Server 2008 R2 Active Directory no longer accessible. Netlogon Service will not start
(Server names and IPs have been changed for security.) Ok, here's the skinny. I had a 2003 DC called 'S1.domain.local' that I wanted to retire. It has existed happily and without any problems, as the one and only DC\file\print\dhcp\dns server in our small network since 2002 (yes that's right, nine years without issue!). All of our desktops however have been upgraded to Windows 7, and the server was now straining under some of our storage and application demands, plus we were having some weird share issues....time to replace it with a new 2008 R2 server.

Built the new server, shiny new black box, named it 'Temporary.domain.local' and successfully transferred all the roles from the old DC to the new one. Checked to make sure all the FSMO roles were successfully transferred, yep, all good...demoted the old server and removed all roles and it is now a lowly member server, but still holding all the network shares. For a couple of weeks the new DC has been running perfectly, all the event logs are running clean, no errors...yay, all perfect.

Today I decided to finally transfer all the shares to the new server, and rename it so I can reuse its name on the new server. That first part went off without a hitch. Then I wandered over to the new DC and tried the "Netdom computername" approach and got an access denied error. Ok, I'll do this the hard way. I went into the computer properties and used the GUI to make the change; we've a small network so it wouldn't take very long to replicate. Changed the name from "Temporary" to "S1" and received an error that I couldn't make the change as another computer in the network already had that name...hmm...already changed the name on the old server so that's not true. I opened DNS and cleared the resolver cache and then deleted any records that pointed to "S1.Domain.local" and then rebooted for good measure. What do you know...the server comes back up and its name has changed, even though it said it couldn't change it.
Worse still, the Netlogon service won't start and the AD is completely inaccessible...can't even change the name back. I figured it was a DNS problem so I deleted the forward and reverse lookups and recreated them, I've used the ipconfig /registerdns commands. I've tried the NETDOM computer name commands but I still get access denied. The Netlogon service seems to be the Achilles heel in all of this, but it refuses to start and provides a useless generic error that is completely useless. DCdiag returns a host name that looks like the hash and when I ping the new FQDN it responds with the same hash instead of an IP. I can't help but think that the problem is DNS but I'm thoroughly stumped.
April 23rd, 2011 3:59am

Just to ward off some of the obvious questions:
1) Netdom Query FSMO returns an error "The Specified Domain either does not exist or could not be contacted"
2) Using Ntdsutil to clear metadata fails as it can't connect to the server
3) Using Ntdsutil to seize the FSMO roles results in a "Server already knows about those roles"...no changes
4) Dcdiag /recreatemachineaccount doesn't work because it can't locate the machine...even though DNS is configured properly...I can ping it.
5) Dcdiag /fix provides the same error
6) Dcdiag in general won't run tests because it says it can't find the server (it keeps trying to query the old server name)
I have gone so far as to edit the registry and manually change all the instances of the old server name to the new in hopes that I might catch it...absolutely no change. I have no idea where it's storing the old name. It's not in the registry, it's not in the DNS, the Active Directory is not functioning and is inaccessible so it can't be pulling it from there...where else does it store names in the CN= format? The old server name keeps reappearing, i.e. CN=Temporary instead of CN=S1
April 23rd, 2011 6:33am

Did you change DNS to point to another DNS server, or was it pointing to itself? If it was pointing to itself, then you will get this type of error. You can run dcpromo /forceremoval to remove the domain and join it back again. Note: Before changing the DC name make sure its DNS points to another DNS server. Wait for some time for the changes to replicate. Then restart the DC.
April 25th, 2011 3:22am
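The reply above says a DC's DNS client should point at another DNS server before a rename. This added example (not from the thread or from any poster) lists the DNS servers each IP-enabled adapter uses on the local host and flags any that are the host's own addresses; it uses only WMI classes available on Server 2008 R2 / PowerShell 2.0.

```powershell
# Added example: report whether this host's DNS client points at itself.
# Uses Win32_NetworkAdapterConfiguration, which exists on Server 2008 R2.
function Get-DnsSelfPointing {
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    # Every address bound to this host, plus loopback, counts as "self".
    $localIps = @('127.0.0.1', '::1') + @($cfgs | ForEach-Object { $_.IPAddress })

    foreach ($cfg in $cfgs) {
        $servers = @($cfg.DNSServerSearchOrder)          # may be empty on some adapters
        $selfHits = @($servers | Where-Object { $localIps -contains $_ })
        $firstIsSelf = ($servers.Count -gt 0) -and ($localIps -contains $servers[0])

        New-Object PSObject -Property @{
            Adapter      = $cfg.Description
            DnsServers   = ($servers -join ', ')
            PointsToSelf = ($selfHits.Count -gt 0)   # any DNS entry is a local address
            FirstIsSelf  = $firstIsSelf              # the preferred DNS server is local
        }
    }
}

# Run it and list any adapter whose preferred DNS server is this machine.
Get-DnsSelfPointing |
    Select-Object Adapter, DnsServers, PointsToSelf, FirstIsSelf |
    Format-Table -AutoSize
```

Run it before and after changing the DNS client settings; a DC whose only DNS server is itself will show FirstIsSelf = True on its production adapter.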

No the problem was apparently because of that server rename glitch...definitely a bug in the OS. I ended up downloading a registry toolkit (because regedit still doesn't do this) and then doing a find and replace, having it find all instances of the new name and changing the value back to the old name. As soon as I did that, I rebooted and all was absolutely back to normal. Then I tried to use Netdom to rename it and it worked perfectly...has been running 4 days now without a single issue or a single error in the logs...problem solved
April 27th, 2011 1:31am

One big thing to point out, and in my opinion this is an enormous flaw, is that the reason this happened is because I initially didn't run the command prompt "As Administrator". The fact that I was logged on as an Administrator in all capacities seems to be irrelevant. Once I fixed the initial problem I ran CMD as administrator and then ran Netdom and that's when it worked. MS neglects to mention that added necessary step in their documentation on renaming a Domain Controller... If I have Administrative rights to a server then it should be assumed by that server that I have some semblance of sense and at least an inkling of what I'm doing. Coding the server OS to protect an Administrator from themselves just causes more problems than it's worth...leave that feature for the client OSes...they need it.
April 27th, 2011 1:39am

Hello, did you make the new DC also a DNS server and Global Catalog? You didn't mention these steps. Is the new DC/DNS registered in the DNS forward/reverse lookup zones with its A and name server records and also the (SRV) service records in the complete folder structure? Does the new DC have the netlogon/sysvol share available with all correct content? Renaming a DC is always a risky step and you should do it only if you have at least a system state backup of this DC or another DC/DNS/GC (which is highly recommended in a domain), so in case of problems you still have the domain up and running and as a worst case just disconnect the problem DC and run metadata cleanup.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 27th, 2011 4:45am

Hello, as all of this results in errors, the new DC is not working properly and DNS seems to be running badly. Editing the registry is NEVER required to rename a DC, so definitely something was done wrong during the rename process.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 27th, 2011 4:57am

Hello, what you see with the administrator is the new security concept implemented with Windows Server 2008 and higher OS versions. Even the administrator is limited and has to use RUNAS to elevate its permissions for some steps. Or you disable UAC completely, which of course lowers the security. "In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one. If UAC is disabled, then a user who is a member of the Administrators group has a token containing the Administrators group SID." From: http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 27th, 2011 5:02am
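The quoted TechNet text explains why Netdom failed from a non-elevated console: under UAC the Administrators SID is still in the token but marked deny-only. This added example (not from the thread or from Microsoft) inspects the current token from PowerShell and shows the difference between "member of Administrators" and "effectively an administrator"; it uses only .NET 2.0 classes and whoami.exe, both present on Server 2008 R2.

```powershell
# Added example: is this console's token filtered by UAC?
# BUILTIN\Administrators is the well-known SID S-1-5-32-544.
function Test-AdminTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    # Groups lists every SID in the token regardless of attributes, so this only
    # tells us whether the account belongs to Administrators at all.
    $memberOfAdmins = @($identity.Groups | Where-Object { $_.Value -eq $adminSid.Value }).Count -gt 0

    # IsInRole honours the SID attributes: a deny-only Administrators SID yields $false,
    # which is exactly what Netdom and other admin tools run into from a normal console.
    $effectiveAdmin = $principal.IsInRole($adminRole)

    # whoami /groups exposes the per-group attributes; the filtered token shows
    # "Group used for deny only" on the Administrators row.
    $denyOnlyRows = @(whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq $adminSid.Value -and $_.Attributes -match 'deny only' })

    New-Object PSObject -Property @{
        User                   = $identity.Name
        MemberOfAdministrators = $memberOfAdmins
        TokenIsElevated        = $effectiveAdmin
        AdminSidDenyOnly       = ($denyOnlyRows.Count -gt 0)
    }
}

Test-AdminTokenState |
    Select-Object User, MemberOfAdministrators, TokenIsElevated, AdminSidDenyOnly |
    Format-List
```

From a plain console an admin account reports MemberOfAdministrators True, TokenIsElevated False and AdminSidDenyOnly True; from a console started with "Run as administrator" the last two flip, which is the state the DC rename needs.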

Hello, so if you still need some help please provide the following output files:
ipconfig /all >c:\ipconfig.txt [from each DC/DNS server]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
As the output will become large, DON'T post them into the thread, please use Windows SkyDrive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB. There is no problem if you change server names and domain names as long as the format is kept. Please check before uploading that the output files are readable; sometimes the formatting is broken and a one-liner is shown instead of the correct output.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 27th, 2011 5:04am
