Forum

ADC`den yapilan deg...
 
Bildirimler
Hepsini Temizle

ADC`den yapilan degisiklikler diger DClere yansimiyor

26 Yazılar
6 Üyeler
0 Reactions
2,175 Görüntüleme
(@kemalsudan)
Gönderiler: 40
Eminent Member
 

Merhabalar,

Aşağıdaki şekilde sunucuların tcp/ip yapılandırmasını düzenleyiniz.

Yeni ADC 192.168.0.20  (Win2008 R2) ve Pref DNS 192.168.0.20, Ikincil
DNS 192.168.0.21,Üçüncü DNS 192.168.0.22
Eski PDC 192.168.0.21 (Win2003 Ent) ve Pref DNS
192.168.0.21, Ikincil DNS 192.168.0.22,Üçüncü DNS 192.168.0.20
Eski ADC 192.168.0.22 (Win
2003 Ent) ve Pref DNS 192.168.0.22, Ikincil DNS 192.168.0.21 ,Üçüncü DNS 192.168.0.20

Sunucuların hepsinde Sıra ile Command prompt ta aşağıdaki komutu çalıştırın.

ipconfig/flushdns

net stop netlogon

net start netlogon       ( Bir önceki cevapta eklemeyi unutmuşum)

net stop DNS

net  start DNS

net stop Dnscache

net start Dnscache

ipconfig/registerdns

Bu işlemlerden 15dk yada 30dk sonra dns konsolunu açın ve _msdcs ile başlayan zonda her sunucu için NS ve CNAME kayıtları oluşturulmuş mu kontrol ediniz.Eğer kayıtlar oluşmuşsa güncelleme yapıp yapmadığını yeni bir user yada grup açarak kontrol ediniz.

 

 

 

 

 
Gönderildi : 07/02/2010 00:39

(@TeomanEfendi)
Gönderiler: 798
Noble Member
Konu başlatıcı
 

Hocam adimlari aynen takip ettim. _msdcs zonu altinda kayitlar dediginiz sekilde yerinde. Problem aynen devam ediyor. Birde asagidaki uyari eklendi.

Duzenleme: Yeni server olan Win2008i kapattim. Simdilik 2 saat oldu ve PDC uzerine dusen uyarilar durdu. Hersey normal gorunuyor su anda. Ama yeni serveri acarsam tekrar edecek bu belli. Yeni server DCpromo ile kaldirirsam uzeride yuklu olan Certification Authority rolu islevini surdurur mu? Bu rolu sadece ve sadece exchnage`e sertifika uretmek icin kurmustum haricinde kullanimi yok. Exchnage server baska bir server uzerinde member olarak calisiyor.

 

 Event Type:    Warning
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    2092
Date:        7/02/2010
Time:        6:56:34 AM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    ICB21
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: DC=icb,DC=local
 
User Action:
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 
Gönderildi : 07/02/2010 03:21

(@kemalsudan)
Gönderiler: 40
Eminent Member
 

Merhabalar,

 

Aşağıdaki adımları uygulayıp kontrol ediniz.

 

1. Please flush DNS and NetBIOS cache on both domain controllers.

2. Point both Domain Controllers to use the same DNS and then
re-registering A and SRV records by restarting Netlogon service.

3. Reset secure channel by using Netdom utility on both domain
controllers

For windows server 2003 domain controller, please refer to:
How to use Netdom.exe to reset machine account passwords of a Windows
Server 2003 domain controller
http://support.microsoft.com/kb/325850/en-us

For windows 2000 domain controller, please refer to:
How To Use Netdom.exe to Reset Machine Account Passwords of a Windows
2000
Domain Controller
http://support.microsoft.com/kb/260575/en-us

You receive the "The target principal name is incorrect" error message
when
you try to start Active Directory Users and Computers in Windows 2000
http://support.microsoft.com/kb/830069

4. Restart the Kerberos Key Distribution Center (KDC) service and set
its
startup type back to Automatic on both domain controllers.

5. Try forcing replicate the AD replica by using Active Directory Sites
and
Services snap-in.

Please refer to:

Initiating Replication Between Active Directory Direct Replication
Partners
http://support.microsoft.com/kb/232072

Afterward, you may check if the issue can be resolved.

 
Gönderildi : 07/02/2010 17:11

(@TeomanEfendi)
Gönderiler: 798
Noble Member
Konu başlatıcı
 

Hocam tesekkur ederim sadece bir sorum var bu alttaki yontemi uygulamadan once. Domaine olumsuz etkisi olma riski yuksek bir islemmidir bu yoksa gonul rahatligiyla yapabilir miyim?

 

3. Reset secure channel by using Netdom utility on both domain
controllers

For windows server 2003 domain controller, please refer to:
How to use Netdom.exe to reset machine account passwords of a Windows
Server 2003 domain controller
http://support.microsoft.com/kb/325850/en-us

 
Gönderildi : 08/02/2010 05:27

(@kemalsudan)
Gönderiler: 40
Eminent Member
 

merhaba,

 

  1. Kerberos Anahtar Dağıtım Merkezi hizmetini durdurun ve
    ardından başlangıç değerini El İle olarak ayarlayın.
  2. Etki
    alanı denetleyicisinin makine hesap parolasını
    sıfırlamak için Windows 2000 Server Destek Araçları'ndan veya
    Windows Server
    2003 Destek Araçları'ndan Netdom aracını kullanın:

    netdom
    resetpwd /server:başka bir etki alanı denetleyicisi
    /userd:domain\administrator /passwordd:yönetici
    parolası

    Netdom komutunun başarıyla
    tamamlandı olarak döndürüldüğünden emin olun. Böyle döndürülmezse,
    komut
    çalışmamış demektir. Etkilenen etki alanı denetleyicisinin DC1 ve
    çalışan etki
    alanı denetleyicisinin DC2 olduğu Contoso etki alanı için aşağıdaki netdom
    komutunu DC1 konsolundan çalıştırırsınız:

    netdom resetpwd /server:DC2
    /userd:contoso\administrator
    /passwordd:yönetici parolası

  3. Etkilenen
    etki alanı denetleyicisini yeniden
    başlatın.
  4. Kerberos Anahtar Dağıtım Merkezi hizmetini
    başlatın ve
    ardından başlangıç ayarını Otomatik
    olarak ayarlayın.

 

 
Gönderildi : 08/02/2010 06:32

(@TeomanEfendi)
Gönderiler: 798
Noble Member
Konu başlatıcı
 

 Evet Cem bey simdi farkettim. Bu uyariyi PDCden yeni kurulan ADCye dogru replication yapinca aliyorum. Son iki gunluk evet loglarida asagidaki uyari ile dolmus durumda. 1 hafta once kurdum bu ADCyi ancak uyarilar 2 gun once baslamis. Ne yapmaliyim?

 

 

 

 Event Type:    Error
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    1988
Date:        4/02/2010
Time:        11:40:26 AM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    ICB21
Description:
Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory database.  Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed.  Objects that have been deleted and garbage collected from an Active Directory partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".
 
 This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory database.  This replication attempt has been blocked.
 
 The best solution to this problem is to identify and remove all lingering objects in the forest.
 
 
Source DC (Transport-specific network address):
64e46f05-3760-4914-bd77-7f25e8626a7d._msdcs.icb.local
Object:
CN=Microsoft Hyper-V\0ADEL:155cef3f-6abf-4b7a-b5ed-27c9fbaac3b4,CN=Deleted Objects,DC=icb,DC=local
Object GUID:
155cef3f-6abf-4b7a-b5ed-27c9fbaac3b4

 
User Action:
 
Remove Lingering Objects:
 
 The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.
 
 If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".
 
 If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
 
 If you need Active Directory replication to function immediately at all costs and don't have time to remove lingering objects, enable loose replication consistency by unsetting the following registry key:
 
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency
 
 Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.
 
 Lingering objects may be prevented by ensuring that all domain controllers in the forest are running Active Directory, are connected by a spanning tree connection topology and perform inbound replication before Tombstone Live number of days pass.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

Bu komutu benim sisteme göre nasıl oluşturmam gerekiyor. Araştırdığım kadarıyla çözüm bu komutta.

repadmin /removelingeringobjects <Source DC> <Destination DC
DSA GUID> <NC> /ADVISORY_MODE

repadmin /removelingeringobjects <Source DC> <Destination DC
DSA GUID> <NC>

1- Yukarıdaki komutlarda boş olan yerlere ne gelecek?

2- Bu komutu PDCden mi gireceğim yoksa Win 2008 serverdan mı?

 
Gönderildi : 09/02/2010 13:22

Hakan Uzuner
(@hakanuzuner)
Gönderiler: 33322
Illustrious Member Yönetici
 

Merhaba Teoman, aşağıdaki makaleyi incelermisin ?


http://support.microsoft.com/kb/910205/en-us


 

Danışman - ITSTACK Bilgi Sistemleri
****************************************************************
Probleminiz Çözüldüğünde Sonucu Burada Paylaşırsanız.
Sizde Aynı Problemi Yaşayanlar İçin Yardım Etmiş Olursunuz.
Eğer sorununuz çözüldü ise lütfen "çözüldü" olarak işaretlerseniz diğer üyeler için çok büyük kolaylık sağlayacaktır.
*****************************************************************

 
Gönderildi : 13/06/2011 22:44

Sayfa 2 / 2
Paylaş: