
Domain failure, after WSUS role install on Server 2008


Sumi
09-25-2008, 03:57 PM
Hello!

Dear forum members, Dear everyone, who reads this post!

I have a problem:

There are two Domain Controllers, let's call them DC1, and DC2.

DC1 has the FSMO roles.

A couple of days ago, I was wondering why I shouldn't check out the WSUS role of WinServer2008, so I installed WSUS 3.0 SP1 on DC1, and from that point weird things happened. MSDE was also automatically installed for WSUS. (It's called the Windows Internal Database Engine now, I think.)
I've applied all of the Windows Updates:

Security Update for Windows Server 2003 and Windows Server 2008 (KB948109)
Update for Windows Server Update Services (WSUS) 3 Service Pack 1 for x64-based Systems (KB954960)

Then I went for a coffee, and when I came back, the problem started.

On DC1, I can't open ADUC; it tells me that the directory service is unavailable.
gpupdate won't run on DC1, thus domain policy isn't applied.
DCdiag says everything is fine.
The event log is full of ID 1006: gpupdate failure, unable to bind to LDAP, or something like that.

Now the second weird thing is that if I sit down at any other computer in the network (about 300), everything just works perfectly.
For example, if I start ADUC on DC2, select "Change domain controller", and select DC1, everything is OK.

And the third, and all in all the weirdest thing: if I open ADUC on DC1, bypass the error message, select "Connect to DC" (or something like this), and type DC1's IP, even 127.0.0.1, it connects, and everything works fine.

What did WSUS do?
Why can't ADUC, or any LDAP-based client program (ADSI Edit, gpedit, etc.), open the directory?
Why can ADUC, or any LDAP-based client program (ADSI Edit, etc.), open the directory if I connect to the server's NIC IP, or 127.0.0.1?

What should I do to regain control over the DC? (Reinstalling is not an option!)

Any help is really appreciated!!!

Thanks!

Andrew

oakfan52
09-25-2008, 05:14 PM
Try this, since Vista SP1 shares the same core as Server 2008.

http://krva.blogspot.com/2007/06/adminpak-on-vista.html

Sumi
09-26-2008, 01:07 AM
How would this solve the gpupdate problem? :S

Sumi
10-02-2008, 01:45 AM
No idea?

calebb
10-02-2008, 02:11 AM
Are you using AD-integrated DNS? If so, double-check the SRV records on both DCs. Specifically, make sure the GUID of DC1 did not change when you installed WSUS.

Check the domain sites/services tool in the administration tools and ensure replication really is fine. If so, force a replication. Or use dcdiag (although you said you did try that already...)

Did you upgrade your AD schema for server 2008 at the same time as you installed WSUS?

Sumi
10-05-2008, 03:23 PM
Yes, I'm using AD-integrated DNS, but that seems to be working fine.
DCdiag is OK.
GUIDs are OK.
Repadmin /showreps tells me that everything is fine; they are syncing as expected.
Everything seems OK, except that if I run Start - Admin Tools - ADUC, or ADSI Edit, or Group Policy, or anything on that local server which uses LDAP, it says it can't connect, server down, etc.
Then if I choose to connect to a DC and manually input its IP address (127.0.0.1), it connects and works fine. Replication to the "secondary" DC also works fine, clients in the network haven't noticed any problem, so from any other member of the network it seems like everything is just fine. The problem shows up only locally.

Regards.
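The symptom described in the opening post and restated above (serverless LDAP clients such as ADUC, ADSI Edit and gpupdate fail on DC1, while a bind to 127.0.0.1 or the NIC IP succeeds) together with the checks calebb suggested (SRV records, DC1's GUID, replication) can be reproduced and narrowed down from one script. The following is an added example, not a post from this thread and not something any participant ran. It assumes an elevated PowerShell 2.0 or later prompt on DC1 itself, and the domain name and NIC address are placeholders to replace; `Test-LdapBind` and `Get-DsaGuid` are names chosen here. It does not identify the cause; it shows whether the break is in locating the DC (DNS client settings, SRV/CNAME records, the DC locator) or in the LDAP service itself.

```powershell
<#
  Added diagnostic, not from the thread: compare the serverless LDAP bind that
  ADUC / ADSI Edit / gpupdate use with explicit binds, then look at what the
  DC locator and DNS return on this box.
  Assumptions: run as an elevated user on DC1; PowerShell 2.0+; the values
  below are placeholders.
#>
param(
    [string]$DomainDns = 'corp.example.com',   # assumption: AD domain DNS name
    [string]$LocalIp   = '192.0.2.10'          # assumption: DC1's NIC address
)

function Test-LdapBind {
    # Bind to a RootDSE path and report which DC answered. 'LDAP://RootDSE'
    # is serverless: it goes through the DC locator (DNS SRV lookup plus a
    # netlogon ping), which is the path the failing MMC tools and gpupdate use.
    param([string]$Path)
    try {
        $root = [ADSI]$Path
        $answered = $root.Properties['dnsHostName'].Value   # forces the bind
        "OK   {0}  ->  answered by {1}" -f $Path, $answered
    } catch {
        "FAIL {0}  ->  {1}" -f $Path, $_.Exception.Message
    }
}

function Get-DsaGuid {
    # The objectGUID of this DC's NTDS Settings object is the DSA GUID; the
    # <guid>._msdcs.<forest root> CNAME in DNS must point at this host.
    param([string]$Server)
    $rootDse   = [ADSI]"LDAP://$Server/RootDSE"
    $settings  = [ADSI]"LDAP://$Server/$($rootDse.Properties['dsServiceName'].Value)"
    $bytes     = [byte[]]$settings.Properties['objectGUID'].Value
    $forestDn  = $rootDse.Properties['rootDomainNamingContext'].Value
    $forestDns = ($forestDn -replace '^DC=', '') -replace ',DC=', '.'
    New-Object PSObject -Property @{
        Guid      = (New-Object Guid -ArgumentList (,$bytes)).ToString()
        ForestDns = $forestDns
    }
}

'--- 1. serverless bind versus explicit binds ---'
Test-LdapBind 'LDAP://RootDSE'
Test-LdapBind 'LDAP://127.0.0.1/RootDSE'
Test-LdapBind "LDAP://$LocalIp/RootDSE"
Test-LdapBind "LDAP://$($env:COMPUTERNAME).$DomainDns/RootDSE"

'--- 2. what the DC locator returns on this box, and which DNS servers it asks ---'
nltest /dsgetdc:$DomainDns /force
netsh interface ipv4 show dnsservers

'--- 3. SRV and DSA-GUID CNAME records the locator and replication rely on ---'
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainDns"
$dsa = Get-DsaGuid -Server '127.0.0.1'
nslookup -type=CNAME "$($dsa.Guid)._msdcs.$($dsa.ForestDns)"

'--- 4. the most recent Group Policy failures (Event ID 1006, System log) ---'
wevtutil qe System /q:"*[System[EventID=1006]]" /c:5 /rd:true /f:text
```

Read section 1 first: if `LDAP://RootDSE` fails while `LDAP://127.0.0.1/RootDSE` and the NIC IP succeed, the LDAP service itself is answering and the difference lies in how the local machine locates a DC, which is what sections 2 and 3 expose (the DC the locator selects or the error it returns, the DNS servers the DC's own client is using, and whether the SRV records and the DSA-GUID CNAME resolve to DC1). The 1006 events in section 4 carry the bind error text that the MMC dialogs only paraphrase.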

Captain Colonoscopy
10-05-2008, 11:08 PM
Try creating a new Domain Administrator account and logging on to DC1 as that new user. See if the same MMC issues crop up. I saw that happen on a Server 2003 box once. After we logged in as the new domain admin account and there were no problems, we deleted the local profile of the domain admin account and logged in again, and everything was fine.

Not sure if this will do anything in your situation, but it's worth a shot.

Sumi
10-09-2008, 04:05 AM
Yes, this would be a good idea, but gpupdate fails as well, and it isn't run in the name of the default domain admin.
Anyway, I've tried what you suggested, but... nope :( Still no go.

Thanks