Re: 1st DC in Small Domain Failed, _msdcs still points to 1st DC



Thanks for the info. Since the last post I was able to bring the old DC
back up and I have a new server on its way. I am less than confident in the
current server's ability to handle the task. With the old DC up I am getting
EventID 4 from Kerberos

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/dc01.mycompany..com. The target name used was . This indicates that the
password used to encrypt the kerberos service ticket is different than that
on the target server. Commonly, this is due to identically named machine
accounts in the target realm (MYCOMPANY.COM), and the client realm. Please
contact your system administrator."

on my second domain controller. I am not sure what this means and what I need
to do to clear it up so that I can proceed with moving the DC to a newer
server. Any insight would be much appreciated. Thanks.
--
Darius Sanders


"chriss3 [MVP]" wrote:

Hello.

1. Make sure that you remove the Domain Controller that failed from Active
Directory using metadata cleanup (If there is no possibility to use DCPROMO
to demote it)
FYI: http://support.microsoft.com/kb/216498

2. Seize the FSMO roles to another DC.
FYI: http://support.microsoft.com/kb/255504

3. Install Windows Server Support Tools (Found on your Windows Server CD)
and run the command nltest /dsregdns on your remaining DC. Review the _msdcs
zone and see if the record of the remaining DC is created. Clean up records
in your DNS zones from the failed DC. Make sure that the remaining DC is
made a name server for the zones.

--
Regards
Christoffer Andersson
TrueSec - Executive Consultant
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup
------------------------------------------------

http://www.truesec.com

"Darius Sanders" <DariusSanders@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:940EEB33-1285-4A83-8ED9-87DF8671429A@xxxxxxxxxxxxxxxx
I have a situation where the first domain controller in our small, single
site domain, has suffered a substantial hardware problem and is not
operational. We have a second domain controller that is running DNS and is
operating as a Global Catalog. Active directory seems to be operating
normally for now even though the fsmo roles were on the failed machine.
When I go into the forward look up zone for the still operating DC and look
under the _msdcs folder I see one entry for the server that has failed.
Should that be modified to refer to the second DC that is still operational?
If so, how is that accomplished? Any insight on this would be very much
appreciated. Thanks in advance.
--
Darius Sanders
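
Added example, not part of the original thread: one way to do the "review the _msdcs zone" check from step 3 after running nltest /dsregdns, by listing the DC locator SRV records and the _msdcs name servers and flagging any that still point at a host other than the DCs in service. It assumes a system with the Resolve-DnsName cmdlet; the function name and dc02.mycompany.com are placeholders chosen for illustration.

```powershell
# Added illustration. Function name and sample host names are assumptions.
function Find-StaleDcLocatorRecord {
    param(
        [Parameter(Mandatory)] [string]   $DnsDomain,  # e.g. mycompany.com
        [Parameter(Mandatory)] [string[]] $LiveDc,     # FQDNs of DCs still in service
        [string] $Server                               # DNS server to ask (optional)
    )
    $live = $LiveDc | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() }
    # Locator records that clients use to find a DC, the PDC emulator and a GC,
    # plus the name servers of the _msdcs zone or delegation itself.
    $checks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$DnsDomain";     Type = 'SRV'; Field = 'NameTarget' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$DnsDomain"; Type = 'SRV'; Field = 'NameTarget' }
        @{ Name = "_ldap._tcp.pdc._msdcs.$DnsDomain";    Type = 'SRV'; Field = 'NameTarget' }
        @{ Name = "_ldap._tcp.gc._msdcs.$DnsDomain";     Type = 'SRV'; Field = 'NameTarget' }
        @{ Name = "_msdcs.$DnsDomain";                   Type = 'NS';  Field = 'NameHost' }
    )
    foreach ($c in $checks) {
        $query = @{ Name = $c.Name; Type = $c.Type; DnsOnly = $true
                    ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        # Keep only the answer records; A records in the additional section are dropped.
        $answers = Resolve-DnsName @query | Where-Object { $_.Type -eq $c.Type }
        if (-not $answers) {
            [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Target = $null
                               Status = 'MISSING' }
            continue
        }
        foreach ($a in $answers) {
            $target = ([string]$a.($c.Field)).TrimEnd('.').ToLowerInvariant()
            [pscustomobject]@{
                Record = $c.Name
                Type   = $c.Type
                Target = $target
                # STALE = record points at a host that is not in the live DC list
                Status = if ($live -contains $target) { 'ok' } else { 'STALE' }
            }
        }
    }
}

# Example call with placeholder names: list everything that needs attention.
Find-StaleDcLocatorRecord -DnsDomain 'mycompany.com' -LiveDc 'dc02.mycompany.com' |
    Where-Object Status -ne 'ok' | Format-Table -AutoSize
```

A MISSING result for the remaining DC means its registration did not succeed; a STALE result is a leftover record from the failed DC to clean up.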
