2003 AD DC problems - Duplicate name / DNS / LDAP
Hi there,
I came into the office this morning to find out I have a sick DC (2003 R2 BDC). We believe the issue was caused by a duplicate name and/or SPN on the network. We found the problem, there was a server that had gotten named the same name as our BDC and that's where the fun began. We changed that name and turned that server off, but looks like the damage is done, our BDC is having major issues now.
I ran DCDiag and got a bunch of errors. I then checked the event logs and am seeing a bunch of failed Kerberos login attempts in there. After that I checked DNS and found there are NO DNS zones (forward or reverse) on the BDC whatsoever. Not sure if this is the primary cause of all of the issues, or a result from another issue though.
Is there an easy way to get this guy back online without having to dcpromo it down?
We’ve tried running DCDiag /fix to no avail, still getting a bunch of errors on that. I’ve attached the outcome of DCDiag /fix in the attachments.
Any ideas anyone? Is DCPromo going to be my only option?
Doesn't look like that would be the best path. Also bear in mind to relocate the IP of your DC to another if it's used as the Primary/Secondary DNS server.
ASKER
I did need to seize (since it wouldn't transfer) the schema master role from the dead DC after all...
So at this point I'm building my new DC (backup) and will then promote that to a new DC with a new/unique name. After that I'll demote the dead DC, clean up DNS and AD, then reload the OS. Once the OS is reloaded and patched I'll assign it its old IP and rename it to its previous DC name, then promote it to a DC.
I'll then run DCDiag on all 3 DCs to verify everything looks okay.
See anything I'm missing here? Any other tests or steps I should/need to run throughout this process?
Thanks,
Looks good, also check replication via repadmin /replsummary
ASKER
So far everything is looking pretty good on the new DC. However, when I run DCDiag I am getting some Replication Latency Warnings... I've attached a screenshot. I don't see the failed DC anywhere in the DCDiag output, only the Primary DC (which seems to be okay).
I'm guessing this has to do with the failed DC (haven't removed it yet), but wanted to be sure before I do remove it.
Thanks again for your help!
That will be related to the initial replication of the new DC - should be good to continue
ASKER
So demoting is the only option?