I forgot to prep my 2003 domain before I added a 2008 R2 domain controller... can I fix this?
Posted on 2011-02-22
I had a domain with one 2003 R2 DC, and an Exchange 2003 server running on another 2003 R2 member server, along with a couple of other member servers and a mixture of XP Pro and Windows 7 clients.
I recently added a server 2008 R2 Standard member server, and promoted it to DC status. I then modified the DNS settings in each server and client in the domain to reflect the additional DNS server (the 2003 server is listed first, the 2008 server listed second). This worked well... for a while.
Monday, things began to blow up. I have a few Outlook clients (2007 and 2010) that now come up with a security logon, asking for username and password (this of course shouldn't happen with local clients)... entering usernames and passwords doesn't work, as the server rejects the logon.
I began to look into the problem, but it mysteriously resolved itself, and the affected clients began working again.
Today, the problem recurred, with one of the same client workstations and two new ones. As I dug into the event viewers, I see Kerberos authentication errors, mostly relating back to time discrepancies between the servers and the clients.
At this point, the 2003 DC is 10 minutes ahead of the member servers and many of the client workstations. The 2008 DC seems to be synced with the clients. If I do a net time /query from the mail server (2003), it returns time.nist.gov, rather than DC1.
As I thought through my installation and promotion of the 2008 server, I realize now that I totally blew the process, which may be the root cause of all my issues. I believe (it's been a month, so I can't 100% confirm) that I dcpromo'd the 2008 server without prepping my 2003 Active Directory for the 2008 server.
Can I fix this?
My first thought is to demote the 2008 server, go around to every client and member server (I have manually assigned IP addresses) and remove the 2008 DC from their DNS listing, reboot each (or log off and log on) to get them to reauthenticate with the 2003 DC only, and check the time on each to be sure it coincides with the 2003 DC.
Once I am sure things have settled down, I can then properly prep the 2003 DC's Active Directory, promote the 2008 to DC, and make it a global catalog server.
However, with the mess I made of the first go, I am worried I will make a bigger mess of things... does anyone have any suggestions as to how I can fix this?
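Before tearing anything down, the two facts the question turns on can be checked directly: whether the forest schema was actually extended for 2008 R2 (adprep /forestprep) and whether any DC's clock is outside the Kerberos 5-minute skew limit. The following PowerShell script is an added diagnostic example, not from the original post; it assumes it is run on a domain member with PowerShell 2.0 or later (for instance the 2008 R2 DC) and that w32tm /monitor can reach the DCs.

```powershell
# Added diagnostic example (not from the original post). Reads the schema
# objectVersion that adprep /forestprep sets, and parses 'w32tm /monitor'
# to report each DC's clock offset from the local clock.

$MaxSkewSeconds = 300   # Kerberos default MaxClockSkew is 5 minutes

# objectVersion values written by adprep /forestprep for each release
$SchemaVersions = @{ 13 = 'Windows 2000';           30 = 'Windows Server 2003'
                     31 = 'Windows Server 2003 R2';  44 = 'Windows Server 2008'
                     47 = 'Windows Server 2008 R2' }

function Get-ForestSchemaVersion {
    # Locate the Schema naming context via RootDSE and read objectVersion
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $ver     = [int]"$($schema.objectVersion)"
    $name    = $SchemaVersions[$ver]
    if (-not $name) { $name = 'unknown (newer than this table)' }
    New-Object PSObject -Property @{ ObjectVersion    = $ver
                                     Release          = $name
                                     PreppedFor2008R2 = ($ver -ge 47) }
}

function Get-DcClockOffsets {
    # 'w32tm /monitor' prints a header line per DC followed by an
    # 'NTP: +n.nnns offset from local clock' line; pair them up.
    $dc = $null
    w32tm /monitor | ForEach-Object {
        if ($_ -match '^(\S+).*\[\S+\]:') { $dc = $Matches[1] }
        elseif ($_ -match 'NTP:\s*([+-]?[\d.]+)s offset') {
            $off = [double]$Matches[1]
            New-Object PSObject -Property @{
                DC              = $dc
                OffsetSeconds   = $off
                Exceeds5MinSkew = ([math]::Abs($off) -gt $MaxSkewSeconds) }
        }
    }
}

Get-ForestSchemaVersion | Format-List
Get-DcClockOffsets | Format-Table -AutoSize
# Local time source (Vista/2008 and later; on 2003 use: net time /querysntp)
w32tm /query /source
```

A DC row with Exceeds5MinSkew set to True, or a RefID that is an external source rather than the PDC emulator, is the time-hierarchy problem to fix first; the schema version tells you whether forestprep is still outstanding at all.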