Permission issues in Domain after Promoting a Member Server to DC

Discussion in 'Active Directory' started by Kev, Jan 18, 2008.

  1. Kev

    Kev Guest

    I was working at a Single Domain Client Site last week. The Domain had 2
    DC's in it. I was to demote one of the DC's in order that the box could be
    rebuilt for other purposes. The demotion was successful.

    I was then instructed to Promote a designated Member Server to a DC. This
    went fairly well, but there were some issues inherent on the Domain after the
    promotion.

    The issues were as follows

    1) The new DC could not be browsed to from Domain workstations without
    getting prompted for authentication,

    2) The new DC picked up all of the FSMO roles for some reason. So
    effectively I was left with 2 Domain Controllers that each thought that
    they were holding all 5 FSMO roles.



    Has anyone seen this unorthodox behavior prior? Does anyone have any
    recommendations that would provide a solution to this problem?



    Thanks



    Kevin
     
    Kev, Jan 18, 2008
    #1

  2. Kev

    Jorge Silva Guest

    can you post the results for dcdiag /c /e /v

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jan 22, 2008
    #2

  3. Kev

    Kev Guest

    Jorge

    An update to the issue. At this point, when we promote the Member Server to
    DC in our single Forest Domain, all goes well. The original DC still holds
    all 5 roles.

    The issue at hand is now that "select" users are prompted for authentication
    when they attempt to browse to the name of the new DC (e.g., "\\bhiprint1") will
    cause an authentication window to pop up as if they were not domain members
    when they are already authenticated.

    I have run netdiag and dcdiag on the original DC. Here is the output...
    there are a couple of weird errors in here:
    C:\Documents and Settings\kevin.BOARSHEADINN>netdiag

    .......................................

    Computer Name: BHIDC2
    DNS Host Name: bhidc2.boarsheadinn.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 10, GenuineIntel
    List of installed hotfixes :


    Netcard queries test . . . . . . . : Passed
    [WARNING] The net card 'Broadcom NetXtreme Gigabit Ethernet' may not be working.



    Per interface results:

    Adapter : Local Area Connection 2

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : bhidc2
    IP Address . . . . . . . . : 198.100.100.216
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 198.100.100.1
    Primary WINS Server. . . . : 198.100.100.216
    Dns Servers. . . . . . . . : 198.100.100.216


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Passed

    Adapter : Local Area Connection

    Netcard queries test . . . : Failed
    NetCard Status: DISCONNECTED
    Some tests will be skipped on this interface.

    Host Name. . . . . . . . . : bhidc2
    Autoconfiguration IP Address : 169.254.69.112
    Subnet Mask. . . . . . . . : 255.255.0.0
    Default Gateway. . . . . . :
    Dns Servers. . . . . . . . :



    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{81CE0D0C-08C4-4E09-B697-4512CF6560B3}
    NetBT_Tcpip_{3C9FC95E-A182-449E-BF14-D0F9503DED64}
    2 NetBt transports currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    [WARNING] Cannot find a primary authoritative DNS server for the name 'bhidc2.boarsheadinn.com.'. [ERROR_TIMEOUT]
    The name 'bhidc2.boarsheadinn.com.' may not be registered in DNS.
    PASS - All the DNS entries for DC are registered on DNS server '198.100.100.216' and other DCs also have some of the names registered.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{81CE0D0C-08C4-4E09-B697-4512CF6560B3}
    NetBT_Tcpip_{3C9FC95E-A182-449E-BF14-D0F9503DED64}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{81CE0D0C-08C4-4E09-B697-4512CF6560B3}
    NetBT_Tcpip_{3C9FC95E-A182-449E-BF14-D0F9503DED64}
    The browser is bound to 2 NetBt transports.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully

    C:\Documents and Settings\kevin.BOARSHEADINN>

    I am not sure why it seems it cannot find the "Authoritative DNS server"; it
    actually is that itself. I have checked to make sure the appropriate records
    are there, and they are...

    Thanks
    Kevin
     
    Kev, Jan 24, 2008
    #3
  4. Kev

    Jorge Silva Guest

    Hi
    -Try the following: disable the NIC that has the APIPA address, remove entries
    that map the server to any address, then point the Primary DNS in the NIC to
    the existing DNS server, right-click the NIC and choose Repair, and check that
    the DNS records were created in the DNS.

    -Run netdiag /fix from cmd prompt and restart the netlogon service, then
    use active directory sites and services to force replication between both
    servers.

    -Assuming that both DCs are DNS make sure that DNS is fully replicated
    between both servers and AD as well.

    -After everything is replicated between both servers, you can point each
    DC/DNS to itself in the primary dns NIC configuration, and point to each
    other in the secondary dns NIC configuration, then run the diagnostic tools
    again.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jan 24, 2008
    #4
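Added example, not from the thread or either poster: a small Python parser for netdiag output of the shape Kevin pasted, which flags what Jorge's first step acts on (an adapter sitting on a 169.254.x.x APIPA address, an adapter with no DNS server) along with the DNS and NetBT warnings. The sample output is constructed from that post, and the function names and dict keys are my own.

```python
import re

# Constructed sample, shaped like the netdiag output pasted earlier in the thread.
SAMPLE = """\
Adapter : Local Area Connection 2
    IP Address . . . . . . . . : 198.100.100.216
    Dns Servers. . . . . . . . : 198.100.100.216
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
Adapter : Local Area Connection
    NetCard Status: DISCONNECTED
    Autoconfiguration IP Address : 169.254.69.112
    Dns Servers. . . . . . . . :
Global results:
    [WARNING] Cannot find a primary authoritative DNS server for the name 'bhidc2.boarsheadinn.com.'. [ERROR_TIMEOUT]
"""

ADAPTER_RE = re.compile(r"^Adapter : (.+)$", re.M)
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)[ .]*: ?(.*)$")   # 'Key . . . : value' lines
WARN_RE = re.compile(r"^\s*\[(WARNING|ERROR)\] (.*)$", re.M)

def parse_adapters(text):
    """One dict per 'Adapter :' block in the per-interface section."""
    parts = ADAPTER_RE.split(text.split("Global results:", 1)[0])[1:]  # name, block, ...
    adapters = []
    for name, block in zip(parts[::2], parts[1::2]):
        info = {"name": name.strip(), "ip": None, "apipa": False, "status": "OK", "dns": []}
        for m in filter(None, map(FIELD_RE.match, block.splitlines())):
            key, val = m.group(1).strip().lower(), m.group(2).strip()
            if key == "ip address":
                info["ip"] = val
            elif key == "autoconfiguration ip address":   # APIPA: the NIC never got a lease
                info["ip"], info["apipa"] = val, True
            elif key == "netcard status":
                info["status"] = val
            elif key == "dns servers":
                info["dns"] = val.split()
        adapters.append(info)
    return adapters

def findings(text):
    """Flag what the reply above acts on: an APIPA NIC, an adapter with no DNS server, DNS/NetBT warnings."""
    out = []
    for a in parse_adapters(text):
        if a["apipa"] or (a["ip"] or "").startswith("169.254."):
            out.append(f"APIPA adapter: {a['name']} ({a['ip']}, {a['status']})")
        elif not a["dns"]:
            out.append(f"No DNS server on adapter: {a['name']}")
    for _, msg in WARN_RE.findall(text):
        out.append(("DNS registration: " if "DNS" in msg else "NetBT names: ") + msg.strip())
    return out
```

Run it over a saved `netdiag` capture and the first line of `findings()` is the disconnected APIPA adapter Jorge suggests disabling before re-registering DNS.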
