I have an AD Domain - Multiple domain controlers, multiple DNS servers.

The "first" Domain Controller for AD/DNS (originally upgraded from NT4.0)
had to be re-built (OS re-load). Since I had other DCs, I have all of my
user/computer account information recovered, but now, when I try to
re-install DNS, I cannot get AD integrated zones. I can bring up my *.local
zone and some of the AD componenets show up but no "ForestDNSZones" or
"DomanDNSZones" entries.

I also have a trust relationship with another AD domain that I cannot verify
and seems to be having issues. When I try to verify, one direction works
but the other cannot establish a Secure Channel. the error message refers
to not having a Computer Account for the "Workstation Trust". I have tried
completely eliminating and re-building the trust, both attempting both ends
from one domain and establishing the trust in each domain discretely. I
suspect that this is is realted to the DNS, in terms of a missing resource
record somewhere, but I can't really tell for sure.

Do I have to completely decommission the domain/forrest and attempt to
re-build from the "first" DC? If I do, what is the best method to recover
user account information, etc. which is still intact on two other DCs?

Have you run DCDiag or NetDiag yet? NetDiag /fix should be able to repair
the missing DNS entries.

Steve


"Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
news:OMy8v$bsHHA.1216@TK2MSFTNGP04.phx.gbl...
>I have an AD Domain - Multiple domain controlers, multiple DNS servers.
>
> The "first" Domain Controller for AD/DNS (originally upgraded from NT4.0)
> had to be re-built (OS re-load). Since I had other DCs, I have all of my
> user/computer account information recovered, but now, when I try to
> re-install DNS, I cannot get AD integrated zones. I can bring up my
> *.local zone and some of the AD componenets show up but no
> "ForestDNSZones" or "DomanDNSZones" entries.
>
> I also have a trust relationship with another AD domain that I cannot
> verify and seems to be having issues. When I try to verify, one direction
> works but the other cannot establish a Secure Channel. the error message
> refers to not having a Computer Account for the "Workstation Trust". I
> have tried completely eliminating and re-building the trust, both
> attempting both ends from one domain and establishing the trust in each
> domain discretely. I suspect that this is is realted to the DNS, in terms
> of a missing resource record somewhere, but I can't really tell for sure.
>
> Do I have to completely decommission the domain/forrest and attempt to
> re-build from the "first" DC? If I do, what is the best method to recover
> user account information, etc. which is still intact on two other DCs?
>

Hi
How did you removed that DC? Did you transfered all FSMO roles?
also check
How to Verify the Creation of SRV Records for a Domain Controller

http://support.microsoft.com/?id=241515


--
I hope that the information above s you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
news:OMy8v$bsHHA.1216@TK2MSFTNGP04.phx.gbl...
>I have an AD Domain - Multiple domain controlers, multiple DNS servers.
>
> The "first" Domain Controller for AD/DNS (originally upgraded from NT4.0)
> had to be re-built (OS re-load). Since I had other DCs, I have all of my
> user/computer account information recovered, but now, when I try to
> re-install DNS, I cannot get AD integrated zones. I can bring up my
> *.local zone and some of the AD componenets show up but no
> "ForestDNSZones" or "DomanDNSZones" entries.
>
> I also have a trust relationship with another AD domain that I cannot
> verify and seems to be having issues. When I try to verify, one direction
> works but the other cannot establish a Secure Channel. the error message
> refers to not having a Computer Account for the "Workstation Trust". I
> have tried completely eliminating and re-building the trust, both
> attempting both ends from one domain and establishing the trust in each
> domain discretely. I suspect that this is is realted to the DNS, in terms
> of a missing resource record somewhere, but I can't really tell for sure.
>
> Do I have to completely decommission the domain/forrest and attempt to
> re-build from the "first" DC? If I do, what is the best method to recover
> user account information, etc. which is still intact on two other DCs?
>

The DC with the good DNS was removed manually via AD Sites and Services as
unavailable for DCPROMO.

