Link to home
Start Free TrialLog in
Avatar of msCCare
msCCare

asked on

Domain Controller off network for a few months

We have a domain controller that has been off of the network for a few months and we recently put it back on.  We attempted to demote it to a member server but received the following message:

Logon Failure: The target account name is incorrect

I have been seeing a lot of conflicting advice on removing it with people saying that you should not run a dcpromo /forceremoval and others saying you should.  Keep in mind the server has been added back onto the network.  Some users were having logon problems and kerberos errors.  Turning the server off makes everything ok.  Should we treat it as an orphaned domain controller and never put it back onto the network and clean up metadata? or should we try to properly demote it so it cleans up all that junk on its own?

Here are the results of a dcdiag.exe:
Domain Controller Diagnosis
 
Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
   
   Testing server: Default-First-Site-Name\NYDC01
      Starting test: Connectivity
         ......................... NYDC01 passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\NYDC01
      Starting test: Replications
         [Replications Check,NYDC01] A recent replication attempt failed:
            From CTDATA01 to NYDC01
            Naming Context: DC=DomainDnsZones,DC=sciameco,DC=sciame,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2009-02-13 08:58:01.
            The last success occurred at 2009-02-11 10:48:49.
            59 failures have occurred since the last success.
         [CTDATA01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,NYDC01] A recent replication attempt failed:
            From CTDATA01 to NYDC01
            Naming Context: DC=ForestDnsZones,DC=sciameco,DC=sciame,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2009-02-13 08:58:01.
            The last success occurred at 2009-02-12 20:38:03.
            13 failures have occurred since the last success.
         [Replications Check,NYDC01] A recent replication attempt failed:
            From CTDATA01 to NYDC01
            Naming Context: CN=Schema,CN=Configuration,DC=sciameco,DC=sciame,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2009-02-13 08:58:44.
            The last success occurred at 2009-02-11 10:51:33.
            48 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,NYDC01] A recent replication attempt failed:
            From CTDATA01 to NYDC01
            Naming Context: CN=Configuration,DC=sciameco,DC=sciame,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2009-02-13 08:58:23.
            The last success occurred at 2009-02-12 20:37:57.
            13 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,NYDC01] A recent replication attempt failed:
            From CTDATA01 to NYDC01
            Naming Context: DC=sciameco,DC=sciame,DC=com
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2009-02-13 08:58:01.
            The last success occurred at 2009-02-12 20:41:24.
            13 failures have occurred since the last success.
            The source remains down. Please check the machine.
         REPLICATION-RECEIVED LATENCY WARNING
         NYDC01:  Current time is 2009-02-13 09:17:44.
            DC=DomainDnsZones,DC=sciameco,DC=sciame,DC=com
               Last replication recieved from CTDATA01 at 2009-02-11 10:48:49.
            DC=ForestDnsZones,DC=sciameco,DC=sciame,DC=com
               Last replication recieved from CTDATA01 at 2009-02-12 20:38:05.
            CN=Schema,CN=Configuration,DC=sciameco,DC=sciame,DC=com
               Last replication recieved from CTDATA01 at 2009-02-11 10:55:26.
            CN=Configuration,DC=sciameco,DC=sciame,DC=com
               Last replication recieved from CTDATA01 at 2009-02-12 20:37:58.
            DC=sciameco,DC=sciame,DC=com
               Last replication recieved from CTDATA01 at 2009-02-12 20:41:23.
         ......................... NYDC01 passed test Replications
      Starting test: Topology
         ......................... NYDC01 passed test Topology
      Starting test: CutoffServers
         ......................... NYDC01 passed test CutoffServers
      Starting test: NCSecDesc
         ......................... NYDC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... NYDC01 passed test NetLogons
      Starting test: Advertising
         ......................... NYDC01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NYDC01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NYDC01 passed test RidManager
      Starting test: MachineAccount
         ......................... NYDC01 passed test MachineAccount
      Starting test: Services
         ......................... NYDC01 passed test Services
      Starting test: OutboundSecureChannels
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... NYDC01 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         ......................... NYDC01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NYDC01 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
 
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
 
         Group Policy problems. 
         ......................... NYDC01 failed test frsevent
      Starting test: kccevent
         ......................... NYDC01 passed test kccevent
      Starting test: systemlog
         ......................... NYDC01 passed test systemlog
      Starting test: VerifyReplicas
         ......................... NYDC01 passed test VerifyReplicas
      Starting test: VerifyReferences
         ......................... NYDC01 passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         ......................... NYDC01 passed test VerifyEnterpriseReferences
      Starting test: CheckSecurityError
         Source DC CTDATA01 has possible security error (1722).  Diagnosing...
               Error 53 querying time on DC CTDATA01.  Ignoring this DC and continuing...
               Time skew error between client and 1 DCs!  ERROR_ACCESS_DENIED or down machine recieved by:
               		CTDATA01
         Ignoring DC CTDATA01 in the convergence test of object CN=NYDC01,OU=Domain Controllers,DC=sciameco,DC=sciame,DC=com, because we cannot connect!
         ......................... NYDC01 failed test CheckSecurityError
 
DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : sciameco
      Starting test: CrossRefValidation
         ......................... sciameco passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... sciameco passed test CheckSDRefDom
   
   Running enterprise tests on : sciameco.sciame.com
      Starting test: Intersite
         ......................... sciameco.sciame.com passed test Intersite
      Starting test: FsmoCheck
         ......................... sciameco.sciame.com passed test FsmoCheck
      Starting test: DNS
         Test results for domain controllers:
            
            DC: nydc01.sciameco.sciame.com
            Domain: sciameco.sciame.com
 
                  
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
                  
               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure sciameco.sciame.com.
         
         Summary of test results for DNS servers used by the above domain controllers:
 
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
               
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
               
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
               
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
               
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
               
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
               
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
               
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
               
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
               
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
               
            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
               
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               
            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: sciameco.sciame.com
               nydc01                       PASS PASS FAIL PASS WARN PASS n/a  
         
         ......................... sciameco.sciame.com failed test DNS

Open in new window

Avatar of flyingsky
flyingsky

my suggestion is treated it as orphaned and clean the metadata. You will have a lot of weird problem if the DC has been offline for more than 2 months.
Avatar of msCCare

ASKER

but did i cause more problems in the domain by having it on already?
ASKER CERTIFIED SOLUTION
Avatar of flyingsky
flyingsky

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of msCCare

ASKER

Caution The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Before getting into ntdsutil and removing the NTDS objects, do I need to remove the lingering objects with repadmin?  From reading about, it appears the tombstoned server needs to be turned on but in this case, we are treating it as if the server is dead.  Is this step necessary?
the key here is a feature called "Strict Replication Consistency" (check here for how to set/check this
http://technet.microsoft.com/en-us/library/cc816938.aspx). By default, it is enabled, which means

"If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object and locally halts inbound replication of the directory partition from that source domain controller."
Note here, destination dc is your other DCs in AD (not the one in question, which is source DC).
So basically, if you have never touched the "Strick Replication Consistency" on the other DCs, you don't need to worry about lingering objects.
Avatar of msCCare

ASKER

flyingsky,

thanks for your help.  i was able to successfully get rid of that server using ntdsutil.

i'm going to post this article I found helpful for anyone else that is looking for help on this subject:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm