Solved

EMERGENCY>>>>STUPID MISTAKE!!!!

Posted on 2006-06-29
519 Views
Last Modified: 2012-06-27
This is a one horse shop, 2 servers, both domain controllers.  Named:  mail and company1 (name changed to protect the innocent)

By mistake, I built a new desktop and without thinking, wanting to use something generic, chose the name of one of the domain controllers.  I realized the mistake right away as it said there exists a duplicate name on the network.  I changed it right away, but now I'm getting Kerberos errors when replicating to the domain controller.  Checking AD, the DC stayed in the same OU, but was removed from the Domain Controllers group, and placed in the Domain Computers group.  I'm starting to see errors across the network with authentication.  I think most have been authenticating on this particular server.  The MS article said to remove all duplicate names, which has been done.  I have changed group membership of the DC and returned it to Domain Controllers, and removed it from Domain Computers.  But am afraid to reboot lest the server eat itself.  Am I safe to reboot?  I don't know if it is the global catalog host or not.
Question by:IDPInc
25 Comments
 
LVL 13

Expert Comment

by:itcoza
Well, don't feel alone.  One of our techs here did that once and we ended up having to re-do the Exchange server.  One hopes that the server that has been affected this time was not the Exchange server.

Do you have a system state available for the one DC that has been affected?  One option would be to restore the system state from yesterday and set the AD restore to be authoritative.  That way you get the AD back the way it was and also get the DC back into the domain the way it was.

I am looking for a good KB for the situation... but this is not one that happens very often.

Regards,
M
0
 

Author Comment

by:IDPInc
It was not an exchange server, just a DC.   I have a BackupDC.  One suggestion was to demote it and repromote it.  Will I run into any issues if it is the PDC or the Global Catalog server?
0
 
LVL 26

Expert Comment

by:Pber
Check your DNS since it was probably changed in DNS because the client would have registered the same name with a different IP.  Delete all the DNS references to the bad IP.

Also clean up WINS if you have it.  You should not have to do an Auth restore to fix this.
0
 

Author Comment

by:IDPInc
DNS is fine, it was never really affected.   The duplicate name was only for an instant.  
0
 
LVL 13

Expert Comment

by:itcoza
Ours was for 23 seconds... and that was all it needed.
0
 
LVL 26

Expert Comment

by:Pber
I can't believe this hooped your DC.  I'm going to have to test this out in the lab.

Have you used netdiag on the DC?
0
 

Author Comment

by:IDPInc
I ran a DC Diag on it.  

D:\Program Files\Support Tools>dcdiag /fixmachineaccount

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NDRI1
      Starting test: Connectivity
         ......................... NDRI1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NDRI1
      Starting test: Replications
         ......................... NDRI1 passed test Replications
      Starting test: NCSecDesc
         ......................... NDRI1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... NDRI1 passed test NetLogons
      Starting test: Advertising
         ......................... NDRI1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NDRI1 passed test KnowsOfRoleHold
      Starting test: RidManager
         ......................... NDRI1 passed test RidManager
      Starting test: MachineAccount
         * NDRI1 is not a server trust account
         Cannot repair the computer account flags. The error is 8341
         ......................... NDRI1 failed test MachineAccount
      Starting test: Services
         ......................... NDRI1 passed test Services
      Starting test: ObjectsReplicated
         ......................... NDRI1 passed test ObjectsReplicat
      Starting test: frssysvol
         ......................... NDRI1 passed test frssysvol
      Starting test: frsevent
         ......................... NDRI1 passed test frsevent
      Starting test: kccevent
         ......................... NDRI1 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 06/29/2006   15:49:37
            (Event String could not be retrieved)
         ......................... NDRI1 failed test systemlog
      Starting test: VerifyReferences
         ......................... NDRI1 passed test VerifyReference

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossR

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckS

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossR

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckS

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValida
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRe
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSD

   Running partition tests on : ndri
      Starting test: CrossRefValidation
         ......................... ndri passed test CrossRefValidati
      Starting test: CheckSDRefDom
         ......................... ndri passed test CheckSDRefDom

   Running enterprise tests on : ndri.com
      Starting test: Intersite
         ......................... ndri.com passed test Intersite
      Starting test: FsmoCheck
         ......................... ndri.com passed test FsmoCheck


Any thoughts?
0
 

Author Comment

by:IDPInc
Netdiag returned this error.  Anything Fatal can't be good!


Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for host/NDRI1.ndri.com.


If I rename the server,  I lose all of my shares, yes?
0
 
LVL 26

Expert Comment

by:Pber
On the computer object for the new DC, what does the Operating System tab indicate?  Also, does the Delegation tab have "Trust this computer for delegation to any service (Kerberos only)" selected?  If not, select it.
0
 

Author Comment

by:IDPInc
General Tab:  role:workstation or server
OS tab,  Windows Server 2003 v 5.2(3790) SP1
Member of:  It was Domain Computers, I changed it to Domain Controllers, but haven't rebooted since.

Delegation Tab:  Trust this computer for delegation to any service (kerberos only) is selected.
0
 

Author Comment

by:IDPInc
So, I'm thinking when I joined the workstation to the domain, I killed the SID associated with the DC of the same name.

Is there any general agreement that a DCPromo will work without having to change the name of the machine?

Will I have to change the name of my machine?

Any chance that a simple reboot will do it?

If I could assign 1000 points to this I would have.
0
 
LVL 26

Expert Comment

by:Pber
The machine will have to reboot to implement the group change.  If a reboot doesn't work, you might have to bring the other machine online and transfer the FSMO roles to it and then dcpromo this box to a server and back to a DC.
0
 
LVL 13

Expert Comment

by:itcoza
Hi,

This does sound like fun though.  It is unreal that a duplicate name on the network can cause such a problem, but it does.  And strangely, only with DCs and mail servers.  Well, that is our experience in any case.  We did duplicate the error in a lab after we had our incident and the same thing happened again.  This time we were prepared and all we did was to take the failed DC, system state restore to before the error was experienced, set the AD to restore in Authoritative mode and all was well again after that.


0
 
LVL 26

Expert Comment

by:Pber
This worries me...@#$!@#$ Microsoft.
0
 
LVL 13

Expert Comment

by:itcoza
Hey... look at it this way... if everything worked right all the time.... we wouldn't have jobs... and people would have nothing to talk about... think... now you can tell your friends about this interesting thing that happened to you... :)
0
 
LVL 9

Expert Comment

by:rpartington
Not a good answer really,
but IF you have VMware you can test your preferred option first by simulating your situation first,
then try your preferred fix.
Of course this is of no use if you don't have VMware or a test lab.

Authoritative Restore would be my preferred option in your situation,
after trying every other avenue first.

However, we have VMware to check this out; you may not.

http://support.microsoft.com/?kbid=914026

http://support.microsoft.com/default.aspx?scid=kb;en-us;321044

Also I used this today for a DC which I had cloned using VMWARE which gave me 2 identical 2003 DCs within VMWARE and I could not login to the 2nd one as it had the same SID as the original DC.
I used the following after logging into the troublesome DC using the LOCAL LOGIN and ran this tool which worked a treat and was so easy and extremely quick and fixed the problem instantly.

http://www.sysinternals.com/Utilities/NewSid.html
0
 

Author Comment

by:IDPInc
I had VMWare in my former job.  If I had VMware here, it would be a very different story.  

I'm trying the Auth Restore idea.  

I don't think it will work, cause I screwed up the computername/SID in AD, so the server itself can't really see AD.  I'm hesitant to rename the server knowing I'd lose all my shares.  Just what I need.  So I'll try this, and if it doesn't work.

DCPromo wouldn't work because it couldn't talk to the domain because the SID was toast.

Can't make it part of a workgroup because even though AD doesn't see it as a DC, it considers itself a DC.  You can't unjoin a DC from a domain.  Catch-22.

This wonderful additional tidbit.  My predecessors didn't think that System State needed to be backed up on a daily basis.  Only weekly.  So I have to go back to Monday (when I had to rerun a failed weekly backup from Friday).  So I will also lose any changes I've made in the last 4 days.

I hate it when a colossally stupid mistake ends up costing so much.  One click,  a neuron misfiring.  Had I fatfingered naming the workstation, none of this would have happened.  

Damn me and my thin fingers!!!
0
 

Author Comment

by:IDPInc
Well, none of that is going to work.  Can't log in to the box to do an authoritative restore.  It doesn't recognize domain log-ins when it comes to the box and as we all know, there are no local passwords on a DC.

It's completely related to the SID.  AD is looking for the servername with a particular SID, and it ain't there.  Can't rename the server for some other reason.  Can't unjoin as the server itself thinks it's a DC, DCPromo won't work cause it can't see AD, cause the SID is messed up.  I'm in quite a pickle here.  Just got done yelling at myself so it's a call to Microsoft.  And the windows won't open, so I can't jump. Pray for me everyone.
0
 
LVL 13

Expert Comment

by:itcoza
Do you have the AD restore mode password?  
You should be using the AD restore mode administrator account to gain access in restore mode.  You will get your SID back once you do the System State restore... promise.
0
 

Author Comment

by:IDPInc
I don't have the restore mode password.  It was all set up before I got here.  Only 3 weeks on the job.
0
 
LVL 13

Expert Comment

by:itcoza
They must have it documented somewhere... this is one of those things that just has to be there.... else it is re-install time...
0
 
LVL 13

Accepted Solution

by:
itcoza earned 350 total points
If you have access to the computer and you can log on...

You can do this:
-Take the server off the network (the not so alive one)
-run dcpromo /forceremoval (http://support.microsoft.com/default.aspx?scid=kb;en-us;332199)
-remove the computer from the domain (all while you are off the network)
-Now - restart in safe mode and do the system state restore...
-You will then have the server back on the domain...
-Retrieve the restore mode password (http://support.microsoft.com/kb/322672)
-Put the server (while it is off) back on the Network with the other server
-Start the server up in restore mode (you should have it now)
-Do an authoritative restore of AD
-Boot normally... your AD should self repair.

Else - reinstall.
0
 
LVL 13

Expert Comment

by:itcoza
Once you have the servers up and running, get the other servers restore mode password also.
0
 
LVL 15

Assisted Solution

by:harleyjd
harleyjd earned 150 total points
Have you tried netdom?

How to use Netdom.exe to reset machine account passwords of a Windows Server 2003 domain controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;325850


Netdom Overview
http://technet2.microsoft.com/WindowsServer/en/Library/460e3705-9e5d-4f9b-a139-44341090cfd41033.mspx?mfr=true
0
 

Author Comment

by:IDPInc
Thank you all for your help.  I worked through with Microsoft, and an authoritative restore was not necessary.

1. We had to reestablish the DC as a DC by making a change to its profile in ADSI Edit to change its category from computer to domain controller. (article 837513)

2. We Changed the 'UserAccountControl' value of SERVER1 to 532480 (article 837513)

3. We then stopped KDC and ran "netdom resetpwd /server:mail /userd: /passwordd:". We rebooted the DC and restarted KDC service. (article 837513)

4. DC came up fine with 1704 in its application log. We ran “dcdiag /q” to check if it passes all necessary tests..

5. We performed ‘metadata cleanup’ for DCs that did not exist anymore. (article 216498)

Thanks to you all. Fortunately there was no data or productivity loss.  So all around, a stupid mistake, but it cost only time and $245.
0
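The 532480 written into userAccountControl in the final comment is the sum of two documented flag bits, SERVER_TRUST_ACCOUNT (8192) and TRUSTED_FOR_DELEGATION (524288), and the dcdiag line "NDRI1 is not a server trust account" earlier in the thread is what you see when the first of those is missing. The Python below is an added illustration, not code from the thread or from Microsoft's tools: it decodes a userAccountControl value, runs a simplified version of the MachineAccount check, and computes the repaired value; the sample objects and the `NDRI1$` label are constructed.

```python
"""Decode and check the Active Directory userAccountControl value on a
domain controller's computer object. Added example, not from the thread;
bit values are the documented ADS_USER_FLAG constants, sample objects
are constructed to mirror the thread's situation."""

# Documented userAccountControl bits relevant to machine accounts.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096: ordinary domain member PC
SERVER_TRUST_ACCOUNT = 0x2000        # 8192: domain controller
TRUSTED_FOR_DELEGATION = 0x80000     # 524288: the Delegation tab setting

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

# The value the thread's fix wrote back: 8192 + 524288 = 532480.
DC_EXPECTED = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION


def decode(uac):
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def machine_account_check(sam_account_name, uac):
    """Simplified MachineAccount test: a DC object must carry
    SERVER_TRUST_ACCOUNT and must not look like a member PC."""
    findings = []
    if not uac & SERVER_TRUST_ACCOUNT:
        findings.append(f"{sam_account_name} is not a server trust account")
    if uac & WORKSTATION_TRUST_ACCOUNT:
        findings.append(f"{sam_account_name} carries WORKSTATION_TRUST_ACCOUNT")
    if not uac & TRUSTED_FOR_DELEGATION:
        findings.append(f"{sam_account_name} is not trusted for delegation")
    return findings


def repaired_value(uac):
    """Value to write back: drop the workstation bit, set the DC bits,
    leave any other bit (e.g. an explicit disable) as it was."""
    return (uac & ~WORKSTATION_TRUST_ACCOUNT) | DC_EXPECTED


# Constructed samples: a healthy DC object, and the same object after a
# member PC carrying the DC's name was joined over it.
SAMPLES = {"NDRI1$ (healthy)": 532480, "NDRI1$ (after duplicate join)": 4096}

if __name__ == "__main__":
    for label, uac in SAMPLES.items():
        print(label, decode(uac), machine_account_check(label, uac))
```

The check is deliberately narrower than dcdiag, which also verifies the account's DNS and SPN registrations; the point is the bit arithmetic behind the 532480 value.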
