Re: 1st DC in Small Domain Failed, _msdcs still points to 1st DC
- From: "chriss3 [MVP]" <christoffer@xxxxxxxx>
- Date: Wed, 4 Jun 2008 17:39:48 +0200
How old is the backup you restored of the DC? (Hopefully not older than 60 days) (or tombstone lifetime)
If so, shut down the restored DC and remove it using http://support.microsoft.com/kb/216498.
If not, you have to reset the secure channel.
How to use Netdom.exe to reset machine account passwords of a Windows 2000 Domain Controller
http://support.microsoft.com/default...;EN-US;q260575
How to use Netdom.exe to reset machine account passwords of a Windows Server 2003 Domain Controller
http://support.microsoft.com/default...b;en-us;325850
--
Regards
Christoffer Andersson
TrueSec - Executive Consultant
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.truesec.com
"Darius Sanders" <DariusSanders@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5ADDB099-9653-42A5-8B86-87B7026DE378@xxxxxxxxxxxxxxxx
Thanks for the info. Since the last post I was able to bring the old DC
backup and I have a new server on its way. I am less than confident in the
current server's ability to handle the task. With the old DC up I am getting
EventID 4 from Kerberos
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/dc01.mycompany..com. The target name used was . This indicates that the
password used to encrypt the kerberos service ticket is different than that
on the target server. Commonly, this is due to identically named machine
accounts in the target realm (MYCOMPANY.COM), and the client realm. Please
contact your system administrator."
on my second domain controller. I am not sure what this means and what I need
to do to clear it up so that I can proceed with moving the DC to a newer
server. Any insight would be much appreciated. Thanks.
--
Darius Sanders
"chriss3 [MVP]" wrote:
Hello.
1. Make sure that you remove the Domain Controller that failed from Active
Directory using metadata cleanup (If there is no possibility to use DCPROMO
to demote it)
FYI: http://support.microsoft.com/kb/216498
2. Seize the FSMO roles to another DC.
FYI: http://support.microsoft.com/kb/255504
3. Install Windows Server Support Tools (Found on your Windows Server CD)
and run the command nltest /dsregdns on your remaining DC. Review the _msdcs
zone and see if the record of the remaining DC is created. Clean up records
in your DNS zones from the failed DC. Make sure that the remaining DC is
made a name server for the zones.
--
Regards
Christoffer Andersson
TrueSec - Executive Consultant
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.truesec.com
"Darius Sanders" <DariusSanders@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:940EEB33-1285-4A83-8ED9-87DF8671429A@xxxxxxxxxxxxxxxx
> I have a situation where the first domain controller in our small, single
> site domain has suffered a substantial hardware problem and is not
> operational. We have a second domain controller that is running DNS and is
> operating as a Global Catalog. Active Directory seems to be operating
> normally for now even though the FSMO roles were on the failed machine.
> When I go into the forward lookup zone for the still operating DC and look
> under the _msdcs folder I see one entry for the server that has failed.
> Should that be modified to refer to the second DC that is still operational?
> If so, how is that accomplished? Any insight on this would be very much
> appreciated. Thanks in advance.
> --
> Darius Sanders
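Added example, not part of the thread: a small Python check for the "review the _msdcs zone" step, which lists records that still point at the failed DC and reports whether the remaining DC has its locator SRV record and an NS record. It assumes a master-file style text export of the zone; the host names, the GUID label and the sample zone are constructed.

```python
# Constructed sample export of an _msdcs zone (names are placeholders).
SAMPLE_ZONE = """\
; _msdcs zone export (constructed sample)
@                          NS     dc01.example.com.
_ldap._tcp.dc              600    SRV    0 100 389  dc01.example.com.
                           600    SRV    0 100 389  dc02.example.com.
_ldap._tcp.pdc             600    SRV    0 100 389  dc01.example.com.
_kerberos._tcp.dc          600    SRV    0 100 88   dc02.example.com.
0f1e2d3c-constructed-guid  600    CNAME  dc01.example.com.
"""

RR_TYPES = {"NS", "SRV", "CNAME", "A"}


def parse_zone(text):
    """Yield (owner, rtype, rdata_tokens) for each record line."""
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():                      # indented line: owner inherited
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                             # skip optional TTL / class
        if tokens and tokens[0].upper() in RR_TYPES:
            yield owner, tokens[0].upper(), tokens[1:]


def review_msdcs(text, failed_dc, surviving_dc):
    """Report stale references to failed_dc and the state of surviving_dc."""
    failed = failed_dc.lower().rstrip(".")
    alive = surviving_dc.lower().rstrip(".")
    report = {"stale": [], "surviving_dc_registered": False,
              "surviving_dc_is_ns": False}
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "A" or not rdata:
            continue
        target = rdata[-1].lower().rstrip(".")        # host is the last rdata field
        if target == failed:
            report["stale"].append((owner, rtype))
        elif target == alive and rtype == "NS":
            report["surviving_dc_is_ns"] = True
        elif target == alive and rtype == "SRV" and owner.lower() == "_ldap._tcp.dc":
            report["surviving_dc_registered"] = True
    return report


if __name__ == "__main__":
    print(review_msdcs(SAMPLE_ZONE, "dc01.example.com", "dc02.example.com"))
```

On the sample, every entry in `stale` is a candidate for cleanup, and `surviving_dc_is_ns` being false shows that the remaining DC still has to be made a name server for the zone.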