msCCare
Domain Controller off network for a few months
We have a domain controller that has been off of the network for a few months and we recently put it back on. We attempted to demote it to a member server but received the following message:
Logon Failure: The target account name is incorrect
I have been seeing a lot of conflicting advice on removing it, with people saying that you should not run a dcpromo /forceremoval and others saying you should. Keep in mind the server has been added back onto the network. Some users were having logon problems and Kerberos errors. Turning the server off makes everything OK. Should we treat it as an orphaned domain controller, never put it back onto the network, and clean up the metadata? Or should we try to properly demote it so it cleans up all that junk on its own?
Here are the results of a dcdiag.exe:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\NYDC01
Starting test: Connectivity
......................... NYDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\NYDC01
Starting test: Replications
[Replications Check,NYDC01] A recent replication attempt failed:
From CTDATA01 to NYDC01
Naming Context: DC=DomainDnsZones,DC=sciameco,DC=sciame,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2009-02-13 08:58:01.
The last success occurred at 2009-02-11 10:48:49.
59 failures have occurred since the last success.
[CTDATA01] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[Replications Check,NYDC01] A recent replication attempt failed:
From CTDATA01 to NYDC01
Naming Context: DC=ForestDnsZones,DC=sciameco,DC=sciame,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2009-02-13 08:58:01.
The last success occurred at 2009-02-12 20:38:03.
13 failures have occurred since the last success.
[Replications Check,NYDC01] A recent replication attempt failed:
From CTDATA01 to NYDC01
Naming Context: CN=Schema,CN=Configuration,DC=sciameco,DC=sciame,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2009-02-13 08:58:44.
The last success occurred at 2009-02-11 10:51:33.
48 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,NYDC01] A recent replication attempt failed:
From CTDATA01 to NYDC01
Naming Context: CN=Configuration,DC=sciameco,DC=sciame,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2009-02-13 08:58:23.
The last success occurred at 2009-02-12 20:37:57.
13 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,NYDC01] A recent replication attempt failed:
From CTDATA01 to NYDC01
Naming Context: DC=sciameco,DC=sciame,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2009-02-13 08:58:01.
The last success occurred at 2009-02-12 20:41:24.
13 failures have occurred since the last success.
The source remains down. Please check the machine.
REPLICATION-RECEIVED LATENCY WARNING
NYDC01: Current time is 2009-02-13 09:17:44.
DC=DomainDnsZones,DC=sciameco,DC=sciame,DC=com
Last replication recieved from CTDATA01 at 2009-02-11 10:48:49.
DC=ForestDnsZones,DC=sciameco,DC=sciame,DC=com
Last replication recieved from CTDATA01 at 2009-02-12 20:38:05.
CN=Schema,CN=Configuration,DC=sciameco,DC=sciame,DC=com
Last replication recieved from CTDATA01 at 2009-02-11 10:55:26.
CN=Configuration,DC=sciameco,DC=sciame,DC=com
Last replication recieved from CTDATA01 at 2009-02-12 20:37:58.
DC=sciameco,DC=sciame,DC=com
Last replication recieved from CTDATA01 at 2009-02-12 20:41:23.
......................... NYDC01 passed test Replications
Starting test: Topology
......................... NYDC01 passed test Topology
Starting test: CutoffServers
......................... NYDC01 passed test CutoffServers
Starting test: NCSecDesc
......................... NYDC01 passed test NCSecDesc
Starting test: NetLogons
......................... NYDC01 passed test NetLogons
Starting test: Advertising
......................... NYDC01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... NYDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... NYDC01 passed test RidManager
Starting test: MachineAccount
......................... NYDC01 passed test MachineAccount
Starting test: Services
......................... NYDC01 passed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... NYDC01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
......................... NYDC01 passed test ObjectsReplicated
Starting test: frssysvol
......................... NYDC01 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... NYDC01 failed test frsevent
Starting test: kccevent
......................... NYDC01 passed test kccevent
Starting test: systemlog
......................... NYDC01 passed test systemlog
Starting test: VerifyReplicas
......................... NYDC01 passed test VerifyReplicas
Starting test: VerifyReferences
......................... NYDC01 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... NYDC01 passed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
Source DC CTDATA01 has possible security error (1722). Diagnosing...
Error 53 querying time on DC CTDATA01. Ignoring this DC and continuing...
Time skew error between client and 1 DCs! ERROR_ACCESS_DENIED or down machine recieved by:
CTDATA01
Ignoring DC CTDATA01 in the convergence test of object CN=NYDC01,OU=Domain Controllers,DC=sciameco,DC=sciame,DC=com, because we cannot connect!
......................... NYDC01 failed test CheckSecurityError
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : sciameco
Starting test: CrossRefValidation
......................... sciameco passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sciameco passed test CheckSDRefDom
Running enterprise tests on : sciameco.sciame.com
Starting test: Intersite
......................... sciameco.sciame.com passed test Intersite
Starting test: FsmoCheck
......................... sciameco.sciame.com passed test FsmoCheck
Starting test: DNS
Test results for domain controllers:
DC: nydc01.sciameco.sciame.com
Domain: sciameco.sciame.com
TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
Error: Root hints list has invalid root hint server: l.root-servers.net. (199.7.83.42)
Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but not secure sciameco.sciame.com.
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
DNS server: 199.7.83.42 (l.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
DNS server: 192.228.79.201 (b.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
DNS server: 128.9.0.107 (b.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: sciameco.sciame.com
nydc01 PASS PASS FAIL PASS WARN PASS n/a
......................... sciameco.sciame.com failed test DNS
My suggestion is to treat it as orphaned and clean the metadata. You will have a lot of weird problems if the DC has been offline for more than 2 months.
ASKER
But did I cause more problems in the domain by having it on already?
ASKER CERTIFIED SOLUTION
ASKER
Caution The administrator must also make sure that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
Before getting into ntdsutil and removing the NTDS objects, do I need to remove the lingering objects with repadmin? From reading about it, it appears the tombstoned server needs to be turned on, but in this case we are treating it as if the server is dead. Is this step necessary?
The key here is a feature called "Strict Replication Consistency" (check here for how to set/check this: http://technet.microsoft.com/en-us/library/cc816938.aspx). By default, it is enabled, which means:
"If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object and locally halts inbound replication of the directory partition from that source domain controller."
Note here, the destination DC is your other DCs in AD (not the one in question, which is the source DC).
So basically, if you have never touched "Strict Replication Consistency" on the other DCs, you don't need to worry about lingering objects.
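To confirm the setting flyingsky describes before deciding whether lingering-object cleanup is needed, here is an added PowerShell example; it is not code from the thread or from the linked TechNet article. It reads the Strict Replication Consistency registry value from every DC in the domain. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and WinRM access to each DC; the function and parameter names are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report the "Strict Replication Consistency" setting on each DC.
# A DC set to strict (1) halts inbound replication of a partition from a source that
# offers a lingering object instead of re-creating that object locally; loose (0)
# would let the object back in. Function and parameter names are assumptions.

function Get-StrictReplicationConsistency {
    [CmdletBinding()]
    param(
        # Host names of the DCs to inspect; defaults to every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $valueName = 'Strict Replication Consistency'

    foreach ($dc in $DomainController) {
        $row = [ordered]@{ DomainController = $dc; Value = $null; Mode = $null }
        try {
            # Read the DWORD remotely; $null comes back when the value is absent.
            $row.Value = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                param($path, $name)
                (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            } -ArgumentList $keyPath, $valueName

            $row.Mode = if ($row.Value -eq 1) {
                            'Strict: lingering objects from a stale source are rejected'
                        } elseif ($row.Value -eq 0) {
                            'Loose: lingering objects would be re-created on this DC'
                        } else {
                            # Forests upgraded from Windows 2000 historically default to loose,
                            # so an absent value should be verified rather than assumed strict.
                            'Not set: verify; upgraded forests may default to loose'
                        }
        } catch {
            $row.Mode = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Usage: show every DC, then list the ones that are not explicitly strict.
$report = Get-StrictReplicationConsistency
$report | Format-Table -AutoSize
$report | Where-Object { $_.Value -ne 1 }
```

Any DC that comes back as loose or unset can be switched to strict with `repadmin /regkey <DC> +strict` (or `*` for all DCs) before the orphaned server's metadata is touched, so that none of the surviving DCs would accept its stale objects.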
ASKER
flyingsky,
Thanks for your help. I was able to successfully get rid of that server using ntdsutil.
I'm going to post this article I found helpful for anyone else that is looking for help on this subject:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
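The cleanup the asker ended up doing, written out as an added PowerShell example (not code from the thread or from the linked Petri article): it refuses to run while the server still replicates successfully, removes the orphaned DC's metadata with ntdsutil, and then checks whether any of the usual leftover objects still exist. The server name, site and domain DN come from the dcdiag output above; the function and parameter names, and the use of Windows Server 2008 R2+ tooling (ntdsutil's one-line syntax and the ActiveDirectory module) run as a Domain Admin on a surviving DC, are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: metadata cleanup of a dead DC plus a check for what ntdsutil left behind.
# Function and parameter names are assumptions, not the thread's or the article's code.

function Remove-OrphanedDcMetadata {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ServerName,   # e.g. NYDC01
        [Parameter(Mandatory)][string]$SiteName,     # e.g. Default-First-Site-Name
        [Parameter(Mandatory)][string]$DomainDn      # e.g. DC=sciameco,DC=sciame,DC=com
    )

    $configDn = "CN=Configuration,$DomainDn"
    $serverDn = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"

    # Guard: a DC that still replicates successfully is not orphaned and should be
    # demoted normally. If the host is down, repadmin fails and no line matches.
    $healthy = repadmin /showrepl $ServerName 2>$null |
               Select-String -Quiet 'Last attempt .* was successful'
    if ($healthy) {
        throw "$ServerName still reports successful inbound replication; demote it instead."
    }

    if ($PSCmdlet.ShouldProcess($serverDn, 'ntdsutil metadata cleanup')) {
        # Windows Server 2003 SP1 and later accept the server DN directly, avoiding the
        # interactive "select operation target" menus. ntdsutil still shows its own
        # confirmation dialog before deleting the server object.
        & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
    }

    # Verification: each object below should be gone once cleanup has replicated.
    # Anything reported as StillPresent has to be removed by hand.
    $leftovers = @(
        @{ Object = 'NTDS Settings';    Dn = "CN=NTDS Settings,$serverDn" }
        @{ Object = 'Server object';    Dn = $serverDn }
        @{ Object = 'Computer account'; Dn = "CN=$ServerName,OU=Domain Controllers,$DomainDn" }
        @{ Object = 'FRS member';       Dn = "CN=$ServerName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn" }
    )
    foreach ($item in $leftovers) {
        $present = $true
        try   { $null = Get-ADObject -Identity $item.Dn -ErrorAction Stop }
        catch { $present = $false }
        [pscustomobject]@{
            Object            = $item.Object
            DistinguishedName = $item.Dn
            StillPresent      = $present
        }
    }
}

# Usage: dry run first (-WhatIf only reports what exists), then the real cleanup.
Remove-OrphanedDcMetadata -ServerName NYDC01 -SiteName Default-First-Site-Name `
    -DomainDn 'DC=sciameco,DC=sciame,DC=com' -WhatIf
Remove-OrphanedDcMetadata -ServerName NYDC01 -SiteName Default-First-Site-Name `
    -DomainDn 'DC=sciameco,DC=sciame,DC=com'
```

Run the -WhatIf pass on one surviving DC to confirm the computed server DN matches what ADSI Edit shows before deleting anything. After the real run, re-run the function with -WhatIf on a different DC so the StillPresent column reflects replicated state rather than the local copy; the DC's A and SRV records in DNS are not inspected here and should be removed separately, and the remaining DCs should come back clean on dcdiag and repadmin /showrepl.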