Solved

Need Kerberos Help after removing a DC

Posted on 2008-06-18
4
214 Views
Last Modified: 2013-11-11
I recently removed a third "unused" domain controller from our Windows environment.  Apparently, it was in use from a Kerberos or Active Directory standpoint and now a handful of applications (BizTalk/SSO) are having trouble (lots of errors in the event logs, eg.).

I would post the Event Logs themselves, but the bottom line is that I'm in search of someone that can provide me with the layman's version of what might have happened and how I can most effectively repair the damage.
0
Comment
Question by:fshepherdci
  • 2
  • 2
4 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21814812
Did you do these things before removing the DC:

1.  Move any FSMO roles from that DC to another DC?
2.  Make sure you had another DC designated as a global catalog server?
3.  Make sure you changed the DNS settings for any machines on your domain that were set to use that DC as a DNS server?
4.  Run DCPROMO to demote the DC to a member server and allow time for replication of the change across your domain?

If you missed any of these steps, or any of these steps weren't successfully completed, it might be the cause of your problems.
0
 

Author Comment

by:fshepherdci
ID: 21814858
Thanks for the quick reply...I'll take a crack at each question to the best of my knowledge:

1.  I did not.  I attempted to do some of this with the resource kit after the removal.  It appeared that there were 5 primary roles related to the Global Catalog server, etc., and those 5 roles all appear to be assigned to the remaining two domain controllers.

2.  I did not make sure that this was the case.  The server that I removed was the third and final DC in our domain, so would it be safe to assume that server #1 or server #2 already held that role?

3.  All DNS settings that were manually assigned (i.e. servers) have been updated to exclude the deleted server; for the rest (i.e. workstations), DHCP has been updated to omit the deleted server.

4.  I did not demote the server with DCPROMO.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 250 total points
ID: 21814947
Responses:

1.  Probably OK.  If you show all 5 FSMO roles (Infrastructure, Operations Master, PDC Emulator, Schema Master and Domain Naming Master) as being assigned to other servers, you should be OK on this one.

2.  Not necessarily.  You can check this in the AD Sites and Services GUI - in the properties of the NTDS settings of each server.  Make sure at least one of them has the Global catalog checkbox on the General tab checked.

3.  Should be OK.

4.  This is probably the main source of your issues.  This is very bad, since it leaves remnants of the DC in Active Directory and DNS.  See this article about how to fix this and remove the traces from AD:

http://support.microsoft.com/kb/555846/en-us

This article refers to using ADSI Edit, which is one of the support tools that is installed from the Windows 2003 CD Support/Tools folder.  If you're not familiar with ADSI Edit, here's a place to start:

http://technet2.microsoft.com/WindowsServer/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true
0
 

Author Closing Comment

by:fshepherdci
ID: 31471024
Thanks for the suggestions.  It looks like I'm in the clear with everything.  It appears that some of my file permission problems are stemming from file system errors, which have typically been removed after a chkdsk.

If I discover more specific problems, I will open a cousin of this ticket then.  

Again, thank you for the concise answer and solid reference points.
FS
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question