Solved

Need Kerberos Help after removing a DC

Posted on 2008-06-18
4
217 Views
Last Modified: 2013-11-11
I recently removed a third "unused" domain controller from our Windows environment.  Apparently, it was in use from a Kerberos or Active Directory standpoint and now a handful of applications (BizTalk/SSO) are having trouble (lots of errors in the event logs, eg.).

I would post the Event Logs themselves, but the bottom line is that I'm in search of someone that can provide me with the layman's version of what might have happened and how I can most effectively repair the damage.
0
Comment
Question by:fshepherdci
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21814812
Did you do these things before removing the DC:

1.  Move any FSMO roles from that DC to another DC?
2.  Make sure you had another DC designated as a global catalog server?
3.  Make sure you changed the DNS settings for any machines on your domain that were set to use that DC as a DNS server?
4.  Run DCPROMO to demote the DC to a member server and allow time for replication of the change across your domain?

If you missed any of these steps, or any of these steps weren't successfully completed, it might be the cause of your problems.
0
 

Author Comment

by:fshepherdci
ID: 21814858
Thanks for the quick reply...I'll take a crack at each question to the best of my knowledge:

1.  I did not.  I attempted to do some of this with the resource kit after the removal.  It appeared that there were 5 primary roles related to the Global Catalog server, etc., and those 5 roles all appear to be assigned to the remaining two domain controllers.

2.  I did not make sure that this was the case.  The server that I removed was the third and final DC in our domain, so would it be safe to assume that server #1 or server #2 already held that role?

3.  All DNS settings that were manually assigned (i.e. servers) have been updated to exclude the deleted server; for the rest (i.e. workstations), DHCP has been updated to omit the deleted server.

4.  I did not demote the server with DCPROMO.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 250 total points
ID: 21814947
Responses:

1.  Probably OK.  If you show all 5 FSMO roles (Infrastructure, Operations Master, PDC Emulator, Schema Master and Domain Naming Master) as being assigned to other servers, you should be OK on this one.

2.  Not necessarily.  You can check this in the AD Sites and Services GUI - in the properties of the NTDS settings of each server.  Make sure at least one of them has the Global catalog checkbox on the General tab checked.

3.  Should be OK.

4.  This is probably the main source of your issues.  This is very bad, since it leaves remnants of the DC in Active Directory and DNS.  See this article about how to fix this and remove the traces from AD:

http://support.microsoft.com/kb/555846/en-us

This article refers to using ADSI Edit, which is one of the support tools that is installed from the Windows 2003 CD Support/Tools folder.  If you're not familiar with ADSI Edit, here's a place to start:

http://technet2.microsoft.com/WindowsServer/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true
0
 

Author Closing Comment

by:fshepherdci
ID: 31471024
Thanks for the suggestions.  It looks like I'm in the clear with everything.  It appears that some of my file permission problems are stemming from file system errors, which have typically been removed after a chkdsk.

If I discover more specific problems, I will open a cousin of this ticket then.  

Again, thank you for the concise answer and solid reference points.
FS
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question