Channel: Directory Services forum

Windows Server 2003 Standard Ed, Problem After DCPromo as Secondary DC for Existing Domain, once already having secondary DC


Hello, I am hoping not to need to demote our DC2 back to a member server and then promote it back up again, but the following is the situation.

We have an integrated active directory network with one DC (DC1) running W2k3 Enterprise, x64, SP2, being the primary domain controller.

We did have two DCs prior; however, DC2 became corrupted. We ended up needing to seize the roles away from it, and then we corrected AD in our domain's (PDC) DC1.

Effectively, we had to force DC2 down, as AD would not allow having DC2's AD removed gracefully from the network, or from itself.

After running ADSI & NtdsUtil when removing the aforementioned older DC, the single DC1 in our domain was running fine from what we could tell and from the tests after using these tools (ADSI & NtdsUtil).

Our forest / domain level is 2000 native, Schema version 30.

(NOTE: We have a W2k server running on site)

Once we re-installed W2k3 on the old DC(2) server, we updated it to SP2, with up-to-date patches, then joined it to the domain as a member server. We then DCPromo'd DC2, and we saw errors as we thought we would; however, we also saw errors past the first 2 hours, and continued to see errors on the newly raised DC through a week, as you will see below.

Currently, it is as if DC2 is not a fully recognized secondary domain controller.

It is currently not replicating with DC1, the KCC is not running, and Kerberos is not running.

Some additional facts:

When I open Explorer and type in “\\domain.com\sysvol”, from either DC1 or DC2, then right-click on domain properties, the DFS active partition path is DC1 (\\DC1.DomainName.com\Sysvol). Under Explorer, I see the following under “\\Domain.com\Sysvol”:

\\domain.com\SysVol

\\domain.com\SysVol\domain.com

\\domain.com\SysVol\domain.com\Policies (...Has all 7 policies)

\\domain.com\SysVol\sysvol

\\domain.com\SysVol\sysvol\domain.com

\\domain.com\SysVol\sysvol\domain.com\Policies (...Has 2 policies)

I also ran the NetDom Query FSMO role holder for the domain, and both show DC1 having all 5 roles; however, on both the DCs they do not recognize DC2 as any FSMO role holder.

Following are some test results run against our DC1 & promoted DC2:

DC1

Currently, DC1 has no Application, System, or Directory Service errors since a few days past. However, replication, i.e. KCC, has not run since the error showed, and then showing will be shut down.

The main DNS Manager shows four sets of reverse records (225.in-addr.arpa, 127.in-addr.arpa, 0.in-addr.arpa, and 1.168.192.in-addr.arpa), whereas the created mmc will show the only and correct set “1.168.192.in-addr.arpa”.

One item I know I will perform is to re-do the reverse DNS zones.

DC2 still shows many errors: Application Error Events 13, 1030, 1058.

DC1 & DC2 can ping, and see each other under nslookup, and DC2 is in the list of Domain Controllers.

What I am hoping to find (and is this realistic, and am I seeing what's needed?) is: is there a way to complete, or ‘force’, the finishing of DCPROMO, and to allow the various replicating folders and files to be readable and to allow DC2 to function in this domain?

From the various tests run and posted at skydrive.live.com (ADSI, IPConfigAll, RepAdmin, NtdsUtil, DnsLint, ADReplicationStatus, DCDiag, NetDiag, NetShIpsecDynamicShowAll, NsLookup, ReplAdmin), can there be a fix to this situation?

Please see all tests run at this link:

 

DC1&DC2Tests

I look forward to any help that may assist me in finding a solution to this issue in this Forum.  =)

Thanks all!

WerkMann

