RE: [ActiveDir] urgent help needed
How do I promote the DC into a fake domain? And demote it?

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 30, 2004 12:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Are you sure the DIT file is gone? If so, and you have no system state backups and you don't have any other DCs for that domain, your only choice is a forced demotion of the DC. See the following KB:
http://support.microsoft.com/default.aspx?kbid=332199

If I recall, though, you can't do that from single user mode, so you will have to do the following unsupported hack. Go to the following registry value:

hklm\system\currentcontrolset\control\productoptions\producttype

Change it from WinNT to ServerNT. After you do this, you will want to promote the DC into a fake domain and demote it again so that it reconfigures everything properly on the machine.

It is possible to create an empty DIT file, but it will do nothing for you. There is a huge difference between an empty DIT file and a properly built DIT file with no user-defined objects. The former is easy, the latter is not. You have to repromote the DC to get it.

I will step up on the podium for a second...
1. Always have multiple DCs.
2. If you can't follow number 1, have a system state backup that you know is good, and still always have multiple DCs.

I am wondering why you are so worried about rebuilding the DC; my guess is that you have some other app or apps loaded. It really isn't good security (or any security at all, honestly) to run DCs as app servers. There are a couple of infrastructure services that are generally OK to run, but as a whole, don't run apps on DCs.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Dennis, I appreciate your help, but the solutions that are suggested in the link you gave me won't work... the last suggestion was to reinstall the operating system, which is what I am trying not to do...

Does anybody have any idea how to solve my problem? When I try to boot in normal mode there is an error message saying the directory service can't be started... then, when I check the integrity of the files with ntdsutil, some errors occur, the last one being "E:\winnt\ntds\ntds.dit file does not exist"... It must be possible to create a new empty ntds.dit file... or any other solution!!

Thank you
Alicia

-----Original Message-----
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 30, 2004 11:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Alicia,

Check out http://support.microsoft.com/default.aspx?scid=kb;en-us;265089, scenario 2.

Dennis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 10:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] urgent help needed
Importance: High

Hello, I am having trouble with Active Directory... the database file ntds.dit was erased because of a power failure we had some days ago. Active Directory was working perfectly until that day, and now Windows 2000 won't start. The only way we have to access the machine is through DS restore mode. We can't uninstall AD because we are not in normal mode... and we don't have a backup for that file. Is there any way I can create a new empty database to start over? Or is there a way to eliminate AD from the server without having to format the drive and install Windows 2000? Is it possible to create the ntds.dit file and any others needed? Doesn't AD have that functionality?

We need to have the server working again as soon as possible. We don't mind eliminating anything related to Active Directory, but we don't want to format the drive and re-install the operating system again...

Please help me
Thank you very much

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Quasi DC Administrator Service Issue
Just to let everyone know, after analyzing what was going on, I found this Microsoft article to be the most likely culprit:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257247

Jeremy
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Monday, August 02, 2004 9:32 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Quasi DC Administrator Service Issue

We have some network administrators that do not have full domain administrative access (not in the Domain Admins group). We have given their accounts, through the Default Domain Controllers group policy, the ability to manage some domain controller services, mainly the Print Spooler and the TCP/IP Print service, with Full Control access. When they try to stop or start the service they get error code 5: access is denied. These users are also in the Server and Print Operators group(s). Any ideas?

Jeremy
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270
RE: [ActiveDir] Inplace DC upgrade to 2003 on HP/Compaq hardware?
Hi,

We upgraded our entire forest last year from W2K to W2K3. We are running on HP/CPQ ProLiant servers. We upgraded most of the servers; only a few were demoted and reinstalled. All our servers are iLO enabled and we exclusively used it for all upgrades/reinstalls. To accomplish that, we created a single bootable W2K3 CD containing some additional HP software (Support Pack for W2K3) and a combination of OS hotfixes. That one was sent to all sites, who inserted it in the server before we started. Since SmartStart was not required in this process (it was already installed during the initial W2K install), we didn't need to swap CDs.

These are some things to consider (there are a lot, but these I find important):
- if you upgrade, will you do it offline to avoid possible virus infection while the OS has not been patched for certain vulnerabilities (we did)
- if today you have a Windows 2000 Certificate server (Enterprise Root) and you are using it to deploy certificates to the DCs, you should consider upgrading that one first to W2K3, because the templates required for W2K3 are not supported on a W2K Certificate Server and that will cause some errors. We had issues that NetLogon did not want to start...
- don't forget to do an offline defrag after the upgrade. On upgraded servers, we saw our DIT file shrink substantially.
- we rigorously tested this procedure in our QA lab

I must agree with Ken and Al that wipe and load is probably the best scenario; however, we didn't do it because we would have lost a lot of data in our systems management tool. That one uses a unique ID (dynamically generated and not transferable) for each object in its database. A reinstalled server got a new one.

Bart

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 23:09
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Inplace DC upgrade to 2003 on HP/Compaq hardware?

If that doesn't work, HP offers the ability to provision servers. You may want to talk to your rep about the options they have for deploying images on their platform. Wipe/reload is the way to go IMHO - prevents any question that something came over in the upgrade to make the OS less than optimum, i.e. drivers, etc. that didn't get handled correctly.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Monday, August 02, 2004 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inplace DC upgrade to 2003 on HP/Compaq hardware?

These servers have older RIB boards that don't do remote CD-ROM drives. One thing that just occurred to me is to try doing a 2003 install from the OS CD-ROM and skip SmartStart altogether. I'd then install the support pack after the base install. May have to test that...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, August 02, 2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inplace DC upgrade to 2003 on HP/Compaq hardware?

Personally, I'd go with your alternate option of performing a wipe and load. That ensures you don't have any inefficiencies carried over from the previous OS. If you copy the OS and HP Support Pack software onto a networked share, you should be able to perform the installations without having anyone on site to swap CDs. You would link to the share from the target server using its RIB connection, run the setup program and select the new installation option (it will copy the files it needs to the local drive). Once the OS is installed, you would establish a link to the network share that contains the HP Support Software and run its setup program. I've performed this operation from the console of one of my local servers when going from NT4 to 2000. We're not licensed to use 2K3 yet (will be next year), so I don't have personal experience with 2000 to 2K3 (yet). HTH.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Monday, August 02, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Inplace DC upgrade to 2003 on HP/Compaq hardware?

Has anyone done an in-place upgrade from 2000 to 2003 on HP/Compaq servers? I am trying to put together a plan for upgrading our forest, and one of the sticky points is our remote domain controllers. What I would like to do is update each DC to the latest 2k support pack, then do an in-place 2003 upgrade, then grab the latest 2k3 support pack (I am assuming that the 2k and 2k3 versions of the support pack are different). I will, of course, test in the lab, but as some great admiral once said: "The best scale for an experiment is twelve inches to the foot". I'd like to hear from someone who's done this in the real world. My other option is to demote the
Re: [ActiveDir] Checklist for changing IP Address on DC
Hello guys,

I followed the same steps to change the IPs of the 2 DCs that I have, but after I made the change I started getting replication errors. The event log is showing "RPC server is unavailable". I tried forcing the replication, but no success. I can ping both DCs from each other by name and IP. dcdiag is showing errors:

DC Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial non skippeable tests
   Testing server: Default-First-Site-Name\EMMA2
      Starting test: Connectivity
         . EMMA2 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\EMMA2
      Starting test: Replications
         [Replications Check,EMMA2] A recent replication attempt failed:
            From EMMA1 to EMMA2
            Naming Context: CN=Schema,CN=Configuration,DC=emmanuel,DC=edu
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-03 08:48.02.
            The last success occurred at 2004-08-03 06:48.41.
            5 failures have occurred since the last success.
            [EMMA1] DsBind() failed with error 1722, The RPC server is unavailable..
            The source remains down. Please check the machine.
         [Replications Check,EMMA2] A recent replication attempt failed:
            From EMMA1 to EMMA2
            Naming Context: CN=Configuration,DC=emmanuel,DC=edu
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-03 07:54.41.
            The last success occurred at 2004-08-03 07:23.03.
            5 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,EMMA2] A recent replication attempt failed:
            From EMMA1 to EMMA2
            Naming Context: DC=emmanuel,DC=edu
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-03 08:50.07.
            The last success occurred at 2004-08-03 07:24.25.
            8 failures have occurred since the last success.
            The source remains down. Please check the machine.
         . EMMA2 passed test Replications
      Starting test: NCSecDesc
         . EMMA2 passed test NCSecDesc
      Starting test: NetLogons
         . EMMA2 passed test NetLogons
      Starting test: Advertising
         . EMMA2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: EMMA1 is the Schema Owner, but is not responding to DS RPC Bind.
         Warning: EMMA1 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: EMMA1 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: EMMA1 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: EMMA1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         . EMMA2 failed test KnowsOfRoleHolders
      Starting test: RidManager
         [EMMA2] DsBindWithCred() failed with error 1722. The RPC server is unavailable.
         . EMMA2 failed test RidManager
      Starting test: MachineAccount
         . EMMA2 passed test MachineAccount
      Starting test: Services
         . EMMA2 passed test Services
      Starting test: ObjectsReplicated
         . EMMA2 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         . EMMA2 passed test frssysvol
      Starting test: kccevent
         . EMMA2 passed test kccevent
      Starting test: systemlog
         . EMMA2 passed test systemlog
   Running enterprise tests on : emmanuel.edu
      Starting test: Intersite
         . emmanuel.edu passed test Intersite
      Starting test: FsmoCheck
         . emmanuel.edu passed test FsmoCheck

Any help is appreciated. Thanks.

[EMAIL PROTECTED] writes:

Hi Roger,

This is interesting. When I was going through the design process a couple of years ago that was pretty much the best practice according to Microsoft (primarily the Branch Office guides), where the 'island' problem was laid out. We also had this validated by an external source. Our Unix/BIND environment has a similar configuration (well, basically 127.0.0.1) but it's not fair to compare that. Carefully reading that KB article reflects pretty much the same scenario. If I think about it further, both these child DCs are in the same network segment with
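As an added example that is not part of this thread: a small Python parser that pulls the per-test verdicts and the per-naming-context replication failures out of dcdiag output shaped like the listing above, so a script can flag the unreachable partner instead of a person reading through the dots. The sample text is constructed from the poster's lines (server names, naming contexts, error 1722 and timestamps are theirs; indentation and dot leaders are reconstructed), and it also shows why the verdict line alone is not enough: dcdiag prints "EMMA2 passed test Replications" even though every attempt from EMMA1 failed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the dcdiag output posted above: server names,
# naming contexts, error codes and timestamps are the poster's; the indentation
# and dot leaders are reconstructed, and some sections are omitted for brevity.
SAMPLE_DCDIAG = """\
   Testing server: Default-First-Site-Name\\EMMA2
      Starting test: Connectivity
         ......................... EMMA2 passed test Connectivity
      Starting test: Replications
         [Replications Check,EMMA2] A recent replication attempt failed:
            From EMMA1 to EMMA2
            Naming Context: CN=Schema,CN=Configuration,DC=emmanuel,DC=edu
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-03 08:48.02.
            The last success occurred at 2004-08-03 06:48.41.
            5 failures have occurred since the last success.
            [EMMA1] DsBind() failed with error 1722, The RPC server is unavailable..
         [Replications Check,EMMA2] A recent replication attempt failed:
            From EMMA1 to EMMA2
            Naming Context: DC=emmanuel,DC=edu
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2004-08-03 08:50.07.
            The last success occurred at 2004-08-03 07:24.25.
            8 failures have occurred since the last success.
         ......................... EMMA2 passed test Replications
      Starting test: KnowsOfRoleHolders
         Warning: EMMA1 is the PDC Owner, but is not responding to DS RPC Bind.
         ......................... EMMA2 failed test KnowsOfRoleHolders
      Starting test: RidManager
         [EMMA2] DsBindWithCred() failed with error 1722. The RPC server is unavailable.
         ......................... EMMA2 failed test RidManager
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         ......................... EMMA2 passed test frssysvol
"""

# Line shapes as printed by the Windows 2000 dcdiag in the post.
TEST_RESULT = re.compile(r"^\s*\.*\s*(\S+) (passed|failed) test (\S+)\s*$")
REPL_START = re.compile(r"A recent replication attempt failed:")
REPL_FROM = re.compile(r"^\s*From (\S+) to (\S+)\s*$")
REPL_NC = re.compile(r"^\s*Naming Context: (\S+)\s*$")
REPL_ERR = re.compile(r"generated an error \((\d+)\)")
REPL_COUNT = re.compile(r"^\s*(\d+) failures? have occurred")
DIAG_MSG = re.compile(r"^\s*(Warning|Error): (.+?)\s*$")
RPC_SERVER_UNAVAILABLE = 1722  # the Win32 error code in every failure above

@dataclass
class ReplicationFailure:
    source: str = ""
    target: str = ""
    naming_context: str = ""
    error: int = 0
    failures: int = 0

@dataclass
class DcdiagReport:
    tests: dict = field(default_factory=dict)      # (server, test) -> "passed"/"failed"
    replication_failures: list = field(default_factory=list)
    messages: list = field(default_factory=list)   # (level, text) from Warning:/Error: lines

def parse_dcdiag(text: str) -> DcdiagReport:
    """Walk the output line by line; one replication failure spans several lines."""
    report, current = DcdiagReport(), None
    for line in text.splitlines():
        if REPL_START.search(line):
            current = ReplicationFailure()       # start collecting a new failure
            report.replication_failures.append(current)
        elif m := TEST_RESULT.match(line):
            report.tests[(m.group(1), m.group(3))] = m.group(2)
            current = None                       # the test's verdict closes the block
        elif m := DIAG_MSG.match(line):
            report.messages.append((m.group(1), m.group(2)))
        elif current is not None:
            if m := REPL_FROM.match(line):
                current.source, current.target = m.group(1), m.group(2)
            elif m := REPL_NC.match(line):
                current.naming_context = m.group(1)
            elif m := REPL_ERR.search(line):
                current.error = int(m.group(1))
            elif m := REPL_COUNT.match(line):
                current.failures = int(m.group(1))
    return report

def failed_tests(report: DcdiagReport) -> list:
    return sorted(t for (_, t), result in report.tests.items() if result == "failed")

def unreachable_sources(report: DcdiagReport) -> set:
    """Replication partners that failed with 'The RPC server is unavailable'."""
    return {f.source for f in report.replication_failures if f.error == RPC_SERVER_UNAVAILABLE}

if __name__ == "__main__":
    r = parse_dcdiag(SAMPLE_DCDIAG)
    print("failed tests:", failed_tests(r))
    print("unreachable replication sources:", sorted(unreachable_sources(r)))
```

Feeding it a saved `dcdiag` transcript from a real DC is the intended use; the regexes only rely on the fixed phrases shown in the post, not on the dot leaders.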
[ActiveDir] exchange 2003 dcpromo
Hi,

Is it true that we shouldn't run dcpromo when Exchange 2003 is installed on a domain controller? I had a problem with the DC... so I dcpromo-ed it and then rebuilt it from the beginning. Now I can't start the services needed by Exchange. Not sure whether dcpromo is the root of the problem, but I can't start any services (not only those needed by Exchange). I tried to start the service... I could see the progress bar... but after waiting for quite a long time, it failed with the following error:

error 1053: the service did not respond to the start or control request in a timely fashion

I googled and found this link: http://www.jsiinc.com/SUBI/tip4400/rh4493.htm
The symptoms described quite match my situation (Internet Connection Wizard hangs, I couldn't see the properties of the adapter), but unfortunately the cause of the problem doesn't. The Logical Disk Manager Administrative Service is set to manual and the dmadmin registry contains the appropriate value...

I wonder whether the following error about ntfrs found in Event Viewer might be the cause of the above problem:

The file replication service has detected that the replica root path has changed from "C:\WINNT\SYSVOL\DOMAIN" to "C:\WINNT\SYSVOL\DOMAIN". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. This was detected for the following replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Is the above error critical for the operation of Active Directory and Exchange Server? I found the following link, http://support.microsoft.com/default.aspx?scid=kb;en-us;819268, which is similar to my problem, but I'm not sure whether it's the right solution since the path mentioned is "C:\bin", not "C:\WINNT\SYSVOL\DOMAIN". Should I reinstall Exchange on the Win2k server?

I'll really appreciate any inputs...

Thanks,
lara

Life, you see, is never as good nor as bad as one thinks - Guy de Maupassant
RE: [ActiveDir] Exchange and AD E-mails
You'll notice that those permissions on the store object aren't explicit but inherited and, to use Joe's Exchange as an example, are defined here:

CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com
as Allow DOMAIN\Exchange Domain Servers: List Children, Read All Properties, Read Permissions

The two other places where permissions are detailed explicitly are on the org:

CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com
and simply a Deny DOMAIN\Exchange Domain Servers: Receive As

and on the servers container:

CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=rendition networks,DC=com

I've managed to break Exchange by switching off inheritance in E2k on an admin group or server container, after which email from new servers joining the org could not be sent to servers already existing, or other similar problems. You'll notice some interesting things browsing ACLs in Exchange, and how they change subtly after service pack applications. I remember a SP rewriting base public folder permissions at one stage, which was rather upsetting in a legal environment ;)

Suggest you switch permission inheritance back on if you have switched it off, and set permissions explicitly where required and on the right levels if you HAVE to, so that a) mail flow won't break due to a missing permission on the Exchange servers group and b) since there are so few places where ACLs are written explicitly, you'll have a better idea, i.e. things will be slightly more self-documenting (did I mention that word?) when you're trying to figure out what changed six months after the fact. Suggest you document your default permissions somewhere or have a second org in a lab so that you can compare what's different in the future if something breaks.

I once spent a week chasing an NDR after figuring out that I switched something off somewhere and forgot where I did it. Document? ;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: 02 August 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

Because I was playing with permissions. J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 4:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and AD E-mails

Why wouldn't Exchange Domain Servers have the appropriate permission in your environment? Something get changed recently? Any event log entries on the Exchange servers?

-Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Monday, August 02, 2004 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

Yeah, I just played with this a little bit. If Exchange Domain Servers doesn't have write access, I get a bounce.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Monday, August 02, 2004 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and AD E-mails

I've got to back off the drinking apparently ;) ACLs very well can prevent mail delivery.

Al
RE: [ActiveDir] urgent help needed
It doesn't have to be a fake domain; it could be your regular domain name. You just want to promote and then demote so you have the member server back at a known good point, then finally do a regular promotion back to being your DC. Make sure you promote a second DC as well so you have a backup in case of failure for next time.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

How do I promote the DC into a fake domain? And demote it?
RE: [ActiveDir]GROUP Policy
Good morning everyone. I am new here, so I am sorry if this question has been asked many times before.

My network: three Windows 2000 servers and 200 W2k/XP workstations. Below is the error I am getting with Group Policy. I have looked in many places, but I can't seem to solve this problem. Administrators (full access), Users, and all computers have at least read/write access to SYSVOL. Anyone run into this issue before?

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1101
Date: 8/3/2004
Time: 6:37:33 AM
User: NT AUTHORITY\SYSTEM
Computer: BH-005C
Description:
Windows cannot access the the object DC=%,DC=%,DC=% in Active Directory. The access to the object may be denied. Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thank you,
Z.V.
RE: [ActiveDir] urgent help needed
Thanks a lot for everyone's help... I just want to explain that I don't have a second domain controller or a backup for the database file because I am just trying AD out and learning about it. I installed it on the laboratory server, which is used for learning, but it has other information that belongs to my work-mates... I am just worried that AD is so fragile against a power failure... that could happen again... I just have to pray that it won't?

Thanks again
Alicia

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 03, 2004 11:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

It doesn't have to be a fake domain; it could be your regular domain name. You just want to promote and then demote so you have the member server back at a known good point, then finally do a regular promotion back to being your DC. Make sure you promote a second DC as well so you have a backup in case of failure for next time.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

How do I promote the DC into a fake domain? And demote it?
RE: [ActiveDir] urgent help needed
One last question (I think..): when you say promote the DC, what do you mean? Install AD again (which will promote the server to DC)? Or use other software to do it without installing AD?

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 3 August 2004 11:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

It doesn't have to be a fake domain, it could be your regular domain name. You just want to promote and then demote so you have the member server back at a known good point, then finally do a regular promotion back to being your DC. Make sure you promote a second DC as well so you have a backup in case of failure for next time.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 July 2004 12:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 July 2004 11:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 10:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] urgent help needed
Importance: High

Hello, I am having trouble with Active Directory... the database file ntds.dit was erased because of a power failure we had some days ago. The Active Directory was working perfectly until that day, and now Windows 2000 won't start. The only way we have to access the machine is through DS restore mode. We can't uninstall AD because we are not in normal mode... and we don't have a backup for that file. Is there any way I can create a new empty database to start over? Or is there a way to eliminate AD from the server without having to format the drive and install Windows 2000? Is it possible to create the ntds.dit file and any others needed? Doesn't AD have that functionality? We need to have the server working again as soon as possible. We don't mind eliminating anything related to Active Directory, but we don't want to format the drive and re-install the operating system again... Please help me. Thank you very much
RE: [ActiveDir] urgent help needed
ESE should not have issues as a result of power failure. We should be resilient to that. In this thread you said AD won't start but you didn't cite the errors you get. Can you share the error messages you get on boot? That might tell us what is really happening. Thanks!

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Thanks a lot for everyone's help... I just want to explain that I don't have a second domain controller or backup for the database file because I am just trying AD out, and learning about it. I installed it in the laboratory server, which is used to learn, but has other information that belongs to my work-mates... I am just worried that AD is so fragile against a power failure... that could happen again... I just have to pray that it won't? Thanks again

Alicia

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 3 August 2004 11:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed
RE: [ActiveDir] urgent help needed
I tried what joe said about changing the registry and now Windows starts. I don't remember the exact error message, plus it was in Spanish, but it was something like "error with the directory service, the directory service can't start". When I ran an integrity check on the files it said that ntds.dit didn't exist... so.. The problem now is that the partition in the drive where AD was installed can't be accessed due to problems with paging... but the worst that can happen now is that I have to eliminate it... it's better than formatting the entire drive...

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 3 August 2004 12:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed
RE: [ActiveDir] urgent help needed
The real issue isn't what a power failure can do to an individual box. If you had more than one DC, AD would have survived the failure of an individual DC. You might have to force the transfer of the FSMO roles, but AD would have survived and you would have had a much easier time recovering the failed box.

In your situation, with one DC with data files that you need to recover, you have the option to re-install Win200x from scratch. The OS files will be replaced and the data partitions shouldn't be touched (don't format them during the install). If you were using NTFS permissions to protect those files, you can take ownership with an admin account, then change the permissions on them to let the original users access them.

ONE WARNING: if you had been using file encryption, then DO NOT RE-INSTALL the OS; if you do, you will lose the master encryption key and YOUR DATA FILES WILL BE LOST.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Tuesday, August 03, 2004 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed
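The EFS warning in the reply above is the one check worth automating before a clean reinstall: once the old OS (and with it the user profiles holding the EFS private keys) is gone, encrypted files on the untouched data partitions cannot be opened. The PowerShell below is an added example and not part of the thread; it walks the data partitions, lists every file carrying the NTFS Encrypted attribute and groups them by owner, so you know whose certificate and key to export before touching the OS. The drive letters and the CSV path are placeholders.

```powershell
# Added example, not from the list thread: inventory EFS-encrypted files on the data
# partitions before a clean OS install. Drive letters below are placeholders.
function Find-EfsEncryptedFiles {
    param([string[]]$Root = @('D:\', 'E:\'))
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
            } |
            ForEach-Object {
                # The NTFS owner is only a hint: the account that can actually decrypt the
                # file is whoever holds a certificate listed by "cipher /c <file>".
                New-Object PSObject -Property @{
                    Path   = $_.FullName
                    Owner  = (Get-Acl -LiteralPath $_.FullName).Owner
                    SizeMB = [math]::Round($_.Length / 1MB, 2)
                }
            }
    }
}

$encrypted = @(Find-EfsEncryptedFiles -Root @('D:\', 'E:\'))
if ($encrypted.Count -eq 0) {
    'No EFS-encrypted files found on the data partitions.'
} else {
    # One row per owner: these are the accounts whose EFS certificate and private key
    # must be exported (cipher /x, run as that user) before the reinstall.
    $encrypted | Group-Object -Property Owner |
        Select-Object @{n = 'Owner'; e = { $_.Name }}, Count |
        Format-Table -AutoSize
    $encrypted | Export-Csv -LiteralPath "$env:TEMP\efs-files.csv" -NoTypeInformation
}
```

If the list is empty, the reinstall-and-take-ownership path in the reply is safe; on current Windows the ownership step is `takeown /F <dir> /R /D Y` followed by `icacls <dir> /grant <user>:(OI)(CI)F /T`. If the list is not empty, export each listed user's EFS certificate with `cipher /x` (or the recovery agent's, if one was configured) while the old OS still boots, and verify with `cipher /c` that the exported certificate really is the one on the files.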
[ActiveDir] GPO oddity
We have restricted groups defined in a GPO on each of our OUs that ensure our site administrators all have local administrative privileges on all their machines. We're in a Win2k AD domain. The other day, one of our sites had to power down all their servers for a power outage. When they brought everything back up, they were unable to log into their print servers. I then realized that only the local administrator could log into the servers. I did a secedit refresh on both print servers, and suddenly the restricted groups were fixed and everyone could log in. Any ideas what might have caused this? The local DC was brought up 45 minutes before the print servers.
[ActiveDir] AD Backup - Sort of
I am about to turn on a connection agreement for my first AD connector. I have backed up the Exchange directory and also exported the directory to CSV for recovery. I would like to do the same thing with the AD data to have a roll-back plan if the CA does something I didn't expect. I have played with LDIFDE and the CSV equivalent, and although I have been able to export with both, I have not been able to import back in to change the data. Are there any other (preferably free) methods to capture this AD data, and then reuse it to undo changes? I would hate to have to do an authoritative restore from tape to fix any issues. Thanks

-Ted Strand-
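The sticking point in Ted's post is the export format: ldifde writes every object as a `changetype: add` record, and an add for an object that already exists fails with Object Already Exists (or is skipped under `-k`), so nothing gets restored. The PowerShell below is an added example, not from the list or from any Microsoft tool; it rewrites such an export into `changetype: modify` / `replace:` records, which `ldifde -i` applies to existing objects and which gives the attribute-level roll-back he was after. The file names, the OU and the attribute list in the comments are placeholders.

```powershell
# Added example, not from the list thread: rewrite an ldifde export (records of
# "changetype: add") into a roll-back file of "changetype: modify" / "replace:" records.
# Assumed workflow (file names, OU and attribute list are placeholders):
#   ldifde -u -f before.ldf -d "OU=Users,DC=example,DC=com" -r "(objectClass=user)" -l "displayName,mail,proxyAddresses"
#   ... turn on the connection agreement, find it did something unexpected ...
#   ConvertTo-RollbackLdif -ExportFile .\before.ldf -OutFile .\rollback.ldf
#   ldifde -i -u -f rollback.ldf -j .

function Read-LdifRecords {
    # Split LDIF text into records (arrays of logical lines), unfolding RFC 2849
    # continuation lines: a leading space joins the line to the previous one.
    param([string[]]$Lines)
    $records = @()
    $current = @()
    foreach ($raw in $Lines) {
        if ($raw.StartsWith(' ')) {
            if ($current.Count -gt 0) { $current[-1] += $raw.Substring(1) }
            continue
        }
        if ($raw.Trim().Length -eq 0) {          # blank line terminates a record
            if ($current.Count -gt 0) { $records += ,$current; $current = @() }
            continue
        }
        $current += $raw
    }
    if ($current.Count -gt 0) { $records += ,$current }
    return ,$records
}

function ConvertTo-RollbackLdif {
    param(
        [Parameter(Mandatory = $true)][string]$ExportFile,
        [Parameter(Mandatory = $true)][string]$OutFile
    )
    $out = New-Object System.Collections.Generic.List[string]
    $records = Read-LdifRecords -Lines (Get-Content -LiteralPath $ExportFile)
    foreach ($rec in $records) {
        $dnLine = @($rec | Where-Object { $_ -match '^dn::? ' })
        if ($dnLine.Count -eq 0) { continue }
        # Collect attribute lines by name, keeping "::" (base64) markers and value order.
        # objectClass is skipped: replacing it on an existing object is rejected anyway.
        $attrs = New-Object System.Collections.Specialized.OrderedDictionary
        foreach ($line in $rec) {
            if ($line.StartsWith('#') -or $line -match '^(dn|changetype|objectClass)::? ') { continue }
            if ($line -match '^([A-Za-z][A-Za-z0-9;-]*)::? ') {
                $name = $Matches[1]
                if (-not $attrs.Contains($name)) {
                    $attrs[$name] = New-Object System.Collections.Generic.List[string]
                }
                $attrs[$name].Add($line)
            }
        }
        if ($attrs.Count -eq 0) { continue }
        $out.Add($dnLine[0])
        $out.Add('changetype: modify')
        foreach ($name in $attrs.Keys) {
            $out.Add("replace: $name")              # replace = put back exactly the exported values
            foreach ($valueLine in $attrs[$name]) { $out.Add($valueLine) }
            $out.Add('-')
        }
        $out.Add('')
    }
    $out.ToArray() | Set-Content -LiteralPath $OutFile -Encoding Unicode
    return $out.Count
}
```

Two limits worth knowing before relying on this. Restrict the export with `-l` to the attributes the connection agreement is allowed to touch; a `replace:` on a system-owned attribute such as objectGUID or whenCreated fails on import, and `-k` only masks Constraint Violation and Object Already Exists. And `replace:` restores attributes that were in the export; an attribute the CA added to an object that had none before is left in place, and rolling that back needs an explicit `delete:` record for it.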
RE: [ActiveDir] AD Backup - Sort of
A popular way to do what you discuss is to change replication parameters during the upgrade. Basically, have the ADC talk to an isolated Active Directory server, check for errors and then bring it back into the replication cycle. Another alternative I've seen work is to take a DC off-line during the upgrade. I've seen some introduce a new one first and then bring it off-line during the upgrade. After the all clear, it's then removed from the domain or else brought back on-line. The first option is much better as it offers you a chance to check it out prior to moving forward. The second option works if you can flatten all DCs but the one with the good data, in essence creating a hot backup. I suppose you could just mark all the records authoritative and then reintroduce it, but I've never seen a successful ADC deployment that didn't spend a lot of time in the lab getting it right.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Strand, Ted
Sent: Tuesday, August 03, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Backup - Sort of
[ActiveDir] Changing permissions in AD
Question: a particular backup solution requires one of the following rights: either grant it full domain admin rights over the entire domain, or grant it read, write, and create objects in the entire domain (which is pretty close to domain admin). If I use Delegation or manually add the rights at the domain level everything works as expected. All objects receive the rights except those OUs/objects which explicitly have inherited permissions denied. Is there an easy way to overwrite the deny inheritance setting? Or is there a utility that I could use to do this with? I can go through ADUC and grant the rights manually, but I would rather have an automated solution for this problem. I would expect that this is a common request rather than just giving up full domain admin rights, and I'm looking for a better, smarter way of dealing with it. Thanks

Steve

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
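One way to reach the inheritance-blocked objects Steve describes, without re-enabling inheritance on them (which would also discard whatever deliberate protection put the block there) and without handing out Domain Admins, is to stamp the explicit ACE directly on every object whose DACL has inheritance disabled. The PowerShell below is an added example, not something from the list or from any backup vendor; it assumes the ActiveDirectory module (RSAT) and its `AD:` drive, and uses a placeholder service account name. Without `-Apply` it only reports which objects are missing the rights.

```powershell
# Added example, not from the list thread: grant a backup service account read/write/
# create-child rights on every AD object whose DACL blocks inheritance, so a domain-level
# delegation actually reaches them. Requires the ActiveDirectory module; the account
# name used in the usage lines is a placeholder.
Import-Module ActiveDirectory

function Get-InheritanceBlockedObjects {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object; AreAccessRulesProtected
    # is true exactly when "Allow inheritable permissions from parent" was cleared on the object.
    # This reads every object under SearchBase, so scope it to the OUs the backup covers.
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectClass=*)' -Properties nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }
}

function Grant-BackupRights {
    param(
        [Parameter(Mandatory = $true)][string]$Account,   # e.g. 'EXAMPLE\svc-backup' (placeholder)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$Apply                                    # without -Apply, report only
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # "read, write and create objects", the set the backup product asks for
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, CreateChild'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    foreach ($obj in Get-InheritanceBlockedObjects -SearchBase $SearchBase) {
        $path = "AD:\$($obj.DistinguishedName)"
        $acl = Get-Acl -Path $path
        # Idempotent: skip objects that already carry an Allow ACE covering these rights.
        $already = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights)
        }
        $status = if ($already) {
            'present'
        } elseif ($Apply) {
            $acl.AddAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
            'granted'
        } else {
            'missing'
        }
        New-Object PSObject -Property @{
            Object = $obj.DistinguishedName
            Class  = $obj.ObjectClass
            Rights = $status
        }
    }
}

# Report first, then apply once the list looks right (account name is a placeholder):
# Grant-BackupRights -Account 'EXAMPLE\svc-backup' | Format-Table -AutoSize
# Grant-BackupRights -Account 'EXAMPLE\svc-backup' -Apply
```

Two caveats that the report will surface. Accounts and groups protected by AdminSDHolder (members of Domain Admins, Account Operators and the other protected groups, marked with adminCount=1) have inheritance blocked on purpose, and SDProp re-stamps their DACL from CN=AdminSDHolder,CN=System about once an hour, so an ACE added to them disappears; if the backup really must read those objects, the ACE has to be placed on AdminSDHolder itself, which is a decision to make deliberately rather than by script. And Steve's own remark that read/write/create across the whole domain "is pretty close to domain admin" is right: GenericWrite on every user and computer object is effectively that, so the better answer is usually to scope the delegation, and this script's SearchBase, to the OUs the backup product actually needs.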