Server 2008R2 Domain Partially Missing

Mike Hammett 1 Reputation point
2020-11-05T01:56:04.157+00:00

I have a Server 2008R2 domain controller. I run Azure AD Connect to sync the AD up to Azure so I can authenticate my Office 365 against it. Azure AD Connect stopped syncing. I went looking as to why.

I discovered that DNS was not running on the server anymore. It couldn't load the AD zones because AD wasn't up. I did indeed see errors in AD.

I went to check my Server 2019 domain controller, only to figure out that it wasn't a domain controller after all.

I have a pair of old Server 2003 boxes that were still domain controllers but powered down. I powered them up. One of them still has DNS running and is mostly complete. I did a variety of restarts and troubleshooting to see why my 2008 box wasn't coming back alive, but no success. If I point the NIC DNS to the 2003 box running DNS, dcdiag reports fewer errors, but I have little confidence that it's actually working any better, given that it was a powered down DC.

I can create a new user in the 2008 Users and Computers and login to it via RDP, so not everything is hosed. I'm kind of stuck where to go from here.

I've attached an output of: Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.txt

37430-dcdiag.txt


8 answers

  1. Mike Hammett 1 Reputation point
    2020-11-05T15:06:36.38+00:00

    Argh, stupid forum lost my long response.

    I can ping DNA-170 from SVR-FILE-RCH and vice versa.

    Both DNA-170 and SVR-FILE-RCH have their Windows firewalls turned off. The Vyatta firewall doesn't have anything in it that seems obvious and the configuration hasn't changed (except for two added, then removed NAT rules) since December of 2018.

    I have run a dcdiag from SVR-FILE-RCH (dc1) and added it to the v3 OneDrive folder.

    SVR-EXCH-RCH is being difficult, so I may not ever get anything out of it. That's probably why it was powered off.

    DNA-170 is where I had been making all of my changes on for the three years I've been here. I'm pretty sure previous to this fiasco, it was a fully functional DC. I won't swear to it, however.

    DNA-170 and SVR-FILE-RCH have nearly the same user and group configuration. The only differences that seem obvious to me would be things done in the past week or so, which is how long Azure AD Connect hasn't been able to sync passwords.


  2. Anonymous
    2020-11-05T15:20:16.77+00:00

    SVR-FILE-RCH is the role holder. DNA-170 was never initialized so likely is a lost cause. If it's been three years then it has tombstoned as well.
    On the role holder I'd check that it has its own static IP address listed for DNS. You can follow along here to clean up metadata on the role holder then rebuild the other two.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    --please don't forget to Accept as answer if the reply is helpful--

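    The checks this answer recommends, as an added PowerShell example that is not from the thread: list the FSMO role holders, then confirm each DC that AD still knows about is reachable and has its own address in its DNS client list. It assumes the RSAT ActiveDirectory module and remote WMI (DCOM) access to the DCs; WMI is used instead of Get-DnsClientServerAddress because that cmdlet does not exist on Server 2003 or 2008 R2.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module (RSAT)
# and remote WMI access to each DC. Works against 2003 / 2008 R2 / 2019 DCs alike.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# FSMO role holders: the DC that holds them must be healthy before any metadata cleanup.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# Every DC object still present in the directory, including stale ones that may need cleanup.
foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        "{0}: unreachable (metadata cleanup candidate if it will never return)" -f $name
        continue
    }

    # Win32_NetworkAdapterConfiguration exposes the DNS client server list on all supported versions.
    $nics = Get-WmiObject -ComputerName $name -Class Win32_NetworkAdapterConfiguration `
                          -Filter "IPEnabled = TRUE"
    $dnsServers = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })

    # A DC should list its own static address (not only a loopback or a dead peer) as a DNS server.
    $listsSelf = $dnsServers -contains $dc.IPv4Address
    "{0}: IP {1}; DNS servers [{2}]; lists own address: {3}" -f `
        $name, $dc.IPv4Address, ($dnsServers -join ', '), $listsSelf
}
```

    Run it from the role holder itself; any DC reported unreachable or not listing its own address is where the dcdiag errors in the question most likely originate.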

  3. Mike Hammett 1 Reputation point
    2020-11-10T20:29:16.177+00:00

    A friend of mine ended up taking a look and just took DNA-170 and seized all of the roles and then did a few other things that I don't recall. I'm now operating with DNA-170 as the sole domain controller. I've started getting a couple of 2019 controllers up and running but will have to work through some other upgrades to get them on board.
