Solved

changing domain controller clients use for authentication

Posted on 2013-11-11
4
879 Views
Last Modified: 2013-11-18
Hi,

Recently, the domain controller for one of our remote sites was not able to replicate for a few months, since our VPN was down all that time, so the server tombstoned. I stressed to management the importance of not allowing the VPN to be down this long, but they didn't take my advice. Anyway, now they have a dedicated high-speed connection that bridges both our office sites, so I wanted to know how I can point the PCs in the remote site to use the main domain controller in the main office for domain authentication, since they have been getting trust relationship errors in the past 2 weeks, most likely due to losing our communication to the tombstoned domain controller. I thought that by pointing to the main domain controller this would be fixed as well, but just this morning, when the tombstoned server actually went down, I was not able to rejoin one of the PCs to the domain after it gave the message that an Active Directory domain controller for the domain cannot be contacted. Thanks.
0
Question by:dankyle67
4 Comments
 
LVL 6

Expert Comment

by:iradatsiddiqui
Please add a new domain controller with a different name at the remote site and join all the systems to the domain.
0
 

Author Comment

by:dankyle67
I tried that, but the new domain controller isn't able to replicate to the main domain controller at the main office site. The main domain controller was recently set up for test purposes as a VPN server, so we had to enable the 2nd NIC card on it, so now that server is multihomed. Would that cause a problem with replication, since maybe the new domain controller I set up last week can't find the main domain controller properly? I also never did a restart of the new domain controller when I created it, so should I do that?
0
 
LVL 35

Expert Comment

by:Mahesh
Check if AD authentication ports are opened between the remote site client subnet and the main office DC.
On the DC in the main office, in the network card advanced binding order, keep the local production network card at the top.
Then reboot the DC once and then try to promote the ADC at the remote site.
0
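As an added example (not part of the thread), the port check suggested above, run from a remote-site client against the main-office DC. It assumes Windows 8 / Server 2012 or later for Test-NetConnection and Resolve-DnsName; the DC and domain names are placeholders.

```powershell
# Added example: verify from a remote-site client that the main-office DC is reachable on
# the ports a domain member needs, and that the client's DNS still advertises that DC.
$Dc     = 'DC01.corp.example'      # placeholder: main-office DC FQDN
$Domain = 'corp.example'           # placeholder: AD DNS domain name

# Ports used for DC location, Kerberos, LDAP, SMB/Netlogon and RPC endpoint mapping.
$AdPorts = [ordered]@{
    'DNS'            = 53
    'Kerberos'       = 88
    'RPC endpoint'   = 135
    'LDAP'           = 389
    'SMB/Netlogon'   = 445
    'Kerberos pwd'   = 464
    'LDAPS'          = 636
    'Global Catalog' = 3268
}

# 1. Does DNS on this client still return the main-office DC as a DC for the domain?
#    If only the tombstoned DC is listed, the client's DNS server setting is the first fix.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$dcNames = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget
if (-not $dcNames) {
    Write-Warning "No DC SRV records found for $Domain; check the client's DNS server setting."
} elseif ($dcNames -notcontains $Dc) {
    Write-Warning "DNS advertises $($dcNames -join ', ') but not $Dc."
}

# 2. TCP reachability of each AD port on the main-office DC; a firewall block shows as Closed.
$results = foreach ($entry in $AdPorts.GetEnumerator()) {
    $open = Test-NetConnection -ComputerName $Dc -Port $entry.Value `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service = $entry.Key
        Port    = $entry.Value
        State   = if ($open) { 'Open' } else { 'Closed' }
    }
}
$results | Format-Table -AutoSize

# 3. Which DC does this client actually locate right now (bypassing the cached DC)?
nltest /dsgetdc:$Domain /force
```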
 
LVL 24

Accepted Solution

by: Sandeshdubey (earned 500 total points)
You need to reboot the server if the DC is promoted. Also, VPN on a DC is not recommended. Multihomed DCs are not recommended: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

How to properly multihome DCs: http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

You also need to demote/promote the server which has reached the tombstone lifetime period. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on the other (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is an FSMO role holder server, then you need to seize the FSMO roles on the other DC.

Reference links:
Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO roles: http://www.petri.co.il/seizing_fsmo_roles.htm
Authoritative time server: http://support.microsoft.com/kb/816042

Once done, you can promote the server back as an ADC. Also configure the authoritative time server role on the PDC role holder server.

To fix the trust relationship error on the client, you need to rejoin the client computer to the domain.
0
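As an added example (not from the thread or the linked articles), the FSMO check, seizure and metadata cleanup steps of the accepted solution, run on the healthy main-office DC after the tombstoned DC has been forcibly demoted. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 or later); the DC and site names are placeholders.

```powershell
# Added example: after dcpromo /forceremoval on the tombstoned DC, run on the healthy DC
# to seize any FSMO roles it still holds, clean its metadata and confirm replication.
Import-Module ActiveDirectory
$FaultyDc   = 'REMOTEDC'            # placeholder: tombstoned DC (short name)
$HealthyDc  = 'DC01'                # placeholder: DC that takes over the roles
$FaultySite = 'RemoteSite'          # placeholder: AD site that held the faulty DC

# 1. Which DC holds each FSMO role? Roles stranded on a dead DC break RID issuance,
#    schema/domain changes and (via the PDC emulator) domain time sync.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roles.GetEnumerator() | Format-Table -AutoSize

# 2. Seize (not transfer; the old holder is gone) every role still attributed to the faulty DC.
$toSeize = $roles.GetEnumerator() |
    Where-Object { $_.Value -like "$FaultyDc.*" } |
    ForEach-Object { $_.Key }
if ($toSeize) {
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 3. Metadata cleanup: remove the faulty DC's server object from the configuration
#    partition so clients, DNS and replication topology stop referencing it.
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$FaultyDc,CN=Servers,CN=$FaultySite,CN=Sites,$configNc"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 4. Confirm no stale replication partners remain, then check the time source. On the PDC
#    emulator, point w32tm at a reliable external NTP source as the linked KB describes:
#    w32tm /config /manualpeerlist:"<ntp.server.placeholder>" /syncfromflags:manual /reliable:yes /update
repadmin /replsummary
w32tm /query /source
```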
