  1. #1
    chiefnz (Enterprise IT Consultant), Auckland, joined Dec 2004, 1,457 posts

    Troubleshooting Active Directory issues

    I have a client who is having some issues with Active Directory.

    There are 3 specific issues which I'm looking into though I suspect if I fix one it is likely to resolve the others or at the very least shed light on how to fix the other issues.

    So a bit of background (will try to keep it as short as possible)

    Two years back they paid Fujitsu to demote the then Primary DC and left the secondary DC running.
    Now 2 years later and several administrators later the current admin is having issues and she's asked me to give her a hand.

    Issue 1

    So after a week of tinkering the first anomaly I found was that after running netdom query fsmo the result showed that the decommissioned PDC was still holding all the FSMO roles. From this I assumed Fujitsu did not demote the DC in the correct way and further evidence of this was that there were still references to the old PDC in Active Directory Sites and Services as well as AD users and computers and DNS. So the first thing I did was perform a FSMO seizure of all the roles to the current domain controller (it is also the only domain controller). I cleaned up DNS and also removed any references to the "dead" domain controller.

    The only thing I'm not sure about now in regards to this is that there is an entry in Active Directory Sites and Services for the Exchange server? Is this normal? I have confirmed that the server does not have the AD role installed so from that I'm assuming it shouldn't be in AD Sites and Services? I'm not an Exchange Expert so if anyone can shed light on this that would be great. It's Exchange 2013 by the way.

    Now onto the other 2 issues we've been seeing on the domain;

    Issue 2

    The Domain Admins group keeps getting changed (currently every 3 hours) and it has some weird permissions on it which is as follows;

    Members = Domain Admins
    Member of = Domain Admins, Administrators

    This is obviously incorrect;

    They should be;

    Members = list of all accounts which are granted domain admin privilege - in this instance the client has specific accounts admins have to use for domain admin access only.

    Member of = Administrators and RODC replication password denied - this is the standard out of the box config.

    Now here's the strange thing... when the domain admins group "reverts" to the defunct state above I can log into the DC with my Domain admin account but cannot login to ANY other domain computer whether it be a server or desktop. I fix this by changing the domain admins group members and members of tab to what they should be as per above. So this one has me stumped and I have to do this every 3 hours.

    Issue 3

    User accounts are constantly getting locked, we don't know why, it can happen to any user multiple times (and has happened to multiple users) and there appears to be no pattern in terms of timing and frequency. We have ruled out outdated passwords on users' other devices such as tablets and mobile phones and it doesn't appear that the Default Domain Password Policy has anything to do with this either. So again I'm stumped here....

    My gut is telling me it has something to do with the way the old DC was forced off the network. Clearly it was not done correctly if at all and AD is kind of just reverting to its "tombstone" state which is set at intervals of 180 minutes.

    Part of me wants to suggest commissioning a new DC, setting everything up the way it should be and then somehow adding it to the domain WITHOUT it receiving replication from the current DC. I'm not sure if this is even possible or advisable but it's safe to say the current state of AD is not good and it is also creating issues in the share permissions area. I'm trying to fix this problem with a new standalone file server... currently the DC is also a file server for all the client's user data.... they have everything in one basket.

    Today I finished tidying up AD Sites and Services as well as AD Users and Computers by removing all the references to the old DC (including DNS). Hopefully, this will have helped but I will only know in the morning when I try to login with my domain admin account.

    Apologies for the novel but I couldn't explain it any shorter.

    I'd appreciate any advice or tips and tricks on how to resolve this one... ideally, without having to commission a new server.

    Cheers,

    Asus P8Z77-VL X
    Intel Core i7-3770
    Cooler Master Seidon 120V Plus CPU Water Cooler
    32GB DDR3
    2 x 250GB SSD, 3 x 2TB WD Enterprise HDD
    Asus DVD/RW
    eVGA GeForce GTX 970
    Coolermaster Centurion Case & 550W PSU
    Windows 10 Pro
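
    The three symptoms above (stale FSMO holders, Domain Admins drifting on a schedule, unexplained lockouts) can each be checked from the DC's own data. The following PowerShell is an added example, not something posted in this thread; it assumes the RSAT ActiveDirectory module, a domain admin session on the DC, and that the `$expected` list is replaced with the client's dedicated admin accounts.

```powershell
# Added example (not from the thread). Run on the DC as a domain admin.
# $expected is a placeholder for the client's dedicated domain admin accounts.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Issue 1: every FSMO role should name a DC that actually exists (cross-check with 'netdom query fsmo').
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$liveDCs = (Get-ADDomainController -Filter *).HostName
foreach ($role in $fsmo.Keys) {
    $holder = $fsmo[$role]
    $status = if ($liveDCs -contains $holder) { 'OK' } else { 'STALE HOLDER' }
    "{0,-22} {1,-40} {2}" -f $role, $holder, $status
}

# Issue 2: diff Domain Admins against the intended membership, then read the security
# events that record who changed it (4728 member added, 4729 member removed, 4737 group changed).
$expected = @('da-alice', 'da-bob')   # placeholder: the client's dedicated admin accounts
$actual   = (Get-ADGroupMember 'Domain Admins').SamAccountName
Compare-Object -ReferenceObject $expected -DifferenceObject $actual |
    ForEach-Object { "Domain Admins drift: {0} {1}" -f $_.SideIndicator, $_.InputObject }
# Expected out of the box: Administrators and Denied RODC Password Replication Group
(Get-ADPrincipalGroupMembership 'Domain Admins').Name

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4729, 4737; StartTime = (Get-Date).AddHours(-6) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Domain Admins' } |
    Select-Object TimeCreated, Id,
        # SubjectUserName sits at index 6 for 4728/4729 and index 4 for 4737 in the event schema
        @{ n = 'Actor'; e = { if ($_.Id -eq 4737) { $_.Properties[4].Value } else { $_.Properties[6].Value } } } |
    Format-Table -AutoSize

# Issue 3: lockout events (4740) are written on the PDC emulator; the caller computer field
# names the device that is still presenting the bad credential.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

    If the actor on the 4728/4729 events is a machine account or a scheduled task rather than an administrator, that is where the 3-hourly change is coming from.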

  2. #2
    Computer Tech, Whangarei, joined Dec 2004, 5,730 posts

    Re: Troubleshooting Active Directory issues

    Had a quick read through but haven't had a chance to look at it fully yet.

    Couple of things, what server OS?
    For issue 2 could it be a group policy doing that?

  3. #3
    chiefnz (Enterprise IT Consultant), Auckland, joined Dec 2004, 1,457 posts

    Re: Troubleshooting Active Directory issues

    The DC is running Server 2016.

    I haven't actually looked at group policy as being the culprit here. I will check and post findings.

    Why would you even use Group Policy that way? Surely, that would create more of an administrative overhead?


  4. #4
    chiefnz (Enterprise IT Consultant), Auckland, joined Dec 2004, 1,457 posts

    Re: Troubleshooting Active Directory issues

    So no changes after I made the modifications. The Domain Admins group is still reverting to its defunct state.

    Some other things I found, the current DC was pointing to itself for DNS via its assigned static IP, I don't think that should be an issue but usually when a DC is the DNS server the DNS setting for that DC is usually 127.0.0.1 so I made that change. There were issues with some new machines not being able to locate an LDAP server but since making the above change this seems to have now gone away.

    Another thing I'm thinking about is raising the domain's functional level from Server 2003 to at least Server 2008 R2, not sure what effect this will have but the benefits should largely outweigh the current state.

    I need to find a way of setting up a new DC which will take over all the FSMO roles WITHOUT replicating the current state from the existing DC or at least force the current DC to replicate from the new one rather than the other way around.... Is that even possible? Turning the current DC into an RODC and then setting the new DC as the primary holding the GC?
    Last edited by chiefnz; 26-08-2017 at 02:44 AM.


  5. #5
    chiefnz (Enterprise IT Consultant), Auckland, joined Dec 2004, 1,457 posts

    Re: Troubleshooting Active Directory issues

    Not much progress has been made but I did raise the domain functional level to Server 2008 R2 and there were no issues. I also found an AD Health Check Script here which I ran on the DC and apart from a few obvious no-nos (mainly around account password expiry etc) the most significant item was according to the script no domain controller was found and there had been no contact with a domain controller for the last 3 months?

    I'm not sure what this all means or what my options will be to remediate.

    What I'm thinking about doing is the following;

    • Setup a new DC running Server 2012 R2 or Server 2016
    • Join the new DC to the domain
    • Transfer all the FSMO roles to the new DC
    • Make the new DC the GC
    • Remove GC from the existing server
    • Disconnect the current DC from the network and see if any issues arise - authentication issues etc.


    If all goes well, demote the old DC properly and rebuild it from scratch and then rejoin to the domain.
    Last edited by chiefnz; 26-08-2017 at 10:11 AM.


  6. #6
    wainuitech (Computer Technician), Wellington, joined Aug 2007, 24,864 posts

    Re: Troubleshooting Active Directory issues

    Don't know if the following article is of any use or not https://support.microsoft.com/en-us/...ws-server-2003 or https://www.petri.com/transferring_fsmo_roles

    If changing a server, why use an outdated one (Server 2008)? Better to go with Server 2012 or 2016. Found that the other day trying to get a backup software for a few PCs to auto backup. Server 2008 had so many things no longer working it became a pain, so used Server 2012.
    One thing positive about Windows 10 is that there is never a dull moment anymore on ye olde computer

  7. #7
    chiefnz (Enterprise IT Consultant), Auckland, joined Dec 2004, 1,457 posts

    Re: Troubleshooting Active Directory issues

    Wainui are you referring to the Domain Functional Level or Server OS?

    The functional level is set to 2008 R2 and the current server is running 2012 R2.

    The new server will have 2012 R2 or 2016 installed on it.

    I have transferred all the FSMO roles to the current server and have verified they have been changed to the current server.

    There are a few things in the first article which I didn't explicitly do (according to the process detailed) but I'm sure that the transfer has been completed.
    I will check on these items as per the article and post back

    Thanks
    Last edited by chiefnz; 26-08-2017 at 03:14 PM.


  8. #8
    wainuitech (Computer Technician), Wellington, joined Aug 2007, 24,864 posts

    Re: Troubleshooting Active Directory issues

    I was only referring to the comment
    I'm thinking about is raising the domain's functional level from Server 2003 to at least Server 2008 R2
    If a server upgrade is on the cards, better to go with at least 2012, as Server 2008 R2 is coming up on end of supported life, whereas 2012 is more up to date and stable. The only downside is 2012 has the W8 style interface, whereas 2016 is closer to W10.

  9. #9
    chiefnz (Enterprise IT Consultant), Auckland, joined Dec 2004, 1,457 posts

    Re: Troubleshooting Active Directory issues

    Update:

    Added a secondary DC running Server 2008 R2.

    Transfer of all the FSMO roles was successful apart from the schema master.
    I tried to register the Schmmgmt.dll library by running regsvr32 schmmgmt.dll but got an error message saying the module was registered successfully but the schema snap-in could not be loaded.

    When I tried to add the Schema snap-in it wasn't there.

    Next I forced the schema to the new server using FSMO seizure which was successful.

    I then let all the AD elements replicate to the new server including DNS.
    Everything appeared to be ok but then I started getting errors from domain computers not being able to locate a domain controller. I also had trouble logging in with domain accounts as well as authenticating domain accounts... I kept getting errors saying a domain controller could not be located.

    At this point I didn't want to risk any more potential damage so then started moving things back to the original DC.
    FSMO roles transfer completed successfully and then I had to delete the second server from DNS as well as AD sites and Services etc.

    Once this was done I was able to log back into domain computers and there were no longer issues with domain level authentication.

    Really at a loss here, part of me thinks a reboot may be a good start but could just be a waste of time. The next reboot is scheduled for the night of 31 August so just going to wait until then and then start troubleshooting again.

    The client is considering implementing a new domain design etc. which is probably not a bad idea but it's a lot of work and obviously a lot of things could go wrong in terms of migrating existing users and computers to the new domain. There is also the issue of the current DC being the file server as well so all those shares and permissions would have to be migrated to a new server... which is on order still. So a lot of decisions to make and a few design documents to draw up. It's going to be a long couple of weeks ahead.
    Last edited by chiefnz; 29-08-2017 at 11:16 AM.

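
    The "domain controller could not be located" errors that appeared once the second DC came online are something a DC can check for itself before anyone notices at a workstation: clients find DCs through the `_msdcs` SRV records and site/subnet mapping, not through AD objects directly. The following PowerShell is an added example, not part of the thread; it assumes the ActiveDirectory and DnsClient modules and is run on the newly promoted DC with domain admin rights.

```powershell
# Added example (not from the thread). Pre-flight / post-promotion checks for a second DC.
# Run on the new DC before moving FSMO roles or the GC to it.
Import-Module ActiveDirectory

$dnsRoot = (Get-ADDomain).DNSRoot
$dcs     = Get-ADDomainController -Filter *

# 1. Each DC must have registered its locator SRV record; a DC missing here is invisible to clients.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue
foreach ($dc in $dcs) {
    $registered = $srv | Where-Object { $_.NameTarget -ieq $dc.HostName }
    "{0,-35} SRV registered: {1,-5} GC: {2,-5} Site: {3}" -f $dc.HostName, [bool]$registered, $dc.IsGlobalCatalog, $dc.Site
}

# 2. Ask the DC locator directly, bypassing its cache; this is the same path a workstation takes.
nltest /dsgetdc:$dnsRoot /force

# 3. Inbound replication state per partition: last success, last result code, consecutive failures.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition * |
    Select-Object Server, Partition, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
Get-ADReplicationFailure -Target $env:COMPUTERNAME

# 4. Every client subnet should map to a site; unmapped subnets make the locator fall back to any DC.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# 5. Built-in diagnostics for the same three areas; any failure here is fixed before roles move.
dcdiag /test:DNS /test:Replications /test:Advertising /v
```

    If step 1 shows the new DC without an SRV record, restart the Netlogon service on it and re-run the check rather than transferring roles.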

  10. #10
    Senior Member, Plimmerton, joined Jan 2005, 3,236 posts

    Re: Troubleshooting Active Directory issues

    We feel your pain. A helluva responsibility on a live system.

    Hopefully, something will go your way.
