Forest Root Restore - Global Catalog Issue


  • I am attempting to test a Forest Restore. I have done this several times in the past without issues. Now I am creating a test environment for a 2008 upgrade.
    It's a small network: an Empty Root Forest with 2 DCs that run DNS and DHCP, and a production domain with 2 DCs, with DNS. I have roughly 500 users. The servers are Server 2003 Standard R2 SP2.
    I have checked Event Viewer on all 4 DCs, no errors, and verified that they are running correctly with dcdiag, netdiag, repadmin, and FRS.
    I run full system state backups nightly on each DC.

    I am building my first DC in the Empty Root Forest (2003 Standard R2, with updates). I restore my full system state backup using ntbackup. I ensure that the files are always replaced and that the system state data is marked as the primary data for all replicas.

    When the restore is complete, I restart, and I get the message that "Active Directory is rebuilding indices". I wait for 15-20 minutes, I get a logon screen, and I am able to log on using my domain admin account against my domain.

    I set up an IP address for my test environment and point the server to itself as its primary DNS server.

    However, once I clear the checkbox to remove the Global Catalog, I cannot bind using my logon credentials when raising the RID Pool. When I log off, I cannot log on to the server with any credentials.

    I usually test the system state restores several times a year, and I have never run into this issue before (and this was supposed to be my easy task this week).

    Steps I use are below:
    I have copied my system state backup (full) to the first DC in the parent domain.
    After I restore using system state, I can log on to the DC using my domain admin account. After the system detects new devices, I reboot again and log on.
    I then do the following steps:
    1) assign IP Address, with DNS pointing to itself (I am on test network equipment)
    2) Metadata cleanup - remove all other DCs except for this first DC
    3) Check to ensure that this DC has all FSMO roles
    4) Sites and Services - remove all extinct DCs
    5) Remove the SRV and A records of this DC from DNS
    6) Uncheck Global Catalog from this DC
    7) Check Event Viewer for successful deletion of Global Catalog from DC
    8) Recheck Global Catalog
    I get Event Viewer messages that the DC is no longer a Global Catalog and that the Directory Partition from the child domain is being removed.
    I then get a message 1578, that the DC is being delayed because partition occupancy requirements have not been met.
    Occupancy level - 6 and Domain Controller level = 0
    1809 - no inter-site sources for at least one partition replication
    1110 - Promotion of GC is delayed for 30 minutes
    After 16 minutes - I get error 1126 - AD was unable to establish a connection with GC. Additional data:
    Error Value
    1355 The specified domain does not exist or could not be contacted.
    Internal ID - 3200cf3
    After 30 minutes, I start to get duplicate event entries from the events listed above.
    If I log off from the DC, I will not be able to log back on.
    I have a document that I created for when I do this test from time to time and have never encountered this problem.
    Any ideas or help is truly appreciated.
    Tuesday 5 January 2010 14:31


  • Global catalog promotion may fail if one of the following conditions is true:
    1. The configuration partition on one or more domain controllers contains a cross-reference object to a stale or orphaned domain, but no domain controllers for that domain are located in the forest.
    2. Metadata for a source domain controller that is designated by the KCC is located in the configuration partition of one or more domain controllers but does not represent a domain controller currently present in the forest.
    3. The source domain controller that is selected by the KCC on the global catalog that is being promoted is offline.
    4. The source domain controller that was selected by the KCC on the global catalog that is being promoted is inaccessible over the network. This domain controller is inaccessible because there is no network connectivity or partial network connectivity. The following are examples of network connectivity issues:
      • Ports that are blocked
      • IP addresses that are filtered
      • Networks that are not fully routed but that have the bridge-all-site-links option enabled
    5. Source domain global catalogs are constrained from acting as bridgeheads because non-global catalog domain controllers have incorrectly been selected as preferred bridgeheads by administrators.
    6. The global catalog that is being promoted cannot build a connection link from the selected source domain controller because of the error status that is logged in one of the events that are listed in the Summary section.

    An orphaned domain will prevent the domain controller from finishing the replication. The domain controller cannot advertise itself as a global catalog server until replication is completed. There are several issues that could lead to an orphaned domain:
    1. Active Directory was removed from all the domain controllers of a domain, but the domain partition cross-reference object still remains.
    2. Active Directory was removed from a domain controller, and the directory partition of the domain controller was removed. The domain controller was then re-created before replication was completed. These events caused lingering phantoms that a cross-reference object incorrectly references.
    3. The domain-naming update for the domain has not reached the domain controller that is experiencing the problem. Or, the domain-naming update for a domain that is newly promoted may not have reached any domain controllers outside that domain. This issue would be a temporary problem.

    Troubleshooting problems with promoting a domain controller to a global catalog server
    Tuesday 5 January 2010 18:04
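The script below is an added example for this thread; it is not part of either post above nor of the KB article the answer reproduces. It implements the read-only checks a practitioner would run on the restored root DC after the poster's metadata cleanup (steps 2-5) and before re-checking the Global Catalog box (step 8), and it specifically tests for the first orphaned-domain condition in the answer: a crossRef object under CN=Partitions whose domain partition no surviving DC hosts. It also reports this DC's GC flag and the partition-occupancy requirement that event 1578 refers to. It assumes PowerShell 2.0 (Windows Management Framework, installable on Server 2003 SP2) is present, that it runs locally on the DC under a domain administrator account, and that the ADSI/System.DirectoryServices calls are reachable without the AD module; the variable names are the example's own.

```powershell
# Added example, not the poster's procedure or the KB article's code.
# Read-only checks to run on the restored forest-root DC before re-enabling the GC.
# Assumption: PowerShell 2.0+ on the DC itself, run as a domain administrator.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$ntdsDn   = [string]$rootDse.dsServiceName      # DN of this DC's NTDS Settings object

# 1. Every naming context that some surviving DC (nTDSDSA object) holds a writable
#    copy of. hasMasterNCs is populated on both 2000 and 2003 DCs, so it is used
#    here rather than the 2003-only msDS-HasDomainNCs.
$dsaSearch = New-Object System.DirectoryServices.DirectorySearcher
$dsaSearch.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$dsaSearch.Filter     = "(objectClass=nTDSDSA)"
$dsaSearch.PageSize   = 500
[void]$dsaSearch.PropertiesToLoad.AddRange(@("distinguishedName", "hasMasterNCs"))

$hostedNCs = @{}   # NC DN (lower-case) -> DN of one NTDS Settings object hosting it
foreach ($dsa in $dsaSearch.FindAll()) {
    foreach ($nc in $dsa.Properties["hasmasterncs"]) {
        $hostedNCs[([string]$nc).ToLower()] = [string]$dsa.Properties["distinguishedname"][0]
    }
}

# 2. Every domain cross-reference. systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks a
#    crossRef for a domain NC; 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
$crSearch = New-Object System.DirectoryServices.DirectorySearcher
$crSearch.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
$crSearch.Filter     = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
[void]$crSearch.PropertiesToLoad.AddRange(@("nCName", "dnsRoot"))

$orphaned = @()
foreach ($cr in $crSearch.FindAll()) {
    $ncName  = [string]$cr.Properties["ncname"][0]
    $dnsRoot = [string]$cr.Properties["dnsroot"][0]
    if ($hostedNCs.ContainsKey($ncName.ToLower())) {
        Write-Host ("OK       {0} hosted by {1}" -f $dnsRoot, $hostedNCs[$ncName.ToLower()])
    } else {
        # This is the answer's condition 1: a cross-reference to a domain with no DC left.
        Write-Host ("ORPHANED {0} ({1}) has no DC in the forest" -f $dnsRoot, $ncName)
        $orphaned += $dnsRoot
    }
}

# 3. This DC's GC flag (NTDSDSA_OPT_IS_GC = 0x1 in the NTDS Settings 'options'
#    attribute) versus whether the DSA is actually advertising as a GC.
$ntds    = [ADSI]"LDAP://$ntdsDn"
$isGcSet = (([int]$ntds.options) -band 1) -ne 0
Write-Host ("GC flag set: {0}   isGlobalCatalogReady: {1}" -f $isGcSet, $rootDse.isGlobalCatalogReady)

# 4. The occupancy requirement behind event 1578. When the value is absent the
#    default, 6, applies: every partition in the forest must be present and fully
#    synchronized before the DC advertises as a GC.
$ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$occ   = Get-ItemProperty -Path $ntdsParams -Name "Global Catalog Partition Occupancy" -ErrorAction SilentlyContinue
$level = if ($occ) { [int]$occ."Global Catalog Partition Occupancy" } else { 6 }
Write-Host "Global Catalog Partition Occupancy: $level"

if ($orphaned.Count -gt 0) {
    Write-Host "This DC cannot satisfy occupancy level $level while these cross-references remain:"
    $orphaned | ForEach-Object { Write-Host "  $_" }
}
```

In the poster's scenario the script is expected to list the child production domain as ORPHANED: its two DCs were removed with metadata cleanup, but the crossRef object for the domain still sits in CN=Partitions, so when the GC is re-enabled the KCC looks for a source for that partition, finds none (the "Domain Controller level = 0" in event 1578), and never reaches occupancy level 6. The cross-reference itself is removed with ntdsutil (metadata cleanup, select operation target, list domains, select domain N, quit, remove selected domain); the script deliberately stays read-only and leaves that destructive step to the operator.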