Active Directory DC out of sync after hard drive failure

Had a hard drive fail in one of our remote DC servers.  It was a mirrored config, and one drive went bad two months ago, then the other today.  Then it rebooted itself and booted from the one that went bad two months ago, so all the AD info is out of date and it cannot communicate with all the other DCs.  I get Event ID 4 Errors like this on the good DCs:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/SERVERNAME.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME), and the client realm.   Please contact your system administrator.

I'm not sure if at this point I should remove this DC out of AD, get new drive and rebuld from scratch, then set it up as a DC again?  If I do, what steps do I use to pull it out and when I reinstall, should I use the same name?  
Who is Participating?
SandeshdubeyConnect With a Mentor Senior Server EngineerCommented:
Ran dcdiag /q on the healthy dc and check for errors.Is the secure channel between the DC broken or the offline server has reached the tombstone lifecycle period.

If in dcdiag the server which was offline has reached tombstone period then you need to forcefully demote the DC followed by metadatacleanup and promote the server back as DC.

If the secure channel between the DC are broken you need to rest the same.

Check the Directory service event id for lingering object on healthy DC if issue persist you need to remove the same to fix the replication issue:
Mike KlineConnect With a Mentor Commented:
If you can fix the drive issue then you can remove it and promote again

You can do a dcpromo /forceremoval

At the end of that the machine will be in a workgroup

From one of yoru good DCs do a metadata cleanup to get rid of it in AD

I'm assuming this box held no FSMO roles

Once the cleanup/changes have replicated you can join the box back to the domain and promote it again.

If you have to wipe and start over then you skp the /forceremoval part.



You need to check 2 possible options... First try to ping using UNC path C:\start \\DC1, if this get resolves then DC is fine. Thne just remove lingering opbjects using following KB link. That will fix the issue. If not fix the broken secure channel and download resource kit tools from microsoft site and use Kerbtray to purge Kerbaros tickets.

Fix Secure Channle: Stop and disable KDC from services.msc. use netdom to fix secure channel (netdom resetpwd /server:DC_name /userd:Domain\admin /passwordd:admin_pwd). Now recheck UNC path access and reboot the server, now start KDC service.

LingeringObjects Link:
jpletcher1Author Commented:
Thanks.  i actually called MS on this one and we are basically doing these things listed above.  It was over 60 days out of date, so it was tombstoned.  

zenvenky - thanks for your comments too.  If not tombstoned then this might have worked.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.