Domain controller dies and 2nd domain controller isn't picking up the slack

Iggy

Hi,

I'm somewhat new to 2000 AD and I have a problem. I built up 2
domain controllers in an AD domain and I have a problem. The first DC
I built up crashed and burned. The 2nd domain controller doesn't
really seem to be picking up the slack as far as wins or
authentication is concerned.

For example, I set up a user, let's call him bob, and I want some
services to run as that user. When I try to configure those services
to run as that user I can't authenticate. I fire up AD Users and
Computers on the 2nd domain controller and I can see that the user
replicated but nobody in the domain can seem to get credentials for
this user. Why is that?

There are also other things failing, for example time synch is
failing. I get a message in the event log that says contact couldn't
be made to a domain controller. The most frustrating part of this
message is that I'm the 2nd domain controller and it's bitching that
it can't find a domain controller.

The machine is listed in Users and Computers as a domain
controller and I can see various entries in DNS that list it as a
domain controller so I don't understand what's going on with that
either.

If anybody could help me with these problems I would appreciate
it.

Iggy

Thanks Shawn.

The problem as I see it is that everything I read says that if I
seize a role from a downed domain controller then I should never put
the domain controller back into the environment. That seems a little
severe.

Shouldn't a 2nd domain controller automatically handle
authentications if the other DC fails? Is the behaviour I'm seeing
the normal expected behaviour or does it indicate something went
wrong?

Thanks in advance for any help.

David Pharr [MSFT]

A couple of questions for you:
1. Were the domain controllers replicating properly before the crash? If
they were both functioning as DCs and replicating properly when the first
one went down the other should allow users to continue to login and access
AD.
2. If the DC crashed, how are you planning to bring it back into the
domain? I would think you would rebuild it, join the domain and then
promote it as a DC again in which case Shawn's recommendation of seizing
the roles that it had to the remaining DC makes sense. You also need to do
a metadata cleanup per kb 216498 to clean up its entries from the
remaining DC.
3. It sounds like you have 2 DCs - if one crashed, where did the other one
come from?

Take a look at the following article to make sure each DC is functioning
correctly:
298143 How to Verify an Active Directory Installation
http://support.microsoft.com/?id=298143

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
Shawn's earlier reply, as quoted in Iggy's post:

> You may want to clean the old DC out of AD and if applicable seize any FSMO
> roles the first DC had.
>
> 216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
> http://support.microsoft.com/?id=216498
>
> 255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
> http://support.microsoft.com/?id=255504
>
> --Shawn
> This posting is provided "AS IS" with no warranties and confers no rights.

David Pharr [MSFT]

FSMO (flexible single master operations) roles must be performed by a
single DC only. Seizing a role basically recreates the role from scratch
because the original machine is no longer available and will not be coming
back. If a machine crashes and needs to be rebuilt then you would need to
seize its roles. If a FSMO role holder is temporarily removed from the
environment (it's down for some other reason or just not available) then
you would not seize the role.

If a DC crashes, in most cases you would rebuild the machine. However, you
need to clean up its information from the remaining DCs that have no idea
that the machine crashed. They still have information about that machine
that should be removed since it will not be coming back. The steps to
perform this are outlined in the following kb article (which I alluded to
in the other reply):
216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
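As an added check for the situation David describes above (this is not code from the thread or from Microsoft's KB articles): a read-only PowerShell report of which FSMO roles the surviving DC still attributes to the dead DC, whether the dead DC's NTDS Settings object is still in the configuration partition, and whether DNS still advertises it as a DC. It assumes the ActiveDirectory and DnsClient modules of a far newer Windows than the Windows 2000 in this thread, and the DC name is a placeholder.

```powershell
# Added example, not from the thread: read-only report of what is still left
# to do after a DC dies for good (FSMO seizure per KB 255504, metadata cleanup
# per KB 216498, stale DNS records). Assumes the ActiveDirectory and DnsClient
# PowerShell modules (Server 2008 R2+/RSAT, not Windows 2000). Nothing is changed.
param(
    [Parameter(Mandatory = $true)][string]$DeadDc   # placeholder, e.g. 'DC1'
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$cfgNc  = (Get-ADRootDSE).configurationNamingContext

# The five FSMO roles as the surviving replica believes they are assigned.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
$toSeize = foreach ($r in $roles.GetEnumerator()) {
    Write-Host ('{0,-22} {1}' -f $r.Key, $r.Value)
    # Holders are stored as FQDNs; compare the host label only.
    if (($r.Value -split '\.')[0] -ieq $DeadDc) { $r.Key }
}
if ($toSeize) { "Seize (KB 255504): $($toSeize -join ', ')" }
else          { "No FSMO role points at $DeadDc." }

# A DC that crashed never demoted itself, so its NTDS Settings object stays in
# the Sites container until metadata cleanup removes it.
$ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$cfgNc" |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$DeadDc,*" }
if ($ntds) { "Metadata cleanup (KB 216498) still needed: $($ntds.DistinguishedName)" }
else       { "No NTDS Settings object for $DeadDc; metadata already cleaned." }

# Stale SRV records keep clients (and the surviving DC's own services, such as
# time sync) trying the dead machine until scavenging or manual deletion removes them.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -ErrorAction SilentlyContinue |
       Where-Object { $_.NameTarget -like "$DeadDc.*" }
if ($srv) { "DNS still advertises $DeadDc as a DC: $($srv.NameTarget -join ', ')" }
else      { "DNS no longer advertises $DeadDc as a DC." }
```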

Iggy

Hi David,

> 1. Were the domain controllers replicating properly before the crash? If
> they were both functioning as DCs and replicating properly when the first
> one went down the other should allow users to continue to login and access
> AD.

They appeared to be. Any machine added to the domain was plainly
visible in AD Users and Computers on both domain controllers and any
user account was also plainly visible. The event log contains no
replication errors and it appeared to have the standard replication
success entries you would expect to find if both DCs were working
properly.

> 2. If the DC crashed, how are you planning to bring it back into the
> domain? I would think you would rebuild it, join the domain and then
> promote it as a DC again in which case Shawn's recommendation of seizing
> the roles that it had to the remaining DC makes sense.

I actually am going to rebuild it. At the time I wrote my first
question I wasn't sure what was wrong with the first DC. It could
have been something as simple as a yanked power cord or the machine
waiting for some user interaction at boot up to continue. The machine
is 3000 miles away in a remote data center so if it's offline I can't
tell what the problem is remotely.

It turns out the machine is dead because of some type of damage to the
OS so it'll need to be rebuilt. So I have no problem seizing control
of the AD stuff now.

> You also need to do
> a metadata cleanup per kb 216498 to clean up its entries from the
> remaining DC.

Ok I'll be sure to read that doc and follow its instructions.

> 3. It sounds like you have 2 DCs - if one crashed, where did the other one
> come from?

Well I built 2 DCs as my first step to creating the domain. I'm not
sure I understand your question. It's fairly typical to have more
than 1 controller so I think I don't get what you're asking me.

> Take a look at the following article to make sure each DC is functioning
> correctly:
> 298143 How to Verify an Active Directory Installation
> http://support.microsoft.com/?id=298143

Thank you. I certainly will look at it.

David Pharr [MSFT]

Ignore my question 3 since you seem to have a handle on the problem.
Since that machine crashed it did not properly pull out its information
from AD and the other DC will still think it is there. The steps in kb
216498 are correct and work exactly as typed, although you may get messages
that make you a little nervous like "there are no servers in site". You
just have to continue with the steps to list the information - it's not the
most intuitive interface we have but I've done this 20-30 times so I know
the steps are exact.

A couple of good articles for your records:

238369 HOW TO: Promote and Demote Domain Controllers in Windows 2000
http://support.microsoft.com/?id=238369

237675 Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?id=237675

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.