
Original DC is down, now group policy doesn't work

Status
Not open for further replies.

silverspecv

Programmer
Oct 31, 2003
125
US
I had a single DC on the LAN, so I added a second one, and then eventually the first one's hard drive crashed, so it is completely down, unrecoverable. I thought everything would be fine on the secondary controller, but my group policies don't work. I can add users and manage their passwords via the new DC, so it is at least semi-functional. There are other glitches that let me know something is wrong, such as adding new users, and I get a message saying that it can't confirm if the new user is unique, etc.. but those are minor annoyances.. The current REAL problem is that my terminal server now allows any joe user to turn off the server via shutdown!! When I try to edit the group policy of an OU, it says "the domain controller for group policy operations is unavailable".. I have file/print sharing turned on and the whatchacallit helper service running. The DC's DNS was not pointed to itself, so I did that, but it didn't help. I ran netdiag /fix and dcdiag /fix, that didn't work either.. I have to think it is still trying to authenticate something with the old crashed server, but I can't tell what. Any ideas? Can I post up some more info that would help?
 
had you moved any of the FSMO roles over to the 2nd server after you dcpromo'd it? if not, you will need to seize all 5 of those roles. also, if server #2 was not a global catalog, make it one. this will get your domain closer to its original state. then you can trouble-shoot the gp issue. a re-boot will probably be necessary after seizing the roles. ntdsutil.exe will be your friend for this process.

check out this link:
scottie
 
Thanks, buddafish.. you're right, the answer is definitely in there somewhere. I hadn't done anything with fsmo roles yet. I used ntdsutil with somewhat ambiguous results. I tried seizing each of the roles repeatedly. Some of them seemed to seize while others failed, but I'm not sure. Anyway, I rebooted afterward, and now I don't get that error message when I try to edit group policies, but the policy does not seem to be in effect on the terminal server that the gpo applies to. I did a force refresh on it and tried again a few minutes later, and the security was still wide open.. I'll wait a little longer and try again. If it still doesn't work, I'll start over the dcdiag, netdiag, and ntdsutil and post the "errors" if they are indeed errors.. they're sorta cryptic

Oh yeah, does the terminal server have to be configured to use the dc as its primary dns server?
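
After a seizure with mixed results like the one described in the thread, `netdom query fsmo` lists the current holder of each of the five roles. The following is an added example, not code from the thread: it parses that output and reports any role still assigned to a host other than the surviving DC. The role labels are assumed from the tool's usual output, and the hostnames and sample output are constructed.

```python
import re

# Role labels as printed by `netdom query fsmo`; older and newer builds of
# the tool word them differently (assumed from known output formats).
ROLE_LABELS = {
    "schema master": "Schema", "schema owner": "Schema",
    "domain naming master": "DomainNaming", "domain role owner": "DomainNaming",
    "pdc": "PDC", "pdc role": "PDC",
    "rid pool manager": "RID",
    "infrastructure master": "Infrastructure",
    "infrastructure owner": "Infrastructure",
}
ALL_ROLES = {"Schema", "DomainNaming", "PDC", "RID", "Infrastructure"}

def parse_fsmo(output):
    """Map each FSMO role to the host that netdom reports as its holder."""
    holders = {}
    for line in output.splitlines():
        # Label and host are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2 and parts[0].lower() in ROLE_LABELS:
            holders[ROLE_LABELS[parts[0].lower()]] = parts[1].lower()
    return holders

def audit_fsmo(output, surviving_dc):
    """Return (roles held by another host, roles absent from the output)."""
    holders = parse_fsmo(output)
    stale = {r: h for r, h in holders.items() if h != surviving_dc.lower()}
    missing = sorted(ALL_ROLES - set(holders))
    return stale, missing

# Constructed sample: a partially successful seizure, hostnames invented.
SAMPLE = """\
Schema master               dc2.corp.example
Domain naming master        dc2.corp.example
PDC                         dc1.corp.example
RID pool manager            dc2.corp.example
Infrastructure master       dc1.corp.example
The command completed successfully.
"""

if __name__ == "__main__":
    stale, missing = audit_fsmo(SAMPLE, "dc2.corp.example")
    for role, host in sorted(stale.items()):
        print(f"{role}: still assigned to {host}, seizure did not take")
    for role in missing:
        print(f"{role}: not reported by netdom")
```

In the constructed sample the PDC role is one of those left on the dead host; the Group Policy editor targets the PDC emulator by default, which matches the "domain controller for group policy operations is unavailable" message quoted in the first post.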
 