# Solved: Problem with 2 domain controllers



## nexxevo

At our office we originally had 1 domain controller and 1 Exchange server. We moved these servers to another location and we added another domain controller. It seems that the 2nd domain controller was causing issues, so we tried to remove it. The 2nd domain controller now thinks it's the primary DC and the original DC is now saying "Operations master: Error" under the RID, PDC, and Infrastructure tabs.

Any suggestions?


----------



## Rockn

Did you make sure what roles each server was running prior to removing any of them from the network? Did you transfer roles?


----------



## nexxevo

Unfortunately I did not. But it's almost as if the 2nd DC is "half on". The 2nd DC is the one I wanted to get rid of. Do you think that if I just clicked Change it would take over the role on the 1st one?


----------



## Rockn

Is the server you removed still available to be on the network? What version of Windows Server was the new domain controller? The second domain controller will pretty much only be "half on" as it does not have all of the roles it needs to do its job.


----------



## nexxevo

Yes the 2nd DC is still available. It is still powered on.


----------



## Rockn

Read this regarding transferring and seizing roles.

http://support.microsoft.com/kb/255504

Should give you an idea of what you need to do.


----------



## nexxevo

Thanks for the KB article. I did read this earlier. I am just nervous that I may have to rebuild the DC. That wouldn't be such a problem, but I have never rebuilt a DC that had an Exchange server connected to it.


----------



## Rockn

So you have set up the Exchange Server on a domain controller?

You should probably attempt to fix any issues you are having prior to doing any removal or transferring of server roles. Did you try to set this new DC as the first DC in the domain... which you should not do btw, and I don't think AD would let you.


----------



## nexxevo

Servers:
- A: DC1
- B: DC2
- C: Exchange

Server A and server C were in the organization first.

Server B came along about a year later (originally as a Backup Exec server) and we decided to turn it into a second DC.

Server B was causing some issues with the Backup Exec stuff, so we made the decision to remove it. But somehow it would not go away.

Now server A does some strange stuff:
- operations master is in an error state


----------



## nexxevo

When I go onto server A and go to group policies, I have to select group policies from any available domain.


----------



## Rockn

Can you post the roles that each DC server is running? Have you run DCDIAG on each DC server?
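
The inventory Rockn is asking for, as an added example that is not part of the original thread: list the FSMO role holders, the DCs the directory still believes exist, and the targeted dcdiag/repadmin checks, from an elevated prompt on one of the DCs. netdom, dcdiag and repadmin are present on Server 2003 and later; the ActiveDirectory PowerShell module assumed here needs Server 2008 R2 or RSAT, which is an assumption about this environment.

```powershell
# Added example, not from the thread: inventory FSMO role holders and check
# replication health BEFORE demoting or removing any DC. Run elevated on a DC.
# Assumption: the ActiveDirectory module is available (Server 2008 R2 / RSAT);
# netdom, dcdiag and repadmin also work on Server 2003.

# 1. Who holds the five roles right now
netdom query fsmo

# Same answer through the AD module, captured as an object
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Every DC the directory still knows about. A DC that was only "half removed"
#    still shows up here even when it no longer answers on the network.
$dcs = Get-ADDomainController -Filter * |
       Select-Object Name, HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem
$dcs | Format-Table -AutoSize

# 3. Targeted dcdiag tests against each DC from this machine's point of view.
#    KnowsOfRoleHolders and FsmoCheck fail exactly when a role holder cannot be bound.
foreach ($dc in $dcs.HostName) {
    "==== $dc ===="
    dcdiag /s:$dc /test:Connectivity /test:KnowsOfRoleHolders /test:FsmoCheck /test:Replications /test:Advertising
}

# 4. Replication summary for the whole forest, then only the failing links
repadmin /replsummary
repadmin /showrepl * /errorsonly
```

Run this on both DCs and compare: if each side names a different role holder, or one side cannot bind to the holder the other side reports, the directory is already split and roles should not be transferred or seized until you know which copy is authoritative.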


----------



## nexxevo

OK, I did a little bit more checking on this. I have not run DCDIAG on the 2nd one yet. But this is what I found out. Hope this sheds more light on what is going on.

When I got onto DC2, went into Active Directory Users and Computers, right-clicked on the domain, went to Connect to Domain Controller and selected DC1, I was able to connect no problem. But when I did the same thing from DC1 to DC2 it told me:

The following domain controller could not be contacted: dc2.mydomainname.com.
The RPC server is unavailable


----------



## Rockn

Run DCDIAG on both.

Look under troubleshooting RPC errors:
http://technet.microsoft.com/en-us/library/bb727057.aspx#ECAA

Is the time and date correct on both domain controllers?


----------



## nexxevo

Yes it is. Same time zones / times / dates.


----------



## nexxevo

Another new issue I have found is that on DC1, when you go into the group policy to edit it, it says "domain controller not found for xxxx.domain.com" and it gives me 3 options:
- The one with the operations master token for the PDC emulator
- The one used by the Active Directory snap-ins
- Use any available domain controller.

When I select the 1st option it gives me this error:
- Group Policy error: failed to find a domain controller. There may be a policy that prevents you from selecting another domain controller.
Details: Logon failure: the target account name is incorrect.

If I select either of the other 2, my GPOs show up.


----------



## Rockn

Are you ever going to run DCDIAG?


----------



## nexxevo

Yeesh. Yes. I will get it posted in about 5 minutes.


----------



## nexxevo

From the first domain controller in our environment:

Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests

Testing server: Default-First-Site-Name\OAK
Starting test: Connectivity
......................... OAK passed test Connectivity
Doing primary tests

Testing server: Default-First-Site-Name\OAK
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
OAK: Current time is 2011-08-26 12:32:11.
DC=ForestDnsZones,DC=xxxxxx,DC=xxxxxx,DC=com
Last replication recieved from CEDAR at 2010-11-22 08:46:57.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=DomainDnsZones,DC=xxxxxx,DC=xxxxxx,DC=com
Last replication recieved from CEDAR at 2010-11-22 08:46:57.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Schema,CN=Configuration,DC=xxxxxx,DC=xxxxxx,DC=com
Last replication recieved from CEDAR at 2010-11-22 08:46:57.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=xxxxxx,DC=xxxxxx,DC=com
Last replication recieved from CEDAR at 2010-11-22 09:29:07.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=xxxxxx,DC=xxxxxx,DC=com
Last replication recieved from CEDAR at 2010-11-22 09:39:33.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... OAK passed test Replications
Starting test: NCSecDesc
......................... OAK passed test NCSecDesc
Starting test: NetLogons
......................... OAK passed test NetLogons
Starting test: Advertising
......................... OAK passed test Advertising
Starting test: KnowsOfRoleHolders
[CEDAR] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: CEDAR is the PDC Owner, but is not responding to DS RPC Bind.
[CEDAR] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: CEDAR is the PDC Owner, but is not responding to LDAP Bind.
Warning: CEDAR is the Rid Owner, but is not responding to DS RPC Bind.
Warning: CEDAR is the Rid Owner, but is not responding to LDAP Bind.
Warning: CEDAR is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
Warning: CEDAR is the Infrastructure Update Owner, but is not responding to LDAP Bind.
......................... OAK failed test KnowsOfRoleHolders
Starting test: RidManager
......................... OAK failed test RidManager
Starting test: MachineAccount
......................... OAK passed test MachineAccount
Starting test: Services
IsmServ Service is stopped on [OAK]
......................... OAK failed test Services
Starting test: ObjectsReplicated
......................... OAK passed test ObjectsReplicated
Starting test: frssysvol
......................... OAK passed test frssysvol
Starting test: frsevent
......................... OAK passed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80000785
Time Generated: 08/26/2011 12:28:42
Event String: The attempt to establish a replication link for
An Warning Event occured. EventID: 0x80000785
Time Generated: 08/26/2011 12:28:42
Event String: The attempt to establish a replication link for
......................... OAK failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 08/26/2011 12:13:42
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/26/2011 12:13:42
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/26/2011 12:24:07
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/26/2011 12:24:08
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 08/26/2011 12:32:11
Event String: The kerberos client received a
......................... OAK failed test systemlog
Starting test: VerifyReferences
......................... OAK passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : xxxxxx
Starting test: CrossRefValidation
......................... xxxxxx passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... xxxxxx passed test CheckSDRefDom

Running enterprise tests on : xxxxxx.xxxxxx.com
Starting test: Intersite
......................... xxxxxx.xxxxxx.com passed test Intersite
Starting test: FsmoCheck
......................... xxxxxx.xxxxxx.com passed test FsmoCheck


----------



## nexxevo

From the 2nd DC that we wanted to get rid of:

Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests

Testing server: Default-First-Site-Name\CEDAR
Starting test: Connectivity
......................... CEDAR passed test Connectivity
Doing primary tests

Testing server: Default-First-Site-Name\CEDAR
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source OAK
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source OAK
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... CEDAR passed test Replications
Starting test: NCSecDesc
......................... CEDAR passed test NCSecDesc
Starting test: NetLogons
......................... CEDAR passed test NetLogons
Starting test: Advertising
......................... CEDAR passed test Advertising
Starting test: KnowsOfRoleHolders
......................... CEDAR passed test KnowsOfRoleHolders
Starting test: RidManager
......................... CEDAR passed test RidManager
Starting test: MachineAccount
......................... CEDAR passed test MachineAccount
Starting test: Services
......................... CEDAR passed test Services
Starting test: ObjectsReplicated
......................... CEDAR passed test ObjectsReplicated
Starting test: frssysvol
......................... CEDAR passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems. 
......................... CEDAR failed test frsevent
Starting test: kccevent
......................... CEDAR passed test kccevent
Starting test: systemlog
......................... CEDAR passed test systemlog
Starting test: VerifyReferences
Some objects relating to the DC CEDAR have problems: 
[1] Problem: Missing Expected Value
Base Object:
CN=CEDAR,OU=Domain Controllers,DC=xxxxxx,DC=xxxxxx,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

[1] Problem: Missing Expected Value
Base Object:
CN=NTDS Settings,CN=CEDAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxx,DC=xxxxxx,DC=com
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... CEDAR failed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : xxxxxx
Starting test: CrossRefValidation
......................... xxxxxx passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... xxxxxx passed test CheckSDRefDom

Running enterprise tests on : xxxxxx.xxxxxx.com
Starting test: Intersite
......................... xxxxxx.xxxxxx.com passed test Intersite
Starting test: FsmoCheck
......................... xxxxxx.xxxxxx.com passed test FsmoCheck


----------



## nexxevo

Sorry about the time, btw; it was 10 min.


----------



## Rockn

There is no replication going on at all between your domain controllers. You were wanting to get rid of the CEDAR server that holds the FSMO roles needed for proper DNS and AD operations. Fix the issues with CEDAR and the replication will probably start up and correct itself. Did you by chance try to demote CEDAR without transferring roles to the other server? Or possibly delete or move the server object out of the server OU in AD Users and Computers?
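
Before deciding between "fix CEDAR" and "remove CEDAR", the one number that matters is how the last-replication timestamps in the OAK dcdiag output compare with the forest's tombstone lifetime. The script below is an added example, not part of the thread: it reads the tombstone lifetime from the Configuration partition, pulls the same per-partition "last success" data dcdiag printed (via repadmin's CSV output), and gives a verdict. $Partner is a placeholder for the DC that fails DS RPC / LDAP bind; the repair steps at the end are the KB 288167 / netdom resetpwd procedure and are deliberately not executed unless you flip the switch.

```powershell
# Added example, not from the thread: decide whether a non-replicating DC can be
# repaired or must be cut off. Run elevated on the healthy DC (OAK in the thread).
# Assumptions: PowerShell 2.0+ and the repadmin/netdom tools; $Partner is a placeholder.
$Partner = 'CEDAR'
$RepairSecureChannel = $false   # set to $true only after reading the verdict below

# 1. Tombstone lifetime (TSL) in effect for this forest. An unset attribute means
#    60 days (forests created before Server 2003 SP1); newer forests carry 180.
$cfgNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
$tslProp = $dsObj.Properties['tombstoneLifetime']
$tsl     = if ($tslProp.Count -gt 0) { [int]$tslProp[0] } else { 60 }
"Tombstone lifetime: $tsl days"

# 2. Last successful inbound replication from $Partner, per naming context.
#    repadmin /csv returns the data dcdiag printed as parseable rows.
$rows  = repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv
$links = foreach ($r in $rows) {
    if ($r.'Source DSA' -ne $Partner) { continue }
    $last = $r.'Last Success Time' -as [datetime]
    [pscustomobject]@{
        NamingContext = $r.'Naming Context'
        LastSuccess   = $last
        DaysBehind    = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
        Failures      = [int]$r.'Number of Failures'
        LastStatus    = $r.'Last Failure Status'
    }
}
$links | Format-Table -AutoSize

# 3. Verdict. Once a partner is more than TSL days behind, this DC has already
#    garbage-collected tombstones the partner never received. Forcing replication
#    back from the partner can resurrect deleted objects (lingering objects), so
#    the safe path is forced demotion plus metadata cleanup, not repair.
$overTsl = @($links | Where-Object { $null -eq $_.LastSuccess -or $_.DaysBehind -gt $tsl })
if ($overTsl.Count -gt 0) {
    "$Partner is beyond the tombstone lifetime on $($overTsl.Count) partition(s): remove it, do not repair."
    return
}
"$Partner is within TSL: repair the Kerberos / secure channel problem and let replication catch up."

# 4. 'The target principal name is incorrect' and dcdiag's systemlog entries are
#    Kerberos client event ID 4 (KRB_AP_ERR_MODIFIED): the two DCs disagree about a
#    machine account password. Show the recent events, then optionally reset the
#    password of THIS DC against the partner (KB 288167 procedure).
Get-EventLog -LogName System -Newest 200 |
    Where-Object { $_.EventID -eq 4 -and $_.Source -like '*Kerberos*' } |
    Select-Object -First 5 TimeGenerated, Source, Message | Format-List

if ($RepairSecureChannel) {
    Stop-Service kdc                      # stop the local KDC so tickets are not issued mid-reset
    klist purge                           # Server 2008+; on 2003 use kerbtray to purge tickets
    netdom resetpwd /Server:$Partner /UserD:"$env:USERDOMAIN\$env:USERNAME" /PasswordD:*
    Start-Service kdc
    repadmin /syncall $env:COMPUTERNAME /AeP   # force a full sync and watch for errors
}
```

In this thread the OAK output shows every partition last replicated from CEDAR in November 2010 against a check run in August 2011, well over the 60-day lifetime dcdiag itself warns about, so the script's first branch applies: the practitioner's caveat is that even if the RPC/Kerberos fault is repaired, CEDAR must not be allowed to replicate back into OAK.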


----------



## nexxevo

I think we may have attempted both...

I don't think we knew that when you set up another domain controller it transfers the primary roles. I read that is what happens when you put up another DC on the network.


----------



## Rockn

I am not sure what to tell you as to how to proceed since it sounds like you are not sure what you have even done when you added a second DC. Which server is the one you want to remove as a DC?


----------



## nexxevo

Alright. So I fixed the issues.

The issue I was having was that one DC could not connect to the other DC (via UNC path \\servername). So this link helped me a lot.
http://support.microsoft.com/?id=288167

It also fixed my issue with connecting via Active Directory Users and Computers.

I was able to seize the FSMO roles by following both of these:
http://www.pcreview.co.uk/forums/error-ntdsutil-t1449581.html
http://www.petri.co.il/seizing_fsmo_roles.htm

Now I have 1 domain controller and I am going to rebuild the other one.

Thank you Rockn for stickin' with me.
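
What the two seize links describe, as an added example that is not part of the original thread: seize all five roles onto the surviving DC and purge the dead DC's metadata before it is rebuilt. The server names follow the thread (OAK survives, CEDAR is removed) and are placeholders; the script assumes the ActiveDirectory module (Server 2008 R2 or later) and notes the ntdsutil equivalents in comments for older servers.

```powershell
# Added example, not from the thread: seize FSMO roles onto the surviving DC and
# clean the removed DC's metadata. Assumes the ActiveDirectory module (2008 R2+).
Import-Module ActiveDirectory
$Survivor = 'OAK'     # placeholder: the DC that keeps running
$DeadDC   = 'CEDAR'   # placeholder: the DC being removed and rebuilt

# Safety check: never seize while the old holder still answers. A seized role holder
# that comes back online gives you two PDC emulators and overlapping RID pools.
if (Test-Connection -ComputerName $DeadDC -Count 1 -Quiet) {
    throw "$DeadDC still responds. Transfer the roles gracefully, or power it off first."
}

# 1. Seize all five roles. -Force seizes only if the current holder cannot be reached.
#    ntdsutil equivalent (Server 2003): ntdsutil "roles" "connections" "connect to server OAK" q
#      "seize schema master" "seize naming master" "seize PDC" "seize RID master"
#      "seize infrastructure master" q q
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Metadata cleanup. On Server 2008 and later, deleting the dead DC's NTDS Settings
#    object makes the directory remove its replication links, role references and
#    FRS member objects itself (same effect as ntdsutil "metadata cleanup"
#    "remove selected server <DN>"; use that form on Server 2003).
$cfg  = (Get-ADRootDSE).configurationNamingContext
$site = (Get-ADDomainController -Identity $Survivor).Site   # assumes both DCs shared one site
$ntds = "CN=NTDS Settings,CN=$DeadDC,CN=Servers,CN=$site,CN=Sites,$cfg"
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=$DeadDC,CN=Servers,CN=$site,CN=Sites,$cfg" -SearchScope OneLevel |
    Remove-ADObject -Recursive -Confirm:$false

# Then the now-empty server object, the DC's computer account, and any FRS member
# object left behind (the VerifyReferences errors in the thread point at these).
Get-ADObject -LDAPFilter "(cn=$DeadDC)" -SearchBase "CN=Servers,CN=$site,CN=Sites,$cfg" -SearchScope OneLevel |
    Remove-ADObject -Recursive -Confirm:$false
Get-ADComputer -Filter "Name -eq '$DeadDC'" | Remove-ADObject -Recursive -Confirm:$false
$sysvolDn = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -LDAPFilter "(cn=$DeadDC)" -SearchBase $sysvolDn -SearchScope OneLevel |
    Remove-ADObject -Recursive -Confirm:$false

# 3. Verify: every role names $Survivor and $DeadDC appears nowhere.
netdom query fsmo
Get-ADDomainController -Filter * | Select-Object Name, HostName, Site
repadmin /showrepl $Survivor
dcdiag /s:$Survivor /test:KnowsOfRoleHolders /test:FsmoCheck /test:VerifyReferences
# Also delete the old DC's A, CNAME (_msdcs GUID) and SRV records in DNS (dnsmgmt.msc
# or dnscmd) before re-promoting a rebuilt $DeadDC, or it inherits stale locator records.
```

Two points a practitioner would insist on here: the old DC is rebuilt from a fresh OS install, never re-attached with its old directory database, and the role seizure is done exactly once on the DC you intend to keep; running it against both DCs, or letting the old holder back onto the network, recreates the split this thread started with.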


----------

