DC fails when isolated from network

"Mark Z." wrote:

My 2003 R2 DC is a global catalog, and points to itself for DNS (via its own static IP and has all the AD forest-integrated zones w/records). It does not hold any FSMO roles. When it is shut down, disconnected from the production network, and brought back up disconnected (isolated on its own network to test), I cannot log on to it (except with the Administrator account). Should it still not be able to allow me to log on? This troubles me because what if it becomes disconnected from all other DCs in a real network outage scenario? I lose all authentication?

The DNS Server just won't start... DCDiag is just full of DNS issues. This is very troubling that a DC can't live on its own for a while. Is it because the DNS zones are forest-integrated? Is it because it can't see the Forest Root DCs?

Errors in the event logs:

DNS 4000 (The DNS server was unable to open Active Directory.)
DNS 4013 (The DNS server was unable to open the Active Directory.)
NTDS Replication 2087 (Active Directory could not resolve the following DNS host name of the source domain controller to an IP address.)
NTDS General 1126 (Active Directory was unable to establish a connection with the global catalog.)
Userenv 1054 (Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. )
NETLOGON 5781 (Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.footlocker.net.' failed.)
W32Time 14 (The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 30 minutes.)

In news:DE21DDBB-27D4-4AA8-AC10-25764FAF0F8C@microsoft.com, Mark Z. <Ma***@discussions.microsoft.com>, posted the following:
> [Mark Z.'s original post, quoted above]

There are a number of reasons for this. One, mainly is the FSMO roles (PDC, IM, RM, SM and DNM). They have a huge impact and are required to be accessible by ALL DCs, and the other is the reference to the Forest root data in DNS, _msdcs.... where the GC is referenced, which is required for logon.

You got in because of cached credentials. There's also DC communication between DCs, including replication involved between the DCs. Unfortunately you cannot simply unplug one DC and expect it to work elsewhere. Curious, what was the purpose of doing this?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Hello Mark Z.,
As stated from Ace, please describe what you are trying to achieve with isolating a not full Domain controller, because of missing FSMO roles.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> [Mark Z.'s original post, quoted above]

Hi Mark Z
If you have the builtin domain admin account name and password, you can login instantly after bootup; this only works on the builtin dom adm account, EG: Administrator. Handy to remember this password, to be secured somewhere and ready if you are in a Disaster Recovery Procedure, if this is the only DC you can restore, as an example. The AD will still not have started at this point, and therefore your AD integrated DNS zones. Seize in whichever order you prefer, also remembering your schema domain/root domain DC has to also be part of the process as Ace has already stipulated. Use NTDSUtil to remove the remaining DCs in the original AD site that these belong to. I notice AD kicks in almost instantly after the Infrastructure Master DC has been ntdsutil'd out and seized automatically as part of the deletion; the DNS starts and all is fine after that. Don't delete the non-present DCs if you will want to reinject them into "say a LAB" environment, only seize. 2003 AD FSMO role holders will first check to see if a new FSMO role holder has taken its position and automatically demote itself before advertising itself on the network.

--
Garry Starck MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA

"Mark Z." wrote:
> [Mark Z.'s original post, quoted above]
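As an added example (not from any of the posters), this PowerShell readiness check lists the dependencies Ace and Garry describe: whether the five FSMO role holders resolve and answer LDAP as seen through the DC's own DNS, whether the _msdcs GC/DC locator SRV records resolve, and whether the DC is itself a GC. It assumes a placeholder DC name ($TestDc), the ActiveDirectory RSAT module, and Resolve-DnsName/Test-NetConnection from a Server 2012 / Windows 8 or later admin host.

```powershell
# Added example, not from the thread. Run before isolating or restoring a DC to see
# which dependencies it will lose. Assumes RSAT ActiveDirectory + DnsClient cmdlets.
param(
    # Placeholder: the DC whose DNS view you want to test (it points to itself for DNS).
    [string]$TestDc = "DC-UNDER-TEST"
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The five FSMO holders, forest-wide then domain-wide.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$results = @(foreach ($role in $fsmo.Keys) {
    $holder = $fsmo[$role]
    # Resolve through the test DC's own DNS service, as the DC itself would.
    $dns  = Resolve-DnsName -Name $holder -Server $TestDc -ErrorAction SilentlyContinue
    $ldap = Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "FSMO $role"; Target = $holder
                       DnsOk = [bool]$dns; LdapOk = $ldap.TcpTestSucceeded }
})

# Locator records a domain logon depends on: the GC record lives in the forest root _msdcs zone.
$srvNames = @(
    "_ldap._tcp.gc._msdcs.$($forest.RootDomain)",
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)"
)
$results += @(foreach ($name in $srvNames) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $TestDc -ErrorAction SilentlyContinue
    $targets = ($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ','
    [pscustomobject]@{ Check = "SRV $name"; Target = $targets
                       DnsOk = [bool]$srv; LdapOk = $null }
})

# Is the test DC itself a GC? If not, some other GC must stay reachable for logon.
$results += [pscustomobject]@{ Check = "IsGlobalCatalog"; Target = $TestDc
    DnsOk = $null; LdapOk = (Get-ADDomainController -Identity $TestDc).IsGlobalCatalog }

$results | Format-Table -AutoSize
# Any DnsOk/LdapOk = False is a dependency the DC will lack once cut off from the network.
```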
What am I missing?