Boy, Al, I'd dearly *love* to "step away from the keyboard, keep your hands where we can see 'em!" but I am the monkey in charge of doing this.
Problem was (is?), I stupidly shut down the FTPSERVER without seeing if it was a time server, the OU master, the AD controller, and/or the PDC. Chalk it up to inexperience/stupidity. I went into this task DUMB. (FTPSERVER is the old, inactivated server, FTP1 is now the only ftp server in the organization)
I'd like to flatten the Sweden server and start over, but what if the problem is still there? Something is going to be broken within the AD on the Headquarters end. I'm going to suck the filesystem over here to the States, then probably bare metal the little bugger.
DNS seems to be working okay, replication and all. I have the HQ NAT address in the 192.168.1.x range, with Poland on 192.168.2.x and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate is the 192.168.1.x Class C. I VPN tunnel to them, and I'm able (when DNS is working) to login with the AD login permissions available here. I'm pretty sure it's working, because when I "add" the Sweden DNS server to the purcellsystems.com domain everything works in the Sweden office.
AD is working okay ( I *think*), I'm doing my level best to avoid having to tweak it in any way. I'm slavishly following the instructions in Robbie Allen's "Active Directory Cookbook" to avoid any future screw-ups.
FWIW, I've torn the server's DNS and AD down completely, rebooted the server twice, then rebuilt/reinstalled DNS and was attempting to reinstall AD when this happened. Is bare metal rebuild the only option at this point?
Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, October 05, 2006 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
My first instinct is to say "please step away from the keyboard" but that's just to make me chuckle. :)
It looks like the old server, FTP1 was configured as a time server? Or was it an AD domain controller?
The answer to that guides the rest of the conversation, but the best thing to do regardless is to flatten the Sweden server. Rebuild it completely with a new name and everything. Because you're not sure of the state, be sure to get a backup should you need it.
If everything else is fine, then you'll want to rebuild that server, rejoin it to the appropriate domain and let it settle. Before you continue, you'll want to ensure that everything else is in good shape including dns, replication and authentication at a minimum.
DNS would be my primary concern at this point. Don't mess with the forest, domain or any of the other pieces if you can help it. Upgrading the forest functional level or the domain functional level is not something you want to just walk out and pull the trigger on without understanding what it means and what the implications are.
Al
On 10/5/06, Steve Egan (Temp) < [EMAIL PROTECTED]> wrote:
I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've
"screwed the pooch" on my network. Here's how:
Shut down an antiquated FTP server after transferring files to the "new"
FTP server. The old one's OS was Win2K, the new one is Win2003.
I *did not* do anything to AD at the time this occurred.
A day before I started working here (8/8/06) the server in Sweden was
rebuilt by a local consultant. Hardware failure. He rebuilt from bare
metal, and set up the DNS and AD incorrectly. The end result was a
server sitting in its own domain. DNS was somehow told to replicate to
the server, and was working fine.
I next tried to put/rename/move the Sweden server into the Purcell.com
domain. Oops, have to "upgrade" out of Win2000 mixed mode. No problem,
I'll just transfer the AD, DNS, and PDC to a "master" machine running
Win2003 and have lotsa machines (okay, one or two) running as PDCs and
alternate DNS and AD, right?
Here's where the pooch got this way - I'm a n00b when it comes to AD,
and somehow in the "transfer" of functions I've messed up the domain
something fierce. AD and DNS work just fine (replicate) on the USA and
Poland servers, but I tried "upgrading" the Sweden server to the forest
and things got cranky - it wouldn't upgrade because it swore up and down
that the domain was still in pre-Win2003 mode. In frustration, I tore
down DNS and AD on the Sweden server, and rebuilt them - not an easy
task by remote control...
