Only boots in to AD recovery

Discussion in 'Active Directory' started by Deb, Jul 23, 2009.

  1. Hello Deb,

    Before removing an old DC we have the need for an answer about the root domain
    and if the creashed DC was from the root domain and if that was the only
    one. The way Marcin describes applies only if you have additional DCs in
    the SAME domain available.

    As said earlier, when the root domain DC is crashed and you can not restore
    it or have an additioanl DC in the root, you will not be able to restore
    the forest. And you have to start complete for all child domains also from
    scratch.

    Of course you can safe your data before as much as possible, but all user
    accounts, computer accounts, security groups, GPOs etc. etc. are lost. All
    domain machines have to be rejoined to the new domain and you have to rebuilt
    everything, all users will get new passwords etc.etc.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 24, 2009
    #21
    1. Advertisements


  2. Hi Deb,

    I'm sorry, I don't understand this question:
    If all DCs of a domain no longer exist, then the domain no longer exists to seize anything.

    I agree with Meinolf, we'll need to get MORE info about your complete infrastructure. You're providing bits and pieces, but not the whole picture, which makes is extremely challenging to help you.

    Did you read my suggestion to run the script and Metadata Cleanup or the script to provide us with a complete picture of the infrastructure, as well as the ipconfigs?

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #22
    1. Advertisements

  3. Hmm, I must have missed that part. So it appears that there was only one forest root DC, and it crashed? Quite unfortunate.

    Hopefully Deb will run that script I provided. I am looking forward to see the results so we can get a complete picture of the infrastructure.

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #23
  4. Deb

    Deb Guest

    Hi all,

    2 item, first is the JLFACC server, second rebuilding the AD on JLFSRV1:
    This I do know that JLFACC does have AD & DNS running on it. Before AD took
    a bump on JLFSRV1 there were no trusts showing. Now these could have been
    upgraded from Windows 2000 servers. No documentation.

    1-Well there is the rub I did not set it up and there are no notes on how it
    was setup.
    So how do I tell if the second DC SRV2 (JLFACC) is the root or a child domain?

    The JLFACC server hosts ADP. I have not done anything with this server but
    was logged in as administrator on at the console when JLFSRV1 crash and now
    the console is locked and will not unlock with the same administrators
    password.
    But the ADP software is still being accessed. So the AD on server JLFACC is
    still authenticating those user accounts.
    There are only 4 users that have access to the ADP server I am told. That
    much I know. But why will it not allow the admin not to unlock console?
    I know I need to resolve this before rebuilding AD on FLFSRVR1 because like
    you have said which server is/was the root AD. And if it is a total rebuild
    of AD then it is.

    2-Tthere is no longer a DC of JLFSRV1.
    Yes I know I will have to add all the computer and user account back in to
    the domain that will be built on JLFSRV1. One good thing is it’s under 20
    accounts.

    Hopefully this has given you a better idea of the mess I have. The person
    who set this up is no longer with the company. It is a small site. Yes it
    would be great if the AD on JLFSRV1 did not crash but it did.

    Thank you for sticking with me, will be on site at 10am and can running the
    scripts from the JLFSRV1 against what I think is the domain. This would have
    been a lot easier if there was a little documentation on the AD lay out.
    Thanks again,
    Deb
     
    Deb, Jul 24, 2009
    #24
  5. Deb

    Deb Guest

    Not a program so which script should I use from
    http://www.visualbasicscript.com/m_33275/tm.htm ?
    sorry please help me with running this script,
    Thank you

     
    Deb, Jul 24, 2009
    #25
  6. Hello Ace Fekay [MCT],

    At the beginning was a statement about 2 Domains:

    "Looking.local - should be root DC
    Works.looking.local - sub DC"

    That's the reason for my answer also at the start about the needed setup.
    So we will see it hopefully in the output from your script.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Jul 24, 2009
    #26
  7. Deb

    Deb Guest

    I know its something is shouled be seeing but I do not see where it is
    attached as a file.
    Thanks again,

     
    Deb, Jul 24, 2009
    #27

  8. Deb:

    "> So how do I tell if the second DC SRV2 (JLFACC) is the root or a child domain?"

    The domain name it is part of (the Primary DNS Suffix of the machine, if correct) will tell you, that is if you know the domain names above it in the hierarchal structure of the DNS name, is not a domain. The ntdsutil or running that script I provided will tell you exactly.

    If you provide an ipconfig /all of all DCs in your domain, we can tell you.

    You have a lot going on. As I mentioned, with the bits and spurts you are providing us, makes it extremely challenging to assist.

