Solved

2003 AD DC problems - Duplicate name / DNS / LDAP

Posted on 2011-10-13
Last Modified: 2012-06-21
Hi there,

I came into the office this morning to find out I have a sick DC (2003 R2 BDC). We believe the issue was caused by a duplicate name and/or SPN on the network. We found the problem: there was a server that had gotten named the same name as our BDC, and that's where the fun began. We changed that name and turned that server off, but it looks like the damage is done; our BDC is having major issues now.

I ran DCDiag and got a bunch of errors. I then checked the event logs and am seeing a bunch of failed Kerberos login attempts in there. After that I checked DNS and found there are NO DNS zones (forward or reverse) on the BDC whatsoever. Not sure if this is the primary cause of all of the issues, or a result of another issue though.

Is there an easy way to get this guy back online without having to dcpromo it down?

We’ve tried running DCDiag /fix to no avail, still getting a bunch of errors on that.  I’ve attached the outcome of DCDiag /fix in the attachments.  

Any ideas anyone?  Is DCPromo going to be my only option?      
[Attachments: DcDiag screen 1, DcDiag screen 2, DcDiag screen 3]
Question by:_enIT

Accepted Solution

by:
Govvy earned 2000 total points
ID: 36962761
Seize any FSMO roles the DC had: http://support.microsoft.com/kb/255504

Demote

Author Comment

by:_enIT
ID: 36962787
Didn't have any FSMO roles, all of those are on our other DC. Thinking we're going to build a second DC before doing anything with the dead DC.

So Demoting is the only option?  

Expert Comment

by:Govvy
ID: 36963020
Doesn't look like that would be best path. Also bear in mind to relocate the IP of your DC to another if it's used as Primary/Secondary DNS server.

Author Comment

by:_enIT
ID: 36963233
I did need to seize (since it wouldn't transfer) the schema master role from the dead DC after all...

So at this point I'm building my new DC (backup) and will then promote that to a new DC with a new/unique name. After that I'll demote the dead DC, clean up DNS and AD, then reload the OS. Once the OS is reloaded and patched I'll assign it its old IP and rename it to its previous DC name, then promote it to a DC.

I'll then run DCDiag on all 3 DCs to verify everything looks okay.

See anything I'm missing here?  Any other tests or steps I should/need to run throughout this process?

Thanks,

Expert Comment

by:Govvy
ID: 36963242
Looks good, also check replication via repadmin /replsummary

Author Comment

by:_enIT
ID: 36963596
So far everything is looking pretty good on the new DC. However, when I run DCDiag I am getting some Replication Latency Warnings... I've attached a screenshot. I don't see the failed DC anywhere in the DCDiag output, only the Primary DC (which seems to be okay).

I'm guessing this has to do with the failed DC (haven't removed it yet), but wanted to be sure before I do remove it.  

[Attachment: DCDiag_NewDC]
Thanks again for your help!

Expert Comment

by:Govvy
ID: 36963668
That will be related to the initial replication of the new DC - should be good to continue
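Added example, not part of the thread: one way to make the closing replication check repeatable is to save the output of `repadmin /showrepl * /csv` and flag every link that has failures, has gone stale, or still points at the DC being retired. The host names, the one-hour threshold and the sample rows are constructed, and the column layout and timestamp format are assumptions to confirm against your own output.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
# DC01 = healthy DC, DC02 = failed DC, DC03 = newly promoted DC (placeholder names).
SAMPLE = '''showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=local",Default-First-Site-Name,DC03,RPC,0,0,2011-10-13 15:02:11,0
showrepl_INFO,Default-First-Site-Name,DC03,"DC=example,DC=local",Default-First-Site-Name,DC01,RPC,0,0,2011-10-13 13:10:40,0
showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=local",Default-First-Site-Name,DC02,RPC,14,2011-10-13 14:55:03,2011-10-12 23:10:27,1722
'''

def review_links(csv_text, now, retired=(), max_age=timedelta(hours=1)):
    """Return (destination, source, naming context, [reasons]) per link needing attention."""
    retired = {name.upper() for name in retired}
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    header, findings = rows[0], []
    for fields in rows[1:]:
        if fields[0] != "showrepl_INFO":
            # Assumption: any other row tag means repadmin could not query that DC.
            findings.append(("?", "?", "?", ["repadmin error row: " + ",".join(fields[1:])]))
            continue
        row = dict(zip(header, fields))
        dst, src = row["Destination DSA"], row["Source DSA"]
        reasons = []
        if {dst.upper(), src.upper()} & retired:
            reasons.append("link still references a retired DC")
        failures = int(row["Number of Failures"])
        if failures:
            reasons.append(f"{failures} failures, last status {row['Last Failure Status']}")
        last_ok = row["Last Success Time"]
        if last_ok in ("", "0"):
            reasons.append("no successful replication recorded")
        elif now - datetime.strptime(last_ok, "%Y-%m-%d %H:%M:%S") > max_age:
            reasons.append(f"last success {last_ok} is older than {max_age}")
        if reasons:
            findings.append((dst, src, row["Naming Context"], reasons))
    return findings

if __name__ == "__main__":
    checked_at = datetime(2011, 10, 13, 15, 5)  # constructed "now" matching the sample
    for dst, src, nc, reasons in review_links(SAMPLE, checked_at, retired=["DC02"]):
        print(f"{dst} <- {src} [{nc}]: " + "; ".join(reasons))
```

A link that is only stale right after a promotion should clear once initial replication finishes; a link that still names the retired DC after demotion points to leftover metadata or DNS records.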