I have the Doman Naming and Schema FMSOs moved to another controller now via
NTDSUTIL.

I am still getting a "server failure" when I try to make a zone AD
integrated.

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:uuQxnfcsHHA.4548@TK2MSFTNGP04.phx.gbl...
> Hi
> How did you removed that DC? Did you transfered all FSMO roles?
> also check
> How to Verify the Creation of SRV Records for a Domain Controller
>
> http://support.microsoft.com/?id=241515
>
>
> --
> I hope that the information above s you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
> news:OMy8v$bsHHA.1216@TK2MSFTNGP04.phx.gbl...
>>I have an AD Domain - Multiple domain controlers, multiple DNS servers.
>>
>> The "first" Domain Controller for AD/DNS (originally upgraded from NT4.0)
>> had to be re-built (OS re-load). Since I had other DCs, I have all of my
>> user/computer account information recovered, but now, when I try to
>> re-install DNS, I cannot get AD integrated zones. I can bring up my
>> *.local zone and some of the AD componenets show up but no
>> "ForestDNSZones" or "DomanDNSZones" entries.
>>
>> I also have a trust relationship with another AD domain that I cannot
>> verify and seems to be having issues. When I try to verify, one
>> direction works but the other cannot establish a Secure Channel. the
>> error message refers to not having a Computer Account for the
>> "Workstation Trust". I have tried completely eliminating and re-building
>> the trust, both attempting both ends from one domain and establishing the
>> trust in each domain discretely. I suspect that this is is realted to
>> the DNS, in terms of a missing resource record somewhere, but I can't
>> really tell for sure.
>>
>> Do I have to completely decommission the domain/forrest and attempt to
>> re-build from the "first" DC? If I do, what is the best method to
>> recover user account information, etc. which is still intact on two other
>> DCs?
>>
>
>

Ok.
Refer to Steve post and check if you have any miss configuration.

--
I hope that the information above s you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
news:%23ESHVlesHHA.4800@TK2MSFTNGP05.phx.gbl...
> The DC with the good DNS was removed manually via AD Sites and Services as
> unavailable for DCPROMO.
>
> I have the Doman Naming and Schema FMSOs moved to another controller now
> via NTDSUTIL.
>
> I am still getting a "server failure" when I try to make a zone AD
> integrated.
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:uuQxnfcsHHA.4548@TK2MSFTNGP04.phx.gbl...
>> Hi
>> How did you removed that DC? Did you transfered all FSMO roles?
>> also check
>> How to Verify the Creation of SRV Records for a Domain Controller
>>
>> http://support.microsoft.com/?id=241515
>>
>>
>> --
>> I hope that the information above s you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
>> news:OMy8v$bsHHA.1216@TK2MSFTNGP04.phx.gbl...
>>>I have an AD Domain - Multiple domain controlers, multiple DNS servers.
>>>
>>> The "first" Domain Controller for AD/DNS (originally upgraded from
>>> NT4.0) had to be re-built (OS re-load). Since I had other DCs, I have
>>> all of my user/computer account information recovered, but now, when I
>>> try to re-install DNS, I cannot get AD integrated zones. I can bring up
>>> my *.local zone and some of the AD componenets show up but no
>>> "ForestDNSZones" or "DomanDNSZones" entries.
>>>
>>> I also have a trust relationship with another AD domain that I cannot
>>> verify and seems to be having issues. When I try to verify, one
>>> direction works but the other cannot establish a Secure Channel. the
>>> error message refers to not having a Computer Account for the
>>> "Workstation Trust". I have tried completely eliminating and
>>> re-building the trust, both attempting both ends from one domain and
>>> establishing the trust in each domain discretely. I suspect that this
>>> is is realted to the DNS, in terms of a missing resource record
>>> somewhere, but I can't really tell for sure.
>>>
>>> Do I have to completely decommission the domain/forrest and attempt to
>>> re-build from the "first" DC? If I do, what is the best method to
>>> recover user account information, etc. which is still intact on two
>>> other DCs?
>>>
>>
>>
>
>

Read inline please.

