Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PDC lost name in AD

Status
Not open for further replies.
rflora

rflora

Technical User
Nov 26, 2003
80
CA
Hello,

Any ideas on this? My domain controllers name is missing from the Domain Controller's list. I realized this when I noticed a bunch of error in event viewer. I tried to demote it, but I get messages saying it's a FSMO etc. Should I transfer control to another server and then demote and promote? Thanks.
 
Sort by date Sort by votes
<sigh> You don't have a PDC...but I digress.

What are the errors in the logs?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Upvote 0 Downvote
If you have other Domain Controllers available then yes transfer the roles if possible. If they won't transfer due to a catastrophic DC failure of some sort, you could always use dcpromo /forceremoval to kill AD on that box and then seize the roles on another DC. If this is your only DC, then I wouldn't remove Active Directory :)
 
Upvote 0 Downvote
What are the implications of doing this? Remove AD and seizing? I do have another DC by the way.
 
Upvote 0 Downvote
Find out what FSMO roles this server holds;

on both dcs

netdom query fsmo

both DCs should agree on which server holds which roles

if the DCs agree on which one has the roles then try and transfer roles;


If they won't transfer then you will have to seize them


Should the DCs give you different results on which server hodls the FSMO roles then post back with those results and the errors you see in the event logs.


Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Upvote 0 Downvote
Thanks, will get back to in an hour or so.
 
Upvote 0 Downvote
Trying to resolve an issue without first trying to discover why the error exists isn't the best approach. You say you had a bunch of errors in your log files...I think it's important that you first try to determine what went wrong before trying to fix it...since you may be "fixing" the wrong thing.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Upvote 0 Downvote
Here's what happened. I have two production servers, R1 & B1. I restored R1 from an image as a disaster recovery test. Once it was restored, I believe it was left plugged on to the production network. I then renamed the restored server from R1 to testdomain. So now when I go in AD on B1 (production server), under Domains Controllers I only see B1 and testdomain! So AD thinks I renamed production R1 to testdomain. That's what the problem is.

Here's the result of the fsmo query on production R1 and B1

C:\Program Files\Support Tools>netdom query fsmo
Schema owner testdomain.HQ.local

Domain role owner testdomain.HQ.local

PDC role testdomain.HQ.local

RID pool manager testdomain.HQ.local

Infrastructure owner testdomain.HQ.local

The command completed successfully.

I need to solve this asap any help is much appreciated.
 
Upvote 0 Downvote
rflora said:
it was left plugged on to the production network. I then renamed the restored server from R1 to testdomain.
Click to expand...

rflora said:
So AD thinks I renamed production R1 to testdomain. That's what the problem is.
Click to expand...

That's because that's what you did. If it was plugged into the network when you renamed it, then the results you see are correct (and by design). I don't see where that is a "problem", other than that's not what you meant to do.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Upvote 0 Downvote
Pat is correct...you've renamed the server and are just seeing that result. So, you're test was successful, but you renamed it to testdomain. I'd DCPROMO testdomain out, rename it, then DCPROMO it back in as R1. You can't just plug R1 back in (your real production server) because the SID's won't be right.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Upvote 0 Downvote
You're right, but how do I get my production R1 back in AD and in action? The testdomain doesn't exist anymore, I had to restore something else on that machine.

Now I basically have B1 which is in AD which is doing all the authentications. I tried doing dcprom on R1 but it doesn't let me because it can't authenticate anywhere. Should I do dcpromo /forceremoval and seize ? Please tell me exactly what steps I should take as this is a production server.

Thanks.
 
Upvote 0 Downvote
Just let me make sure i understand this;

You restored an image of your R1 server to another physical server and left it plugged into you production LAN, is that correct?? If so then the SIDS on 2 servers would now be identical and AD has no way of knowing which is the correct server.
You then renamed the server you restored the image onto to testdomain and you now see that in ADUC in the domain controllers container but don't see your original R1 server anymore??

If I am understanding you correctly then this is a prime example of why you never ever use imaging for domain controllers and restore that image onto servers connected to your production network. This can cause USN rollbacks, duplicate SIDS.

What errors do you get when you try to dcpromo R1 now, you said something about it can't authenticate but what is the exact error??
The domain contrller you see in the domain controllers container called testdomain is that still on line or was that the test server that has now been used for something else??

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
Upvote 0 Downvote
OK, I'm back at this. Sorry for posting so late. Pagy, everything you said up there is correct. I renamed it to testdomain and left it connected to the network. Now I don't see R1 anymore but I see test domain.

The testdomain domain controller does not exist anymore as I used that machine to test restoration of something else.

The exact error I get when I do dcpromo is as follows.

The Operation failed because:
A domain controller could not be contacted for the domain fl.local that contained an account for this computer. Make the computer a member of a workgroup then rejoin before retrying the promotion.

"The security database on the server does not have a computer account for this workstation trust relationship.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
629
suncit
suncit
ravalos
  • Locked
  • Question
Problem with PDFs in IIS
Replies
1
Views
901
gbaughma
gbaughma
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
255
DrB0b
DrB0b
Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
483
Aquiles Vidal
Aquiles Vidal
DTGMI
  • Locked
  • Question
WIN 10 Pro PC &amp; Adding back to our Network
Replies
0
Views
416
DTGMI
DTGMI

Part and Inventory Search

Sponsor

Back
Top