Solved

changing domain controller clients use for authentication

Posted on 2013-11-11
934 Views
Last Modified: 2013-11-18
Hi,
Recently, the domain controller for one of our remote sites was not able to replicate for a few months, since our VPN was down all that time, so the server tombstoned. I stressed to management the importance of not allowing the VPN to be down this long, but they didn't take my advice. Anyway, now they have a dedicated high-speed connection that bridges both our office sites, so I wanted to know how I can point the PCs in the remote site to use the main domain controller in the main office for domain authentication, since they have been getting trust relationship errors in the past 2 weeks, most likely due to losing our communication to the tombstoned domain controller. I thought that by pointing to the main domain controller this would be fixed as well, but just this morning, when the tombstoned server actually went down, I was not able to rejoin one of the PCs to the domain; it gave the message that an Active Directory domain controller for the domain cannot be contacted. Thanks.
Question by: dankyle67
4 Comments
 
LVL 6

Expert Comment

by: iradatsiddiqui
ID: 39638611
Please add a new domain controller with a different name at the remote site and join all the systems to the domain.
 

Author Comment

by: dankyle67
ID: 39638637
I tried that, but the new domain controller isn't able to replicate to the main domain controller at the main office site. The main domain controller was recently set up for test purposes as a VPN server, so we had to enable the 2nd NIC card on it, so now that server is multihomed. Would that cause a problem with replication, since maybe the new domain controller I set up last week can't find the main domain controller properly? I also never did a restart of the new domain controller when I created it, so should I do that?
 
LVL 37

Expert Comment

by: Mahesh
ID: 39639319
Check if the AD authentication ports are open between the remote site client subnet and the main office DC.
On the DC in the main office, in the network card advanced binding order, keep the local production network card at the top.
Then reboot the DC once and try to promote the ADC at the remote site.
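The port and DC-locator check Mahesh describes, as an added example that is not part of the thread: run it on a remote-site client (PowerShell 2.0 or later, elevated). It probes the AD ports to the main-office DC, shows which DC the locator returns for this site, and, only if the machine account password is still valid, re-points the client's secure channel at the healthy DC. The names `dc01.corp.example` and `corp.example` are placeholders.

```powershell
# Added example, not from the thread. $MainDc and $Domain are placeholder names.
$MainDc = 'dc01.corp.example'   # healthy main-office DC (assumed FQDN)
$Domain = 'corp.example'        # AD DNS domain name (assumed)

# TCP connect test with a timeout, so a filtered port reports BLOCKED instead of hanging.
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered / timeout
        $client.EndConnect($ar)          # throws if the port is closed (RST)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Ports a domain member needs for DC location, logon and domain join.
# Dynamic RPC ports (49152 and up on 2008+) are also required but not probed here.
$AdPorts = @(
    @{Port=53;  Name='DNS'},      @{Port=88;   Name='Kerberos'},
    @{Port=135; Name='RPC EPM'},  @{Port=389;  Name='LDAP'},
    @{Port=445; Name='SMB'},      @{Port=464;  Name='Kpasswd'},
    @{Port=636; Name='LDAPS'},    @{Port=3268; Name='Global Catalog'}
)
foreach ($p in $AdPorts) {
    $state = if (Test-TcpPort -Server $MainDc -Port $p.Port) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1,-15} {2}' -f $p.Port, $p.Name, $state
}

# Which DC does the locator pick for this client's site? /force skips the cached answer.
nltest "/dsgetdc:$Domain" /force

# Is the machine account password still valid? $false is the "trust relationship"
# error from the question; then sc_reset cannot help and the client must be rejoined.
if (Test-ComputerSecureChannel) {
    # Secure channel is healthy: move it from the dead DC to the main-office DC.
    nltest "/sc_reset:$Domain\$MainDc"
} else {
    Write-Warning "Secure channel broken; rejoin $env:COMPUTERNAME to $Domain."
}
```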
 
LVL 24

Accepted Solution

by: Sandeshdubey (earned 500 total points)
ID: 39643612
You need to reboot the server if the DC is promoted. Also, VPN on a DC is not recommended. Multihomed DCs are not recommended: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

How to properly multihome DCs: http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

You also need to demote/promote the server which has reached the tombstone lifecycle period. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is the FSMO role holder server, then you need to seize the FSMO roles on another DC.

Reference links
Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO roles: http://www.petri.co.il/seizing_fsmo_roles.htm
Authoritative time server: http://support.microsoft.com/kb/816042

Once done you can promote the server back as an ADC. Also configure the authoritative time server role on the PDC role holder server.

To fix the trust relationship error on the client you need to rejoin the client computer to the domain.
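The cleanup sequence from the accepted answer (seize FSMO roles, metadata cleanup, authoritative time source), as an added example that is not part of the thread: run it on the healthy main-office DC (elevated, RSAT ActiveDirectory module, Server 2008 R2 or later) after the tombstoned DC has been force-demoted or is permanently offline. Roles are seized before the metadata cleanup so the role-owner attributes never point at a deleted object. `DC-REMOTE`, `RemoteSite`, the configuration partition DN and the NTP pool are placeholders.

```powershell
# Added example, not from the thread. Run on the HEALTHY DC; all names below are assumed.
$FailedDc   = 'DC-REMOTE'                              # dead DC, NetBIOS name (assumed)
$FailedSite = 'RemoteSite'                             # AD site it sat in (assumed, no spaces)
$HealthyDc  = $env:COMPUTERNAME                        # the DC this script runs on
$ConfigNc   = 'CN=Configuration,DC=corp,DC=example'    # forest configuration partition (assumed)
Import-Module ActiveDirectory

# 1. Seize any FSMO roles the dead DC held. -Force tries a transfer first and seizes
#    when the holder is unreachable; the old holder must never return online unchanged.
$dom = Get-ADDomain; $for = Get-ADForest
$owned = @{ PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster
            InfrastructureMaster = $dom.InfrastructureMaster
            SchemaMaster = $for.SchemaMaster; DomainNamingMaster = $for.DomainNamingMaster }
$toSeize = @($owned.Keys | Where-Object { $owned[$_] -like "$FailedDc.*" })
if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Metadata cleanup: remove the dead DC's server and NTDS Settings objects from the
#    AD database. Same steps as the petri.co.il article, passed to ntdsutil as arguments.
$serverDn = "CN=$FailedDc,CN=Servers,CN=$FailedSite,CN=Sites,$ConfigNc"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 3. Verify: replication partners no longer include the dead DC, and every DC agrees
#    on who holds the roles now.
repadmin /replsummary
dcdiag /test:KnowsOfRoleHolders /v

# 4. KB 816042: the PDC emulator becomes the authoritative time source for the forest,
#    syncing from external NTP and advertising itself as reliable. Only on the PDCe.
if ((Get-ADDomain).PDCEmulator -like "$HealthyDc.*") {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
        /syncfromflags:manual /reliable:yes /update
    w32tm /resync
}
```

After this the remote site's DC can be rebuilt and promoted again with a different name, as the thread recommends.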
