Active Directory DC out of sync after hard drive failure

Posted on 2011-10-17
Last Modified: 2012-05-12
Had a hard drive fail in one of our remote DC servers. It was a mirrored config, and one drive went bad two months ago, then the other today. Then it rebooted itself and booted from the one that went bad two months ago, so all the AD info is out of date and it cannot communicate with all the other DCs. I get Event ID 4 errors like this on the good DCs:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/SERVERNAME. The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAINNAME), and the client realm. Please contact your system administrator.

I'm not sure if at this point I should remove this DC from AD, get a new drive and rebuild from scratch, then set it up as a DC again? If I do, what steps do I use to pull it out, and when I reinstall, should I use the same name?
Question by: jpletcher1

Assisted Solution by: Mike Kline
If you can fix the drive issue then you can remove it and promote again.

You can do a dcpromo /forceremoval.

At the end of that the machine will be in a workgroup.

From one of your good DCs do a metadata cleanup to get rid of it in AD.

I'm assuming this box held no FSMO roles.

Once the cleanup/changes have replicated you can join the box back to the domain and promote it again.

If you have to wipe and start over then you skip the /forceremoval part.



Expert Comment

You need to check 2 possible options. First try to ping using the UNC path (C:\>start \\DC1); if this gets resolved then the DC is fine. Then just remove lingering objects using the following KB link. That will fix the issue. If not, fix the broken secure channel and download the Resource Kit tools from the Microsoft site and use Kerbtray to purge Kerberos tickets.

Fix Secure Channel: Stop and disable KDC from services.msc. Use netdom to fix the secure channel (netdom resetpwd /server:DC_name /userd:Domain\admin /passwordd:admin_pwd). Now recheck UNC path access and reboot the server, then start the KDC service.

Lingering Objects Link:
Accepted Solution

Run dcdiag /q on the healthy DC and check for errors. Is the secure channel between the DCs broken, or has the offline server reached the tombstone lifecycle period?

If in dcdiag the server which was offline has reached the tombstone period then you need to forcefully demote the DC, followed by metadata cleanup, and promote the server back as a DC.

If the secure channel between the DCs is broken you need to reset the same.

Check the Directory Service event IDs for lingering objects on the healthy DC; if the issue persists you need to remove the same to fix the replication issue:
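The two procedures the answers describe (check whether the stale DC is past the tombstone lifetime and, if so, force-demote it and clean up its metadata; otherwise reset the secure channel and replicate) can be driven from the healthy DC with the script below. This is an added example, not code from the thread or from Microsoft. It assumes a healthy DC named GOODDC01 and a stale DC named BADDC01 (both hypothetical), the ActiveDirectory PowerShell module on Windows Server 2012 or later (for Get-ADReplicationPartnerMetadata), the provider name Microsoft-Windows-Security-Kerberos for the event ID 4 filter, and ntdsutil's one-line "remove selected server <DN>" syntax that exists from Server 2008 on.

```powershell
# Added example, not from the original thread. Run on a healthy DC.
# Assumed names: GOODDC01 (healthy DC), BADDC01 (DC that booted from the stale mirror).
param(
    [string]$GoodDC = 'GOODDC01',
    [string]$BadDC  = 'BADDC01'
)
Import-Module ActiveDirectory

function Get-StaleDcAssessment {
    param([string]$GoodDC, [string]$BadDC)

    $configNC = (Get-ADRootDSE -Server $GoodDC).configurationNamingContext

    # Tombstone lifetime is stored on the Directory Service object in the config NC.
    # When the attribute is unset the forest uses the legacy default of 60 days.
    $dsObj = Get-ADObject -Server $GoodDC -Properties tombstoneLifetime `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

    # Replication metadata the healthy DC holds about the stale partner, one row per
    # naming context. The oldest LastReplicationSuccess is the one that matters.
    $meta = Get-ADReplicationPartnerMetadata -Target $GoodDC -PartnerType Inbound |
            Where-Object { $_.Partner -like "CN=NTDS Settings,CN=$BadDC,*" }
    if (-not $meta) { throw "No inbound replication metadata for $BadDC on $GoodDC" }
    $lastOk    = ($meta | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess
    $daysStale = [math]::Floor(((Get-Date) - $lastOk).TotalDays)

    # The forced-removal answer assumes the stale box held no FSMO roles; verify it.
    $dom = Get-ADDomain -Server $GoodDC
    $for = Get-ADForest -Server $GoodDC
    $roles = @{ PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster
                InfrastructureMaster = $dom.InfrastructureMaster
                SchemaMaster = $for.SchemaMaster; DomainNamingMaster = $for.DomainNamingMaster }
    $heldByBad = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$BadDC.*" } | ForEach-Object Name)

    # Event ID 4 KRB_AP_ERR_MODIFIED on the healthy DC naming the stale host: the stale
    # DC's machine account password (rotated every 30 days by default) no longer matches
    # the key the KDC used to encrypt the service ticket. Provider name is an assumption.
    $krbEvents = @(Get-WinEvent -ComputerName $GoodDC -MaxEvents 50 -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } |
        Where-Object { $_.Message -match "host/$BadDC" })

    # The server object DN is what ntdsutil's metadata cleanup needs.
    $dcInfo = Get-ADDomainController -Identity $BadDC -Server $GoodDC

    [pscustomobject]@{
        TombstoneLifetimeDays = $tsl
        DaysSinceLastSuccess  = $daysStale
        PastTombstoneLifetime = ($daysStale -ge $tsl)
        FsmoRolesOnStaleDc    = $heldByBad
        KerberosErrorEvents   = $krbEvents.Count
        ServerObjectDN        = $dcInfo.ServerObjectDN
    }
}

$a = Get-StaleDcAssessment -GoodDC $GoodDC -BadDC $BadDC
$a | Format-List

if ($a.FsmoRolesOnStaleDc.Count -gt 0) {
    Write-Warning "Seize these roles on $GoodDC before cleanup: $($a.FsmoRolesOnStaleDc -join ', ')"
}

if ($a.PastTombstoneLifetime) {
    @"
$BadDC is $($a.DaysSinceLastSuccess) days stale, beyond the $($a.TombstoneLifetimeDays)-day tombstone
lifetime. Do not let it replicate back in (lingering objects). Instead:
  1. On $BadDC, disconnected from the network:  dcpromo /forceremoval
  2. On $GoodDC (ntdsutil one-line syntax, Server 2008 or later):
     ntdsutil "metadata cleanup" "remove selected server $($a.ServerObjectDN)" quit quit
  3. Delete leftover DNS records (A, NS, SRV) for $BadDC, then:  repadmin /syncall /AdeP
  4. Rejoin the rebuilt box to the domain and promote it again.
"@
} else {
    @"
$BadDC is within the tombstone lifetime. Reset its secure channel from the stale side
and force replication instead of demoting it:
  netdom resetpwd /server:$GoodDC /userd:DOMAIN\admin /passwordd:*
  repadmin /syncall /AdeP $BadDC
"@
}
```

The script only reads directory data and prints the commands for whichever branch applies; the destructive steps (dcpromo /forceremoval, ntdsutil metadata cleanup) are deliberately left for the operator to run by hand after checking the FSMO warning, since seizing a role held by the stale DC has to happen before its server object is removed.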

Author Closing Comment

Thanks. I actually called MS on this one and we are basically doing the things listed above. It was over 60 days out of date, so it was tombstoned.

zenvenky - thanks for your comments too. If not tombstoned then this might have worked.
