Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    Al, will do.  I tucked FTPSERVER under a desk and forgot about
    it.  Experience has taught me the hard way not to be in a rush to
    tear down machines and cannibalize the parts until you are SURE
    it's okay to loot the corpse.  Nevermind the smell…

    AD and DNS is working as well as can be expected with a
    thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
    I think, but I'll fire up the box (OFF of the wire!) and start
    looking at it.

    Here's what I see for the domain:

    How the *&^($(*^ is Sweden in there??  It's NOT an AD server, it
    refuses to become one…  This entry is from an OLD Sweden server
    entry – notice how the guy before me spedded Swe(den).

    "IF it ain't broke, don't break it!".  Maybe I should just quit
    screwing with it – for now…

    I'll keep plugging away at it, I guess.

    Steve Egan

    Purcell Systems

    System/Network Administrator

    desk 509 755-0341 x110

    cell 509 475-7682

    fax 509 755-0345


    <mailto:[EMAIL PROTECTED]> [mailto:
    <mailto:[EMAIL PROTECTED]>] *On Behalf Of *Al Mulnick
    *Sent:* Friday, October 06, 2006 1:30 PM

    *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
    Can't install AD on remote server now

    Glad you're able to retain a sense of humor.  That's important too. :)

    You're in good shape if AD and DNS is working fine or at least as
    expected.  You can find out if the old FTP server held any roles
    etc and clean up based on that.

    I don't have the links handy, but you'll want to check for the

    1) time server settings for the Domain - check PDC (by default
    it's the time master for the domain but yours may be custom/different)

    2) find out if the FTP server was a DC. For this, open the ADUC
    and see what it shows in the domain controllers container. Not
    foolproof but it's an indication

    3) Use DCDIAG on the domain controllers and check the information
    that comes back. Look for issues in there.  Easiest if you pipe it
    to a text file and use the /v switch, so that you can search it
    later.  Before you take action, feel free to drop a note back with
    the results.  Some things can be easy, while others might be
    better left alone or better yet, you might need to involve
    Microsoft Support.

    4) Leave the sweden server alone until you have the other
    questions answered. It's fine the way it is for now, even if it
    leaves them degraded.

    5) once you've been able to clear the rest, then we can go back
    and find out why the server doesn't want to be added to the domain
    as a dc (keep in mind it should be a domain member server now
    without issue).
    Chances are, based on your description, that there's nothing to be
    terribly concerned about.  Verify and then figure out why the
    server won't join as a DC.  There are logs for the dcpromo process
    that should give an indication of that issue, but I highly suggest
    attacking this serially.

    On 10/6/06, *Steve Egan (Temp)* <[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>> wrote:

    Boy, Al, I'd dearly **love** to "step away from the keyboard, keep
    your hands where we can see 'em!" but I am the monkey in charge of
    doing this.

    Problem was (is?), I stupidly shut down the FTPSERVER without
    seeing if it was a time server, the OU master, the AD controller,
    and/or the PDC.  Chalk it up to inexperience/stupidity.  I went
    into this task DUMB. (FTPSERVER is the old, inactivated server,
    FTP1 is now the only ftp server in the organization)

    I'd like to flatten the Sweden server and start over, but what if
    the problem is still there?  Something is going to be broken
    within the AD on the Headquarters end.  I'm going to suck the
    filesystem over here to the States, then probably bare metal the
    little bugger.

    DNS seems to be working okay, replication and all.  I have the HQ
    NAT address in the 192.168.1.x range, with Poland on 192.168.2.x
    and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate
    is the 192.168.1.x Class C.  I VPN tunnel to them, and I'm able
    (when DNS is working) to login with the AD login permissions
    available here.  I'm pretty sure it's working, because when I
    "add" the Sweden DNS server to the
    <> domain everything works in the Sweden

    AD is working okay ( I **think**), I'm doing my level best to
    avoid having to tweak it in any way.  I'm slavishly following the
    instructions in Robbie Allen's "Active Directory Cookbook" to
    avoid any future screw-ups.

    FWIW, I've torn the server's DNS and AD down completely, rebooted
    the server twice, then rebuilt/reinstalled DNS and was attempting
    to reinstall AD when this happened.  Is bare metal rebuild the
    only option at this point?

    Steve Egan

    Purcell Systems

    System/Network Administrator

    desk 509 755-0341 x110

    cell 509 475-7682

    fax 509 755-0345


    <mailto:[EMAIL PROTECTED]>
    [mailto:[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>] *On Behalf Of *Al Mulnick
    *Sent:* Thursday, October 05, 2006 5:18 PM
    *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
    Can't install AD on remote server now

    My first instinct is to say "please step away from the keyboard"
    but that's just to make me chuckle. :)

    It looks like the old server, FTP1 was configured as a time
    server?  Or was it an AD domain controller?

    The answer to that guides the rest of the conversation, but the
best thing to do regardless is to flatten the Sweden server. Rebuild it completely with a new name and everything. Because
    you're not sure of the state, be sure to get a backup should you
    need it.

