Hope you guys can give me some pointers here. The client is a school and
these are the details of the issue:

The main server ("server1", for staff) was derived from an earlier NT4 box that
has been upgraded and moved around over the years. It had Exchange 5.5 and
was then upgraded first to Windows 2000, then Exchange 2000. Its hard disk
has been cloned and moved into a newer server. It was once the only server;
18 months ago it was upgraded to Server 2003 R2, with some difficulty from
Exchange 2000 failing. It's been stable for 18 months.

Server2 (for pupils) was added at some point after the first Win2k server
came, and was a domain controller and global catalog with server in the
domain "school". All master and schema roles etc. were on server1.

At the end of last term I tried to upgrade exchange to 2003. It failed due
to the domain controllers not being in sync. Looking at the system logs there
has been a problem since April 14th. In looking at the AD connector on
exchange 2000 a permissions message was returned. At this point the users
disappeared from server1, but were still ok on server2. Backups were taken
and a third server (server3) introduced, with some success. The exchange data
was moved to server2. Foolishly I then tried to upgrade the exchange here,
and guess what, the users disappeared on server2 and server3!

I then restored the AD from server2 from July 18th back to server2 (server1
had shadow copy in Backup Exec but no system state backup). I forcibly did a
dcpromo /remove on server1, so it's a standalone as there did not seem much
point in keeping it; I regret it now. The users reappeared on server2, and
with a little more configuration it looks good: you can create new users
(there are around 200) and share folders etc. All the shares are correct. The
Exchange data is however "stuck" here as the AD restore also restores the
registry, so this is another issue!

The main problems are that you cannot log in to server2, even though it
claims to be a DC with all roles - things like netlogon, sysvol share etc. are
all there. You cannot join server1 (or server3) to the domain. You cannot run
a terminal server session on it. You can log in on a workstation, but it's so
slow it's obviously not right (DNS screams at me here?). Nslookup fails on any
other server looking at server2 as DNS. If you ping server2's FQDN it fails
(but it's OK on server2 itself). Dcdiag and event logs show very little to
help.

Just wondering if anyone can give me some pointers. I have eliminated any
physical possibilities like NIC drivers, switching, cabling etc. and am pretty
sure it's DNS (things like this always seem to be DNS!) but I am kind of
banging my head against a brick wall here. In essence, I need to get server2
to accept logins and allow server1 (or server3) to be an AD server. Then I can
tackle the Exchange issue on server2.

Thanks a lot guys.

Re: Domain login problem after AD restore by Jorge

Jorge
Tue Aug 12 01:58:42 PDT 2008

Hi
- 1st, run dcdiag and netdiag on the DC, check the output errors, and also look at
event log errors.
- Is that server also a DNS server? Are the users using the correct internal
DNS server?


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: Domain login problem after AD restore by Meinolf

Meinolf
Tue Aug 12 02:05:45 PDT 2008


Hello Daveg,

See inline

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hope you guys can give me some pointers here. The client is a school
> and these are the details of the issue:
>
> The main server ("server1", for staff) was derived from an earlier NT4
> box that has been upgraded and moved around over the years. It had
> Exchange 5.5 and was then upgraded first to Windows 2000, then
> Exchange 2000. Its hard disk has been cloned and moved into a newer
> server.

You talk about cloning; did you run sysprep on the clone after adding it to
the new server hardware? So server1 is Exchange 2000 and also a domain controller?

> It was once the only server; 18 months ago it was upgraded to
> Server 2003 R2, with some difficulty from Exchange 2000 failing. It's
> been stable for 18 months.
>
> Server2 (for pupils) was added at some point after the first Win2k
> server came, and was a domain controller and global catalog with
> server in the domain "school". All master and schema roles etc. were
> on server1.

Is server1 in another domain than "school"? Is this the only name,
or is it "school.com" or similar?

>
> At the end of last term I tried to upgrade exchange to 2003. It failed
> due to the domain controllers not being in sync. Looking at the system
> logs there has been a problem since April 14th.

14th April 2008? Please post the error message you got if you have it. Also
run diagnostics on the DC and post the result of "repadmin /showrepl" typed
in a command window. It seems that you are over the tombstone lifetime for replication.

> In looking at the AD
> connector on exchange 2000 a permissions message was returned.

Please post the message here.

> At this
> point the users disappeared from server1, but were still ok on
> server2.

What do you mean by "disappear"? Either they are deleted, or newly created users
are not replicated from the other DC because of the replication problem.

> Backups were taken and a third server (server3) introduced,
> with some success.

What does this mean? Did you install the 3rd server from backups?

> The exchange data was moved to server2. Foolishly I
> then tried to upgrade the exchange here, and guess what, the users
> disappeared on server2 and server3!

You shouldn't go on with new installations or upgrading if you have problems
on your machines, FIRST solve all problems especially if they belong to domain
replication.

> I then restored the AD from server2 from July 18th back to server2
> (server1 had shadow copy in backup exec but no system state backup).

What kind of restore, please describe the steps in detail.

> I
> forcibly did a dcpromo /remove on server1, so it's a standalone as
> there did not seem much point in keeping it; I regret it now.

So server1 is no longer a DC, but still an Exchange server? Is it also removed from
ADUC (the Domain Controllers OU) and from ADSS?

> The
> users reappeared on server2, and with a little more configuration it
> looks good: you can create new users (there are around 200) and share
> folders etc. All the shares are correct. The Exchange data is however
> "stuck" here as the AD restore also restores the registry, so this is
> another issue!

What do you mean by "Exchange data is stuck here"? Is the server running
as Exchange, or is everything moved to another Exchange server? That's not clear
to me. If you have demoted the server while Exchange was still running, this
can be the problem for Exchange. Unfortunately, it is not recommended to demote
a server once Exchange is installed.

> The main problems are that you cannot log in to server2, even though it
> claims to be a DC with all roles - things like netlogon, sysvol share
> etc. are all there.

What does "cannot log in to server2" mean? As administrator on the server itself,
or are client machines unable to log on to the domain?

> You cannot join server1 (or server3) to the domain.

What is the error message? Also, I thought server1 is already in the domain,
or did you reinstall it? For server3 see my question above.

> You cannot run a terminal server session on it. You can log in on a
> workstation, but it's so slow it's obviously not right (DNS screams at
> me here?)

For DNS post an unedited ipconfig /all from all 3 servers and one client
machine.

> Nslookup fails on any other server looking at server2 as
> DNS. If you ping server2's FQDN it fails (but it's OK on server2
> itself). Dcdiag and event logs show very little to help.

dcdiag is the important command line tool to check the DCs for errors. Please
post an unedited "dcdiag /v" and also "netdiag /v" from all DCs.

> Just wondering if anyone can give me some pointers. I have eliminated
> any physical possibilities like NIC drivers, switching, cabling etc.
> and am pretty sure it's DNS (things like this always seem to be DNS!)
> but I am kind of banging my head against a brick wall here. In
> essence, I need to get server2 to accept logins and allow server1 (or
> server3) to be an AD server. Then I can tackle the Exchange issue on
> server2.
>
> Thanks a lot guys.
>
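Meinolf's suspicion above is that inbound replication from server1 has been failing since April, i.e. longer than the 60-day tombstone lifetime that applies to a forest first built on Windows 2000, so any DC reconnected now would carry lingering objects. The script below is an added example (not from either poster) that reads the "repadmin /showrepl" report he asks for and flags partners whose last successful replication is older than that lifetime. The sample report, its GUIDs, times and the partition name "DC=school,DC=local" are all constructed for the example, and the 60-day value is an assumption about this forest.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of "repadmin /showrepl" output, laid out like the real
# tool's report; GUIDs, times and the partition name are made up for the example.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\SERVER2
DSA Options: IS_GC
==== INBOUND NEIGHBORS ======================================

DC=school,DC=local
    Default-First-Site-Name\\SERVER1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2008-08-11 23:10:15 failed, result 8453 (0x2105):
            Replication access was denied.
        117 consecutive failure(s).
        Last success @ 2008-04-14 09:12:03.

CN=Configuration,DC=school,DC=local
    Default-First-Site-Name\\SERVER3 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2008-08-11 23:10:20 was successful.
"""

STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
FMT = "%Y-%m-%d %H:%M:%S"
PARTNER_RE = re.compile(r"^\s+(\S+\\\S+) via \w+")          # "site\server via RPC"
SUCCESS_RE = re.compile(r"Last success @ " + STAMP)
OK_ATTEMPT_RE = re.compile(r"Last attempt @ " + STAMP + r" was successful")
FAIL_RE = re.compile(r"Last attempt @ " + STAMP + r" failed, result (\d+)")

def parse_showrepl(text):
    """Return one dict per inbound partner: partition, partner, last_success, error code."""
    partners, partition = [], None
    for line in text.splitlines():
        if line[:3] in ("DC=", "CN="):                     # unindented naming-context header
            partition = line.strip()
        elif PARTNER_RE.match(line):
            partners.append({"partition": partition, "partner": PARTNER_RE.match(line).group(1),
                             "last_success": None, "error": None})
        elif partners:
            m = OK_ATTEMPT_RE.search(line) or SUCCESS_RE.search(line)
            if m:
                partners[-1]["last_success"] = datetime.strptime(m.group(1), FMT)
            m = FAIL_RE.search(line)
            if m:
                partners[-1]["error"] = int(m.group(2))    # Win32 error, e.g. 8453 = access denied
    return partners

def stale_partners(text, now_stamp, lifetime_days=60):
    """Partners whose last successful inbound replication is older than the tombstone lifetime
    (assumed 60 days here); returns (partition, partner, age_in_days, last_error)."""
    now, lifetime, stale = datetime.strptime(now_stamp, FMT), timedelta(days=lifetime_days), []
    for p in parse_showrepl(text):
        if p["last_success"] is None or now - p["last_success"] > lifetime:
            age = (now - p["last_success"]).days if p["last_success"] else None
            stale.append((p["partition"], p["partner"], age, p["error"]))
    return stale
```

A partner that shows up in the stale list should not simply be reconnected; the checks Meinolf asks for (dcdiag, netdiag, ipconfig /all) come first, and the stale DC is normally rebuilt rather than allowed to replicate again.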