fshepherdci
asked on
Need Kerberos Help after removing a DC
I recently removed a third "unused" domain controller from our Windows environment. Apparently, it was in use from a Kerberos or Active Directory standpoint and now a handful of applications (BizTalk/SSO) are having trouble (lots of errors in the event logs, eg.).
I would post the Event Logs themselves, but the bottom line is that I'm in search of someone that can provide me with the layman's version of what might have happened and how I can most effectively repair the damage.
I would post the Event Logs themselves, but the bottom line is that I'm in search of someone that can provide me with the layman's version of what might have happened and how I can most effectively repair the damage.
ASKER
Thanks for the quick reply...I'll take a crack at each question to the best of my knowledge:
1. I did not. I attempted to do some of this with the resource kit after the removal. It appeared that there were 5 primary roles related to the Global Catalog server, etc., and those 5 roles all appear to be assigned to the remaining two domain controllers.
2. I did not make sure that this was the case. The server that I removed was the third and final DC in our domain, so would it be safe to assume that server #1 or server #2 already held that role?
3. All DNS settings that were manually assigned (i.e. servers) have been updated to exclude the deleted server; for the rest (i.e. workstations), DHCP has been updated to omit the deleted server.
4. I did not demote the server with DCPROMO.
1. I did not. I attempted to do some of this with the resource kit after the removal. It appeared that there were 5 primary roles related to the Global Catalog server, etc., and those 5 roles all appear to be assigned to the remaining two domain controllers.
2. I did not make sure that this was the case. The server that I removed was the third and final DC in our domain, so would it be safe to assume that server #1 or server #2 already held that role?
3. All DNS settings that were manually assigned (i.e. servers) have been updated to exclude the deleted server; for the rest (i.e. workstations), DHCP has been updated to omit the deleted server.
4. I did not demote the server with DCPROMO.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the suggestions. It looks like I'm in the clear with everything. It appears that some of my file permission problems are stemming from file system errors, which have typically been removed after a chkdsk.
If I discover more specific problems, I will open a cousin of this ticket then.
Again, thank you for the concise answer and solid reference points.
FS
If I discover more specific problems, I will open a cousin of this ticket then.
Again, thank you for the concise answer and solid reference points.
FS
1. Move any FSMO roles from that DC to another DC?
2. Make sure you had another DC designated as a global catalog server?
3. Make sure you changed the DNS settings for any machines on your domain that were set to use that DC as a DNS server?
4. Run DCPROMO to demote the DC to a member server and allow time for replication of the change across your domain?
If you missed any of these steps, or any of these steps weren't successfully completed, it might be the cause of your problems.