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #28

  9. Yea, I was trying to follow the thread, but so many postings, and each post has little pieces of the domain, with lots of other information, but nothing specific about the infrastructure. So hopefully that script will help.

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #29
  10. Meinolf/Deb,

    I found a better script. I tested this and it works nicely.

    I substituted what I believe your domain names are, but honestly, I believe you've changed the names in your posts, so I will need YOU to enter all the domains you are aware of.
    read throug in the top of the script for the line that says "'put your domains in below ." In the line directly below it, if the domain names I put in are wrong, please subsitute the names in the quotes for all of the ACTUAL domain names you are aware of you have.

    Honestly, the ntdsutil is easier than this, but I'm trying to make it easier for you by having to avoid you to actually use the command line tools.

    Thanks.

    '==========================================================================
    '
    ' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 4.0
    '
    ' NAME: getadroles.vbs
    '
    ' AUTHOR: Kirrilian
    ' DATE : 11/3/2005
    '
    ' COMMENT: just run it, preferably with cscript :)
    ' code liberally hacked/borrowed from the script repository
    '==========================================================================
    'put your domains in below
    domains = Array("workstations", "jlf1", "jlfsrv1", "'srv1")

    For Each domain In domains
    WScript.Echo "*********** Querying: " & domain & " *************"
    getdomaininfo domain
    WScript.echo
    Next

    Sub getdomaininfo(domain)
    'needed for the gc queries
    On Error Resume Next

    Set objRootDSE = GetObject("LDAP://" & domain & "/rootDSE")

    'ugly code follows...
    Set objSchema = GetObject _
    ("LDAP://" & objRootDSE.Get("schemaNamingContext"))
    strSchemaMaster = objSchema.Get("fSMORoleOwner")
    Set objNtds = GetObject("LDAP://" & strSchemaMaster)
    Set objComputer = GetObject(objNtds.Parent)
    WScript.Echo "Forest-wide Schema Master FSMO: " & objComputer.Name

    Set objNtds = Nothing
    Set objComputer = Nothing

    Set objPartitions = GetObject("LDAP://CN=Partitions," & _
    objRootDSE.Get("configurationNamingContext"))
    strDomainNamingMaster = objPartitions.Get("fSMORoleOwner")
    Set objNtds = GetObject("LDAP://" & strDomainNamingMaster)
    Set objComputer = GetObject(objNtds.Parent)
    WScript.Echo "Forest-wide Domain Naming Master FSMO: " & objComputer.Name

    Set objDomain = GetObject _
    ("LDAP://" & objRootDSE.Get("defaultNamingContext"))
    strPdcEmulator = objDomain.Get("fSMORoleOwner")
    Set objNtds = GetObject("LDAP://" & strPdcEmulator)
    Set objComputer = GetObject(objNtds.Parent)
    WScript.Echo "Domain's PDC Emulator FSMO: " & objComputer.Name

    Set objRidManager = GetObject("LDAP://CN=RID Manager$,CN=System," & _
    objRootDSE.Get("defaultNamingContext"))
    strRidMaster = objRidManager.Get("fSMORoleOwner")
    Set objNtds = GetObject("LDAP://" & strRidMaster)
    Set objComputer = GetObject(objNtds.Parent)
    WScript.Echo "Domain's RID Master FSMO: " & objComputer.Name

    Set objInfrastructure = GetObject("LDAP://CN=Infrastructure," & _
    objRootDSE.Get("defaultNamingContext"))
    strInfrastructureMaster = objInfrastructure.Get("fSMORoleOwner")
    Set objNtds = GetObject("LDAP://" & strInfrastructureMaster)
    Set objComputer = GetObject(objNtds.Parent)
    WScript.Echo "Domain's Infrastructure Master FSMO: " & objComputer.Name

    'check for global catalogs
    Const NTDSDSA_OPT_IS_GC = 1
    Set objGC = GetObject("LDAP://OU=Domain Controllers," & _
    objRootDSE.Get("defaultNamingContext"))
    For Each gc In objGC
    'clean up the ldap response
    gc = Replace(gc.name, "CN=", "")
    Set objRootDSE = GetObject("LDAP://" & gc & "/rootDSE")
    strDsServiceDN = objRootDSE.Get("dsServiceName")
    Set objDsRoot = GetObject("LDAP://" & gc & "/" & strDsServiceDN)
    'this doesnt always exist therefore we have to use on error resume next
    intOptions = objDsRoot.Get("options")
    'check to see if the previous command failed with the err.number function
    If intOptions And NTDSDSA_OPT_IS_GC and err.Number = 0 Then
    WScript.Echo gc & " is a global catalog server."
    Else
    WScript.Echo gc & " isnt up or isnt a global catalog server."
    Err.Clear
    End If
    next

