Need help -- Win2kAS AD issues

COKE CAN

Ok here is what happened:

I am fairly new, roughly 1.25 months.

We have 2 Win2k Advanced Server Domain controllers DC02 and DC03.

We had the mirror die that held SYSVOL and NTDS. We will call this server DC03.

When DC03 had the HDD failure, we planned to slick it and start over.

DC03 and DC02 (the other DC) are also both DNS servers.

We came back in the office and tried to demote DC03 and it failed because it could not transfer the FSMO roles. It stated that it could not connect.

We rebooted DC03 and received an error stating that it could not start directory services. We tried to force the FSMO roles to DC02 and set that one as the Global Catalog. Some of the FSMO roles did not transfer.

All the servers on the domain are pointing to DC02.

Everyone is authenticating without problems.

We tried to delete DC03 out of AD but could not.

We removed any entries of DC03 in DNS.

We rebuilt DC03 and it is now named DC01.

DC01 seems to be trying to replicate from DC03 that does not exist anywhere.

I have not set up DC01 as DNS yet either. Why is it trying to replicate from DC03?

What do I need to do about the FSMO roles? What do they affect? How can I remove DC03 from AD?
 
We tried forcing the FSMO roles to DC02 via ntdsutil like in the above article. Most of them transferred.

This is one of the errors that we are getting from the directory services log:

Code:
Event Type:	Warning
Event Source:	NTDS KCC
Event Category:	(1)
Event ID:	1265
Date:		11/1/2007
Time:		9:43:52 AM
User:		N/A
Computer:	DC01
Description:
The attempt to establish a replication link with parameters
 
 Partition: CN=Schema,CN=Configuration,DC=ourdomain,DC=local
 Source DSA DN: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ourdomain,DC=local
 Source DSA Address: 547917fa-cccf-4042-8b9e-ad9aad714c62._msdcs.ourdomain.local
 Inter-site Transport (if any): 
 
 failed with the following status:
 
 The DSA operation is unable to proceed because of a DNS lookup failure.
 
 The record data is the status code.  This operation will be retried. 
Data:
0000: 4c 21 00 00               L!..
 
The other error:

Code:
Event Type:	Warning
Event Source:	NtFrs
Event Category:	None
Event ID:	13508
Date:		11/1/2007
Time:		10:23:12 AM
User:		N/A
Computer:	DC01
Description:
The File Replication Service is having trouble enabling replication from DC03 to DC01 for d:\winnt\sysvol\domain using the DNS name dc03.ourdomain.local. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name DC03.ourdomain.local from this computer. 
 [2] FRS is not running on Dc03.ntimsbidom.local. 
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established. 
Data:
0000: ba 06 00 00               º...
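
An added example, not part of the original posts: a small triage script that decodes the little-endian `Data:` row of each event above into its Win32 status code and lists replication partners the event names that are not in a list of live DCs. The function names and the `live_dcs` list are assumptions, the event text is trimmed from the two events quoted above, and reading the 13508 data row as a Win32 code is also an assumption.

```python
import re
import struct

# Win32 codes for the two Data rows quoted in the thread (names from winerror.h).
WIN32_NAMES = {8524: "ERROR_DS_DNS_LOOKUP_FAILURE", 1722: "RPC_S_SERVER_UNAVAILABLE"}

# Excerpts of the two events posted above, trimmed to the fields the parser reads.
KCC_1265 = """Event ID: 1265
Computer: DC01
 Source DSA DN: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ourdomain,DC=local
Data:
0000: 4c 21 00 00               L!..
"""
FRS_13508 = """Event ID: 13508
Computer: DC01
The File Replication Service is having trouble enabling replication from DC03 to DC01 for d:\\winnt\\sysvol\\domain using the DNS name dc03.ourdomain.local.
Data:
0000: ba 06 00 00               º...
"""

def decode_status(data_row):
    """Decode an event 'Data:' hex row (first DWORD, little-endian) to a Win32 code."""
    hex_bytes = re.findall(r"\b[0-9a-fA-F]{2}\b", data_row.split(":", 1)[1])[:4]
    (code,) = struct.unpack("<I", bytes(int(b, 16) for b in hex_bytes))
    return code, WIN32_NAMES.get(code, "unknown")

def stale_partners(event_text, live_dcs):
    """Return DC names referenced by the event that are not in live_dcs."""
    names = set()
    # KCC 1265: the server name is the RDN right after 'CN=NTDS Settings'.
    names.update(re.findall(r"CN=NTDS Settings,CN=([^,]+),CN=Servers", event_text))
    # NtFrs 13508: 'enabling replication from <source> to <destination>'.
    names.update(re.findall(r"replication from (\S+) to \S+", event_text))
    live = {d.upper() for d in live_dcs}
    return sorted({n.upper() for n in names} - live)

def triage(event_text, live_dcs):
    """Summarise one exported event: status code, its name, and stale partners."""
    data_row = re.search(r"^0000:.*$", event_text, re.M).group(0)
    code, name = decode_status(data_row)
    return {"status": code, "name": name, "stale": stale_partners(event_text, live_dcs)}

if __name__ == "__main__":
    for event in (KCC_1265, FRS_13508):
        print(triage(event, live_dcs=["DC01", "DC02"]))  # live_dcs is an assumed inventory
```

A non-empty `stale` list means the directory still holds an NTDS Settings object or FRS connection for a DC that no longer exists, which is the leftover metadata the replies below discuss.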
 
Have you tried a Metadata cleanup? This should allow you to get rid of the old DC object. The FSMO's I'm at a loss for.
 
No I haven't

I was under the impression that should be done once the DC was completely removed from AD as a DC.

DC03 still shows in AD U&C and AD S&S

And like I said above, I cannot remove it. I get:

"The DSA object cannot be deleted"

The server would not allow me to demote it and now it doesn't even exist any longer
 
If the object was not gracefully removed from the environment, a metadata cleanup will be needed to remove the object from AD.

Edit: I asked a few people that I work with and they confirmed that a meta cleanup was the only viable answer. If the object is in the environment and can't be deleted gracefully.
 
Ok, I did a successful metadata cleanup and am able to delete the DC from AD S&S

Still unable to remove it from AD U&C

Found the DNS entries for replication and removed those

Thanks for the help so far all!!!
 
When you attempted to seize the FSMO roles were you using EA credentials? If you had anything less than this you can only retrieve three of the five. It might still be possible with an EA account to seize the other two roles from the DIT.
 
DC02 is holding all of the FSMO roles and that's what we want.

Sorry, I thought I typed that but it slipped! :eek:


Only issue now is the DC still shows in AD U&C and is unable to be deleted
 
If it is just a disabled computer account you should be able to just delete it out of U&C, and make sure all DNS entries are deleted. The M$ KB 216498 article is really good.
 