DC no longer a DC?

[JBruyet]

Hey all,

I'm tracking down a problem with my Exchange server and just noticed that my domain controller, DC2 is no longer listed in the Domain Controllers group. I was able to find it in my Computers group on DC2, but in the Computers group on DC3 the account was disabled. I enabled the account and waited for DC2 to show back up as a domain controller but it hasn't happened yet. Should I dcpromo it out and then back in again? Any ideas on how I can prevent this from happening again?

Thanks,

Joe B

 

[58sniper]

If you run dcdiag from each DC, what do they say?

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.

http://www.ucblogs.net/blogs/exchange/

 

[JBruyet]

58sniper, when I run dcdiag I see several replication failures like this one:

[Replications Check,SRV-DC2] A recent replication attempt failed:
From SRV-DC3 to SRV-DC2
Naming Context: DC=ForestDnsZones,DC=link,DC=com
The replication generated an error (8453):
Replication access was denied.
The failure occurred at 2008-11-09 07:51:33.
The last success occurred at 2008-10-16 15:46:56.
571 failures have occurred since the last success.
The machine account for the destination SRV-DC2.
is not configured properly.
Check the userAccountControl field.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.

The repadmin/syncall doesn't help either. Any ideas? Also, I think I'll start running dcdiag, netdiag and maybe replmon (and maybe a few others) on a regular basis. That and go through my logs a lot more often.

Thanks,

Joe B

 

[JBruyet]

Oops, you said "both" domain controllers. Here's what I get from DC3:

Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SRV-DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SRV-DC2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION-RECEIVED LATENCY WARNING
SRV-DC3: Current time is 2008-11-09 08:51:52.
DC=ForestDnsZones,DC=link,DC=com
Last replication recieved from SRV-DC2 at 2008-10-16 10:50:29.
DC=DomainDnsZones,DC=link,DC=com
Last replication recieved from SRV-DC2 at 2008-10-16 10:52:06.
......................... SRV-DC3 passed test Replications

Ideas? Suggestions? Recommendations?

Thanks,

JOe B

 

[JBruyet]

In addtion to all that, and in reference about what I said about DC2's computer account not being in the DC group but in the Computers group, here's another thing I noticed in my dcdiag output:

Starting test: MachineAccount
* The current DC is not in the domain controller's OU
The account SRV-DC2 is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of SRV-DC2 is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = (UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?

Yeah, it's affecting replication. In fact, when I run dcdiag on DC3 the only errors I get are two references to not being able to replicate with DC2. The problem lies with DC2 but I'm not sure how to go about fixing it. My gut feeling is that I should dcpromo DC2 back down from being a domain controller and then dcpromo it backup to being a domain controller. BUT, would that fix it or am I looking at a different kind of problem?

Thanks,

Joe B