    End Sub 'getdomaininfo
    ==============

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #30
  11. Hello Ace Fekay [MCT],

    You are correct, i am still waiting for the answer to my question what happens
    when the crashed server is started normally.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Jul 24, 2009
    #31
  12. Deb

    Deb Guest

    Good news
    I have the root domain.
    Forest-wide schema master FSMO NC=JLFACC
    Forest-wide Domain Naming Master FSMO=JLFACC
    Domain’s PDC Emulator FSMO CN=JLFACC
    Domain’s RID Master FSMO CN=JLFACC
    Domain’s Infrastructure Master FSMO CN=JLFACC
    JLFACC is a Global Catalog Server

    Query Local (which I had as looking) reported ISNT up or ISNT Global Catalog
    Server

    Now to build JLFSRV1 as a second DC.

    Now to make sure DNS is set correctly.
    Thank you again.

     
    Deb, Jul 24, 2009
    #32
  13. Hello Deb,

    JLFACC seems to be the root Domain Controller, is this the crashed one or
    not? Also you have to different root domain name and root DC, you found the
    root domain controller, the name we hopefully see in one of your next postings.

    Are you able to start it or not?

    If you are able to logon please run dcdiag /v and post the unedited output.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Jul 24, 2009
    #33
  14. Deb

    Deb Guest

    Here it is, the end is marked with ==============
    C:\WINDOWS\ServicePackFiles\i386>dcdiag /v

    Domain Controller Diagnosis

    Performing initial setup:
    * Verifying that the local machine jlfacc, is a DC.
    * Connecting to directory service on server jlfacc.
    [jlfacc] Directory Binding Error -2146892976:
    The system detected a possible attempt to compromise security. Please
    ensure
    that you can contact the server that authenticated you.
    This may limit some of the tests that can be performed.
    * Collecting site info.
    * Identifying all servers.
    * Identifying all NC cross-refs.
    * Found 1 DC(s). Testing 1 of them.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\JLFACC
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    * Active Directory RPC Services Check
    [JLFACC] DsBindWithSpnEx() failed with error -2146892976,
    The system detected a possible attempt to compromise security.
    Please
    ensure that you can contact the server that authenticated you..
    ......................... JLFACC failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\JLFACC
    Skipping all tests, because server JLFACC is
    not responding to directory service requests
    Test omitted by user request: Topology
    Test omitted by user request: CutoffServers
    Test omitted by user request: OutboundSecureChannels
    Test omitted by user request: VerifyReplicas
    Test omitted by user request: VerifyEnterpriseReferences
    Test omitted by user request: CheckSecurityError

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : jlfisher
    Starting test: CrossRefValidation
    ......................... jlfisher passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... jlfisher passed test CheckSDRefDom

    Running enterprise tests on : jlfisher.local
    Starting test: Intersite
    Skipping site Default-First-Site-Name, this site is outside the scope
    provided by the command line arguments provided.
    ......................... jlfisher.local passed test Intersite
    Starting test: FsmoCheck
    GC Name: \\jlfacc.jlfisher.local
    Locator Flags: 0xe00003fd
    Warning: Couldn't verify this server as a PDC using DsListRoles()
    PDC Name: \\jlfacc.jlfisher.local
    Locator Flags: 0xe00003fd
    Time Server Name: \\jlfacc.jlfisher.local
    Locator Flags: 0xe00003fd
    Preferred Time Server Name: \\jlfacc.jlfisher.local
    Locator Flags: 0xe00003fd
    KDC Name: \\jlfacc.jlfisher.local
    Locator Flags: 0xe00003fd
    ......................... jlfisher.local passed test FsmoCheck
    Test omitted by user request: DNS
    Test omitted by user request: DNS

    ============================

     
    Deb, Jul 24, 2009
    #34
  15. Did you use the original script I posted, or the new one, which I tested and is working?

    Ace
     
    Ace Fekay [MCT], Jul 25, 2009
    #35
  16. Good to hear.

    Can you run the script on your child domain too, please?

    Thank you,
    Ace
     
    Ace Fekay [MCT], Jul 25, 2009
    #36
  17. Deb

    Deb Guest

    Tried to sent attachments but it looks like I did not setup my newsreader
    right.

