Mobius Forum Archive

I got Pwnd. In which Rico begs for computer help.

(@rico-underwood)

OK, I admit it, I'm thrashing at anything for help. I'm researching every DNS-related error in my event log for this problem. Note that both servers are running Windows Server 2003.

Originally we had a domain controller called "Tonkawa-Central". We added a NEW domain controller called "Home-One" *pause for snickering*. OK, we plugged in the roles on the new server, Home-One, connected to Tonkawa-Central, and AD pulled our users off just fine; all the data transferred fine to the new server's second drive. Everything ran fine while we prepped Home-One to take over as the main DC.

It was discovered that in order for the new server to function on its own we needed to turn over the PDC, RID, and Infrastructure roles to Home-One. We attempted to do this by connecting to Home-One from Tonkawa-Central. We got a message saying the domain controller could not be contacted because "The RPC server is unavailable."

It was puzzling, so we moved to Home-One and seized the RID, PDC, and Infrastructure roles from the new server itself. It could now function on its own. Nothing seemed to be wrong, save that Tonkawa-Central could not connect to Home-One. Note that files could be transferred between the machines fine, so there is two-way communication.

We decided that AD had become corrupted on the Tonkawa-Central system and we reloaded 2003 on it. On the Home-One server I attempted to reload the DNS forward zone. Unfortunately my newishness with 2003 only escalated the problem, as I not only removed the zone "tonkawa.local", but Rico's idiot self ALSO removed the "_msdcs" zone and its subzones, which are not really DNS-created zones; they are apparently AD-created zones.

I have tried the usual commands like netdiag and nltest, but so far nothing I have tried has recreated the zones.

As of now things are working fine from the users' side. The issue currently is that the domain is not accepting new members. And of course the reloaded server will not join as an existing DC. Short of dcpromo, is there anything anyone can think of that may help with this issue?

The current error we are working from in the event log for a lead is the following.

Quote:

Ownership of the following FSMO role is set to a server which is deleted or does not exist.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=Partitions,CN=Configuration,DC=tonkawa,DC=local
FSMO Server DN: CN=NTDS Settings\0ADEL:6c898c07-b7ad-44c3-beea-fa5d46c080f5,CN=TONKAWA-CENTRAL\0ADEL:1223376c-bca0-45b1-85fe-3f1b4d23bfe1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tonkawa,DC=local

User Action:

1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.

The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.


In bold you can see one of our problems.

I have some theories on this, but I'm still researching what needs to be done in the ntdsutil.exe console before I change anything in it.

Another error that's slightly older but might still be relevant is below.

Quote:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'tonkawa.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

For more information, see Help and Support Center at go.microsoft.com/fwlink/events.asp.


Of course we had already done an nltest.exe /dsregdns, but to no avail. But this may still help anyone still reading this.

If you do not have a headache by this point, please throw me an IM. After a week of hell getting SBC to set up the T1 and Cisco router, then moving our access points and realigning antennas, my body is fried. And all my second-level support people are scared to talk to me.

~Rico

 
(@rico-underwood)

Researching the FSMO KB articles did help. I seized the schema master and domain naming master, and now I can add computers to the domain. But they refuse to log in. It says the domain is not available.

~Rico
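The two posts above describe the check-and-seize sequence the quoted event points at (KB 255504 / 324801), then a DNS re-registration that never brought the deleted zones back. The following is an added example for this thread, not the poster's own commands, showing the whole sequence end to end on the surviving DC. Assumed names: the surviving DC is HOME-ONE, the domain is tonkawa.local (both from the thread); netdom, dnscmd and dcdiag are assumed to come from the Windows Server 2003 Support Tools, and on a 2003 box these same lines are typed at cmd.exe rather than PowerShell.

```powershell
# Added example, not from the original post. FSMO check, seize, DNS zone
# recreation and DC locator re-registration on the surviving DC HOME-ONE
# for the domain tonkawa.local (names assumed from the thread).

# 1. Which DC does the directory think owns each role? An owner DN that
#    contains "\0ADEL:<guid>" (exactly what the quoted event shows) is a
#    deleted NTDS Settings object, so the pointer itself is the problem.
netdom query fsmo

# 2. Seize every role that still points at the deleted DC. ntdsutil takes
#    its prompt commands as arguments; each seize first attempts a transfer,
#    then raises a confirmation dialog. Seizure is one-way: the old role
#    holder must never return with its old NTDS database (reloading
#    Tonkawa-Central from scratch, as in the thread, is the safe outcome).
ntdsutil "roles" "connections" "connect to server HOME-ONE" "quit" `
         "seize schema master" "seize domain naming master" `
         "seize PDC" "seize RID master" "seize infrastructure master" `
         "quit" "quit"

# 3. Net Logon only registers records into a zone that already exists, so
#    nltest /dsregdns cannot recreate a deleted zone. Put the forward zone
#    and the _msdcs zone back as AD-integrated primaries that accept secure
#    dynamic updates only (AllowUpdate 2 = secure only). Skip any zone that
#    has already been recreated; /ZoneAdd fails on an existing zone.
dnscmd HOME-ONE /ZoneAdd tonkawa.local /DsPrimary
dnscmd HOME-ONE /Config tonkawa.local /AllowUpdate 2
dnscmd HOME-ONE /ZoneAdd _msdcs.tonkawa.local /DsPrimary
dnscmd HOME-ONE /Config _msdcs.tonkawa.local /AllowUpdate 2

# 4. Re-register this DC's host records and the DC locator (SRV) records.
ipconfig /registerdns
nltest /dsregdns

# 5. Verify: every role owner is now HOME-ONE, and the records clients use
#    to find a DC (the ones the quoted Net Logon event complained about)
#    resolve against HOME-ONE.
netdom query fsmo
nslookup -type=SRV _ldap._tcp.dc._msdcs.tonkawa.local HOME-ONE
nslookup -type=SRV _kerberos._tcp.tonkawa.local HOME-ONE
dcdiag /s:HOME-ONE /test:dns   # /test:dns needs the SP1 Support Tools dcdiag
```

Seizure only repairs the stale fSMORoleOwner pointer. It does not remove other references to the old server (its computer account under Domain Controllers, any leftover DNS records for its old name); clearing those is the separate metadata cleanup procedure in KB 216498, and leftovers of that kind are the usual reason a rebuilt DC with the same name fails to promote.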

 
(@jimro)

Asked my brother in law, this is his response.

I'm assuming that the group policies and OUs didn't get pulled from tonkawa-central. If that's the case, then you have to set those up manually, since you wiped tonkawa.

Once you do that, all you have to do to allow new members is create new computer accounts in the specified OU according to group policy, then just join the computers to the domain.

I hope this helps.

Jimro

 
(@rico-underwood)

*writes that down as he's not going back till the 14th*

It could; the policies are still there, so he's right there. The only OU we have is the tonkawa domain, as we're not really that big or complex. I'll have to look around and see where the setting is for allowing new members to join. Like I said, I seized the roles and they can join the domain now; they just can't log in.

Hate to have you bug him again, but will that solve the problem with the reformatted Tonkawa-Central system giving a failure to connect to the domain when trying to add the Domain Controller role to it? Seizing the roles didn't help there.

Thanks much,

~Rico
