how to correct the problem of AD

 
 
Huy Nguyen
      09-12-2005, 11:17 AM
Now, I have two servers running Windows 2003 SP1. One is "DAS", the
other is "DASBAK". Some workstations run Windows 2000 Professional, others
run "Windows XP Professional".
DAS is the root Domain Controller (DC) of "CKDA.COM", DASBAK is the
Additional DC of "CKDA.COM". I also made an "image" of the two servers'
partitions by running Norton Ghost 2003; these images were made on
August 6th, 2005 and are named "060805.ghs".
Up to now, the two servers above didn't have any problems; they replicated
the AD database with each other well.
But after I restored only the image of DASBAK's partition "060805.ghs" by
running Norton Ghost 2003 (the "DAS" server did not have its image
restored), the two servers have many problems.

On some workstations (not all of them):
They (some workstations, but not all) cannot log on to the domain "CKDA"
although they entered their user names and passwords correctly; the error
displayed is "Windows cannot connect to the domain either because the domain
controller is down or otherwise is unavailable" or "the primary system
computer account is missing".
Besides, they cannot access "the other" workstations or DAS or DASBAK, for
example "workstation1" by running "\\workstation1"; the error says "Logon
Failure: The target account name is incorrect", but they can access the
other workstation by running "\\192.168.x.x" (the IP address of
Workstation1, DAS, DASBAK). At other times of the day, they can log on to
the domain "ckda" successfully.

On the two servers DAS, DASBAK:
- DAS or DASBAK cannot access "the other" workstations, for example
"workstation1" by running "\\workstation1"; the error says "Logon Failure:
The target account name is incorrect"
- On DAS, at "AD Sites and Services", I click "Check Replication Topology"
and the error occurs: "the following error occurred during the attempt to
contact the domain controller. The target principal name is incorrect"
- When I denote "dasbak", this error is displayed: "the target principal
name is incorrect". Active Directory could not transfer the remaining data
in directory partition CN=Schema, CN=Configuration, DC=CKDA, DC=com, to
domain controller DAS.CKDA.COM"
- On DAS's Event Viewer:
+ this Kerberos error is displayed: "the kerberos client received a
KRB_AP_ERR_MODIFIED error from the server host/dasbak.ckda.com. The target
name used was. This indicates that the password used to encrypt the kerberos
service ticket is different than that on the target server. Commonly this
is due to identically named machine accounts in the target realm
(ckda.com.vn), and the client realm."
+ this netlogon error is displayed: "the session setup from the computer
DASBAK failed to authenticate. The name(s) of the account(s) referenced in
the security database is DASBAK."
+ "The local Domain Controller has not received replication
information from a number of domain controllers within the configured
latency interval"
- On DASBAK's Event Viewer:
+ this Kerberos error is displayed: "the kerberos client received a
KRB_AP_ERR_MODIFIED error from the server host/das.ckda.com. The target name
used was DAS$. This indicates that the password used to encrypt the kerberos
service ticket is different than that on the target server. Commonly this
is due to identically named machine accounts in the target realm
(ckda.com.vn), and the client realm."
+ this netlogon error is displayed: "Windows cannot authenticate with
\\das.ckda.com, a Windows domain controller for domain ckda.com, and
therefore this computer might deny logon requests. This inability may be
caused by another computer on the same network using the same name or the
password for this computer account is not recognized."
+ "The local Domain Controller has not received replication
information from a number of domain controllers within the configured
latency interval"

I guess that the error is an Active Directory database replication problem,
and that the cause is that I restored the image of DASBAK's partition
(060805.ghs), is that right? It affects the AD replication between DAS
and DASBAK and affects all workstations and the Kerberos "username and
password", because I think the "SID" of DASBAK is the same as the "SID" of
DASBAK before restoring the image, is that right (AD still remembers the
old SID)?
Therefore, please help me urgently to correct it without reinstalling DAS
and DASBAK, because the two servers are working continuously and must run
at all times, day by day. Can these errors be corrected with the "ntdsutil"
command line, or the Server AD support tools, etc.? I think so but I don't
know; please help me clearly. I never do a stupid action such as "restore a
ghost image" with my servers.
Thanks a lot for listening to me, and please reply to me as soon as
possible!


 
Todd J Heron
      09-12-2005, 12:19 PM
You can never use imaging software to restore domain controllers.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

"Huy Nguyen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
Now, I have two servers running Windows 2003 sp1. This one is "DAS", the
other is "DASBAK". Some Workstaions run Windows 2000 Professional, other run
"Windows XP Professional"
DAS is root Domain Controller (DC) of "CKDA.COM", DASBAK is the Additional
DC of "CKDA.COM". I also made an "image" of two servers' partition by
running Norton Ghost 2003-these images are done on August, 06th. 2005 and
have name "060805.ghs".
Up to Now, Two above servers don't have any problems, they replicated
together AD's database well.
But after I only restored this image of "DASBAK's partition "060805.ghs" by
running Norton Ghost 2003, ("DAS" server don't restore it's image). two
servers have many problems.

On some workstations (not all of them) :
They (some workstations, but not of all) cannot log on to domain "CKDA"
although they inputed their user names and password correctly, the error
display "Windows cannot connect to the domain either because the domain
controller is down or otherwise is unavailable" or "the primary sytem
computer account is missing".
Besides they cannot access "the other" workstations or DAS or DASBAK for
example "workstation1" by running "\\workstation1", the error inform "Logon
Failure: The target account name is incorrect" but can access the other
workstation by running "\\192.168.x.x"- IP Address of Workstation1, DAS,
DASBAK. in Another times a day , they can log on to domain "ckda"
successfully

On two servers DAS, DASBAK:
-DAS or DASBAK cannot access "the other" workstations for example
"workstation1" by running "\\workstation1", the error inform "Logon Failure:
The target account name is incorrect"
-On DAS, at "AD Sites and Services", I click "Check Replication Topology" ,
the error occur "the following error occured during the attempt to contact
the domain controller. The target principal name is incorrect",
-When I denote "dasbak", this error display : "the target principal name is
incorrect". Active Directory could not transfer the remaining data in
directory partition CN=Shema, CN=Configuration, DC=CKDA, DC=com, to domain
controller DAS.CKDA.COM"
-On DAS's event view :
+this Kerberos error display: "the kerberos client reeived a
KRB_AP_ERR_MODIFIED error from the server host/dasbak.ckda.com. The target
nam used was. This indicates that the password used to encrypt the kerberos
service ticket is different than that on the target server. Commonlly this
is due to indenticallly name machine accounts in the target realm
(ckda.com.vn), and the client realm."
+This netlogon error display: "the session setup from the computer
DASBAK failed to authenticate. The name(s) of the account(s) referenced in
the security database is DASBAK.
+The local Domain Controller has not received replication
information from a number of domain controllers within the configured
latency interval
-On DASBAK's event view:
+this Kerberos error display: "the kerberos client reeived a
KRB_AP_ERR_MODIFIED error from the server host/das.ckda.com. The target nam
used was DAS$. This indicates that the password used to encrypt the kerberos
service ticket is different than that on the target server. Commonlly this
is due to indenticallly name machine accounts in the target realm
(ckda.com.vn), and the client realm."
+This netlogon error display: "the Windows cannot authenticate with
\\das.ckda.com, a Windows domain controller for domain ckda.com, and
therefore this computer might deny logon request. This inablility may be
causes by another computer on the same network using the same name or the
password for this computer account is not recognized.
+The local Domain Controller has not received replication
information from a number of domain controllers within the configured
latency interval

I guess that error is Active directory database replication promblem. And
the reason caused by I make "restore the image of partition of
DASBAK -060805.ghs", is that right? It affect the AD replication between DAS
and DASBAK and affect all workstation, kerberos "username and password" ,
because I think the "SID" of DASBAK is the same as the "SID" of DASBAK's
before restoring image, is that right (AD still remember the old SID)?
Therefore, please help me urgentlly to correct it without reinstall DAS,
DASBAK because two SErvers is working continuously and must run all times
day by day. can This errors are correct by "ntdsutil" command line, or
Server AD support tools,etc,v..v, I think but I don't know, please help me
clearly. I never do a stupid action as "restore a ghost image" with my
servers.
Thanks a lot for listening to me, and please reply to me as soon as
possible.!


 
Reply With Quote
 
Phillip Windell
      09-12-2005, 07:04 PM
You would have to restore both DCs at the same time. When machine accounts
are refreshed on a schedule over the SecureChannel, I believe the account's
*hidden-random* password is changed. When you restore just one of the DCs
and not the other, the machine accounts are "broken".

So to use Ghost for DCs you have to back up and restore all the DCs at the
same time. Even then you may have to remove/rejoin workstations back to the
domain to correct the machine accounts.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
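A simplified model of the explanation in the reply above, as an added example that is not part of the thread or any poster's code: each machine keeps a local copy of its account password, each DC keeps a directory copy, and a restored image rolls one side back. Assumptions: a 30-day password change interval, an HMAC standing in for Kerberos ticket encryption, a constructed restore date, and a constructed "workstation2" whose password was not yet due for change.

```python
import copy
import hashlib
import hmac
from datetime import date, timedelta

ROTATION_DAYS = 30  # assumption: interval at which a machine changes its account password


def secret(account, generation):
    """Deterministic stand-in for a machine account's random password."""
    return hashlib.sha256(f"{account}#{generation}".encode()).digest()


class Domain:
    """Toy domain: each DC holds a directory copy, each machine holds its own local secret."""

    def __init__(self, dcs, workstations, today, first_change=None):
        self.dcs = list(dcs)
        machines = self.dcs + list(workstations)
        self.local = {m: 0 for m in machines}  # password generation held by the machine
        self.directory = {dc: {m: 0 for m in machines} for dc in self.dcs}
        default_due = today + timedelta(days=ROTATION_DAYS)
        self.next_change = {m: (first_change or {}).get(m, default_due) for m in machines}

    def advance_to(self, day):
        """Healthy operation: machines that are due change their password, DCs replicate it."""
        for m in list(self.next_change):
            while self.next_change[m] <= day:
                self.local[m] += 1
                for dc in self.dcs:
                    self.directory[dc][m] = self.local[m]
                self.next_change[m] += timedelta(days=ROTATION_DAYS)

    def image(self, dc):
        """Disk image of one DC: its directory copy plus its own local secret."""
        return {"directory": copy.deepcopy(self.directory[dc]), "local": self.local[dc]}

    def restore(self, dc, img):
        """Roll one DC back to the image; nothing else in the domain changes."""
        self.directory[dc] = copy.deepcopy(img["directory"])
        self.local[dc] = img["local"]

    def authenticate(self, kdc, target):
        """The KDC seals a ticket with the key in ITS directory copy;
        the target checks it with the secret it holds locally."""
        payload = f"ticket for host/{target}".encode()
        kdc_key = secret(target, self.directory[kdc][target])
        own_key = secret(target, self.local[target])
        sealed = hmac.new(kdc_key, payload, hashlib.sha256).digest()
        expected = hmac.new(own_key, payload, hashlib.sha256).digest()
        return "OK" if hmac.compare_digest(sealed, expected) else "KRB_AP_ERR_MODIFIED"


def scenario(restore_both):
    """Image both DCs, let time pass, restore one or both, then test every KDC/target pair."""
    image_day = date(2005, 8, 6)     # image date given in the thread
    restore_day = date(2005, 9, 12)  # constructed: the date of the first post
    dom = Domain(["DAS", "DASBAK"], ["workstation1", "workstation2"], image_day,
                 first_change={"workstation2": date(2005, 9, 20)})  # constructed
    images = {dc: dom.image(dc) for dc in dom.dcs}
    dom.advance_to(restore_day)
    for dc in (dom.dcs if restore_both else ["DASBAK"]):
        dom.restore(dc, images[dc])
    return {(kdc, target): dom.authenticate(kdc, target)
            for kdc in dom.dcs for target in dom.local if kdc != target}


if __name__ == "__main__":
    for both in (False, True):
        print("restore both DCs" if both else "restore DASBAK only")
        for (kdc, target), result in scenario(both).items():
            print(f"  KDC on {kdc:6} -> host/{target:12} {result}")
```

In the model, restoring only DASBAK breaks authentication in both directions between the DCs and makes a workstation's result depend on which DC it reaches; restoring both DCs repairs the DC pair but leaves any machine that changed its password after the image date mismatched.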
 
Huy Nguyen
      09-13-2005, 12:24 PM
Now, I have two image files "060805.ghs" of the partitions of the DAS and
DASBAK servers. The two image files were backed up at the same time, when
the two DCs had no problems. Therefore, if I restore the two images
"060805.ghs" at the same time to DAS and DASBAK, can my AD replication
problem be solved? Can the errors that I described be resolved completely?
(If some workstations cannot log on to the CKDA domain, I disjoin them from
the CKDA domain and then join them to the CKDA domain, and those
workstations will never have this error again, is that right?)
Please give me advice on how to do that.
Thanks a lot

 
Phillip Windell
      09-13-2005, 02:44 PM
"Huy Nguyen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Now, I have two image files "060805.ghs" of the partitions of the DAS and
> DASBAK servers. The two image files were backed up at the same time, when
> the two DCs had no problems. Therefore, if I restore the two images
> "060805.ghs" at the same time to DAS and DASBAK, can my AD replication
> problem be solved? Can the errors that I described be resolved completely?
> (If some workstations cannot log on to the CKDA domain, I disjoin them from
> the CKDA domain and then join them to the CKDA domain, and those
> workstations will never have this error again, is that right?)


Yes, but I'm not guaranteeing anything. The point is that Ghost really
isn't the best solution for backing up DCs. The whole point of having two
DCs is so that one acts as a "living backup" of the other one. There is
little chance of losing both of them at the same time. You reinforce this
method with tape backups using "System State Backup". Ghost would be
alright as a last resort that you could fall back to if nothing else
worked,...but I would only bother doing the DC that runs the PDC Emulator.

Ghost is best used for backing up Workstations in an *unjoined* state. You
would handle them by restoring with Ghost, renaming them, altering the SID
(with GhostWalker), then joining them to the Domain.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
Huy Nguyen
      09-14-2005, 11:19 AM
Because I needed to do an emergency repair of the DAS and DASBAK servers, I
restored the "two image files 060806.ghs" at the same time on the two
servers. Unfortunately, after restoring, when the two servers had restarted
completely, the errors that I told you about still happen: "all
workstations cannot log on to the CKDA domain", and many old errors also
exist in the Event Viewer of DAS, DASBAK. I disjoin workstations from CKDA
then join the CKDA domain again, but this solution only fixes it
temporarily, because when the workstations restart, they cannot log on to
the CKDA domain again.

In particular, there is an error in the Event Viewer (ID 2042) that I'd
like to tell you about: "It has been too long since this machine last
replicated with the named source machine. The time between replications
with this source has exceeded the tombstone lifetime. Replication has been
stopped with this source.
The reason that replication is not allowed to continue is that the two
machine's views of deleted objects may now be different. The source machine
may still have copies of objects that have been deleted (and garbage
collected) on this machine. If they were allowed to replicate, the source
machine might return objects which have already been deleted.........

I found the solution for fixing this error (2042) on the Microsoft site, but
these solutions seem complex to me. And I wonder, if I follow the guide, can
my replication error be corrected perfectly?
Therefore, I need your help to instruct me in as much detail as possible,
step by step: the right order to do it (DAS or DASBAK first), or how many
steps I must do to correct this error and also the "whole problem" that I'm
facing. And after fixing, how can I check that the problems were solved
completely? Must I disjoin all workstations from the CKDA domain before
correcting the replication errors of DAS, DASBAK, or needn't I do so? Or
after correcting the replication errors of DAS, DASBAK, must I disjoin all
workstations from the CKDA domain and then join them to the CKDA domain
again, is that right, or is there no need to do so? Can all workstations
not log on to the CKDA domain or not access shared folders of other
workstations again?

Especially, you told me "If you can't do that because of data on the DC,
then the next best thing is to DCPROMO /FORCEREMOVAL, then do the metadata
cleanup on the old machine, then SYSPREP the now demoted machine and then
join to the domain and promote to a DC again".
To save more time, can you help me do it in detail, or give the link to the
website where Microsoft posts how to do it?
I know that what I ask is inconvenient for you, but I'm very grateful to
you for your help, because right now my servers have serious problems.

Thanks Phillip Windell a lot.

 
Phillip Windell
      09-14-2005, 02:08 PM
I have no idea what to do with that. If you have that big a mess, then
newsgroups are not going to be a solution. You need to be talking to MS
Support Services, not newsgroups peers.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------


"Huy Nguyen" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Because I need to do an emergency repair of DAS and DASBAK server, so I
> restored "two image files 060806.ghs" at the same time on two servers.
> Unfotunately, after restoring, when two servers restart completely,these
> errors that I told you still happen again , "all workstations cannot logon
> to CKDA domain", many old errors also exist on Event View of DAS, DASBAK.

I
> disjoin workstations from CKDA then join CKDA domain again, but this
> solution can only fix temporality, because when workstations restart
> machine, they cannot log on to CKDA domain again.
>
> Especilly, an error on Event View (ID 2042) that I'd like to told you :

"It
> has been too long since this machine last replicated with name source
> machine. the time between replications with this source has exceeded the
> tombstone liftime.Replication has been stopped with this source.
> The reason that replication is not allowed to continue is that the two
> machine's views of delete objects may now be different. The source machine
> may still have copies of objects that have bee deleted (and garbage
> collected) on this machine. If they were allowed to relicate, the source
> machine mighet return objects which have already been deleted.........
>
> I found the solution how to fix this error (2042) on Microsoft site, but
> these solutions seem complex to me. And I wonder if I do like the guide, can
> my replication error correct perfectly?
> Therefore, I need your help to instruct me, as detailed as possible is very
> good, step by step, the right order to do (DAS or DASBAK first) or how many
> steps must I do to correct this error also "whole problem" that I'm facing.
> And after fixing how can I check the problems were solved completely? Must I
> disjoin all workstations from CKDA domain before correcting errors
> replication of DAS, DASBAK or needn't do so. Or after correcting errors
> replication of DAS, DASBAK must I disjoin all workstations from CKDA domain
> and then must be joined CKDA domain, is that right or not to need to do so?
> Can all workstations not log on to CKDA domain or not access sharing folder
> of other workstation again?
>
> Especially you told me "If you can't do that because of data on the DC, then
> the next best thing is to DCPROMO /FORCEREMOVAL, then do the metadata
> cleanup on the old machine, then SYSPREP the now demoted machine and then
> join to the domain and promote to a DC again"
> To save more time, can you help me to do it in detail or the link to the
> website where Microsoft posts how to do it?
> I know what I say is inconvenient to you, but I'm greatly grateful to you
> for your help, because at now my servers have serious problems.
>
> Thanks Phillip Windell a lot.
>
>
> "Phillip Windell" <@.> wrote in message
> news:%(E-Mail Removed)...
> > "Huy Nguyen" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > Now, I have two image files "060805.ghs" of partition of DAS and DASBAK
> > > servers. Two image files are backed up at the same time, which two DCs have
> > > no any problems. Therefore, if I restore two Image "060805.ghs" at the same
> > > time to DAS, and DASBAK, can my problem replication of AD is solved? these
> > > errors that I told can be resolved completely?
> > > (if can some workstations not logon to CKDA domain, I disjoin them CKDA
> > > domain, and then join them CKDA Domain, those workstations doesn't never
> > > have this error again, is that right?
> >
> > Yes, but I'm not guaranteeing anything. The point is that Ghost really
> > isn't the best solution for backing up DCs. The whole point of having two
> > DCs is so that one acts as a "living backup" of the other one. There is
> > little chance of losing both of them at the same time. You reinforce this
> > method with tape backups using "System State Backup". Ghost would be
> > alright as a last resort that you could fall back to if nothing else
> > worked,...but I would only bother doing the DC that runs the PDC Emulator.
> >
> > Ghost is best used for backing up Workstations in an *unjoined* state. You
> > would handle them by restoring with Ghost, renaming them, altering the SID
> > (with GhostWalker), then joining them to the Domain.
> >
> > --
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> > -----------------------------------------------------
> > Understanding the ISA 2004 Access Rule Processing
> > http://www.isaserver.org/articles/IS...cessRules.html
> >
> > Microsoft Internet Security & Acceleration Server: Guidance
> > http://www.microsoft.com/isaserver/t...dance/2004.asp
> > http://www.microsoft.com/isaserver/t...dance/2000.asp
> >
> > Microsoft Internet Security & Acceleration Server: Partners
> > http://www.microsoft.com/isaserver/partners/default.asp
> > -----------------------------------------------------
> >
> >
> >

>
>



 