    There is no child domain now.
    the jlfsrv1 DC is no longer present. Which make the workstations entry not
    valid due to the removal of the server JLFSRV1(doing a rebuild) right?
    also when I do a browse of “My Network PlacesMS Windows Networks it shows
    Jlfisher
    Jlfsrv0
    Work (I created this workgroup while testing something)
    Workgroup
    So what I thought was a domain of Jlfsrv0 could very well be a workgroup.
    What do you think after looking at everything?

    Thank you again,
    Deb
     
    Deb, Jul 25, 2009
    #37
  18. Deb

    Deb Guest

    Ok it’s getting late and I am making typo.
    Sorry about that.
    Here is what the DNS looks like on the JLFACC server
    -----------------------------------------------------------
    These are under the DNS\JLFACC\FORWARD Lookup Zone\Jlfisher.local

    Name Type Data
    _msdcs
    _sites
    _tcp
    _udp
    DomainDnsZones
    ForestDnsZones
    workstations
    (same as parent folder) Start of Authority (SOA) [1089],
    jlfacc.jlfisher.local., hostmaster.
    (same as parent folder) Name Server (NS) jlfacc.jlfisher.local.
    (same as parent folder) Host (A) 169.254.247.251
    (same as parent folder) Host (A) 192.168.123.185
    cary Host (A) 192.168.123.22
    jlfacc Host (A) 192.168.123.185
    ProComm Host (A) 192.168.123.138
    sysadmin Host (A) 192.168.123.151
    wacc1 Host (A) 192.168.123.23


    --standing at Workstations object
    Name Type Data
    jlfsrv

    --standing at jlfsrv object
    Name Type Data
    _msdcs
    _sites
    _tcp
    _udp
    DomainDnsZones
    ForestDnsZones
    jlt-tech Host (A) 192.168.123.110
    naomi Host (A) 192.168.123.152
    office Host (A) 192.168.123.139
    RENTAL2 Host (A) 192.168.123.53
    ronprocom Host (A) 192.168.123.162


    --standing at
    Workstations\jlfsrv\domainDnsZones\_sites\Default-First-Site-Name\_tcp object

    Name Type Data
    _ldap Service Location (SRV)
    [0][100][389]jlfsrv.jlfsrv.workstations.jlfisher.local.
     
    Deb, Jul 25, 2009
    #38
  19. So jlfacc.jlfisher.local is the forest root domain controller for
    flfisher.local? Good to know that, so far. I also see it has two NICs in it,
    because one of the NICs is trying to get an IP address from DHCP. It's
    evident by the following entry in DNS:
    (same as parent folder) Host (A) 169.254.247.251

    From what I see so far, a mulithomed domain controllers (more than one NIC
    and/or IP or that has RRAS installed) is *extremely* problematic and a major
    cause of AD malfunction. That could one cause of all the problems you are
    having.

    At least now we can actually see the actual domain names. The variations of
    domain names you've been posting has made it very confusing. That was one
    reason I had mentioned about that srv1.srv1.... name you posted earlier on.
    It's extremely difficult to assist when names are changed, but if you change
    the names, be consistent across the board in order to reduce confusion, as
    well as that we can see an actual picture to fully understand what you have,
    their relationship to each other, and their configuration...

    Which reminds me... this was why we've been asking for ipconfig /alls from
    EVERY domain controller to evaluate the DNS infrastructure and relationship.
    They will be extremely helpful.

    Try to not change the names any more, PLEASE! It will provide us an accurate
    and overall picture.

    Now if you cannot provide them, due to security concerns, or anything else,
    I can understand. If this is the case, with all due respect, and I want to
    see you get these problems resolved, it may be better that you put in a call
    to Microsoft PSS. They have a one time fee of about USD $250, and will fix
    everything for you with the one ticket and the one phone call.

    Ace
     
    Ace Fekay [MCT], Jul 25, 2009
    #39
  20. Hello Deb,

    On JLFACC i assume a second not connected NIC is used which relies in the
    second ip address assigned with APIPA(automated private ip addressing 169.254.x.x),
    So i f this is not used disable it and delete the DNS entry.

    JLFACC seems to be the root domain controller from jlfisher.local.

    So is JLFACC now the crashed server, which you could start now or is this
    the other one? That's still unclear for me.

    There is also a domain name listed workstations.jlfisher.local or jlfsrv.workstations.jlfisher.local
    with server jlfsrv, so the server is deleted you said? Was that the crashed
    server?

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Jul 25, 2009
    #40
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.