Solved

Need Kerberos Help after removing a DC

Posted on 2008-06-18
Last Modified: 2013-11-11
I recently removed a third "unused" domain controller from our Windows environment.  Apparently, it was in use from a Kerberos or Active Directory standpoint and now a handful of applications (BizTalk/SSO) are having trouble (lots of errors in the event logs, e.g.).

I would post the Event Logs themselves, but the bottom line is that I'm in search of someone that can provide me with the layman's version of what might have happened and how I can most effectively repair the damage.
Question by:fshepherdci
4 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21814812
Did you do these things before removing the DC:

1.  Move any FSMO roles from that DC to another DC?
2.  Make sure you had another DC designated as a global catalog server?
3.  Make sure you changed the DNS settings for any machines on your domain that were set to use that DC as a DNS server?
4.  Run DCPROMO to demote the DC to a member server and allow time for replication of the change across your domain?

If you missed any of these steps, or any of these steps weren't successfully completed, it might be the cause of your problems.

Author Comment

by:fshepherdci
ID: 21814858
Thanks for the quick reply...I'll take a crack at each question to the best of my knowledge:

1.  I did not.  I attempted to do some of this with the resource kit after the removal.  It appeared that there were 5 primary roles related to the Global Catalog server, etc., and those 5 roles all appear to be assigned to the remaining two domain controllers.

2.  I did not make sure that this was the case.  The server that I removed was the third and final DC in our domain, so would it be safe to assume that server #1 or server #2 already held that role?

3.  All DNS settings that were manually assigned (i.e. servers) have been updated to exclude the deleted server; for the rest (i.e. workstations), DHCP has been updated to omit the deleted server.

4.  I did not demote the server with DCPROMO.
LVL 38

Accepted Solution

by:Hypercat (Deb) earned 1000 total points
ID: 21814947
Responses:

1.  Probably OK.  If you show all 5 FSMO roles (Infrastructure, Operations Master, PDC Emulator, Schema Master and Domain Naming Master) as being assigned to other servers, you should be OK on this one.

2.  Not necessarily.  You can check this in the AD Sites and Services GUI - in the properties of the NTDS settings of each server.  Make sure at least one of them has the Global catalog checkbox on the General tab checked.

3.  Should be OK.

4.  This is probably the main source of your issues.  This is very bad, since it leaves remnants of the DC in Active Directory and DNS.  See this article about how to fix this and remove the traces from AD:

http://support.microsoft.com/kb/555846/en-us

This article refers to using ADSI Edit, which is one of the support tools that is installed from the Windows 2003 CD Support/Tools folder.  If you're not familiar with ADSI Edit, here's a place to start:

http://technet2.microsoft.com/WindowsServer/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true
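The four checks in the accepted answer (FSMO holders, global catalog, DNS records, leftover DC metadata) can be verified from a single read-only script. The following is an added example, not code from the thread or from either participant; it assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows Server 2008 R2 or later, so it does not apply to the original 2003 support-tools workflow), a domain-joined administrative session, and a placeholder name for the decommissioned DC that you must replace. The cmdlets used (Get-ADForest, Get-ADDomain, Get-ADDomainController, Get-ADRootDSE, Get-ADObject, Resolve-DnsName) are standard; everything else is constructed for this illustration.

```powershell
# Added example (not from the original thread): read-only post-removal health check.
# Assumes: ActiveDirectory + DnsClient modules, run as a domain admin on a domain member.
param(
    # Placeholder: short hostname of the DC that was removed without DCPROMO.
    [string]$RemovedDcName = 'OLD-DC03'
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO roles: all five must be held by DCs that still exist.
#    (Schema and Domain Naming are forest-wide; RID, PDC and Infrastructure are per domain.)
$fsmo = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.GetEnumerator()) {
    $flag = if ($role.Value -like "$RemovedDcName*") { '  <-- still held by the removed DC' } else { '' }
    '{0,-22} {1}{2}' -f $role.Key, $role.Value, $flag
}

# 2. Global catalog: at least one remaining DC must advertise as a GC,
#    otherwise universal-group and UPN logons (and Kerberos ticket requests) fail.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, IsGlobalCatalog, Site | Format-Table -AutoSize
if (-not ($dcs | Where-Object { $_.IsGlobalCatalog })) {
    Write-Warning 'No remaining DC is a global catalog; enable one under NTDS Settings > General in AD Sites and Services.'
}

# 3. DNS: DC locator SRV records that still name the removed DC mean clients
#    keep being referred to a server that no longer answers.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
$stale = $srv | Where-Object { $_.NameTarget -like "$RemovedDcName.*" }
if ($stale) {
    Write-Warning ("Stale DC SRV record(s) still point at {0}: {1}" -f $RemovedDcName, ($stale.NameTarget -join ', '))
}

# 4. Leftover metadata: a server object under CN=Sites that still carries an
#    NTDS Settings (nTDSDSA) child for a DC that no longer exists is exactly
#    what the metadata-cleanup article removes.
$configNC = (Get-ADRootDSE).configurationNamingContext
$servers  = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)'
$report   = foreach ($s in $servers) {
    $ntds = Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    [pscustomobject]@{
        Server          = $s.Name
        HasNtdsSettings = [bool]$ntds
        IsRemovedDc     = ($s.Name -eq $RemovedDcName)
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.IsRemovedDc -and $_.HasNtdsSettings }) {
    Write-Warning "Server object for $RemovedDcName still has NTDS Settings: AD metadata cleanup has not been done."
}
```

Nothing in the script changes the directory; it only reports. If section 4 flags the removed DC, the fix is the metadata cleanup procedure the answer links to, followed by removing any lingering DNS records the script found in section 3, then allowing replication to converge before re-running the check.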

Author Closing Comment

by:fshepherdci
ID: 31471024
Thanks for the suggestions.  It looks like I'm in the clear with everything.  It appears that some of my file permission problems are stemming from file system errors, which have typically been removed after a chkdsk.

If I discover more specific problems, I will open a cousin of this ticket then.

Again, thank you for the concise answer and solid reference points.
FS