Solved

Two domain controllers in error

Posted on 2011-09-08
8
1,540 Views
Last Modified: 2012-05-12
I'm having trouble with my DCs.
In the organization I have two domain controllers (DC1 and DC2).

The problem is that the DC2 controller is in error.
I can't delete this DC because it can't connect to DC1.

If I call the function "Change Directory Server", I can do this on DC1: I select DC1 and this works.
When I try this for DC2, I get the same error, that DC1 cannot be found.

How do I reconnect them again? Fix up the DC system?
Thanks
0
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36505285
So you can't gracefully demote DC2?

Without knowing the errors:

You can forcibly remove DC2 with dcpromo /forceremoval; there is a great blog on it here: http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

You would then run a metadata cleanup of that dead DC (do this on DC1): http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Then add it back and rejoin the domain.

If there are network/port issues you will need those fixed before adding it back (it has to be able to connect).

Thanks

Mike
0
 

Author Comment

by:jonas-p
ID: 36505938

When I try to do the first step, forceremoval, I get the following error:

The operation failed because:
DFS replication: the target principal name is incorrect.
"The target principal name is incorrect."

Regards.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36515171
As the message you received is "The target principal name is incorrect", this indicates that the secure channel between the DCs is broken, hence the replication is occurring.

1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

3. Purge the ticket cache on Server2: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server domain controller account password on Server1 (the PDC emulator).

To do so, open a command prompt and type: netdom resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.

Note: You need to have at least 2 DCs in the network for redundancy. I personally would not recommend demoting the existing DC.
0
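Steps 1 to 6 above as a single script, an added example that is not part of the thread and not Sandeshdubey's own code. It assumes DC1 holds the PDC emulator role, the domain is domain.com, the account is domain.com\administrator, and it is run in an elevated prompt on DC2 (the DC whose secure channel is broken). klist.exe, which ships with Windows Server 2008 R2, stands in for the Resource Kit Kerbtray.exe that the asker could not find, and the password reset uses the documented `netdom resetpwd` form with `/passwordd:*` so the password is prompted for rather than left in the command line and the shell history. The verification commands at the end are an addition beyond the six steps.

```powershell
# Added example, not from the thread. Resets the secure channel of this DC (DC2)
# against DC1 and verifies replication afterwards. Run elevated ON DC2.
# Assumptions: DC1 holds the PDC emulator role, the domain is domain.com and the
# account is domain.com\administrator; every tool used (net, klist, netdom,
# repadmin, nltest, dcdiag) ships with Windows Server 2008 R2.
param(
    [string]$PartnerDc = "DC1",          # the healthy DC (PDC emulator)
    [string]$Domain    = "domain.com",
    [string]$AdminUser = "administrator"
)

# Runs one external command, echoing it first so the operator sees exactly what
# was executed. Stop/purge steps only warn on failure (the service may already be
# stopped); the password reset must succeed before replication is forced.
function Invoke-Step {
    param([string]$Description, [string]$Command, [string[]]$Arguments, [switch]$Fatal)
    Write-Host "==> $Description"
    Write-Host "    $Command $($Arguments -join ' ')"
    & $Command @Arguments
    if ($LASTEXITCODE -ne 0) {
        if ($Fatal) { throw "'$Command' failed with exit code $LASTEXITCODE; not continuing." }
        Write-Warning "'$Command' returned exit code $LASTEXITCODE (continuing)."
    }
}

# Step 1: stop the KDC so this DC stops issuing tickets while its password is reset.
Invoke-Step "Stop the Kerberos Key Distribution Center" "net" @("stop", "kdc")

# Steps 2 and 3: purge cached tickets. Kerbtray is not on 2008 R2; klist does the
# same job. Logon id 0x3e7 is Local System, whose cache the secure channel uses;
# the second call purges the current admin session.
Invoke-Step "Purge Local System's Kerberos tickets" "klist" @("-li", "0x3e7", "purge")
Invoke-Step "Purge this session's Kerberos tickets" "klist" @("purge")

# Step 4: reset this DC's computer account password. The documented form is
# 'netdom resetpwd' (no slash before resetpwd); /server names the OTHER DC, and
# '*' makes netdom prompt so the password never appears in the command line,
# the process list or the PowerShell history.
Invoke-Step "Reset the computer account password against $PartnerDc" "netdom" `
    @("resetpwd", "/server:$PartnerDc", "/userd:$Domain\$AdminUser", "/passwordd:*") -Fatal

# Step 5: push the change to every replication partner.
Invoke-Step "Synchronise all partitions with all partners" "repadmin" @("/syncall")

# Step 6: bring the KDC back.
Invoke-Step "Start the Kerberos Key Distribution Center" "net" @("start", "kdc")

# Verification (not in the six steps, but the check that tells you it worked):
# the secure channel to the domain must verify, and the replication summary and
# replication tests must show no failures for this DC.
Invoke-Step "Verify the secure channel" "nltest" @("/sc_verify:$Domain")
Invoke-Step "Replication summary" "repadmin" @("/replsummary")
Invoke-Step "Replication tests" "dcdiag" @("/test:replications")
```

Run it as `.\Reset-DcSecureChannel.ps1 -PartnerDc DC1 -Domain domain.com` on DC2. The point of the `-Fatal` switch is that a failed `netdom resetpwd` must stop the script: forcing replication with `repadmin /syncall` after a failed reset only reproduces the same "target principal name is incorrect" error.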
LVL 26

Accepted Solution

by: e_aravind (earned 500 total points)
ID: 36515850
Check if you have any DFSR configured.
Can you stop the DFS Replication (DFSR) service and then try the forceremoval?
0
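The forced-removal path described by Mike Kline (dcpromo /forceremoval on DC2, metadata cleanup on DC1, and fixing any port problems before re-adding the server) together with e_aravind's accepted step of stopping DFS Replication first, as one runbook. This is an added example, not code from the thread or from either expert. DC1, DC2, domain.com and the site name Default-First-Site-Name are assumptions exposed as parameters; the port check uses System.Net.Sockets.TcpClient because Test-NetConnection does not exist in the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not from the thread. Runbook for removing a broken DC:
#   PreCheck        (run on DC2)  can DC2 reach the ports it needs on DC1?
#   ForceRemove     (run on DC2)  stop DFS Replication, then dcpromo /forceremoval
#   MetadataCleanup (run on DC1)  remove DC2's leftovers from Active Directory
# Assumed names: DC1, DC2, domain.com, Default-First-Site-Name (parameters below).
param(
    [ValidateSet("PreCheck", "ForceRemove", "MetadataCleanup")]
    [string]$Phase    = "PreCheck",
    [string]$GoodDc   = "DC1",
    [string]$BrokenDc = "DC2",
    [string]$DomainDn = "DC=domain,DC=com",
    [string]$Site     = "Default-First-Site-Name"
)

# Ports a DC must reach on its replication partner. PowerShell 2.0 on 2008 R2 has
# no Test-NetConnection, so a raw TcpClient connect with a timeout is used.
$RequiredPorts = @{
    53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP";
    445 = "SMB"; 464 = "Kerberos password change"; 3268 = "Global Catalog"
}

function Test-DcPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Prints one line per port and returns the list of blocked ports (empty when all
# are reachable).
function Test-DcConnectivity {
    param([string]$Computer)
    $blocked = @()
    foreach ($port in ($RequiredPorts.Keys | Sort-Object)) {
        $open = Test-DcPort -Computer $Computer -Port $port
        $state = if ($open) { "open" } else { "BLOCKED" }
        Write-Host ("{0,5}  {1,-26} {2}" -f $port, $RequiredPorts[$port], $state)
        if (-not $open) { $blocked += $port }
    }
    return $blocked
}

switch ($Phase) {
    "PreCheck" {
        $blocked = Test-DcConnectivity -Computer $GoodDc
        if ($blocked) {
            Write-Warning "Fix firewall/routing for port(s) $($blocked -join ', ') before re-promoting this server; dcpromo will fail again otherwise."
        } else {
            Write-Host "All required ports on $GoodDc are reachable."
        }
    }
    "ForceRemove" {
        # The thread's error ("DFS replication: the target principal name is
        # incorrect") is DFSR trying to use the broken secure channel; stopping
        # the service lets the forced demotion proceed.
        Stop-Service -Name DFSR -Force
        # /forceremoval demotes without contacting DC1, so AD still believes DC2
        # exists afterwards: the MetadataCleanup phase is not optional.
        dcpromo /forceremoval
    }
    "MetadataCleanup" {
        # Never clean up a DC that still holds FSMO roles; if the output names the
        # broken DC, seize the roles first (ntdsutil "roles").
        netdom query fsmo
        $serverDn = "CN=$BrokenDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
        ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
        # Remaining manual steps: delete DC2's A and SRV records in DNS and its
        # computer object, then confirm no partner still lists it.
        repadmin /replsummary
    }
}
```

Run `-Phase PreCheck` on DC2 first: if Kerberos (88), RPC (135) or LDAP (389) to DC1 is blocked, the secure-channel errors in the thread are a symptom of the network, and neither re-promotion nor a password reset will hold until that is fixed. `ForceRemove` and `MetadataCleanup` are deliberately separate phases because they run on different machines, and the cleanup must happen on the surviving DC.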
 

Author Comment

by:jonas-p
ID: 36519180
Hi,

Thanks for the information. To reply:

1. Done.
2. Can't find it on Windows Server 2008 R2 (is this an important step?)
3. I tried this:
netdom resetpwd /server:dc2.domain.com /userd:domain.com\administrator /passwordd:password

but it always gives a syntax error; I can't find what I'm doing wrong.

Please help.
0
 

Author Closing Comment

by:jonas-p
ID: 36522429
.
0