1st DC in Small Domain Failed, _msdcs still points to 1st DC

I have a situations were the first domain controller in our small, single
site domain, has suffered a substantial hardware problem and is not
operational. We have a second domain controller that is running DNS and is
operating as a Global Catalog. Active directory seems to be operating
normally for now even though the fsmo roles wer on the failed machine. When I
go into the forward look up zone for the still operating DC and look under
the _msdcs folder I see one entry for the server that has failed. Should that
be modified to refer to the second DC that is still operational? If so, how
is that accomplished. Any insight on this would be very much appreciated.
Thanks in advance.

 

Hello.

1. Make sure that you remove the Domain Controller that failed from Active
Directory using metadata cleanup (If there is no possibility to use DCPROMO
to demote it)
FYI: http://support.microsoft.com/kb/216498

2. Seize the FSMO roles to an other DC.
FYI: http://support.microsoft.com/kb/255504

3. Install Windows Server Support Tools (Found on your Windows Server CD)
and run the command nltest /dsregdns on your remaining DC. Review the _msdcs
zone and see of the record of the remaining DC is created.. Clean up records
in your DNS zones from the failed DC. Make sure that the remaining DC is
made a name server for the zones.

--
Regards
Christoffer Andersson
TrueSec - Executive Consultant
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup

 

Thanks for the info. Since the last post I was able to bring the old DC
backup and I have a new server on its way. I am less than confident in the
current servers ability to handle the task. WIth the old DC up I am getting
EventID 4 from Kerberos

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/dc01.mycompany..com. The target name used was . This indicates that the
password used to encrypt the kerberos service ticket is different than that
on the target server. Commonly, this is due to identically named machine
accounts in the target realm (MYCOMPANY.COM), and the client realm. Please
contact your system administrator."

on my second domain contoller. I am not sure what this means and what I need
to do to clear it up so that I can proceed with moving the DC to a newer
server. Any insight would be much appreciated. Thanks.
--
Darius Sanders

 

How old is the backup you restored of the DC? (Hopefully not older than 60
days) (or tombstone lifetime)
If so. Shutdown the restored DC and remove it using
http://support.microsoft.com/kb/216498.

If not. You have to reset the secure channel.

How to use Netdom.exe to reset machine account passwords of a Windows 2000
Domain Controller
http://support.microsoft.com/default...;EN-US;q260575
How to use Netdom.exe to reset machine account passwords of a Windows Server
2003 Domain Controller
http://support.microsoft.com/default...b;en-us;325850

--
Regards
Christoffer Andersson
TrueSec - Executive Consultant
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup
------------------------------------------------

http://www.truesec.com

 

Thanks for the input. I followed the directions in the KB articles and the
problem is now fixed. Thanks again.