+ Reply to Thread
Results 1 to 6 of 6
  1. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #1

    Default Real world root DC Demote/Promote question

    Hi folks,

    Let me preface this with saying that I'm just finishing up my MCSA (about halfway through 291) and have started a new job as a network engineer/admin. I have a good working knowledge of AD but not so much from a multi-domain standpoint. In the network I inherited there are multiple child domains from one root in a single forest. The root domain is used for nothing more than it's parent abilities to our site/child domains. No file serving, user processing, DHCP or other services bar being a 2ndary DNS server for the site in which it is located. Since this was my first week I started off by going through the event logs and fixing things up, I noticed there were some replication issues between the Child domain DC and the parent at my site (mainly DNS replication). Further investigation showed that while DNS is setup as an AD integrated Zone on the primary DC (Child) the option is greyed out on the Parent DC....which I know usually means it is not hosted on a DC at all. I ran repadmin and got successful replication reports from the Child DC to the other Child domains at our different sites. The Parent DC only shows replication to the Child DC at our (the same) site. DCDIAG on the Parent DC is successfuly with one exception, the Machine account, stating that (as was show in the DNS properties) that the server does not have a DC account....even though it is the ONLY DC for the parent domain, and under server roles it is shown as being one. As I just said though it is the only DC in the parent domain.
    My current thinking is to install a second server and promote it to DC in the parent domain temporarily, give it time to replicate (and of course backup the problematic DC), then demote the old and promote it again to hopefully resolve it's identity crisis. The only thing I am worried about in this scanario is that the issue itself affects replication.

    What I realy would like to know is just how tolerant a domain tree is of issues with the root/parent domain? Would it be enough to restore the system state after demotion/promotion in the event the initial AD data is lost. And what kind of impact it's downtime would have on the rest of the domain....Not much huh?...

    Any help would be GREATLY appreciated.

    Cheers
    Reply With Quote Quote  

  2. SS -->
  3. Senior Member
    Join Date
    Jun 2006
    Location
    Tampa Bay
    Posts
    1,266

    Certifications
    MCSA 2000, MCSE 2003, Exchange 2000, CCNA, CCNA Security, CNE, A+, Network+, Security+
    #2
    It might help to know what version OS the DCs are. 2003 has quite a bit of flexibility on how you replicate DNS information within AD whereas in 2000, it can only replicate the zone along with the domain replication, which means it can only replicate the zone with other DCs in the same domain.

    But when you have DNS problems, what I usually do with a client is have them set up a DNS zone for the domain (in your case that would be the root zone) and not use AD integrated, so you don't get into the chicken/egg situation where AD replication relies on DNS, but DNS relies on AD replication, so you get into a deadlock.
    Once you have the DNS zone not relying on AD replication to be correct, have all DCs in the domain use that one DNS server for resolution. Then run Netdiag /fix on all DCs using that DNS server.

    How are you addressing child domain resolution for the root domain hosts? It has to be able to resolve records for the child domains in order to be able to find and reach the child domain DCs and their services. Also the reverse is true: the child domains have to be able to resolve resource records for the root domain.
    Reply With Quote Quote  

  4. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #3
    Hi and thanks for replying. Should have been specific about the OS, apologies. Both are Win2k3 but the Forest and subdomains are all in Win2k native mode. I'm not at the office at the mo. and can't get specifics but the Root domain DC is resolving the child domains correctly from what I can see, it has the Child domain DC at the same site as it's primary DNS....Odd I know, the guy I replaced was an NT head and kinda built the company domains in that vein, DNS and an efficient AD setup didn't figure into things, at least that what it seems like. We're having fun reconsolidating our domains to work more efficiently with AD. Ah well it's a learning experience and that can't be bad.
    Reply With Quote Quote  

  5. Senior Member
    Join Date
    Jun 2006
    Location
    Tampa Bay
    Posts
    1,266

    Certifications
    MCSA 2000, MCSE 2003, Exchange 2000, CCNA, CCNA Security, CNE, A+, Network+, Security+
    #4
    It seems like you may not grasp the concepts of DNS zones, replication and resolution, or else not presenting the whole picture we need. Each DC is a host that have DNS client services in the TCP stack, as do other machines such as member servers and workstations. All the DCs have to be able to resolve all domains in the forest, either directly or indirectly. DNS clients will not go polling various DNS servers. They will query the primary DNS server ONLY, unless that server is offline or busy and doesn't respond at all.

    So, if a DC of the child domain had DNS services, and only had the zone for its own domain, and there were no other mechanism configured in the DNS server service to resolve other domains, and the DC DNS client service had the primary DNS being itself, it would have no way of resolving other domains. Now it seems that you may have DNS resolution working upstream from the child domains to the root, but what about the other way around? Can the root domain DCs resolve the child domains?

    Have you run Netdiag on your DCs and observe the DNS test? If that test fails, all bets are off for other aspects of AD.
    Reply With Quote Quote  

  6. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #5
    Apologies for the delay in replying, it's one of my own pet hates to have someone ask a question and then disappear, was just travelling a lot for work and didn't get any time to get back to this. Many thanks for all the advice Danman I appreciate the time you spent on it. I had installed a 2ndary server and was a few days away from trying the demote/promote when we had a visit from one of our software vendors, who also happens to be an AD god (And I do not use the term lightly). Took him all of 30 seconds to fix. Just in case anyone else has anything similar happen here was the solution.

    On the newly installed 2ndary server:
    Open ADSIEDIT and go to DOMAIN / DC=(Domain)..../OU=Domain Controllers/CN=(ServerName), right click to get the properties and scroll down to userAccountControl, double click it and copy the numeric value.

    On the problematic server do the same but paste the numeric value from the working server.

    Dcdiag reports all is fine and we're replicating fully (it was affecting the forest level GPO propagation).
    Reply With Quote Quote  

  7. Coffee anyone? rossonieri#1's Avatar
    Join Date
    Jun 2003
    Posts
    800

    Certifications
    a few...
    #6
    hello,

    how about promote the new DC first - then demote the other one.
    specify - this is not the last DC in domain.

    cheers; )
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks