Calling all Win2k AD gurus

ITJunkie

Platinum Member
Apr 17, 2003
2,512
0
76
www.techange.com
Okay so here is my problem. While doing some routine maintenance a while back (i.e. installing MS patches), we started getting a weird error on our root domain controller. Every time we rebooted it, there would be a pop-up about a dll error and please put in the Win2K disk. Because this was Win2k w/SP2 and I was already running SP4, I usually just ignored it as it didn't "seem" to be causing any issues.

It did, however, cause problems with using the Windows Update site...as in couldn't access. Kept erroring on the cryptographic service. I was able to track down that problem and get the proper crypt32.dll installed and was finally able to get into Windows Update for patches.

The problem now is IE6 is totally hosed. I get mucho script errors when it opens, so much so that it is basically useless. This isn't necessarily a big deal but the update site of course uses it for access.

I have run DCDiag and everything passes without issue and using ldp.exe I am able to connect, bind and run successful queries against the schema. DNS is also functioning fine. It's a smallish office and I am running 2 DCs without any replication problems between the 2.

So my question is this: if you were me, would you A) leave things alone and just download patches manually? Or B) spend a weekend rebuilding the whole damn domain?
Thanks in advance for your advice and sorry if this is long-winded :)

~Bill
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Can you bring another DC online? Doesn't sound like there's an issue with AD, so you could bring up a second DC, replicate and then demote the first one. Then you can rebuild and repromote it into the domain.
 

ITJunkie

Originally posted by: STaSh
Can you bring another DC online? Doesn't sound like there's an issue with AD, so you could bring up a second DC, replicate and then demote the first one. Then you can rebuild and repromote it into the domain.

That's what I wasn't sure about. I am running a second DC, so if I move the FSMO roles over to the other DC can I still dcpromo the root domain controller down? I have the GC replicating between the 2.
That's one area (of many :)) I am fuzzy on. Does AD just see domain controllers or is the first (root) domain controller critical/untouchable to the forest domain?

Thanks Stash
 

stash

You don't need to move the FSMO roles before you run dcpromo, dcpromo will do that for you. You could move them beforehand, but there isn't any point. If they fail to move during dcpromo, they would've failed to move manually, and you have replication problems to work out.

So I would recommend that you make sure DNS is running on the second DC, and that clients are configured to use it for DNS. Dcpromo down the first box, rebuild and dcpromo back up. All DCs in a domain are essentially equals, with the exception of the ones holding FSMO roles, but those can be moved easily. That's the whole idea behind having multiple DCs...redundancy :)
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: gwag
make sure the clock is set to the right date and time.
Your PDCE should be set to sync from a reliable time source. You shouldn't be manually setting the clock on any domain member or server 2000 or greater.
 

ITJunkie

Originally posted by: spyordie007
Originally posted by: gwag
make sure the clock is set to the right date and time.
Your PDCE should be set to sync from a reliable time source. You shouldn't be manually setting the clock on any domain member or server 2000 or greater.

Yup. I currently have one DC sync to an external time server and everyone else syncs their time to that DC.