Windows-Expert.com
DC fails when isolated from network
Mark Z.
Guest
Posted: Fri Mar 20, 2009 3:48 pm    Post subject: DC fails when isolated from network

My 2003 R2 DC is a global catalog, and points to itself for DNS (via its own
static IP and has all the AD forest-integrated zones w/records). It does not
hold any FSMO roles. When it is shut down, disconnected from the production
network, and brought back up disconnected (isolated on its own network to
test), I cannot log on to it (except with the Administrator account). Should
it still not be able to allow me to log on? This troubles me because what if
it becomes disconnected from all other DCs in a real network outage scenario?
I lose all authentication?

The DNS Server just won't start... DCDiag is just full of DNS issues. This
is very troubling that a DC can't live on its own for a while. Is it because
the DNS zones are forest-integrated? Is it because it can't see the Forest
Root DCs?

Errors in the event logs:

DNS 4000 (The DNS server was unable to open Active Directory.)

DNS 4013 (The DNS server was unable to open the Active Directory.)

NTDS Replication 2087 (Active Directory could not resolve the following DNS
host name of the source domain controller to an IP address.)

NTDS General 1126 (Active Directory was unable to establish a connection
with the global catalog.)

Userenv 1054 (Windows cannot obtain the domain controller name for your
computer network. (The specified domain either does not exist or could not be
contacted. ). Group Policy processing aborted. )

NETLOGON 5781 (Dynamic registration or deletion of one or more DNS records
associated with DNS domain 'ForestDnsZones.footlocker.net.' failed.)

W32Time 14 (The time provider NtpClient was unable to find a domain
controller to use as a time source. NtpClient will try again in 30 minutes.)
Ace Fekay [Microsoft Cert
Guest
Posted: Fri Mar 20, 2009 4:15 pm    Post subject: Re: DC fails when isolated from network

There are a number of reasons for this. One, mainly, is the FSMO roles (PDC,
IM, RM, SM and DNM). They have a huge impact and are required to be
accessible by ALL DCs, and the other is the reference to the Forest root
data in DNS, _msdcs.... where the GC is referenced, which is required for
logon. You got in because of cached credentials. There's also DC
communication between DCs, including replication involved between the DCs.

Unfortunately you cannot simply unplug one DC and expect it to work
elsewhere.

Curious, what was the purpose of doing this?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Meinolf Weber [MVP-DS]
Guest
Posted: Fri Mar 20, 2009 7:23 pm    Post subject: Re: DC fails when isolated from network

Hello Mark Z.,

As stated from Ace, please describe what you are trying to achieve with isolating
a not full Domain controller, because of missing FSMO roles.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Garry Starck - MCITP
Guest
Posted: Sat Mar 21, 2009 6:31 pm    Post subject: RE: DC fails when isolated from network

Hi Mark Z

If you have the builtin domain admin account name and password, you can
login instantly after bootup, this only works on the builtin dom adm account
EG: Administrator, handy to remember this password to be secured somewhere
and ready if you are in a Disaster Recovery Procedure. If this is the only DC
you can restore as an example. The AD will still not have started at this
point, and therefore your AD integrated DNS zones. Seize in whichever order
you prefer, also remembering your schema domain/root domain DC has to also be
part of the process as Ace has already stipulated. Use NTDSUtil to remove the
remaining DCs in the original AD site that these belong to, I notice AD kicks
in almost instantly after the Infrastructure Master DC has been ntdsutil'd
out and seized automatically as part of the deletion, the DNS starts and all
is fine after that. Don't delete the non present DCs if you will want to
reinject them into "say a LAB" environment, only seize. 2003 AD FSMO role
holders will first check to see if a new FSMO role holder has taken its
position and automatically demote itself before advertising itself on the
network.
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA
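A read-only readiness check, added here as an example and not code from any of the posters, that reports the three failure points the replies name before a DC is isolated for a DR drill: which FSMO roles live on another DC (Ace's point), whether the GC and _msdcs SRV records resolve from the DC's own DNS, and whether the event IDs from the original post have appeared in the logs. It assumes the ActiveDirectory module and the Resolve-DnsName cmdlet, so it targets a newer Windows Server than the 2003 R2 machine in the question.

```powershell
# Added example: run on the DC you intend to isolate, before pulling the cable.
# Assumes RSAT ActiveDirectory module and DnsClient cmdlets (2012+), not 2003 R2.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$me     = [System.Net.Dns]::GetHostName()

# 1. FSMO roles. Any role held elsewhere becomes unreachable the moment this DC is alone.
$roles = [ordered]@{
    PDC            = $domain.PDCEmulator
    RID            = $domain.RIDMaster
    Infrastructure = $domain.InfrastructureMaster
    Schema         = $forest.SchemaMaster
    DomainNaming   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $local = $r.Value -like "$me.*"
    "{0,-15} {1,-40} {2}" -f $r.Key, $r.Value,
        $(if ($local) { 'local' } else { 'REMOTE - lost when isolated' })
}

# 2. GC and _msdcs forest-root records that the logon path depends on,
#    resolved against this DC's own DNS service (the setup in the question).
$isGc = (Get-ADDomainController -Identity $me).IsGlobalCatalog
"Global catalog on this DC: $isGc"
$srv = @("_ldap._tcp.dc._msdcs.$($domain.DNSRoot)", "_gc._tcp.$($forest.RootDomain)")
foreach ($name in $srv) {
    try {
        $rec = Resolve-DnsName -Name $name -Type SRV -Server 127.0.0.1 -ErrorAction Stop
        "{0}: {1}" -f $name, (($rec | Where-Object NameTarget).NameTarget -join ', ')
    } catch {
        "{0}: NOT resolvable from local DNS" -f $name
    }
}

# 3. Symptom scan: the event IDs listed in the original post, last 24 hours.
$since = (Get-Date).AddDays(-1)
$filters = @(
    @{ LogName = 'DNS Server';         Id = 4000, 4013; StartTime = $since },
    @{ LogName = 'Directory Service';  Id = 2087, 1126; StartTime = $since },
    @{ LogName = 'Application';        Id = 1054;       StartTime = $since },
    @{ LogName = 'System';             Id = 5781, 14;   StartTime = $since }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}
```

A DC that shows every role as REMOTE and no local SRV answers is the situation in the question; nothing here changes the directory, so it is safe to run on production DCs.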