Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.



On 10/6/06, *Steve Egan (Temp)* <[EMAIL PROTECTED]> wrote:

    Al, will do.  I tucked FTPSERVER under a desk and forgot about
    it.  Experience has taught me the hard way not to be in a rush to
    tear down machines and cannibalize the parts until you are SURE
    it's okay to loot the corpse.  Never mind the smell…

    AD and DNS is working as well as can be expected with a
    thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
    I think, but I'll fire up the box (OFF of the wire!) and start
    looking at it.

    Here's what I see for the domain:

    How the *&^($(*^ is Sweden in there??  It's NOT an AD server, it
    refuses to become one…  This entry is from an OLD Sweden server
    entry – notice how the guy before me spelled Swe(den).

    "IF it ain't broke, don't break it!".  Maybe I should just quit
    screwing with it – for now…

    I'll keep plugging away at it, I guess.

    Steve Egan

    Purcell Systems

    System/Network Administrator

    desk 509 755-0341 x110

    cell 509 475-7682

    fax 509 755-0345

    ------------------------------------------------------------------------

    *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Al Mulnick
    *Sent:* Friday, October 06, 2006 1:30 PM
    *To:* ActiveDir@mail.activedir.org
    *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
    Can't install AD on remote server now

    Glad you're able to retain a sense of humor.  That's important too. :)

    You're in good shape if AD and DNS is working fine or at least as
    expected.  You can find out if the old FTP server held any roles
    etc and clean up based on that.

    I don't have the links handy, but you'll want to check for the
    following:

    1) time server settings for the Domain - check PDC (by default
    it's the time master for the domain but yours may be custom/different)

    2) find out if the FTP server was a DC. For this, open the ADUC
    and see what it shows in the domain controllers container. Not
    foolproof but it's an indication

    3) Use DCDIAG on the domain controllers and check the information
    that comes back. Look for issues in there.  Easiest if you pipe it
    to a text file and use the /v switch, so that you can search it
    later.  Before you take action, feel free to drop a note back with
    the results.  Some things can be easy, while others might be
    better left alone or better yet, you might need to involve
    Microsoft Support.

    4) Leave the Sweden server alone until you have the other
    questions answered. It's fine the way it is for now, even if it
    leaves them degraded.

    5) Once you've been able to clear the rest, then we can go back
    and find out why the server doesn't want to be added to the domain
    as a DC (keep in mind it should be a domain member server now
    without issue).

    Chances are, based on your description, that there's nothing to be
    terribly concerned about.  Verify and then figure out why the
    server won't join as a DC.  There are logs for the dcpromo process
    that should give an indication of that issue, but I highly suggest
    attacking this serially.

    Al
    On 10/6/06, *Steve Egan (Temp)* <[EMAIL PROTECTED]> wrote:

    Boy, Al, I'd dearly **love** to "step away from the keyboard, keep
    your hands where we can see 'em!" but I am the monkey in charge of
    doing this.

    Problem was (is?), I stupidly shut down the FTPSERVER without
    seeing if it was a time server, the OU master, the AD controller,
    and/or the PDC.  Chalk it up to inexperience/stupidity.  I went
    into this task DUMB. (FTPSERVER is the old, inactivated server,
    FTP1 is now the only ftp server in the organization)

    I'd like to flatten the Sweden server and start over, but what if
    the problem is still there?  Something is going to be broken
    within the AD on the Headquarters end.  I'm going to suck the
    filesystem over here to the States, then probably bare metal the
    little bugger.

    DNS seems to be working okay, replication and all.  I have the HQ
    NAT address in the 192.168.1.x range, with Poland on 192.168.2.x
    and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate
    is the 192.168.1.x Class C.  I VPN tunnel to them, and I'm able
    (when DNS is working) to login with the AD login permissions
    available here.  I'm pretty sure it's working, because when I
    "add" the Sweden DNS server to the purcellsystems.com domain
    everything works in the Sweden office.

    AD is working okay ( I **think**), I'm doing my level best to
    avoid having to tweak it in any way.  I'm slavishly following the
    instructions in Robbie Allen's "Active Directory Cookbook" to
    avoid any future screw-ups.

    FWIW, I've torn the server's DNS and AD down completely, rebooted
    the server twice, then rebuilt/reinstalled DNS and was attempting
    to reinstall AD when this happened.  Is bare metal rebuild the
    only option at this point?

    Steve Egan

    Purcell Systems

    System/Network Administrator

    desk 509 755-0341 x110

    cell 509 475-7682

    fax 509 755-0345

    ------------------------------------------------------------------------

    *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Al Mulnick
    *Sent:* Thursday, October 05, 2006 5:18 PM
    *To:* ActiveDir@mail.activedir.org
    *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
    Can't install AD on remote server now

    My first instinct is to say "please step away from the keyboard"
    but that's just to make me chuckle. :)

    It looks like the old server, FTP1 was configured as a time
    server?  Or was it an AD domain controller?

    The answer to that guides the rest of the conversation, but the
    best thing to do regardless is to flatten the Sweden server.
    Rebuild it completely with a new name and everything. Because
    you're not sure of the state, be sure to get a backup should you
    need it.

    If everything else is fine, then you'll want to rebuild that
    server, rejoin it to the appropriate domain and let it settle.
    Before you continue, you'll want to ensure that everything else is
    in good shape including dns, replication and authentication at a
    minimum.

    DNS would be my primary concern at this point. Don't mess with the
    forest, domain or any of the other pieces if you can help it.
    Upgrading the forest functional level or the domain functional
    level is not something you want to just walk out and pull the
    trigger on without understanding what it means and what the
    implications are.

    Al

    On 10/5/06, *Steve Egan (Temp)* <[EMAIL PROTECTED]> wrote:

    I'm the System/Network Engineer for Purcell Systems, and I'm
    afraid I've "screwed the pooch" on my network. Here's how:

    Shut down an antiquated FTP server after transferring files to the
    "new" FTP server.  The old one's OS was Win2K, the new one is
    Win2003.

    I *did not* do anything to AD at the time this occurred.

    A day before I started working here (8/8/06) the server in Sweden
    was rebuilt by a local consultant.  Hardware failure.  He rebuilt
    from bare metal, and set up the DNS and AD incorrectly.  The end
    result was a server sitting in its own domain.  DNS was somehow
    told to replicate to the server, and was working fine.

    I next tried to put/rename/move the Sweden server into the
    Purcell.com domain.  Oops, have to "upgrade" out of Win2000 mixed
    mode.  No problem, I'll just transfer the AD, DNS, and PDC to a
    "master" machine running Win2003 and have lotsa machines (okay,
    one or two) running as PDCs and alternate DNS and AD, right?

    Here's where the pooch got this way - I'm a n00b when it comes to
    AD, and somehow in the "transfer" of functions I've messed up the
    domain something fierce.  AD and DNS work just fine (replicate) on
    the USA and Poland servers, but I tried "upgrading" the Sweden
    server to the forest and things got cranky - it wouldn't upgrade
    because it swore up and down that the domain was still in
    pre-Win2003 mode.  In frustration, I tore down DNS and AD on the
    Sweden server, and rebuilt them - not an easy task by remote
    control...

    The DNS rebuilt just peachy on the Sweden server, but when I go to
    install AD on it, it tells me that the domain ain't ready for
    prime time - I have to run adprep on the domain.  I ran adprep the
    first time, and everything appeared to work just fine.  Subsequent
    attempts are rebuffed - I've already prepared the domain, it tells
    me.  The Sweden server just refuses to accept that the AD in the
    domain is Win2003 mode.  I've checked - it's mode 2 on all the AD
    machines.  The necessary containers for a Win2003 AD have been
    built!  SOMEthing is preventing the ADPREP from executing
    properly.  Here's a partial log entry from the Sweden server
    (adprep.log?):
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    10/05 01:34:26 [INFO] Searching for a domain controller for the domain PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$
    10/05 01:34:27 [INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain PURCELLSYSTEMS.COM
    10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for server \\FTP1.PURCELLSYSTEMS.COM
    10/05 01:34:27 [INFO] Forcing time sync
    10/05 01:34:27 [INFO] Forcing a time synch with \\FTP1.PURCELLSYSTEMS.COM
    10/05 01:34:29 [ERROR] Failed to get the current time on \\FTP1.PURCELLSYSTEMS.COM: 5
    10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
    10/05 01:34:32 [INFO] Stopping service NETLOGON
    10/05 01:34:32 [INFO] Stopping service NETLOGON
    10/05 01:35:32 [INFO] Configuring service NETLOGON to 1 returned 0
    10/05 01:35:32 [INFO] Stopped NETLOGON
    10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
    10/05 01:35:36 [INFO] Created system volume path
    10/05 01:35:36 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
    10/05 01:35:36 [INFO] Installing the Directory Service
    10/05 01:35:36 [INFO] Calling NtdsInstall for PURCELLSYSTEMS.COM
    10/05 01:35:36 [INFO] Starting Active Directory installation
    10/05 01:35:36 [INFO] Validating user supplied options
    10/05 01:35:36 [INFO] Determining a site in which to install
    10/05 01:35:36 [INFO] Examining an existing Active Directory forest
    10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard cannot continue because the forest is not prepared for installing Windows Server 2003. Use the Adprep command-line tool to prepare both the forest and the domain. For more information about using the Adprep, see Active Directory Help. (8467)
    10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM returned 8467
    10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467
    10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
    10/05 01:35:49 [INFO] Starting service NETLOGON
    10/05 01:35:49 [INFO] Configuring service NETLOGON to 2 returned 0
    10/05 01:35:49 [INFO] The attempted domain controller operation has completed
    10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Oh crap.  Now what?  Ideas?


    Steve Egan
    Purcell Systems
    System/Network Administrator
    desk 509 755-0341 x110
    cell 509 475-7682
    fax 509 755-0345

    List info   : http://www.activedir.org/List.aspx
    List FAQ    : http://www.activedir.org/ListFAQ.aspx
    List archive: http://www.activedir.org/ml/threads.aspx



--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs
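The checklist Al Mulnick gives above (PDC/FSMO and time source, the Domain Controllers container, verbose dcdiag to a file, the dcpromo log), as an added PowerShell example that is not part of the thread; it assumes an elevated session on a domain controller with the Support Tools (netdom, dcdiag, repadmin) installed, and $OutDir is a made-up path.

```powershell
# Added example (not from the thread). Collects the evidence Al's checklist asks
# for, using only tools that ship with Windows or the 2003 Support Tools (netdom,
# w32tm, dcdiag, repadmin), and parses a dcpromo log like the one quoted above.
# Assumptions: run elevated on a domain controller; $OutDir is a made-up path.
$OutDir = 'C:\ADcheck'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1) FSMO holders (the PDC emulator is the domain's default time master) and the
#    time source this DC really uses. The "Forcing a time sync ... 5" lines in the
#    quoted log are ERROR_ACCESS_DENIED (5) against FTP1, so see who answers as master.
netdom query fsmo    | Out-File "$OutDir\fsmo.txt"
w32tm /query /source | Out-File "$OutDir\timesource.txt"   # Vista/2008+; on 2003 use: net time /querysntp

# 2) What the Domain Controllers OU still lists. A powered-off box that still
#    appears here (FTPSERVER in the thread) was a DC that was never demoted.
$nc = ([ADSI]'LDAP://RootDSE').defaultNamingContext
([ADSI]"LDAP://OU=Domain Controllers,$nc").Children |
    ForEach-Object { $_.Properties['dNSHostName'].Value } |
    Out-File "$OutDir\dc-container.txt"

# 3) Verbose dcdiag into a file so it can be searched later, plus replication state.
dcdiag /v /f:"$OutDir\dcdiag.txt"
repadmin /showrepl   | Out-File "$OutDir\showrepl.txt"
Select-String -Path "$OutDir\dcdiag.txt" -Pattern 'fail|error' |
    ForEach-Object { $_.Line } | Out-File "$OutDir\dcdiag-hits.txt"

# 4) is "leave Sweden alone": nothing to run.
# 5) The promotion log (its standard location, on the box that refuses to become a
#    DC): every [ERROR] line and every non-zero return code, decoded with net helpmsg.
#    In the quoted log this surfaces 8467, the "forest is not prepared" condition.
$promo = "$env:SystemRoot\debug\dcpromo.log"
if (Test-Path $promo) {
    Select-String -Path $promo -Pattern '\[ERROR\]|returned [1-9]' |
        ForEach-Object { $_.Line } | Out-File "$OutDir\dcpromo-errors.txt"
    Select-String -Path $promo -Pattern 'returned (\d+)' -AllMatches |
        ForEach-Object { $_.Matches } | ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -ne '0' } | Sort-Object -Unique |
        ForEach-Object { "$_ : $((net helpmsg $_) -join ' ')" } |
        Out-File "$OutDir\dcpromo-codes.txt"
}
Get-ChildItem $OutDir   # review these before changing anything, as Al suggests
```

Everything here is read-only; the point is to have the output on disk to compare against what you believe the domain looks like before touching the Sweden box.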
