netlogon using wrong DC

I have an odd scenario. I have a DC (win2003 but ADPREP'd to 2008) we'll
call DC1 that needs to be turned off.

Because of the odd scenario, DC2 has forcefully taken over FSMO roles
from DC1. All references to DC1 have been removed in AD and DNS. As far
as DC2 knows, DC1 doesn't exist.

Similarly, DC1 doesn't have any data about DC2 (had some stale data
which I've removed).

DC1 and DC2 are on different subnets and firewall rules prevent them
from contacting each other.

I have a couple production servers that still authenticate against DC1
(in the same subnet) and don't know about DC2. I need to get them using
DC2 without disrupting the services running (ie: no reboot).

New servers in the DC1 subnet join/auth just fine with DC2, so firewall
rules are correct there.

I thought I could just stop netlogon, delete the cache file, change the
DNS server to DC2, fire netlogon back up and away I'd go.

But it's not working.

When netlogon is stopped, if I run nltest /dsgetdc:domainname I get the
correct answer, DC2. When I start netlogon back up and run the same
command, it's back to DC1.

I've disabled NetBIOS over TCP/IP and LMHOSTS lookups. Didn't affect.

I did notice there were some registry entries that referred to DC1.
Could those be being used by netlogon?


-- 
BWPhx

BWPhx
11/30/2009 10:58:02 PM

Hello BWPhx,

Is DC1 removed from the domain now or not? You wrote "All references to DC1 
have been removed in AD and DNS" and later on "DC1 and DC2 are on different 
subnets and firewall rules prevent ".

If a DC is demoted correctly you still have to check AD Sites and Services to 
remove it there as well (that is not done during demotion); also, if it was a DNS 
server, you have to check/clean up all old DNS entries from it.

For the existing machines make sure they use the correct DNS servers on the 
NIC and run ipconfig /flushdns and ipconfig /registerdns. Make sure they 
are able to register without any error. Now run netdiag /fix on them.

If you have a firewall in place you MUST make sure that it is configured 
to have ALL ports open for AD replication:
http://technet.microsoft.com/en-us/library/bb727063.aspx

http://support.microsoft.com/kb/555381

http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx

http://support.microsoft.com/kb/179442/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 


Meinolf
12/1/2009 7:05:13 AM
I would suggest you read an article I wrote on Decommissioning a DC.  This 
will guide you in the proper steps to help remove your old DC.
http://www.pbbergs.com/windows/articles.htm

-- 
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"BWPhx" <BWPhx.42hlvd@DoNotSpam.com> wrote in message 
news:BWPhx.42hlvd@DoNotSpam.com...


Paul
12/1/2009 1:37:42 PM
This is where I said it was an odd scenario. DC1 was forcefully removed
from DC2, which resides on a different subnet so there is no chance
they'll communicate with each other because of firewall rules I've
specifically put into place.

However, because of how we were using NAT, I couldn't take DC1 offline
for a small number of servers. I've worked around the NAT issue now and
need to get those few servers talking to DC2 without taking them offline
(critical apps).

Once they've all been changed to see DC2, I can offline DC1 for good.

I'm beyond the point where I can do anything with DC1 as far as dcpromo
is concerned, I believe. As far as it knows, it's a standalone DC at this
point.

Regarding firewall rules and such, that's not the problem. I have new
servers in that NAT'd subnet talking to DC2 just fine.

I could easily do this by rejoining the domain, but that requires a
reboot when complete that I cannot do at the moment. Additionally, I
have a couple MSCS clusters running SQL and it scares the u-know-what
out of me to rejoin a domain on those servers.

All the computer accounts are in DC2, so I just need to force those
boxes to look at DC2.

I've tried the ipconfig /flushdns and /registerdns to no avail. I
haven't tried the netdiag /fix on the member servers though. I'll give
that a shot.


-- 
BWPhx

BWPhx
12/1/2009 4:29:10 PM
Thank you all for your input, but it's clear I've been unable to
represent my intentions or situation correctly. Everyone here is talking
about re-introducing DC1 into the domain and that is not at all what I
want or need to do. I'm talking solely about the
members/clients/computers/servers - whatever you want to call them.


-- 
BWPhx

BWPhx
12/2/2009 4:40:12 PM
"BWPhx" <BWPhx.42kujb@DoNotSpam.com> wrote in message 
news:BWPhx.42kujb@DoNotSpam.com...

I guess your description of your intentions was not clear, possibly due to 
DC1 being pulled out of the domain, terminology, etc.

If the problem is just the workstation latching on to the wrong DC, then it 
indicates the old DC1 box is still referenced in the AD database, if you 
haven't removed it physically by performing a Metadata Cleanup process.

The reason your clients are still 'finding' DC1, which I am assuming you 
don't want them to find DC1 to use as a logon server or as a server to 
authenticate to, is because AD still thinks it exists.

This is because when you seize the 5 FSMO roles (PDC Emulator, RID Master, 
Schema Master, Domain Naming Master and Infrastructure Master), it doesn't 
pull the reference out of the AD database nor does it pull it out of DNS 
(the entries will still exist because the server still exists in its eyes), 
nor out of the Sites and Services server list. It has to be manually deleted 
from Sites and Services and DNS, only after you run the Metadata Cleanup 
procedure.

How to remove data in Active Directory after an unsuccessful domain 
controller demotion Windows 2000 and 2003
http://support.microsoft.com/kb/216498
or
Cleanup Metadata Windows 2003
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

If Windows 2008:
Cleanup Server Metadata Windows 2008 (GUI Based)
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Also, if any of the workstations are at the other subnet or location where 
DC1 still exists, and you try to move them to DC2's location, the 
secure channel is skewed because of a number of reasons, one being the secure 
password, Kerberos and the time stamp of the Kerb ticket, etc. Nltest and 
netdom may not be able to fix that. You will literally need to disjoin and 
rejoin the workstation.

I hope I was able to understand the problem.

Ace



Ace
12/2/2009 9:35:55 PM
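As an added example (not code from any poster in this thread), a PowerShell script that runs the member-server checks discussed above: it looks up the DNS SRV record the DC locator starts from, forces a DC lookup past Netlogon's in-memory cache (the cache the original poster restarted Netlogon to clear), shows which DC the machine's secure channel currently uses, and optionally resets that secure channel to DC2 without a reboot, which is the non-rejoin route Ace says may or may not work. The domain name, DC names and output parsing are assumptions for illustration; the nltest switches used (/dsgetdc with /force, /sc_query, /sc_reset, /sc_verify) are standard.

```powershell
# Added example: report which DC a member server locates and, on request,
# re-point its secure channel to the new DC without rebooting.
# Domain and DC names below are placeholders, not values from the thread.
param(
    [string]$Domain = "corp.example.com",   # placeholder domain name
    [string]$OldDc  = "DC1",                # DC that must no longer be used
    [string]$NewDc  = "DC2",                # DC the server should use instead
    [switch]$ResetSecureChannel             # actually re-point, not just report
)

function Test-DnsDcRecords {
    # The DC locator begins with this SRV record. If the DNS server the member
    # uses still answers with the old DC, Netlogon will find it again after
    # every restart no matter how often its cache is cleared.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
    Write-Host "SRV records for _ldap._tcp.dc._msdcs.$Domain :"
    Write-Host $out
    if ($out -match "\b$OldDc\b") {
        Write-Warning "$OldDc still appears in the DNS answer (as the DNS server or as an SRV target)."
        return $false
    }
    return $true
}

function Get-LocatedDc {
    # /force makes nltest ignore Netlogon's cached DC and perform a fresh
    # locator query, so the result reflects DNS and site, not history.
    $out = & nltest "/dsgetdc:$Domain" /force 2>&1 | Out-String
    # Assumed output shape: a line such as "           DC: \\DC2.corp.example.com"
    if ($out -match "DC:\s+\\\\(\S+)") { return $Matches[1] }
    Write-Warning "nltest /dsgetdc failed:`n$out"
    return $null
}

function Get-SecureChannelDc {
    # Which DC the computer account's secure channel is currently bound to.
    $out = & nltest "/sc_query:$Domain" 2>&1 | Out-String
    # Assumed output shape: "Trusted DC Name \\DC2.corp.example.com"
    if ($out -match "Trusted DC Name\s+\\\\(\S+)") { return $Matches[1] }
    return $null
}

$dnsClean = Test-DnsDcRecords
$located  = Get-LocatedDc
$channel  = Get-SecureChannelDc
Write-Host "DNS free of $OldDc        : $dnsClean"
Write-Host "Locator (cache bypassed) : $located"
Write-Host "Current secure channel   : $channel"

if ($channel -and $channel -match "^$OldDc(\.|$)") {
    if ($ResetSecureChannel) {
        # Re-establish the computer account's secure channel with the new DC.
        # No reboot is needed. If the machine account password or Kerberos
        # state is out of sync this fails, and a disjoin/rejoin remains the
        # only option, as the last reply above notes.
        & nltest "/sc_reset:$Domain\$NewDc"
        & nltest "/sc_verify:$Domain"
    } else {
        Write-Host "Secure channel still points at $OldDc; rerun with -ResetSecureChannel to move it to $NewDc."
    }
}
```

Run it first without -ResetSecureChannel to see whether DNS, the locator and the secure channel disagree; if DNS still returns the old DC, fix DNS (and the metadata) before resetting anything on the members.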
hi, all I have a piece of code like this: CMyMainDlg::OnAdd() //Title: "File manager" { CMyAddDlg dlg; //Title: "Add a file" dlg.DoModal(); } I want to get the window handle of CMyAddDlg. Becuase there are more than one instance on my box at the same time, I need to find all of them out and also I need to know which parent window has which child window! How to do this with FindWindow() and FindWindowEx() or is there some better solution? Thanks Nicky wrote: > hi, all > > I have a piece of code like this: > CMyMainDlg::OnAdd() ...