Active Directory "dead" after migrating from SBS 2003 to Win 2008 R2

Question
Hi everyone,
In a domain held by an SBS 2003, I had to migrate the whole forest to a Win 2008 R2. I successfully completed the replication and the migration of the FSMO roles and of DNS to the new server (Win 2008 R2). I made sure the new server, promoted to Global Catalog, failed no test in DCDIAG, after which I demoted the old SBS 2003. The demotion went smoothly and successfully. I restarted the old server (SBS 2003), which became just a plain domain-joined workstation. Seeing that the new server's event logs were not throwing any errors, I decided to restart it as well.
After restarting the Windows 2008 R2 server, the console (MMC) no longer let me access the DNS server in any way, showing me the message:
The server DC01 could not be contacted.
The error was:
Access was denied.
_________________
Would you like to add it anyway?
_________________
Yes/No

I tried to troubleshoot and find the source of this problem, without success. Because of DNS, nothing in AD works: not GPO, not DFS, not Kerberos.
dcdiag /s:dc01 /test:DNS responds with:

Directory Server Diagnosis

Performing initial setup:
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         The host 78e5a977-0dc7-46ce-b5f3-ffe34f6ddb42._msdcs.Domeniu.local could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... DC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC01 failed test DNS

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : Domeniu

   Running enterprise tests on : Domeniu.local
      Starting test: DNS
         Test results for domain controllers:

            DC: DC01.Domeniu.local
            Domain: Domeniu.local

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Warning: adapter [00000017] Citrix PV Ethernet Adapter has invalid DNS server: 127.0.0.1 (DC01)
                  Error: all DNS servers are invalid
                  No host records (A or AAAA) were found for this DC
                  Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.2.6 (DC01)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.Domeniu.local. failed on the DNS server 192.168.2.6

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: Domeniu.local
               DC01                         PASS FAIL n/a  n/a  n/a  n/a  n/a

         ......................... Domeniu.local failed test DNS
I need help.
Thank you.
Tuesday, 11 October 2011 10:48
All messages
Hi sealview, check whether the DNS service is started; if not, start it and post the error message if that does not work.
Also check that the network adapter settings have the Primary DNS server configured correctly and pointing to the current DC. If everything above works/is configured correctly, run the following commands to recreate the DNS records:
- net stop netlogon && net start netlogon
- ipconfig /registerdns
- ipconfig /flushdns
If that does not work either, uninstall DNS, reinstall it, then create the domain's forward zone and run the commands above again. Also run a dcdiag /v > dcdiag.txt and attach it to the post, together with a netdom query fsmo > fsmo.txt.
Vlad
- Proposed as answer by Alexandru Dionisie, Saturday, 29 October 2011 13:58
Friday, 21 October 2011 16:43
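The recovery sequence from the post above as one PowerShell script, with a check after each step. This is an added example, not code from the original thread or from either poster. It assumes DC01 (192.168.2.6) is the only remaining DC and the domain is Domeniu.local, as in the question, and that it is run elevated on DC01; the 127.0.0.1 secondary DNS entry follows Microsoft's usual guidance for a DC (own IP first, loopback at most second) rather than anything stated in the thread.

```powershell
# Added example, not code from the original thread: the recovery sequence from the
# post above, with a check after each step. Assumes DC01 (192.168.2.6) is the only
# remaining DC and the domain is Domeniu.local, as in the question. Run elevated on DC01.
$Domain = 'Domeniu.local'
$DcName = 'DC01'
$DcIp   = '192.168.2.6'

# 1. The DNS Server service must be up before anything can be re-registered.
$dns = Get-Service -Name DNS
if ($dns.Status -ne 'Running') {
    Start-Service -Name DNS
    $dns.WaitForStatus('Running', '00:00:30')
}

# 2. Every enabled adapter should list the DC's own IP as primary DNS (loopback at
#    most as secondary); the dcdiag output in the question flagged 127.0.0.1 as invalid.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        if (@($_.DNSServerSearchOrder)[0] -ne $DcIp) {
            Write-Warning "$($_.Description) had DNS $($_.DNSServerSearchOrder -join ', ')"
            $_.SetDNSServerSearchOrder(@($DcIp, '127.0.0.1')) | Out-Null
        }
    }

# 3. Re-register: Netlogon writes the SRV and _msdcs CNAME records, ipconfig the A record.
Restart-Service -Name Netlogon
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 15

# 4. Check the records the failing Connectivity test depends on. The _msdcs CNAME is
#    named after the DSA GUID; read it from this DC's own NTDS Settings object over
#    ADSI to localhost, which works even while DC location through DNS is broken.
$rootDse = [ADSI]'LDAP://localhost/RootDSE'
$ntds    = [ADSI]"LDAP://localhost/$($rootDse.dsServiceName.Value)"
$dsaGuid = $ntds.psbase.Guid.ToString()

$checks = @(
    @{ Type = 'A';     Name = "$DcName.$Domain" },
    @{ Type = 'CNAME'; Name = "$dsaGuid._msdcs.$Domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.$Domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.$Domain" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.$Domain" }
)
# nslookup prints these phrases only when the answer holds a record of that type; the
# server header or a "Non-existent domain" error does not match them.
$found = @{ A = '(?m)^Name:'; CNAME = 'canonical name'; SRV = 'SRV service location' }
foreach ($c in $checks) {
    $out = nslookup "-type=$($c.Type)" $c.Name $DcIp 2>&1 | Out-String
    '{0,-6} {1,-50} {2}' -f $c.Type, $c.Name, $(if ($out -match $found[$c.Type]) { 'OK' } else { 'MISSING' })
}

# 5. Collect what the post asks to have attached.
dcdiag /v          > dcdiag.txt
netdom query fsmo  > fsmo.txt
```

The record check in step 4 is the part worth keeping even when the rest is done by hand: a DC whose own A record, GUID CNAME under _msdcs and _ldap._tcp SRV records are all present but still fails dcdiag points to an access or service problem rather than to missing registrations.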
Hi Vlad,
Thanks for the reply. Did that, done that. No success.
Anyway, I rebuilt the whole AD from scratch.
- Marked as answer by sealview, Friday, 21 October 2011 16:51
Friday, 21 October 2011 16:49
Hi,
I know my message is late, but I thought I would chime in anyway.
As far as I know, once a domain controller that held the FSMO roles has been decommissioned, it must not come back onto the network and communicate with the new DCs again. From what you describe, the migration worked correctly, but the mistake was reintroducing it into the domain without cleaning up its metadata using NTDSUTIL.exe.
"A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems"
MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/
- Marked as answer by sealview, Friday, 24 February 2012 14:01
Friday, 24 February 2012 13:41
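The metadata check and cleanup the post above recommends, run from the surviving DC before the old machine is allowed to talk to the domain again. This is an added example, not code from the original thread or from the poster. Assumed names: the old SBS box is "SBS01" (the thread never names it); the surviving DC is DC01 and the domain is Domeniu.local, as in the question. It needs the ActiveDirectory module and a DC whose own DNS and LDAP are healthy, so it is the procedure for a correct decommission, not a fix for the broken state in the question.

```powershell
# Added example, not code from the original thread: check whether a decommissioned
# DC still has metadata in the forest and remove it from a surviving DC, as the post
# above recommends, before that machine is ever reconnected. Assumed names: old DC
# "SBS01" (not named in the thread); surviving DC DC01 and domain Domeniu.local as in
# the question. Run elevated on DC01.
Import-Module ActiveDirectory

$OldDc       = 'SBS01'
$SurvivingDc = 'DC01'
$Domain      = 'Domeniu.local'
$Site        = 'Default-First-Site-Name'
$ConfigNc    = (Get-ADRootDSE).configurationNamingContext
$ServerDn    = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNc"

# 1. What does the directory still believe about the old server? A surviving
#    NTDS Settings object means AD still treats SBS01 as a replication partner.
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$ntdsObj = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $ServerDn `
                        -SearchScope OneLevel -ErrorAction SilentlyContinue
Write-Host "DCs registered in AD     : $($dcs -join ', ')"
Write-Host "NTDS Settings for $OldDc : $(if ($ntdsObj) { 'still present' } else { 'absent' })"

# 2. Metadata left behind: remove it. ntdsutil accepts its menu commands as arguments
#    and asks for confirmation before deleting the server object and its children.
if ($ntdsObj) {
    ntdsutil 'metadata cleanup' "remove selected server $ServerDn" quit quit
}

# 3. Is DNS still advertising the old DC as a name server for either zone?
#    Review the output, then delete the stale NS record (uncomment to run).
dnscmd $SurvivingDc /EnumRecords $Domain '@' /Type NS
dnscmd $SurvivingDc /EnumRecords "_msdcs.$Domain" '@' /Type NS
# dnscmd $SurvivingDc /RecordDelete $Domain '@' NS "$OldDc.$Domain." /f

# 4. Exactly one holder per FSMO role, and a replication summary with no reference
#    to the old server.
netdom query fsmo
repadmin /replsummary
repadmin /showrepl $SurvivingDc

# The old box itself, as the quoted KB text says, is either wiped or forcibly
# demoted while isolated from the network (dcpromo /forceremoval), and is joined
# back as a member only after steps 1 to 4 come up clean.
```

The order matters: the metadata is cleaned and verified on the surviving DC first, and only then is the old machine rebuilt or demoted off-network and rejoined, so that at no point do two servers both believe they hold the same FSMO roles or RID pool.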
Hi Marius,
Thank you very much for the reply.
I now realise that this TIP clearly matches the scenario in which my AD crashed.
I was not aware of this risk, but from now on I certainly will be.
Thanks again.
Friday, 24 February 2012 14:01