ntdsutil.

When I try connecting to the server, it says DSBindW
Error "RPC Server is unavailable".

I have only one DC right now and it was the backup.

Since I don't mind rebuilding everything and Exchange is
actually the most important thing I want to restore... Can
I do the following...

Shut off this backup DC, recreate a new domain on the
primary which I am trying to add to this domain with the
same domain name, and install Exchange, users, computers,
etc.?
Mike Aubert

Julian,



Assuming you are trying to connect to the domain controller that is still
online (not the server that has failed) the "RPC Server is unavailable"
error is typically a DNS issue. Have you checked to see that DNS is
configured correctly after the first server failed? If you let me know how
DNS is setup on both servers (i.e. the TCP/IP settings and the configuration
in the DNS snap-in) I can tell you if it is correct or not.


If you really want to rebuild the domain from scratch you can - but that
would be a little drastic at this point. For example, if DNS is not
configured correctly you are still going to run into problems even if you
rebuild AD.



Guest

Mike,

DNS is not installed on the server that is still running.
I assume I have to install it on the box that's still
running. But how do I configure it?

Thanks for all your help, Mike. Any chance I could get an
email address? It's about a half hour turnaround. Thanks.
Julian

I set up DNS on the new server that still isn't joined,
though, because that machine was hosting the original
DNS. For that one I created a new domain to see if I could
get Exchange up and just set it up with default settings.
Mike Aubert

Julian,

If the DNS zone for your domain was configured as Active Directory
Integrated, simply install DNS on the server (use Add or remove Programs in
control panel). If you're not sure, go ahead and install the DNS server
service and then open the DNS admin tool. If a forward lookup zone appears
for the name of your domain - you're all set for the most part. Just
configure both servers' TCP/IP settings to point at the working domain
controller. You will then need to run ipconfig /registerdns at a command
prompt and then restart the NETLOGON service on the working domain
controller.

If you install the DNS server service and no zones appear under forward
lookup zones you will need to create a new forward lookup zone using the DNS
name of your domain. When configuring the zone be sure to allow dynamic
updates. You will then need to run ipconfig /registerdns at a command prompt
and then restart the NETLOGON service on the working domain controller.

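Added example, not part of the original thread: a PowerShell check of the DNS prerequisites Mike lists in the post above (the DC's TCP/IP settings point at a DNS server that hosts the domain zone, the zone accepts dynamic updates, the DC locator SRV records exist) with the ipconfig /registerdns and NETLOGON restart applied only when something is missing. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later), that it runs on the working DC, and uses corp.example.com and DC2 as placeholders.

```powershell
# Added example (not from the original thread). Verifies and repairs the DNS setup
# a surviving DC needs before another server can be promoted against it.
# Assumptions: run on the working DC, DnsServer/DnsClient modules present,
# 'corp.example.com' and 'DC2' are placeholders.
param(
    [string]$DomainName = 'corp.example.com',   # placeholder AD DNS name
    [string]$WorkingDC  = 'DC2'                  # placeholder: DC still online
)

# 1. Where does this box send DNS queries? A DC pointing at a dead DNS server
#    produces exactly the 'RPC server is unavailable' bind errors seen in the thread.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses } |
       Select-Object -ExpandProperty ServerAddresses -Unique
"Client DNS servers: $($dns -join ', ')"

# 2. Does the local DNS service host the zone, and does it accept dynamic updates?
#    Without dynamic updates NETLOGON cannot write the locator records at all.
$zone = Get-DnsServerZone -Name $DomainName -ErrorAction SilentlyContinue
if (-not $zone) {
    "Zone $DomainName missing: creating an AD-integrated zone with secure dynamic updates"
    Add-DnsServerPrimaryZone -Name $DomainName -ReplicationScope Domain -DynamicUpdate Secure
} elseif ($zone.DynamicUpdate -eq 'None') {
    "Zone $DomainName rejects dynamic updates: enabling secure updates"
    Set-DnsServerPrimaryZone -Name $DomainName -DynamicUpdate Secure
}

# 3. The records clients and dcpromo use to find a DC. If they are absent, or still
#    name only the failed DC, joins and promotions fail.
$srvNames = @("_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName")
$missing = foreach ($n in $srvNames) {
    $rec = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
    $targets = @($rec | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    '{0,-45} -> {1}' -f $n, $(if ($targets) { $targets -join ', ' } else { '(none)' })
    if ($targets -notcontains "$WorkingDC.$DomainName") { $n }
}

# 4. Re-register only if needed: Register-DnsClient is 'ipconfig /registerdns', and a
#    NETLOGON restart rewrites every _msdcs/_sites/_tcp/_udp record for this DC from
#    %SystemRoot%\System32\config\netlogon.dns.
if ($missing) {
    "Re-registering DC locator records for $WorkingDC"
    Register-DnsClient
    Restart-Service Netlogon
    Start-Sleep -Seconds 15
    foreach ($n in $missing) {
        Resolve-DnsName -Name $n -Type SRV | Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget
    }
} else {
    "DC locator records already point at $WorkingDC; nothing to re-register"
}
```

Run it on the working DC first, then point the other server's TCP/IP DNS setting at the working DC and run only steps 1 and 3 there; the second box should resolve the same SRV records before DCPROMO is attempted.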
Mike Aubert

For anyone that is interested, here is the rest of the conversation Julian
and I had over email:


Julian:
I have installed the default DNS and forward lookup is auto populated.
So I point the DNS of the new server to this one and run ipconfig /registerDNS
at the command prompt for the server that's in the domain right now?
Mike:

Point *both* servers' DNS TCP/IP settings at the DNS server. Then run
ipconfig /registerDNS and restart netlogon on the working domain controller.
You could also restart the working domain controller and accomplish the
same thing.

Julian:
I have restarted the netlogon service on the DC that's running. If I repoint the DNS
for the new server, can I now add it to the domain or do I have to go through those
steps you mentioned before... using ntdsutil?
Mike:

You need to go ahead and do those steps I listed earlier. Otherwise your domain
will not function correctly.
Julian:

Mike, I am now on the second article which you referred me to... 216498, where
I run the metadata cleanup, but when I run the command "select site 0" it says
no current server, no current naming context.
Mike:

That's fine... keep going... it's just telling you that no DC or NC has been selected.
You will select the DC in steps 12 and 13. It is always going to say no naming
context - don't worry about it, you don't need to select a NC for these steps.

Just be sure that when you select the operations target in steps 12/13 you select the
server that had FAILED. Don't remove the metadata for the working domain controller!!

Julian:

Mike, what is the _msdcs.rootdomain of forest zone mentioned in step 17? And
how do I do this?

Also, what is ADSI Edit?
Mike:

I have a better solution...forget about the rest of that article.

Open up the DNS console, expand the DNS server, expand forward lookup zones,
expand your domain name. Right click _msdcs and select delete. Also delete the
_sites, _tcp, and _udp subdomains as well. After doing this you will need to restart the
netlogon service on the domain controller again. Starting from scratch will ensure the
correct records are in DNS. After you restart the netlogon service the DC will
re-register the _msdcs, _sites, etc subdomains.

I'll email you the rest of the steps. Start with the above for now.
Julian:

That was done. Looks like it repopulated everything!
Mike:

I'm doing this from memory, so let me know if you get an error when performing
these steps.

Open Active Directory Sites and Services
Expand the site that contained the failed domain controller
Expand the Servers folder
Right click the *failed* domain controller and then click delete (you may be
prompted to confirm)


ADSI Edit is a snap-in provided with the Windows Support Tools. How to
install the Support Tools:
http://support.microsoft.com/default.aspx?scid=kb;en-us;301423

After the tools are installed click Start, Run, then type MMC, and then click OK.
On the Console menu click Add/Remove Snap-in.
Click Add, then select ADSI Edit from the list, click Add, click Close then click OK
Right click ADSI edit and click Connect to.
Select the "Naming Context" option, from the dropdown list choose "Domain NC,"
and click OK.

Expand the Domain NC container.
Expand DC=Your Domain, DC=COM
Expand OU=Domain Controllers.
Right-click CN=**failed** domain controller name, and then click Delete.

Expand CN=System
Expand CN=File Replication Service
Expand CN=Domain System Volume (SYSVOL share)
Right-click CN=**failed** domain controller name, and then click Delete.
Julian:

MIKE! You are the man.

So now that I am where I wanted to be 12 hours ago... I have reinstalled the OS on
the failed DC and it's got the same server name (for Exchange's sake), but it's in a workgroup.
Can I now go to that box and install AD (set up as an additional domain controller)? How
would I configure the DNS (still point it to the backup one we have running now)?

At the end of the day, I want to take the backup one down and have the one that originally
went down assume its prior status.
Mike:

Point the failed server's DNS TCP/IP settings at the working DC. Try to promote the
failed DC back to the domain.
Julian:

So I modify the DNS TCP/IP first... Install Active Directory? Or just run DCPromo?

Mike:

Modify the TCP/IP settings on the failed server to point at the working DC for DNS.
Run DCPROMO.
Julian:

I've set up the failed one to add to the existing domain, which it's doing beautifully.

Thanks for ALL your help!

When I want to go back to the original setup before this primary DC went down.
How do I go about making it the primary again, with all the DNS stuff too?
Mike:

Install the DNS Service on the failed server. Point the TCP/IP settings of both
servers to the once failed server for DNS.


Use Ntdsutil to transfer (do *NOT* seize them - there is a difference) all the
FSMO roles.


Also, you are going to need to go into the properties of the NTDS Settings object
under the domain controllers and make both of them global catalog servers (I'm
assuming you only have a single domain in your forest). It's a checkbox option.


BTW: you really need to have two domain controllers at an absolute minimum.
Julian:

Got It!

Thank you Mike for all your MOST VALUABLE advice. I would not have been
able to get through this without you!!
Mike:

You're welcome!

Would you mind if I post the rest of our conversation on the news group? I will remove
your email/name/contact info. That way others can see what the resolution to this
problem was - just in case they run into a similar situation.
Julian:

No problem Mike.
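Added example, not part of the original thread: a non-interactive version of the KB 216498 metadata cleanup Julian works through above, followed by checks for the leftovers the thread deletes by hand (the Sites and Services server object, the Domain Controllers computer object, the FRS SYSVOL member object, and stale DNS records). It assumes the Windows Server 2008 or later ntdsutil syntax ("remove selected server" with a DN), the ActiveDirectory and DnsServer modules, Enterprise Admin rights on the surviving DC, and uses DC1, DC2, Default-First-Site-Name and corp.example.com as placeholders.

```powershell
# Added example (not from the original thread). One-shot metadata cleanup for a DC
# that is gone for good, plus a sweep for the objects and DNS records that the
# thread removes manually. Destructive: it removes the failed DC from the directory.
# Assumptions: Server 2008+ ntdsutil syntax, ActiveDirectory/DnsServer modules,
# run as Enterprise Admin on the surviving DC; all names below are placeholders.
param(
    [string]$FailedDC   = 'DC1',                      # placeholder: the DC that died
    [string]$WorkingDC  = 'DC2',                      # placeholder: the DC still online
    [string]$SiteName   = 'Default-First-Site-Name',  # site that contained the failed DC
    [string]$DomainName = 'corp.example.com',
    [switch]$WhatIf                                   # print the ntdsutil command instead of running it
)
Import-Module ActiveDirectory

# Guard against the mistake Mike warns about: never clean up the working DC, and
# never clean up a DC that still answers (demote it with dcpromo instead).
if ($FailedDC -eq $WorkingDC) { throw 'FailedDC and WorkingDC are the same name; aborting' }
if (Test-Connection -ComputerName "$FailedDC.$DomainName" -Count 1 -Quiet) {
    throw "$FailedDC still responds on the network; demote it instead of cleaning its metadata"
}

$configNC = (Get-ADRootDSE -Server $WorkingDC).configurationNamingContext
$domainDN = (Get-ADDomain -Server $WorkingDC).DistinguishedName
$serverDN = "CN=$FailedDC,CN=Servers,CN=$SiteName,CN=Sites,$configNC"

# Steps 1-16 of KB 216498 collapsed into one call: connect to the *working* DC,
# then remove the failed server by DN, which skips 'select operation target'.
$ntdsArgs = @('metadata cleanup', 'connections', "connect to server $WorkingDC", 'quit',
              "remove selected server $serverDN", 'quit', 'quit')
if ($WhatIf) {
    'Would run: ntdsutil ' + (($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')
} else {
    & ntdsutil.exe @ntdsArgs
}

# What ntdsutil should have removed, and what the thread deleted by hand in
# Sites and Services and ADSI Edit. Anything still present is a leftover.
$checks = @(
    @{ What = 'Sites and Services server object';  DN = $serverDN }
    @{ What = 'Domain Controllers computer object'; DN = "CN=$FailedDC,OU=Domain Controllers,$domainDN" }
    @{ What = 'FRS SYSVOL member object';           DN = "CN=$FailedDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN" }
)
foreach ($c in $checks) {
    $obj = try { Get-ADObject -Identity $c.DN -Server $WorkingDC } catch { $null }
    '{0,-38} {1}' -f $c.What, $(if ($obj) { 'STILL PRESENT: ' + $c.DN } else { 'gone' })
}

# DNS: any A, CNAME or SRV record that still names the failed DC sends clients to a
# dead box. Check both the domain zone and the separate _msdcs zone (2003+ layout;
# on Windows 2000 _msdcs is a subdomain of the domain zone and the first query covers it).
$stale = foreach ($z in @($DomainName, "_msdcs.$DomainName")) {
    Get-DnsServerResourceRecord -ZoneName $z -ComputerName $WorkingDC -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HostName -like "$FailedDC*" -or
            $_.RecordData.DomainName    -like "$FailedDC.*" -or   # SRV target
            $_.RecordData.HostNameAlias -like "$FailedDC.*"       # CNAME target (GUID._msdcs)
        } | Select-Object @{n='Zone';e={$z}}, HostName, RecordType
}
if ($stale) { 'Stale DNS records naming the failed DC:'; $stale | Format-Table -AutoSize }
else        { "No DNS records name $FailedDC" }
```

Run it with -WhatIf first to see the exact ntdsutil command and DN it will use; the DN must name the failed server, never the working one. Leftover AD objects can be removed with Remove-ADObject -Recursive, and stale DNS records with Remove-DnsServerResourceRecord, after which a NETLOGON restart on the working DC re-registers its own records, as the thread describes.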