• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 289
  • Last Modified:

Active Directory DC out of sync after hard drive failure

Had a hard drive fail in one of our remote DC servers.  It was a mirrored config, and one drive went bad two months ago, then the other today.  Then it rebooted itself and booted from the one that went bad two months ago, so all the AD info is out of date and it cannot communicate with all the other DCs.  I get Event ID 4 Errors like this on the good DCs:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/SERVERNAME.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME), and the client realm.   Please contact your system administrator.

I'm not sure if at this point I should remove this DC out of AD, get new drive and rebuld from scratch, then set it up as a DC again?  If I do, what steps do I use to pull it out and when I reinstall, should I use the same name?  
2 Solutions
Mike KlineCommented:
If you can fix the drive issue then you can remove it and promote again

You can do a dcpromo /forceremoval   http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

At the end of that the machine will be in a workgroup

From one of yoru good DCs do a metadata cleanup to get rid of it in AD   http://www.petri.co.il/delete_failed_dcs_from_ad.htm

I'm assuming this box held no FSMO roles

Once the cleanup/changes have replicated you can join the box back to the domain and promote it again.

If you have to wipe and start over then you skp the /forceremoval part.



You need to check 2 possible options... First try to ping using UNC path C:\start \\DC1, if this get resolves then DC is fine. Thne just remove lingering opbjects using following KB link. That will fix the issue. If not fix the broken secure channel and download resource kit tools from microsoft site and use Kerbtray to purge Kerbaros tickets.

Fix Secure Channle: Stop and disable KDC from services.msc. use netdom to fix secure channel (netdom resetpwd /server:DC_name /userd:Domain\admin /passwordd:admin_pwd). Now recheck UNC path access and reboot the server, now start KDC service.

LingeringObjects Link:
Ran dcdiag /q on the healthy dc and check for errors.Is the secure channel between the DC broken or the offline server has reached the tombstone lifecycle period.

If in dcdiag the server which was offline has reached tombstone period then you need to forcefully demote the DC followed by metadatacleanup and promote the server back as DC.

If the secure channel between the DC are broken you need to rest the same.

Check the Directory service event id for lingering object on healthy DC if issue persist you need to remove the same to fix the replication issue:
jpletcher1Author Commented:
Thanks.  i actually called MS on this one and we are basically doing these things listed above.  It was over 60 days out of date, so it was tombstoned.  

zenvenky - thanks for your comments too.  If not tombstoned then this might have worked.

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Tackle projects and never again get stuck behind a technical roadblock.
Join Now