
I had a primary domain controller on machine A and a secondary one on machine B in my AD domain. Due to some hardware/software problems, I decided to migrate the role of primary domain controller to machine B. Unfortunately, machine A has totally crashed and does not boot. Now I cannot even log in to machine B (which itself was a controller in the domain). I need to log in to machine B and then choose it as the primary controller. I had already synced DNS and AD info when machine A was alive.

Can anyone provide an idea?

Hosm

4 Answers

Hrmmm.. I would suspect this is due to the global catalog and FSMO roles no longer being available. It SOUNDS like you just promoted a second DC without moving some of the other things over.

So some questions for you and I'll revise my answer as you respond:

1) Stop using the terms primary and secondary; these are deprecated and no longer applicable. It's a distributed directory system. Some machines are "in charge" of certain things, but no one server is primary if designed right.

2) Is DNS resolving and responding to queries on the second server?

3) Are you absolutely certain the primary is not salvageable?

4) Do you have domain controllers at other sites perhaps?

SpacemanSpiff
  • SpacemanSpiff! thanks a lot for your answer, now DNS is being resolved on the second server. BTW, I don't think it is recoverable and I haven't any other DC. – Hosm Feb 23 '11 at 00:31
  • I'm not so experienced with Windows, On Linux I'd login locally and fix it. I'm wondering is there any similar method for Windows. – Hosm Feb 23 '11 at 00:36
  • Make sure that the DNS client settings on the server are currently set to loopback 127.0.0.1, as the other DNS server is not available. It should let you log in as domain Administrator at least. Can you get to directory services recovery mode? – SpacemanSpiff Feb 23 '11 at 01:49
  • As I said, I cannot log in to the second server since it says "The specified domain either does not exist or could not be contacted" – Hosm Feb 23 '11 at 02:31
  • There's a recovery console you can boot into from install media. – Kara Marfia Feb 23 '11 at 04:05
  • Directory services recovery may re-enable the local SAM database and allow a local admin to login so you can adjust the DNS settings. I suspect it's looking for an SRV record and since the server's own DNS client may be pointed to a down server, you're not getting a response. – SpacemanSpiff Feb 23 '11 at 05:12
  • I set the DNS on the second server to point to itself, but it does not log in with a domain account. Using NTTAC auth, I did a test and now I'm sure that all user credentials have been replicated on the second server. I'm wondering why I cannot make it independent from the dead server. – Hosm Feb 24 '11 at 06:20
  • You may be out of luck here. If the secondary was not a global catalog server, it's missing some of the forest schema. Download an LDAP test tool and see if you can authenticate directly to this Domain Controller. This might be worth a call to Microsoft. – SpacemanSpiff Feb 24 '11 at 14:19

Try booting in DSRM (directory restore service mode); you should be able to log in using the local administrator account.

Bimo Arioseno
  • Unfortunately, I have lost the local password of the PDC, but I'm logging in to the secondary using local credentials – Hosm Feb 24 '11 at 06:18

You don't specify any details as to why you can't log into the second DC (I will refer to this as SECONDARY and the first controller as PRIMARY) - is it password denied, or cannot contact domain?

At a guess, on SECONDARY, you have configured its DNS to point at PRIMARY only. So even though it is a domain controller itself, the logon process for the server has a dependency on PRIMARY.

To resolve it, boot SECONDARY into DSRM (i.e. safe mode) and configure 127.0.0.1 as a secondary DNS server. You should then be able to reboot into AD and log in with your normal Domain Admin account.

Neobyte
  • I logged into the second server using the administrator account and set its DNS to itself, but still I cannot log in to it using a domain account – Hosm Feb 24 '11 at 06:17

I have almost come up with the solution to the problem using ntdsutil.exe. Using NTTAC I made sure that passwords have been replicated on the second server; hence, I just seized the FSMO, RID, PDC roles for the second server.

Now I can log in to the second server using domain admin accounts. There's still a strange problem: when I reboot the second server, it loses the seized roles and does not log in again, and I have to log in locally and seize the roles again.

Hosm
  • Is this server designated as a GC server? Some of the FSMO roles are for the domain, and some are for the forest. I would think only a GC can hold the forest roles. – SpacemanSpiff Feb 25 '11 at 02:39
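The checks the thread circles around (which DC holds the FSMO roles, whether the survivor is a Global Catalog, whether its DNS client can find the domain locator records) can be scripted on the surviving DC. This is an added example, not code from any of the posters; it assumes Windows Server 2008 R2 or later with the ActiveDirectory PowerShell module, an elevated session on the surviving DC, and the placeholder names DC-B (survivor) and DC-A (crashed).

```powershell
# Added example: verify and, if needed, seize FSMO roles on the surviving DC
# and confirm it is a Global Catalog. Placeholder names below are assumptions.
Import-Module ActiveDirectory

$Survivor = 'DC-B'   # surviving domain controller (placeholder)
$DeadDc   = 'DC-A'   # crashed domain controller (placeholder)
$domain   = Get-ADDomain
$forest   = Get-ADForest

# 1. Current holders of the five FSMO roles. Any role still listed against
#    the dead DC is a candidate cause of logon, RID and time problems.
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 2. Seize, not transfer: the previous holder is gone for good. -Force makes
#    the cmdlet fall back to seizure when the current owner cannot be reached.
$roles = 'PDCEmulator','RIDMaster','InfrastructureMaster',
         'SchemaMaster','DomainNamingMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
    -OperationMasterRole $roles -Force -Confirm:$false

# 3. Forest-wide roles and domain logons rely on a Global Catalog. If the
#    survivor is not one, set the IS_GC flag on its NTDS Settings object and
#    wait for Directory Service event 1119 before relying on it.
$dc = Get-ADDomainController -Identity $Survivor
if (-not $dc.IsGlobalCatalog) {
    repadmin /options $Survivor +IS_GC
}

# 4. The DC locates its own domain through SRV records, so its DNS client
#    must point at itself (127.0.0.1 or its own address), never only at $DeadDc.
#    This query must return the survivor, not the crashed server.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" 127.0.0.1

# 5. Afterwards, remove the dead DC's metadata (ntdsutil "metadata cleanup",
#    or delete its NTDS Settings object in Active Directory Sites and Services
#    on 2008 and later) so replication and clients stop referring to $DeadDc.
```

If the seized roles appear to revert after a reboot, re-run step 1 after the restart: the role holders shown there, together with the IsGlobalCatalog value from step 3, tell you whether the seizure actually persisted in the directory or whether the DC is merely failing to locate itself through DNS at startup.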