• Status: Solved

How to "pause" a backup domain controller?

We have a two-server domain running Windows Server 2003. Due to a number of problems with the BDC that the previous IT person left, it has not replicated with the PDC in months. Amazing...

The problem now is that some authorization requests are going to it and some fail if they need any recent AD data.

The whole DC is a mess and there are many various errors logged, and I have to slowly go through them and get it working. At this point I consider it a detriment as a BDC and I'd like to stop it.

When I try and remove the BDC role, I get "login failure: the target account is invalid".

What I want is a way to "pause" it as a DC... not demote it (I'm not 100% sure of all the ramifications of doing that at the moment). I have even thought of just shutting it down. The PDC has all the FSMO roles, GC, DNS, WINS, DHCP, etc.

Is there some service or something that I can stop, just so it doesn't try to respond to any authorization requests? This has the advantage that if it is causing a problem by not being "active", I can just restart it again from home.

I know there are bigger issues to address... for the short term I just want this BDC to be out of the picture in as simple a way as possible.

Thanks
1 Solution
 
Mike KlineCommented:
When you run repadmin /showreps, how long since the last successful replication? If it is past the tombstone lifetime period then you will have issues. More on TSL here: http://blogs.dirteam.com/blogs/jorge/archive/2006/07/23/1233.aspx

If it is past TSL then you can dcpromo /forceremoval and then clean up the metadata and promote it again. We can provide more steps on that if necessary.

Thanks

Mike
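The check Mike asks for, as an added example (not code from the thread): measure how old the last successful inbound replication is and compare it with the forest tombstone lifetime, using only what Windows Server 2003 offers (repadmin.exe from the Support Tools, and ADSI, since the ActiveDirectory PowerShell module does not exist on 2003). The DC name BDC01 is an assumption, and the script assumes PowerShell 2.0 on the machine it runs from.

```powershell
# Added example, not from the thread. Assumptions: the broken DC is named
# BDC01, repadmin.exe (2003 Support Tools) is installed, PowerShell 2.0.
param([string]$BadDc = 'BDC01')   # assumed name of the DC that stopped replicating

function Get-TombstoneLifetime {
    # TSL is stored on the Directory Service object in the Configuration NC.
    # The attribute is absent on forests created before 2003 SP1, in which
    # case the effective value is 60 days; forests created with SP1 or later
    # store 180 explicitly.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsCfg    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl      = $dsCfg.Properties['tombstoneLifetime'].Value
    if ($tsl) { [int]$tsl } else { 60 }
}

function Get-LastSuccessDates {
    # Parse repadmin /showreps text. Per inbound partner it prints either
    # "Last attempt @ <date> was successful." or, after failures,
    # "Last attempt @ <date> failed, ..." followed by "Last success @ <date>."
    # ("Last success @ (never)." is printed when a partner never replicated.)
    param([string[]]$Lines)
    $pattern   = 'Last (success|attempt) @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(.*)'
    $results   = @()
    $partition = ''
    foreach ($line in $Lines) {
        # Partition headers sit in column 0 and start with DC= or CN=.
        if ($line -match '^(DC=|CN=)') { $partition = $line.Trim() }
        if ($line -match 'Last success @ \(never\)') {
            $results += New-Object PSObject -Property @{
                Partition = $partition; LastSuccess = $null; AgeDays = [int]::MaxValue }
            continue
        }
        if ($line -match $pattern) {
            $kind = $matches[1]; $stamp = $matches[2]; $rest = $matches[3]
            # A failed "Last attempt" line carries a date that must not count.
            if ($kind -eq 'attempt' -and $rest -notmatch 'was successful') { continue }
            $when = [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss',
                        [Globalization.CultureInfo]::InvariantCulture)
            $results += New-Object PSObject -Property @{
                Partition   = $partition
                LastSuccess = $when
                AgeDays     = [int]((Get-Date) - $when).TotalDays }
        }
    }
    $results
}

$tsl = Get-TombstoneLifetime
# Run against the broken DC to see what it last received; run the same
# command with the good DC's name to see when the good DC last got anything
# from the broken one. Both directions matter for lingering objects.
$lines = & repadmin.exe /showreps $BadDc 2>&1 | ForEach-Object { "$_" }
$ages  = Get-LastSuccessDates -Lines $lines
$ages | Sort-Object AgeDays -Descending | Format-Table Partition, LastSuccess, AgeDays -AutoSize

$worst = ($ages | Measure-Object AgeDays -Maximum).Maximum
if ($worst -gt $tsl) {
    Write-Host "Oldest successful inbound replication on $BadDc is $worst days old, past the $tsl-day TSL."
    Write-Host "A normal dcpromo demotion will not work; use dcpromo /forceremoval, then metadata cleanup."
} else {
    Write-Host "Within the $tsl-day TSL ($worst days); normal replication troubleshooting is still an option."
}
```

The parser is deliberately separate from the repadmin call so it can be pointed at a saved `repadmin /showreps > showreps.txt` file from either DC; the age that matters is the largest one across all partitions, since a single partition past TSL is enough to leave lingering objects behind.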
 
achaldaveCommented:
Try troubleshooting replication
http://technet.microsoft.com/en-us/library/cc738415(WS.10).aspx

If you can't resolve the replication issue then shut down the second DC and remove it from the directory.
http://technet.microsoft.com/en-us/library/cc781245(WS.10).aspx
 
CD-257Author Commented:
Yes, it is way past TSL. When I tried a normal removal I got "login failure: the target account is incorrect". So I'm forcing a removal... a simple dcpromo /forceremoval.

Now I guess I need to know how to remove the metadata and restore its role.

Or, if I don't want a BDC for now, do I still need to clean up the metadata? (my guess is yes and how)

Again, this is a quick hack to serious problems we are having right now (authentication issues). I just want this BDC to not be answering requests. I have looked at the error logs and various command tool outputs and am overwhelmed with where to start. Thus something quick...

It's in the (long?) process of removing itself from the AD.

Thanks for the help so far but I'm not quite out of the woods.
 
Mike KlineCommented:
The fix is not that bad

Since it can't replicate, you use dcpromo /forceremoval to demote it: http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

When that is done the DC is in a workgroup.

From the good DC you do a metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

You said the bad DC held no FSMOs, so no need to worry about those.

Normally you would wait for the metadata cleanup to replicate but you only have one DC left.  Once you have it cleaned up you can join the old box back to the domain and promote it again.

Thanks

Mike
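The procedure above, as an added example (not code from the thread or from the linked articles): the force removal on the broken box, the metadata cleanup on the good DC, and the leftover checks that the cleanup does not always cover before the old box is rejoined. Server, site and domain names are assumptions; `ntdsutil` still pops a confirmation dialog for the removal, so this is semi-interactive, and the DN form of `remove selected server` assumes Windows Server 2003 SP1 or later on the good DC.

```powershell
# Added example, not from the thread. Assumed names: PDC01 is the healthy DC
# with all FSMO roles, BDC01 is the DC that stopped replicating, both sit in
# Default-First-Site-Name. Run this on PDC01 as a Domain Admin.
$GoodDc = 'PDC01'
$BadDc  = 'BDC01'
$Site   = 'Default-First-Site-Name'

$rootDse  = [ADSI]"LDAP://$GoodDc/RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$domainNc = $rootDse.Properties['defaultNamingContext'].Value
# DC=contoso,DC=com -> contoso.com, used for the DNS zone checks below.
$dnsZone  = ($domainNc -replace ',?DC=', '.').TrimStart('.')

# Step 1, run ON THE BROKEN DC (not from here):
#     dcpromo /forceremoval
#   This strips the DC role without contacting any partner and leaves the box
#   in a workgroup. It cleans up nothing in AD; that is what steps 2 and 3 do.
#   Never run it on the good DC.

# Step 2, on the good DC: remove the dead server's NTDS Settings object.
#   2003 SP1+ accepts the server DN directly, which avoids the interactive
#   "list sites / select server N" walk shown in older write-ups.
$serverDn = "CN=$BadDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
& ntdsutil.exe 'metadata cleanup' 'connections' "connect to server $GoodDc" 'quit' `
               "remove selected server $serverDn" 'quit' 'quit'

# Step 3: verify what is left. On SP1+ ntdsutil also removes the FRS member
#   and the computer account, but check rather than assume; anything found
#   here must go (ADSI Edit, or Sites and Services for the server object)
#   before the old machine is joined back, or the join/promotion collides
#   with the stale account.
function Test-StaleDcObjects {
    param([string]$Dc, [string]$ServerDn, [string]$DomainNc)
    $candidates = @(
        "LDAP://CN=NTDS Settings,$ServerDn",
        "LDAP://$ServerDn",
        "LDAP://CN=$Dc,OU=Domain Controllers,$DomainNc",
        "LDAP://CN=$Dc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainNc"
    )
    $candidates | Where-Object { [ADSI]::Exists($_) }
}
$leftovers = Test-StaleDcObjects -Dc $BadDc -ServerDn $serverDn -DomainNc $domainNc
if ($leftovers) {
    Write-Host 'Objects still referencing the dead DC:'
    $leftovers | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No server, NTDS Settings, computer or FRS member object left for the dead DC.'
}

# DNS: the dead DC's A and SRV records stay behind because it could not
#   deregister them itself. In a 2003 forest _msdcs is usually its own zone,
#   so enumerate both; stderr is discarded for a zone that does not exist here.
foreach ($zone in @($dnsZone, "_msdcs.$dnsZone")) {
    & dnscmd.exe $GoodDc /EnumRecords $zone '@' 2>$null |
        Select-String -SimpleMatch $BadDc |
        ForEach-Object { Write-Host "DNS record in $zone still points at ${BadDc}: $_" }
}

# Step 4, only after the checks above come back clean, on the old box:
#     netdom join BDC01 /domain:contoso.com /userd:Administrator /passwordd:*
#   and, when you are ready for a second DC again, plain dcpromo.
```

The order matters: if the computer account or the FRS member object survives the cleanup and the old machine is joined back under the same name, the later `dcpromo` inherits the stale state instead of starting clean. Leftover SRV records are the reason clients were still being sent to the dead DC for authentication; DNS scavenging would eventually age them out, but deleting them now stops the misdirected requests immediately.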
 
CD-257Author Commented:
Thanks, this seems to have done it. Well, the BDC is demoted but back in the domain. I guess since many times, leases, etc. are for many days I won't know if anything with just the PDC is broken. I will probably just let this run for a week or more w/o a BDC before confusing things, and make sure there are no errors, stale entries, etc.

BTW, until a week or so ago, there were some FSMO roles that were held by the PDC that died well over two years ago! The new PDC was given a different DNS name. One can probably trace back some of these problems to that... well, it's probably the best it has been in two years! No BDC is better than one that isn't replicating... or has outdated data...

When I get brave, I'll put a BDC back!

Thanks for all your help and the quick replies.
 
Mike KlineCommented:
If there were FSMO roles not transferred properly you would need to seize those: http://www.petri.co.il/seizing_fsmo_roles.htm

I'll look for more questions when you are ready.

Thanks

Mike
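The check behind Mike's reminder, as an added example (not code from the thread or the linked article): list the five FSMO role owners straight from the `fSMORoleOwner` attributes and flag any owner whose NTDS Settings object no longer exists, which is the "roles held by a PDC that died two years ago" situation the asker describes, then build the matching `ntdsutil` seizure for only those roles. It uses ADSI because Windows Server 2003 has no ActiveDirectory module; the `netdom` confirmation at the end assumes the 2003 Support Tools are installed, and the seizure runs on the machine executing the script, which is assumed to be the good DC.

```powershell
# Added example, not from the thread. Run on the good DC as a Domain Admin
# (Schema Admin / Enterprise Admin are needed for the forest-level seizures).
function Get-FsmoOwners {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $domainNc = $rootDse.Properties['defaultNamingContext'].Value
    # Each role is the fSMORoleOwner attribute on one well-known object; the
    # value is the DN of the owning DC's NTDS Settings object.
    $roleObjects = @{
        'Schema master'         = $schemaNc
        'Domain naming master'  = "CN=Partitions,$configNc"
        'PDC emulator'          = $domainNc
        'RID master'            = "CN=RID Manager`$,$domainNc"
        'Infrastructure master' = "CN=Infrastructure,$domainNc"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = ([ADSI]"LDAP://$($roleObjects[$role])").Properties['fSMORoleOwner'].Value
        # Once the owner's NTDS Settings object has been deleted the DN carries
        # the \0ADEL: deleted-object marker; an owner that simply fails to bind
        # is just as dead. Note this only catches owners that were cleaned up:
        # a dead DC whose metadata was never removed still "exists" here, so
        # cross-check the reported name against the DCs you can actually reach.
        $exists = $false
        if ($owner -notmatch '\\0ADEL:') {
            try { $exists = [ADSI]::Exists("LDAP://$owner") } catch { $exists = $false }
        }
        # CN=NTDS Settings,CN=<DC name>,CN=Servers,... -> <DC name>
        $dcName = ($owner -split ',')[1] -replace '^CN='
        New-Object PSObject -Property @{
            Role = $role; Owner = $dcName; OwnerDn = $owner; Dead = (-not $exists) }
    }
}

$owners = Get-FsmoOwners
$owners | Format-Table Role, Owner, Dead -AutoSize

$dead = @($owners | Where-Object { $_.Dead })
if ($dead.Count -gt 0) {
    # Seizure is run on the DC that will take the role. ntdsutil attempts a
    # graceful transfer first and only seizes when the old owner is unreachable.
    # Seizing is safe here only because the old owner is gone for good; a seized
    # role must never be allowed to replicate with its previous holder again.
    $seizeCommand = @{
        'Schema master'         = 'seize schema master'
        'Domain naming master'  = 'seize domain naming master'
        'PDC emulator'          = 'seize PDC'
        'RID master'            = 'seize RID master'
        'Infrastructure master' = 'seize infrastructure master'
    }
    $goodDc = $env:COMPUTERNAME   # assumed: this script runs on the surviving DC
    $cmds = @('roles', 'connections', "connect to server $goodDc", 'quit')
    $cmds += $dead | ForEach-Object { $seizeCommand[$_.Role] }
    $cmds += 'quit', 'quit'
    Write-Host "Seizing: $(($dead | ForEach-Object { $_.Role }) -join ', ')"
    Write-Host "ntdsutil $($cmds -join ' ')"
    & ntdsutil.exe $cmds        # each seize asks for confirmation in a dialog box
    & netdom.exe query fsmo     # confirm all five now name the surviving DC
} else {
    Write-Host 'All FSMO owners resolve to live NTDS Settings objects; nothing to seize.'
}
```

Running the first half alone (the `Get-FsmoOwners` table) is worth doing after any metadata cleanup, even when the removed DC was never supposed to hold a role: a role that silently points at a deleted object explains the class of "works for some accounts, fails for others" authentication trouble the asker started with, since the RID and PDC emulator roles are consulted on account creation and password changes.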
 
CD-257Author Commented:
The BDC never had any FSMO roles. Just the PDC and another computer name that died years ago. I seized the remainder of the roles from that dead computer name a couple weeks ago. But I do appreciate the follow up reminder/check !