The DNS rebuilt just peachy on the Sweden server, but when I go to
install AD on it, it tells me that the domain ain't ready for prime time
- I have to run adprep on the domain. I ran adprep the first time, and
everything appeared to work just fine. Subsequent attempts are rebuffed
- I've already prepared the domain, it tells me. The Sweden server just
refuses to accept that the AD in the domain is Win2003 mode. I've
checked - it's mode 2 on all the AD machines. The necessary containers
for a Win2003 AD have been built! SOMEthing is preventing the ADPREP
from executing properly. Here's a partial log entry from the Sweden
server (adprep.log?):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10/05 01:34:26 [INFO] Searching for a domain controller for the domain
PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$10/05 01:34:27
[INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain
PURCELLSYSTEMS.COM10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for
server \\FTP1.PURCELLSYSTEMS.COM10/05 01:34:27 [INFO] Forcing time sync
10/05 01:34:27 [INFO] Forcing a time synch with
\\FTP1.PURCELLSYSTEMS.COM10/05 01:34:29 [ERROR] Failed to get the
current time on \\FTP1.PURCELLSYSTEMS.COM: 5
10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5).
Ignoring
10/05 01:34:32 [INFO] Stopping service NETLOGON10/05 01:34:32 [INFO]
Stopping service NETLOGON10/05 01:35:32 [INFO] Configuring service
NETLOGON to 1 returned 0
10/05 01:35:32 [INFO] Stopped NETLOGON
10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
10/05 01:35:36 [INFO] Created system volume path
10/05 01:35:36 [INFO] Copying initial Directory Service database file
C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit10/05 01:35:36
[INFO] Installing the Directory Service10/05 01:35:36 [INFO] Calling
NtdsInstall for PURCELLSYSTEMS.COM
10/05 01:35:36 [INFO] Starting Active Directory installation
10/05 01:35:36 [INFO] Validating user supplied options
10/05 01:35:36 [INFO] Determining a site in which to install
10/05 01:35:36 [INFO] Examining an existing Active Directory forest
10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard
cannot continue because the forest is not prepared for installing
Windows Server 2003. Use the Adprep command-line tool to prepare both
the forest and the domain. For more information about using the Adprep,
see Active Directory Help. (8467)
10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM returned 8467
10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467
10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
10/05 01:35:49 [INFO] Starting service NETLOGON10/05 01:35:49 [INFO]
Configuring service NETLOGON to 2 returned 0
10/05 01:35:49 [INFO] The attempted domain controller operation has
completed10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Oh crap. Now what? Ideas?
Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Glad you're able to retain a sense of humor. That's important too. :)
You're in good shape if AD and DNS is working fine or at least as expected. You can find out if the old FTP server held any roles etc and clean up based on that.
I don't have the links handy, but you'll want to check for the following:
1) time server settings for the Domain - check PDC (by default it's the time master for the domain but yours may be custom/different)
2) find out if the FTP server was a DC. For this, open the ADUC and see what it shows in the domain controllers container. Not foolproof but it's an indication
3) Use DCDIAG on the domain controllers and check the information that comes back. Look for issues in there. Easiest if you pipe it to a text file and use the /v switch, so that you can search it later. Before you take action, feel free to drop a note back with the results. Some things can be easy, while others might be better left alone or better yet, you might need to involve Microsoft Support.
4) Leave the sweden server alone until you have the other questions answered. It's fine the way it is for now, even if it leaves them degraded.
5) once you've been able to clear the rest, then we can go back and find out why the server doesn't want to be added to the domain as a dc (keep in mind it should be a domain member server now without issue).
Chances are, based on your description, that there's nothing to be terribly concerned about. Verify and then figure out why the server won't join as a DC. There are logs for the dcpromo process that should give an indication of that issue, but I highly suggest attacking this serially.
Al
On 10/6/06, Steve Egan (Temp) <[EMAIL PROTECTED]> wrote:
- [ActiveDir] Major screwup o... Steve Egan \(Temp\)
- Re: [ActiveDir] Major ... Al Mulnick
- RE: [ActiveDir] Major ... Almeida Pinto, Jorge de
- RE: [ActiveDir] Major ... Steve Egan \(Temp\)
- Re: [ActiveDir] Ma... Al Mulnick
- RE: [ActiveDir] Major ... Steve Egan \(Temp\)
- Re: [ActiveDir] Major ... Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- RE: [ActiveDir] Major ... Steve Egan \(Temp\)
- [ActiveDir] RE: [A... Tim Vander Kooi
- Re: [ActiveDir... Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- Re: [Activ... Al Mulnick