In news:%23ESHVlesHHA.4800@TK2MSFTNGP05.phx.gbl,
Christopher A. Newell <infosystems@shiawassee.net> typed:
> The DC with the good DNS was removed manually via AD Sites and
> Services as unavailable for DCPROMO.
>
> I have the Doman Naming and Schema FMSOs moved to another controller
> now via NTDSUTIL.
What about the PDC, Infrastructure, and RID FSMO roles?

How did you restore this DC?

>
> I am still getting a "server failure" when I try to make a zone AD
> integrated.







--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================

Thanks all.

The situation was more complex that I had imagined.

The DCs were not properly replicating, so I had to isolate them from
each other and use NTDSUTIL to force both to believe they had all of the
FSMOs, removing the other from each by claming it was permanently
unavailable in Sites-and-Services. Only then would DCPROMO run to remove
the role from the DC with the corrupt structure.
I had to do this in both forrests involved in the trust (in once case I
ended up formatting and re-loading the OS partition.)

One thing which may others in a similar scneario. I fund some
outdated DNS entries which replicated in the _msdcs. structure which also
had to be manually deleted. Oddly, we had the above process completed and
the trusts back working for almost 24 hours before this became a factor.
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:OwjbkqosHHA.1416@TK2MSFTNGP06.phx.gbl...
> Read inline please.
>
> In news:%23ESHVlesHHA.4800@TK2MSFTNGP05.phx.gbl,
> Christopher A. Newell <infosystems@shiawassee.net> typed:
>> The DC with the good DNS was removed manually via AD Sites and
>> Services as unavailable for DCPROMO.
>>
>> I have the Doman Naming and Schema FMSOs moved to another controller
>> now via NTDSUTIL.
> What about the PDC, Infrastructure, and RID FSMO roles?
>
> How did you restore this DC?
>
>>
>> I am still getting a "server failure" when I try to make a zone AD
>> integrated.
>
>
>
>
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This s
>
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> http://message.wftx.us/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oe.com/OEBackup/Default.aspx
> ===================================
>
>

Read inline please.

In news:edZOEHttHHA.4800@TK2MSFTNGP05.phx.gbl,
Christopher A. Newell <infosystems@shiawassee.net> typed:
> Thanks all.
>
> The situation was more complex that I had imagined.
>
> The DCs were not properly replicating, so I had to isolate them
> from each other and use NTDSUTIL to force both to believe they had
> all of the FSMOs, removing the other from each by claming it was
> permanently unavailable in Sites-and-Services. Only then would
> DCPROMO run to remove the role from the DC with the corrupt structure.
> I had to do this in both forrests involved in the trust (in once
> case I ended up formatting and re-loading the OS partition.)

I'm still unclear about if you followed the proper procedure to do this.
Here it is:

On the DC you are keeping:
1. Make the DC a global catalog.
313994 - How to create or move a global catalog in Windows Server 2003,
Windows 2000, or Small Business Server 2000:
http://support.microsoft.com/default...roduct=win2000

2. Use the ntdsutil tool to seize any or all of the five FSMO roles the DC
you are removing held.
255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller:
http://support.microsoft.com/default...roduct=win2000

3. Use ntdsutil to remove the other DC from its AD database.
216498 - HOW TO Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion:
http://support.microsoft.com/default...b;EN-US;216498

On the DC you are not keeping:
4: On the DC you are not going to keep, disconnected it from the rest of the
network and point it to itself for DNS, and run dcpromo /force

5. After dcpromo /force is completed, point it back to the DC you kept for
DNS, not to itself, you should also already have DNS installed on this DC,
then run dcpromo making it a replica Domain Controller.

6. If the zone is AD Integrated on the DC you kept, the zone should
replicate to this DC without further action from you. You should not create
the zone because it should already exist in AD.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================