    If everything else is fine, then you'll want to rebuild that
server, rejoin it to the appropriate domain and let it settle. Before you continue, you'll want to ensure that everything else is
    in good shape including dns, replication and authentication at a

    DNS would be my primary concern at this point. Don't mess with the
forest, domain or any of the other pieces if you can help it. Upgrading the forest functional level or the domain functional
    level is not something you want to just walk out and pull the
    trigger on without understanding what it means and what the
    implications are.


    On 10/5/06, *Steve Egan (Temp)* < [EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>> wrote:

    I'm the System/Network Engineer for Purcell Systems, and I'm
    afraid I've
    "screwed the pooch" on my network. Here's how:

    Shut down an antiquated FTP server after transferring files to the
    FTP server.  The old one's OS was Win2K, the new one is Win2003.

    I *did not* do anything to AD at the time this occurred.

    A day before I started working here (8/8/06) the server in Sweden was
    rebuilt by a local consultant.  Hardware failure.  He rebuilt from
    metal, and set up the DNS and AD incorrectly.  The end result was a
    server sitting in its own domain.  DNS was somehow told to
    replicate to
    the server, and was working fine.

    I next tried to put/rename/move the Sweden server into the <>
    domain.  Oops, have to "upgrade" out of Win2000 mixed mode.  No
    I'll just transfer the AD, DNS, and PDC to a "master" machine running
    Win2003 and have lotsa machines (okay, one or two) running as PDCs
    alternate DNS and AD, right?

    Here's where the pooch got this way - I'm a n00b when it comes to AD,
    and somehow in the "transfer" of functions I've messed up the domain
    something fierce.  AD and DNS work just fine (replicate) on the
    USA and
    Poland servers, but I tried "upgrading" the Sweden server to the
    and things got cranky - it wouldn't upgrade because it swore up
    and down
    that the domain was still in pre-Win2003 mode.  In frustration, I
    down DNS and AD on the Sweden server, and rebuilt them - not an easy
    task by remote control...

    The DNS rebuilt just peachy on the Sweden server, but when I go to
    install AD on it, it tells me that the domain ain't ready for
    prime time
    - I have to run adprep on the domain.  I ran adprep the first
    time, and
    everything appeared to work just fine.  Subsequent attempts are
    - I've already prepared the domain, it tells me.  The Sweden
    server just
    refuses to accept that the AD in the domain is Win2003 mode.  I've
    checked - it's mode 2 on all the AD machines.  The necessary
    for a Win2003 AD have been built!  SOMEthing is preventing the ADPREP
    from executing properly.  Here's a partial log entry from the Sweden
    server (adprep.log?):
    10/05 01:34:26 [INFO] Searching for a domain controller for the
    PURCELLSYSTEMS.COM <> that contains the
    account PURCELLABSWE$10/05 01:34:27
    [INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM
    <> for domain
    PURCELLSYSTEMS.COM10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for
    server \\FTP1.PURCELLSYSTEMS.COM10/05 01:34:27 [INFO] Forcing time
    10/05 01:34:27 [INFO] Forcing a time synch with
    \\FTP1.PURCELLSYSTEMS.COM10/05 01:34:29 [ERROR] Failed to get the
    current time on \\FTP1.PURCELLSYSTEMS.COM: 5
    10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5).
    10/05 01:34:32 [INFO] Stopping service NETLOGON10/05 01:34:32 [INFO]
    Stopping service NETLOGON10/05 01:35:32 [INFO] Configuring service
    NETLOGON to 1 returned 0
    10/05 01:35:32 [INFO] Stopped NETLOGON
    10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
    10/05 01:35:36 [INFO] Created system volume path
    10/05 01:35:36 [INFO] Copying initial Directory Service database file
    C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit10/05 01:35:36
    [INFO] Installing the Directory Service10/05 01:35:36 [INFO] Calling
    NtdsInstall for PURCELLSYSTEMS.COM <>
    10/05 01:35:36 [INFO] Starting Active Directory installation
    10/05 01:35:36 [INFO] Validating user supplied options
    10/05 01:35:36 [INFO] Determining a site in which to install
    10/05 01:35:36 [INFO] Examining an existing Active Directory forest
    10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard
    cannot continue because the forest is not prepared for installing
    Windows Server 2003. Use the Adprep command-line tool to prepare both
    the forest and the domain. For more information about using the
    see Active Directory Help. (8467)
    10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM
    <> returned 8467
    10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467
    10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
    10/05 01:35:49 [INFO] Starting service NETLOGON10/05 01:35:49 [INFO]
    Configuring service NETLOGON to 2 returned 0
    10/05 01:35:49 [INFO] The attempted domain controller operation has
    completed10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0
    Oh crap.  Now what?  Ideas?

    Steve Egan
    Purcell Systems
    System/Network Administrator
    desk 509 755-0341 x110
    cell 509 475-7682
    fax 509 755-0345

    List info   :
    List FAQ    :
    List archive:

Letting your vendors set your risk analysis these days?

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...

List info   :
List FAQ    :
List archive:

Reply via email to