1st DC in Small Domain Failed, _msdcs still points to 1st DC

Discussion in 'Active Directory' started by Darius Sanders, Jun 3, 2008.

  1. I have a situation where the first domain controller in our small, single
    site domain has suffered a substantial hardware problem and is not
    operational. We have a second domain controller that is running DNS and is
    operating as a Global Catalog. Active Directory seems to be operating
    normally for now even though the FSMO roles were on the failed machine. When I
    go into the forward lookup zone for the still operating DC and look under
    the _msdcs folder I see one entry for the server that has failed. Should that
    be modified to refer to the second DC that is still operational? If so, how
    is that accomplished? Any insight on this would be very much appreciated.
    Thanks in advance.
     
    Darius Sanders, Jun 3, 2008
    #1

  2. Hello.

    1. Make sure that you remove the Domain Controller that failed from Active
    Directory using metadata cleanup (If there is no possibility to use DCPROMO
    to demote it)
    FYI: http://support.microsoft.com/kb/216498

    2. Seize the FSMO roles to another DC.
    FYI: http://support.microsoft.com/kb/255504

    3. Install Windows Server Support Tools (found on your Windows Server CD)
    and run the command nltest /dsregdns on your remaining DC. Review the _msdcs
    zone and see if the record of the remaining DC is created. Clean up records
    in your DNS zones from the failed DC. Make sure that the remaining DC is
    made a name server for the zones.

    --
    Regards
    Christoffer Andersson
    TrueSec - Executive Consultant
    Microsoft MVP - Directory Services


    No email replies please - reply in the newsgroup
     
    chriss3 [MVP], Jun 3, 2008
    #2
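The three steps in the reply above, as they would be typed on the surviving DC. This is an added example and not part of the original thread or of the KB articles it links; the names are assumptions (DC02 is the surviving DC where this runs, DC01 the failed one, mycompany.com the domain and zone, Default-First-Site-Name the site). ntdsutil accepts its interactive commands as quoted arguments, so each step can be run on one line and captured in a log.

```powershell
# Added example, not from the original thread. Assumed names:
#   DC02                    surviving DC (this script runs here)
#   DC01                    failed DC being removed
#   mycompany.com           AD domain; _msdcs is a folder in that zone
#   Default-First-Site-Name the single site
$Domain   = 'mycompany.com'
$Survivor = 'DC02'
$Failed   = 'DC01'
$DomainDN = 'DC=mycompany,DC=com'
$Site     = 'Default-First-Site-Name'

# 0. Record who AD thinks holds the roles before changing anything.
netdom query fsmo

# 1. Metadata cleanup (KB 216498): remove the failed DC's NTDS Settings and
#    server objects. "remove selected server" with a DN (2003 SP1 and later)
#    avoids the interactive list/select by index described in the KB.
$ServerDN = "CN=$Failed,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"
ntdsutil "metadata cleanup" "connections" "connect to server $Survivor" "quit" `
         "remove selected server $ServerDN" "quit" "quit"

# 2. Seize the five FSMO roles (KB 255504). Each seize first tries a clean
#    transfer and only seizes when the old holder cannot be reached; ntdsutil
#    pops a confirmation dialog for every role. The failed DC must never be
#    brought back online after this without being rebuilt.
ntdsutil "roles" "connections" "connect to server $Survivor" "quit" `
         "seize schema master" "seize domain naming master" "seize RID master" `
         "seize PDC" "seize infrastructure master" "quit" "quit"
netdom query fsmo        # all five roles should now show $Survivor

# 3. DNS. Re-register the surviving DC's own locator records ...
nltest /dsregdns

# ... then look for anything under _msdcs, or among the zone's NS records,
# that still names the failed DC.
dnscmd $Survivor /EnumRecords $Domain _msdcs /Child | Select-String $Failed
dnscmd $Survivor /EnumRecords $Domain '@' /Type NS

# Remove the failed DC as a name server and make sure the survivor is one.
dnscmd $Survivor /RecordDelete $Domain '@' NS "$Failed.$Domain." /f
dnscmd $Survivor /RecordAdd    $Domain '@' NS "$Survivor.$Domain."

# The _msdcs folder holds a <DSA-GUID>._msdcs CNAME per DC. Take the stale
# node name from the EnumRecords output above and delete it; the value
# below is a placeholder, not a real GUID.
$StaleNode = '<dsa-guid-of-DC01>._msdcs'
dnscmd $Survivor /RecordDelete $Domain $StaleNode CNAME /f

# 4. Verify: the locator must resolve to the survivor, and dcdiag must agree
#    on the role holders and the DNS registrations.
nltest /dsgetdc:$Domain
dcdiag /test:knowsofroleholders /v
dcdiag /test:dns
```

Run the enumeration lines first and read the output before the delete lines; the `/f` on `RecordDelete` suppresses the confirmation prompt, so a mistyped node name removes the wrong record silently.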

  3. Thanks for the info. Since the last post I was able to bring the old DC
    back up and I have a new server on its way. I am less than confident in the
    current server's ability to handle the task. With the old DC up I am getting
    EventID 4 from Kerberos

    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    host/dc01.mycompany.com. The target name used was . This indicates that the
    password used to encrypt the Kerberos service ticket is different than that
    on the target server. Commonly, this is due to identically named machine
    accounts in the target realm (MYCOMPANY.COM), and the client realm. Please
    contact your system administrator."

    on my second domain controller. I am not sure what this means and what I need
    to do to clear it up so that I can proceed with moving the DC to a newer
    server. Any insight would be much appreciated. Thanks.
    --
    Darius Sanders


     
    Darius Sanders, Jun 4, 2008
    #3
  4. How old is the backup you restored of the DC? (Hopefully not older than 60
    days, or the tombstone lifetime.)
    If so, shut down the restored DC and remove it using
    http://support.microsoft.com/kb/216498.

    If not, you have to reset the secure channel.

    How to use Netdom.exe to reset machine account passwords of a Windows 2000
    Domain Controller
    http://support.microsoft.com/default...;EN-US;q260575
    How to use Netdom.exe to reset machine account passwords of a Windows Server
    2003 Domain Controller
    http://support.microsoft.com/default...b;en-us;325850

    --
    Regards
    Christoffer Andersson
    TrueSec - Executive Consultant
    Microsoft MVP - Directory Services


    No email replies please - reply in the newsgroup
    ------------------------------------------------

    http://www.truesec.com

     
    chriss3 [MVP], Jun 4, 2008
    #4
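The two checks and the secure-channel reset from the reply above, as they would be typed on the restored DC. This is an added example and not part of the original thread or of the KB articles it links; the names are assumptions (DC01 is the restored DC where this runs, DC02 the healthy DC, mycompany.com the domain, MYCOMPANY\Administrator the domain admin account).

```powershell
# Added example, not from the original thread. Assumed names:
#   DC01                      restored DC (this script runs here)
#   DC02                      healthy DC that has been up the whole time
#   mycompany.com             AD domain
#   MYCOMPANY\Administrator   domain admin used for the password reset
$Domain   = 'mycompany.com'
$DomainDN = 'DC=mycompany,DC=com'
$Healthy  = 'DC02'
$Admin    = 'MYCOMPANY\Administrator'

# 1. Tombstone lifetime. The attribute is not set on forests created before
#    Windows Server 2003 SP1; an empty result means the default of 60 days.
$cfgDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$DomainDN"
dsquery * $cfgDN -scope base -attr tombstoneLifetime

# 2. How stale is this DC? "Last attempt" / "Last success" per partner show
#    when it last replicated. If that is older than the tombstone lifetime,
#    STOP here: shut the DC down and do metadata cleanup (KB 216498) instead
#    of reviving it, because it can reintroduce deleted objects.
repadmin /showrepl $env:COMPUTERNAME

# 3. Otherwise reset the DC's machine account password (KB 325850). The KDC
#    must be stopped first so this DC cannot issue tickets with the old key,
#    and cached tickets are purged so nothing presents one encrypted with it.
net stop kdc
klist purge                         # kerbtray.exe on 2003 Support Tools does the same
netdom resetpwd /server:$Healthy /userd:$Admin /passwordd:*
net start kdc                       # the KB recommends a full restart instead

# 4. Verify the secure channel and that replication with the healthy DC works.
nltest /sc_query:$Domain
repadmin /replicate $env:COMPUTERNAME $Healthy $DomainDN
repadmin /showrepl $env:COMPUTERNAME

# 5. On the healthy DC, the Kerberos event ID 4 entries should stop appearing.
Get-EventLog -ComputerName $Healthy -LogName System -Source Kerberos -Newest 10
```

The order matters: the reset is performed against the healthy DC over an authenticated channel, so `netdom resetpwd` must name a DC other than the one being fixed, and the KDC on the restored DC stays down until the new password is in place.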
  5. Thanks for the input. I followed the directions in the KB articles and the
    problem is now fixed. Thanks again.
     
    Darius Sanders, Jun 4, 2008
    #5