I would strongly advise against that; restoring an AD DC to an earlier point
in time without its knowledge causes an issue known as USN rollback, which is
difficult to detect, manifests odd symptoms and may cause more problems than
it resolves.

The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
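
[Added example, not part of the original message and not Microsoft code: a toy Python model of why an image restore causes USN rollback. The class, function and field names are hypothetical; the model tracks only an invocation ID, a per-DC USN counter and the partner's high-watermark.]

```python
from dataclasses import dataclass, field
import uuid

@dataclass
class DC:
    name: str
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0                                   # highest committed USN
    changes: dict = field(default_factory=dict)    # (invocation_id, usn) -> change
    watermark: dict = field(default_factory=dict)  # source invocation_id -> highest USN seen

    def write(self, change):
        """Originate a change locally and stamp it with the next USN."""
        self.usn += 1
        self.changes[(self.invocation_id, self.usn)] = change

    def pull_from(self, src):
        """Ask the source only for changes above the USN already seen from it."""
        seen = self.watermark.get(src.invocation_id, 0)
        new = {k: v for k, v in src.changes.items()
               if k[0] == src.invocation_id and k[1] > seen}
        self.changes.update(new)
        self.watermark[src.invocation_id] = max(seen, src.usn)
        return sorted(new.values())

def image_restore(dc, snapshot):
    """Disk-image rollback: database and USN go back, invocation ID is kept."""
    dc.usn, dc.changes = snapshot["usn"], dict(snapshot["changes"])

def supported_restore(dc, snapshot):
    """AD-aware restore: same rollback, but a new invocation ID is issued."""
    image_restore(dc, snapshot)
    dc.invocation_id = uuid.uuid4().hex

def run(restore):
    """Return what DC1 receives from DC2 after DC2 is restored and written to."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    for i in range(5):
        dc2.write(f"pre-image-{i}")
    snapshot = {"usn": dc2.usn, "changes": dict(dc2.changes)}  # image at USN 5
    for i in range(5):
        dc2.write(f"post-image-{i}")
    dc1.pull_from(dc2)                   # DC1 has now seen DC2 up to USN 10
    restore(dc2, snapshot)               # DC2 is back at USN 5
    for i in range(3):
        dc2.write(f"after-restore-{i}")  # image restore reuses USNs 6..8
    return dc1.pull_from(dc2)
```

[With `image_restore` the partner receives nothing and reports no error, because USNs 6..8 sit below its watermark of 10; with `supported_restore` the new invocation ID makes the same three changes replicate.]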


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication
stopped.  What do you think of restoring back to those images and then
restoring 1 of my active directory backups?  Because we're a university, this
is normally the time of year I reset passwords, so I could get away with
doing a master reset of all passwords. 


Thanks,
--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--------------------------------------+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--------------------------------------+


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID
strength is ~30 bits equating to ~1 billion per domain.  I've had a brief
look elsewhere and can find no reference to other constraining factors
though that's not to say there aren't any since this most certainly isn't a
scenario I've personally encountered.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: [email protected]
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way:

I remember attending an Active Directory session last year at TechED
Amsterdam, where it was stated that the RID pools were not unlimited and it
was a finite number, something like 143 million RIDs per domain, now if it
increases by 1 million every time automatically plus you have a lot of objects
in your AD 143 million does not seem that many.

The session was a John Craddock session, on AD as part of the pre-conference
programme.

Can anyone confirm this number and confirm the matter?

Regards

Mark

-----Original Message-----
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02 
To:[email protected],       Send - AD mailing list
<[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing
the RID master the ridavailablepool is increased automatically by 1 million.
Thanks for the info and sorry for the wrong info about the need to manually
increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like
number of DCs and/or number of days or something else) Or is it a fixed
value?

Cheers
#JORGE# 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do
you feel this is insufficient even when taking the replication outage into
account?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: [email protected]; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager
object may not be up-to-date on the remaining DCs (because replication
halted/stopped for some reason) you may want to increase the
Ridavailablepool attribute (on the Rid Manager object in the domain) for the
NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases.  You'll need to seize the roles
assigned to the errant DC.  In terms of who owns the roles, you are only
interested in the perspective of the other DCs.

The PDC FSMO serves many purposes and is indeed an important DC but even it
can tolerate downtime.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
Because I believe my errant DC to be my PDC, will that be a problem demoting
it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected. 

Choice 1 -
Mod. the registry and permit the errant DC to re-enter the replication
topology (not recommended)

Choice 2 -
Forcibly demote the errant DC, cleanup its metadata and reintroduce it
through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that
occurred after its last successful replication attempt

?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
1. Number of DCs/Domain/Sites
        3 Sites
        -> Site A has DC1 & DC2
        -> Site B DC3
        -> Site C DC4

2. OS version of DCs
        -> All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
        -> According to DC diag they all passed replications
        -> They do all show in the DC diag the following:
            DC=domain,DC=ewu,DC=edu
               Last replication recieved from DC2 at 2005-03-23 02:00:40.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University
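
[Added example, not part of the thread: a Python check that reads dcdiag-style "Last replication recieved" lines like the one quoted in the message above and flags partners that are past, or approaching, the tombstone lifetime. The function name, the `warn_ratio` early-warning threshold and two of the three sample entries are assumptions; the early warning goes beyond the single case in the message.]

```python
import re
from datetime import datetime

# First entry is the one quoted in the message above; the other two are constructed.
SAMPLE = """\
DC=domain,DC=ewu,DC=edu
   Last replication recieved from DC2 at 2005-03-23 02:00:40.
   Last replication recieved from DC3 at 2005-04-20 02:00:00.
CN=Configuration,DC=domain,DC=ewu,DC=edu
   Last replication recieved from DC1 at 2005-05-27 01:00:00.
"""

NC_RE = re.compile(r"^\s*((?:DC|CN)=\S+)\s*$")
# dcdiag itself spells the word "recieved"; accept either spelling.
LAST_RE = re.compile(r"Last replication rec(?:ie|ei)ved from (\S+) at "
                     r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def replication_latency(report, now, tombstone_days=60, warn_ratio=0.5):
    """Return one finding per (naming context, source DC) in the report."""
    findings, nc = [], None
    for line in report.splitlines():
        m = NC_RE.match(line)
        if m:
            nc = m.group(1)          # remember the naming context in effect
            continue
        m = LAST_RE.search(line)
        if not m:
            continue
        last = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
        days = (now - last).days
        if days > tombstone_days:
            status = "EXPIRED"       # replication is refused from here on
        elif days > tombstone_days * warn_ratio:
            status = "WARN"          # still fixable by restoring replication
        else:
            status = "OK"
        findings.append({"nc": nc, "source": m.group(1),
                         "days": days, "status": status})
    return findings

if __name__ == "__main__":
    # Reference time: the date of the message that quoted the dcdiag line.
    for f in replication_latency(SAMPLE, datetime(2005, 5, 27, 15, 8)):
        print(f)
```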




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another
more significant problem; my guess is that your DCs have been ignoring one
another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure 
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for
Infrastructure

So neither DC1 nor DC2 knows who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself


1. When I try to manually replicate from DC2 to DC1 I get an error about
"Target Principal Name Incorrect"
After completing Article ID 288167 about resetting password (netdom
resetpwd) and trying to replicate, I get a tombstone error between the 2
domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error
about "Target Principal Name Incorrect" but this is where I've stopped
because DC2 is supposed to be the PDC and the KB article makes it sound like
the PW should only be reset on the non PDC machines.


All in all, my PDC seems to have amnesia and doesn't seem to remember that
it's the PDC


Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: [email protected]
Subject: RE: [ActiveDir] Error in PDC Operations Master

 
My Dcdiag output shows the following error:
#############################
      Starting test: KnowsOfRoleHolders
         Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
         [STF2] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
         ......................... STF1 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... STF1 failed test RidManager

      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... STF1 failed test frsevent
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... domain failed test FsmoCheck
#############################

Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--------------------------------------+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--------------------------------------+


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: [email protected]
Subject: [ActiveDir] Error in PDC Operations Master

Hi,
 
My PDC just started acting up and is showing an error in the PDC box under
Operations Master.
 
The only recent change that I can think of to the server was I uninstalled &
re-installed the Certificate Authority 3 or 4 times, which was installed on
the PDC.
 

Thanks,
--

Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
