• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 222
  • Last Modified:

Need Kerberos Help after removing a DC

I recently removed a third "unused" domain controller from our Windows environment.  Apparently, it was in use from a Kerberos or Active Directory standpoint and now a handful of applications (BizTalk/SSO) are having trouble (lots of errors in the event logs, eg.).

I would post the Event Logs themselves, but the bottom line is that I'm in search of someone that can provide me with the layman's version of what might have happened and how I can most effectively repair the damage.
0
fshepherdci
Asked:
fshepherdci
  • 2
  • 2
1 Solution
 
Hypercat (Deb)Commented:
Did you do these things before removing the DC:

1.  Move any FSMO roles from that DC to another DC?
2.  Make sure you had another DC designated as a global catalog server?
3.  Make sure you changed the DNS settings for any machines on your domain that were set to use that DC as a DNS server?
4.  Run DCPROMO to demote the DC to a member server and allow time for replication of the change across your domain?

If you missed any of these steps, or any of these steps weren't successfully completed, it might be the cause of your problems.
0
 
fshepherdciAuthor Commented:
Thanks for the quick reply...I'll take a crack at each question to the best of my knowledge:

1.  I did not.  I attempted to do some of this with the resource kit after the removal.  It appeared that there were 5 primary roles related to the Global Catalog server, etc., and those 5 roles all appear to be assigned to the remaining two domain controllers.

2.  I did not make sure that this was the case.  The server that I removed was the third and final DC in our domain, so would it be safe to assume that server #1 or server #2 already held that role?

3.  All DNS settings that were manually assigned (i.e. servers) have been updated to exclude the deleted server; for the rest (i.e. workstations), DHCP has been updated to omit the deleted server.

4.  I did not demote the server with DCPROMO.
0
 
Hypercat (Deb)Commented:
Responses:

1.  Probably OK.  If you show all 5 FSMO roles (Infrastructure, Operations Master, PDC Emulator, Schema Master and Domain Naming Master) as being assigned to other servers, you should be OK on this one.

2.  Not necessarily.  You can check this in the AD Sites and Services GUI - in the properties of the NTDS settings of each server.  Make sure at least one of them has the Global catalog checkbox on the General tab checked.

3.  Should be OK.

4.  This is probably the main source of your issues.  This is very bad, since it leaves remnants of the DC in Active Directory and DNS.  See this article about how to fix this and remove the traces from AD:

http://support.microsoft.com/kb/555846/en-us

This article refers to using ADSI Edit, which is one of the support tools that is installed from the Windows 2003 CD Support/Tools folder.  If you're not familiar with ADSI Edit, here's a place to start:

http://technet2.microsoft.com/WindowsServer/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true
0
 
fshepherdciAuthor Commented:
Thanks for the suggestions.  It looks like I'm in the clear with everything.  It appears that some of my file permission problems are stemming from file system errors, which have typically been removed after a chkdsk.

If I discover more specific problems, I will open a cousin of this ticket then.  

Again, thank you for the concise answer and solid reference points.
FS
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now