
isolated DC fails to run


peterve

IS-IT--Management
Mar 19, 2000
1,348
NL
I have a single forest with 3 domains (1 top domain, a child domain, and a 'grandchild' domain). Each domain has 2 DCs.

domain.com : 2 DCs
child.domain.com : 2 DCs
local.child.domain.com : 2 DCs

The first DC in domain.com holds the RID, schema, etc. FSMO roles.

Each domain's first DC holds the PDC emulator FSMO role.
Every DC is a GC.

I converted one of the DCs from local.child.domain.com into a VMware machine, isolated from the rest of the network. The DC has network connectivity to an isolated switch, but not to the rest of the network.
The DC boots and allows me to log on with the domain administrator account. However, AD/DNS/... is not working (so I guess I'm logged on with cached credentials).

The event logs show all kinds of errors - some of them are caused by the fact that the DC cannot talk to other sites/DCs, etc.; others are caused by other reasons, but they all seem pretty valid to me, because the DC is isolated.

The problem is: the DC simply doesn't work. When I open AD U&C, I get an error stating that a DC (or domain) cannot be found...

The DC has the same IP configuration as the 'live' one, same hostname, etc.

I have no clue where to start first - I just don't understand why this DC doesn't want to run by itself. It is the first DC of a separate domain, so why can't it run by itself (for a while)?

any ideas/suggestions ?

thanks





--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
---------------------------------------------------------------
 
If it's completely isolated, is it ever going to be back in the original network, or are you building it as a lab? If you're using it for lab purposes, you need to seize the FSMO roles to it.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Lab purposes - it's never coming back to the original network...

Do I need to seize *all* of the FSMO roles to it?
Do I need to use ntdsutil or something else?

This situation brings up another question:
What will happen to the live production environment if the connection to the RID/schema master/... is temporarily lost?

In other words: do I have a single point of failure in my AD? I can't just go around and seize roles if connectivity is gone for a couple of hours... after all, I won't have access to distributed DCs if connectivity is gone.
Local users still need to be able to authenticate, though.








 
Can I seize the roles from within AD restore services mode (without the domain admin user/password)?

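Seizing the roles to the isolated DC, as asked in the two posts above (whether all five, and whether with ntdsutil), as an added example that is not part of the thread. The DC name is a placeholder; everything else is standard ntdsutil syntax. It assumes the clone will never be reconnected to production, because a seized role on a copy while the original holder is still live leaves two holders of the same role in one forest.

```powershell
# Added example (not from the thread): seize all five FSMO roles to an isolated
# lab DC with ntdsutil, then verify. ntdsutil takes its interactive commands as
# quoted command-line arguments, so the whole sequence can be scripted.
#
# Assumptions: the clone is LABDC1 (hypothetical name) in local.child.domain.com,
# you are logged on interactively as a member of Domain Admins, Enterprise Admins
# and Schema Admins (the two forest-wide roles need the latter two), and the VM
# will never be reconnected to production.

$Server = 'LABDC1'

# Windows 2000 spells the second role "seize domain naming master";
# Windows Server 2003 and later use "seize naming master".
$NamingRoleCmd = 'seize naming master'

$ntdsutilArgs = @(
    'roles',
    'connections',
    "connect to server $Server",
    'quit',
    'seize schema master',
    $NamingRoleCmd,
    'seize RID master',
    'seize PDC',
    'seize infrastructure master',
    'quit',
    'quit'
)

# Each seize first attempts a graceful transfer from the old holder; on an
# isolated DC that attempt has to time out before the seizure proceeds, and
# ntdsutil pops a Yes/No confirmation dialog for every role, so keep the
# console in view.
& ntdsutil.exe @ntdsutilArgs

# Verification: every line should name $Server. netdom and dcdiag come from the
# Windows 2000/2003 Support Tools (assumed installed on the VM).
& netdom.exe query fsmo
& dcdiag.exe /s:$Server /test:KnowsOfRoleHolders /v
```

The roles menu of ntdsutil connects to the DC over LDAP, so this runs in normal mode with the directory service started; it does not work from Directory Services Restore Mode, where the DSRM password only gives a local logon and NTDS is stopped.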
 
Part of the problem is that you converted your DC to a VMware box. Did you actually demote the box before installing VMware? VMware adds another network layer, so it's possible your DNS services are all pointing to internal VMware network IPs for your DC on top of the one you already have. Take a look at DNS and remove all entries that point to the VMware IP assignments for your host.
Hope this helps.
 
I did not demote - I need the box for a DRP test, which will be executed isolated from the network. I just converted the DC into a VMware copy.
You've indicated that I should look at the VMware network layer... where should I look? I only have 1 network card in the VMware server, and it's the VMware NIC, and its IP settings are correct.

In fact (here comes the whole story):
I'm figuring out a way to allow a local engineer to rebuild their local AD without having a Domain Admin account.
All the local engineer has is the Directory Restore password, so I figured:

- I will build a VMware copy of the DC
- the engineer can go into Restore mode, and replace the ntds.dit file with the latest backup
- boot the DC and it will work


We tried other scenarios, but I always end up at the point where I need to allow local admin access or domain admin access to that person.
I won't be able to go in and type in the domain admin password myself; they have to be able to do it themselves.

(So rebuilding the system and doing an in-place restore of AD won't work, because that will overwrite the registry, and the network interfaces are different on the DRP system... so they'll lose connectivity again, and they won't be able to solve that themselves.)

any other tips ?


 
Take a look at the DNS console. Once you have installed VMware, what happens is your DC will register itself not only with its main IP but with the IP used as a default gateway for a VMware network. Check all host records, service records, etc.
 
I can't open the DNS console...

I guess there must be something wrong with the stack or so, because I just cloned a DC that was installed within VMware; and when I run that DC in an isolated environment, it runs fine.

any ideas ?

 
I can already confirm that seizing the FSMO roles has nothing to do with it.
I tried the same scenario with a DC that was originally installed in a VMware environment...
I cloned it, ran it in an isolated environment... and it worked fine out of the box.

So I guess it has something to do with physical-to-virtual and the fact that the network interface is different in the VMware environment.

I had the old machine (the one that caused the problems) still running, and guess what... after waiting for a while, the DC decided to start running... so I think it must be trying to bind to network interfaces that don't exist anymore... wait for timeout... and eventually it can bind to the vmware nic... ? does that make sense ?
If so, how can I clean this up ?

thanks



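The "binding to network interfaces that don't exist anymore" symptom in the post above is the classic leftover of a physical-to-virtual conversion: the old NICs survive in the registry as non-present devices, still carrying their bindings and IP configuration. Below is an added example, not from the thread, that lists those ghost adapters and removes them; the devcon path and the function names are this example's own assumptions.

```powershell
# Added example (not from the thread): list and remove the "non-present" network
# adapters that a physical-to-virtual conversion leaves behind in the registry.
# The old NICs still have bindings and an IP configuration, so services wait on
# them at boot until they time out.
#
# Assumptions: devcon.exe (Windows DDK / Support Tools) is at the path below,
# PowerShell is available on the converted VM, and the script runs elevated on
# the isolated clone only. Function and variable names are this example's own.

$Devcon = 'C:\Tools\devcon.exe'   # assumed location

function Get-DevconInstanceId {
    param([string[]]$DevconArgs)
    # devcon prints one "INSTANCE_ID: Friendly Name" line per device followed by
    # a "N matching device(s) found." summary; keep only the instance IDs.
    & $Devcon @DevconArgs | ForEach-Object {
        if ($_ -match '^(\S+)\s*:\s') { $Matches[1] }
    }
}

function Get-GhostNic {
    # "findall" lists every device ever installed in the class, "find" only the
    # ones currently present; the difference is the set of ghost adapters.
    $all     = @(Get-DevconInstanceId -DevconArgs 'findall', '=net')
    $present = @(Get-DevconInstanceId -DevconArgs 'find', '=net')
    $all | Where-Object { $present -notcontains $_ }
}

function Remove-GhostNic {
    param([switch]$Remove)   # without -Remove this is a dry run
    foreach ($id in Get-GhostNic) {
        if ($Remove) {
            # The leading "@" tells devcon the argument is an exact instance ID.
            & $Devcon remove "@$id"
        } else {
            "ghost adapter: $id"
        }
    }
}

# Manual alternative: make Device Manager show non-present devices for this
# session, then View > Show hidden devices and uninstall the old physical NICs.
$env:DEVMGR_SHOW_NONPRESENT_DEVICES = '1'
# Start-Process devmgmt.msc

Remove-GhostNic             # review the list first
# Remove-GhostNic -Remove   # then reboot and re-check with ipconfig /all and dcdiag
```

Run the dry run first and compare the listed instance IDs with the adapter the VM actually uses; only the old physical NICs should appear. After removal and a reboot, check with ipconfig /all that only the VMware NIC remains, and let the DC re-register itself in DNS before testing AD again.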
 
I did some tests with a VMware DC, and restored it onto VMware.


I'll try the same procedure with a physical-to-VMware machine next week - I guess I will only have to fix the HAL/driver issues in addition to the problems I've discovered while doing a VMware-to-VMware.

 