Help: AD DNS problem
Wednesday, February 27, 2013 2:05 PM
I work in a small windows environment. We have a mixture of windows 2008r2 servers and windows 2003.
Recently, the primary FSMO role holder server died and was unrecoverable. I "seized" the roles from another GC with DNS running and rebuilt the failed server with the same name and restored most of the services. When I ran dcpromo, it ran, however, it threw a warning about being unable to join\find the domain; however, it did pull the DNS info from the other server.
The rebuilt file server seems to work reasonably OK; it is mainly a file and print server with DNS and DHCP. However, now I cannot RDP to it and it is throwing RPC failures, failed replication and other errors in the event logs. To add to this, I cannot log in from the console either, without rebooting.
Something is going on between these two machines. Eventually, after a few days, both will be unable to log in...
Tried running dcdiag and do get some errors. Running DFSR on both servers; to further confuse this, DFSR was having issues prior to the failure - files were rarely in sync - mainly because FRS and DFSR were running against the same folders - have since stopped replication on these "shares".
I think that there is some disconnect going on here and need a little help getting started troubleshooting this. Not sure where to begin; however, not being able to log in concerns me.
All Replies
Thursday, February 28, 2013 7:40 AM (Moderator)
Hi,
>> I "seized" the roles from another GC with DNS running and rebuilt the failed server with the same name and restored most of the services. When I ran dcpromo, it ran, however, through a warning about being unable to join\find the domain
I think you need to perform a metadata cleanup in your domain before you promote it again.
metadata cleanup: http://technet.microsoft.com/en-us/library/cc731035(v=WS.10).aspx
And make sure you configure the correct DNS settings on DC:
Best practices for DNS client settings on Domain Controller.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
Regards,
Cicely
- Edited by Cicely Feng, Microsoft Contingent Staff, Moderator, Thursday, February 28, 2013 7:46 AM
- Marked As Answer by Cicely Feng, Microsoft Contingent Staff, Moderator, Wednesday, March 06, 2013 8:57 AM
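As an added example (not code from the thread, the moderator, or Microsoft's documentation): a PowerShell check, run from a healthy DC with the ActiveDirectory module (RSAT) installed, that lists the NTDS Settings registrations in the Configuration partition and flags any whose server no longer answers LDAP on TCP 389 (the sign that metadata cleanup is still owed), then reports each live DC's DNS client order against the practice in the linked article (another DC first, itself/loopback as fallback). The 389 reachability test and the 2-second timeout are assumptions; it only reads and reports, it changes nothing.

```powershell
# Added example: find stale DC metadata and check DC DNS client order (read-only).
# Assumes the ActiveDirectory module (RSAT) and rights to read the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$liveDCs  = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)  # timeout is an assumption
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async); return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Every nTDSDSA object is a DC registration; its parent is the server object.
#    A registration whose DC does not answer LDAP is a candidate for ntdsutil metadata cleanup.
Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $configNC | ForEach-Object {
    $serverDN = ($_.DistinguishedName -split ',', 2)[1]
    $hostName = (Get-ADObject -Identity $serverDN -Properties dNSHostName).dNSHostName
    if (-not $hostName -or -not (Test-TcpPort -ComputerName $hostName -Port 389)) {
        Write-Warning "Stale or unreachable DC metadata: $serverDN (dNSHostName='$hostName')"
    } else {
        Write-Output "OK: $hostName answers LDAP"
    }
}

# 2. DNS client order on each live DC: another DC first, itself (or 127.0.0.1) as fallback.
foreach ($dc in $liveDCs) {
    try {
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc -Filter "IPEnabled=TRUE"
    } catch { Write-Warning "$dc : WMI unreachable ($($_.Exception.Message))"; continue }
    foreach ($nic in $nics) {
        $order   = @($nic.DNSServerSearchOrder)
        $selfIPs = @($nic.IPAddress) + '127.0.0.1'
        if ($order.Count -eq 0) { Write-Warning "$dc : no DNS servers configured"; continue }
        if (($selfIPs -contains $order[0]) -and $liveDCs.Count -gt 1) {
            Write-Warning "$dc : points to itself first ($($order[0])); prefer another DC first"
        }
        if (-not ($order | Where-Object { $selfIPs -contains $_ })) {
            Write-Warning "$dc : does not list itself or loopback as a fallback DNS server"
        }
        Write-Output "$dc : DNS order = $($order -join ', ')"
    }
}
```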
Wednesday, March 06, 2013 6:49 PM
Unfortunately, I already promoted it. It allowed me to do so.
It has AD on it and is running DNS, DHCP, cert services, and DFS - using DFS for sysvol.
Here is what is really weird. We have two offices, physically separate and connected via a Cisco ASA VPN. Works reasonably well. Keep in mind, I have a third server, built since this post; it is dc-01, has all of the FSMO roles now, a copy of AD, DNS, and seems OK. Here is the issue: if I reboot both servers, they come up and run fine for about a day, then one side will throw errors, cannot contact domain, then DNS, then WMI will fail, VSS fails, and then DFS starts acting weird, I get authentication failure notices in the event logs from known good computer accounts, get Kerberos errors, and then I cannot log in remotely nor on the local console... I have to power cycle the machine for it to be able to work OK.
And here is what is really weird: this does not affect dc-01 at all. The other servers, D1 and F1, seem to bounce back and forth as to who is having the issues. F1 was the FSMO role holder which died suddenly. D1 seized the roles.
Running the kdcutil, everyone had good certs and all can talk after a reboot. DFS updates seem to go through OK. AD is staying up to date. It seems like shares and security requests get botched. Should I still run the metadata cleanup?