Active Directory "dead" after migrating from SBS 2003 to Win 2008 R2

  • Question

  • Hello everyone. In a domain held by an SBS 2003, I had to migrate the entire forest to a Win 2008 R2. I successfully carried out replication and the migration of the FSMO roles and of DNS to the new server (Win 2008 R2). I made sure that the new server, promoted to Global Catalog, failed no test in DCDIAG, after which I demoted the old SBS 2003. The demotion went smoothly and successfully. I restarted the old server (SBS 2003), which became just a plain workstation joined to the domain. Seeing that the new server's Event Logs were not throwing any errors, I decided to restart it as well.

    After restarting the Windows 2008 R2 server, the console (MMC) no longer let me access the DNS server in any way, showing me the message:

    The server DC01 could not be contacted.
    The error was:
    Acces was denied.
    _________________
    Would you like to add it anyway?
    _________________
    Yes/No

    I tried to troubleshoot and find the source of this problem, but without success. Because of DNS, nothing in AD works: no GPO, no DFS, no Kerberos.

    dcdiag /s:dc01 /test:DNS responds with:

    Directory Server Diagnosis
    
    Performing initial setup:
       * Identified AD Forest.
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: Default-First-Site-Name\DC01
          Starting test: Connectivity
             The host 78e5a977-0dc7-46ce-b5f3-ffe34f6ddb42._msdcs.Domeniu.local could not be resolved to an IP address. Check the DNS server,
             DHCP, server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... DC01 failed test Connectivity
    
    Doing primary tests
    
       Testing server: Default-First-Site-Name\DC01
    
          Starting test: DNS
    
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... DC01 failed test DNS
    
       Running partition tests on : ForestDnsZones
    
       Running partition tests on : DomainDnsZones
    
       Running partition tests on : Schema
    
       Running partition tests on : Configuration
    
       Running partition tests on : Domeniu
    
       Running enterprise tests on : Domeniu.local
          Starting test: DNS
             Test results for domain controllers:
    
                DC: DC01.Domeniu.local
                Domain: Domeniu.local
    
    
                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      Warning: adapter [00000017] Citrix PV Ethernet Adapter has invalid DNS server: 127.0.0.1 (DC01)
                      Error: all DNS servers are invalid
                      No host records (A or AAAA) were found for this DC
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
    
             Summary of test results for DNS servers used by the above domain controllers:
    
                DNS server: 192.168.2.6 (DC01)
                   1 test failure on this DNS server
                   Name resolution is not functional. _ldap._tcp.Domeniu.local. failed on the DNS server 192.168.2.6
    
             Summary of DNS test results:
    
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: Domeniu.local
                   DC01                         PASS FAIL n/a  n/a  n/a  n/a  n/a
    
             ......................... Domeniu.local failed test DNS

    I need help.
    Thank you.


    Tuesday, 11 October 2011 10:48

Answers

  • Hello,

    I know my message is late, but I thought "let me chime in too."

    As far as I know, once a domain controller that held the FSMO roles has been decommissioned, it must not return to the network and communicate again with the new DCs. From what you say, the migration worked correctly, but the mistake was reintroducing it into the domain without cleaning up its metadata using NTDSUTIL.exe.

    "A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest  by using the ntdsutil /metadata cleanup command.  The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same  FSMO roles include creating security principals that have  overlapping RID pools, and other problems"


    MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/

    • Marked as answer by sealview Friday, 24 February 2012 14:01
    Friday, 24 February 2012 13:41
  • Hello Vlad,
    Thank you for the reply.
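A way to check for the condition Marius describes before running metadata cleanup. This is an added example, not code from the thread or from Microsoft; it assumes the demoted SBS 2003 DC was named SBS01 (a placeholder, the thread never names it) and uses the site Default-First-Site-Name seen in the dcdiag output.

```powershell
# Added example, not code from the thread: looks for the leftover metadata Marius warns
# about before anything is removed, and reports which FSMO roles still point at the old DC.
# Nothing here changes the directory; the ntdsutil command is only printed for review.
# Assumptions: the demoted SBS 2003 DC was named SBS01 (placeholder, the thread never names it);
# the site Default-First-Site-Name comes from the dcdiag output. Run on the 2008 R2 DC.
$OldDc = 'SBS01'
$Site  = 'Default-First-Site-Name'

$root     = [ADSI]'LDAP://RootDSE'
$configNc = $root.configurationNamingContext.Value
$domainNc = $root.defaultNamingContext.Value
$schemaNc = $root.schemaNamingContext.Value

# Objects a clean demotion removes and that ntdsutil "metadata cleanup" removes otherwise.
$serverDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
$ntdsDn   = "CN=NTDS Settings,$serverDn"
$compDn   = "CN=$OldDc,OU=Domain Controllers,$domainNc"

# DirectoryEntry::Exists binds without throwing when the object is gone.
$leftovers = @()
foreach ($dn in @($ntdsDn, $serverDn, $compDn)) {
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { $leftovers += $dn }
}

# Each fSMORoleOwner attribute holds the DN of the owning DC's NTDS Settings object.
$fsmo = @{
    'Schema'         = ([ADSI]"LDAP://$schemaNc").fSMORoleOwner.Value
    'Domain naming'  = ([ADSI]"LDAP://CN=Partitions,$configNc").fSMORoleOwner.Value
    'PDC emulator'   = ([ADSI]"LDAP://$domainNc").fSMORoleOwner.Value
    'RID master'     = ([ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainNc").fSMORoleOwner.Value
    'Infrastructure' = ([ADSI]"LDAP://CN=Infrastructure,$domainNc").fSMORoleOwner.Value
}
$stale = @($fsmo.Keys | Where-Object { $fsmo[$_] -eq $ntdsDn })

if ($stale.Count -gt 0) {
    Write-Warning "Roles still owned by $OldDc (seize them on the surviving DC first): $($stale -join ', ')"
}
if ($leftovers.Count -gt 0) {
    Write-Warning "Stale objects for $OldDc remain:"
    $leftovers | ForEach-Object { Write-Warning "  $_" }
    Write-Host 'After reviewing the DN, remove them from an elevated prompt with:'
    Write-Host "ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" quit quit"
} else {
    Write-Host "No leftover metadata for $OldDc found."
}
```

If a role still shows the old DC as owner, the surviving DC must seize it before the old machine's objects are removed, which is the overlap the quoted KB text warns about.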

    Did that, done that. No success.

    Anyway, I rebuilt the entire AD from scratch.

    • Marked as answer by sealview Friday, 21 October 2011 16:51
    Friday, 21 October 2011 16:49

All messages

  • Hello sealview, check whether the DNS service is started; if not, start it and post the error message if it does not work.
    Also check that the network adapter settings, under Primary DNS server, are configured correctly and point to the current DC.

    If everything above works / is configured correctly, run the following commands to recreate the DNS records:

    - net stop netlogon && net start netlogon
    - ipconfig /registerdns
    - ipconfig /flushdns

    If that does not work either, uninstall DNS, reinstall it, then create the domain's forward zone and run the commands above again. Also run a dcdiag /v > dcdiag.txt and attach it to the post, along with a netdom query fsmo > fsmo.txt.

    Vlad

    Friday, 21 October 2011 16:43
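Vlad's checklist scripted for the 2008 R2 DC, as an added example that is not code from the thread. It assumes the names from the dcdiag output in the question (DC01 at 192.168.2.6 in Domeniu.local, and the DSA GUID that failed the Connectivity test) and runs from an elevated PowerShell prompt on DC01.

```powershell
# Added example, not code from the thread: Vlad's checklist scripted for the 2008 R2 DC.
# Assumptions: DC01 at 192.168.2.6 in Domeniu.local and the DSA GUID, all taken from
# the dcdiag output in the question. Run from an elevated PowerShell prompt on DC01.
$DcName  = 'DC01'
$DcIp    = '192.168.2.6'
$Domain  = 'Domeniu.local'
$DsaGuid = '78e5a977-0dc7-46ce-b5f3-ffe34f6ddb42'

# 1. Is the DNS Server service installed and running? Start it and show why it fails if not.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dns -eq $null) {
    Write-Warning 'DNS Server service not found: the DNS role is not installed.'
} elseif ($dns.Status -ne 'Running') {
    try { Start-Service -Name DNS -ErrorAction Stop; Write-Host 'DNS service started.' }
    catch { Write-Warning "DNS service failed to start: $($_.Exception.Message)" }
}

# 2. dcdiag flagged 127.0.0.1 as an invalid DNS server on the adapter; the primary DNS
#    entry must be the DC's own address, as Vlad says.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
    $servers = @($_.DNSServerSearchOrder)
    if ($servers.Count -eq 0 -or $servers[0] -ne $DcIp) {
        Write-Warning "Adapter '$($_.Description)' DNS list is [$($servers -join ', ')]; set primary DNS to $DcIp"
    }
}

# 3. Vlad's three commands, then confirm the records dcdiag reported missing now resolve.
& net stop netlogon  | Out-Null
& net start netlogon | Out-Null
& ipconfig /registerdns | Out-Null
& ipconfig /flushdns    | Out-Null
Start-Sleep -Seconds 15   # give Netlogon time to write its SRV/CNAME records

$records = @{
    "$DcName.$Domain"         = 'A'      # host record for the DC
    "$DsaGuid._msdcs.$Domain" = 'CNAME'  # replication alias that failed the Connectivity test
    "_ldap._tcp.$Domain"      = 'SRV'    # LDAP locator record that failed on 192.168.2.6
}
foreach ($name in $records.Keys) {
    $type = $records[$name]
    $out = & nslookup "-type=$type" $name $DcIp 2>&1 | Out-String
    if ($out -match "can't find|Non-existent domain") {
        Write-Warning "$type record $name is still missing on $DcIp"
    } else {
        Write-Host "$type record $name resolves on $DcIp"
    }
}
```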
  • Hello Marius,

    Thank you very much for the reply.

    Now I realize that this TIP clearly matches the scenario in which my AD crashed.

    I had no knowledge of this risk, but from now on I will certainly know.

    Thanks again.

    Friday, 24 February 2012 14:01