Solved

changing domain controller clients use for authentication

Posted on 2013-11-11
931 Views
Last Modified: 2013-11-18
Hi,

Recently, the domain controller for one of our remote sites was not able to replicate for a few months, since our VPN was down all that time, so the server tombstoned. I stressed to management the importance of not allowing the VPN to be down this long, but they didn't take my advice. Anyway, they now have a dedicated high-speed connection that bridges both our office sites, so I wanted to know how I can point the PCs in the remote site to use the main domain controller in the main office for domain authentication. They have been getting trust relationship errors in the past two weeks, most likely due to losing communication with the tombstoned domain controller, so I thought that pointing them to the main domain controller would fix this as well. But just this morning, when the tombstoned server actually went down, I was not able to rejoin one of the PCs to the domain: it gave the message that an Active Directory domain controller for the domain cannot be contacted. Thanks.
Question by:dankyle67
4 Comments
 
LVL 6

Expert Comment

by:iradatsiddiqui
ID: 39638611
Please add a new domain controller with a different name at the remote site and join all the systems to the domain.
 

Author Comment

by:dankyle67
ID: 39638637
I tried that, but the new domain controller isn't able to replicate to the main domain controller at the main office site. The main domain controller was recently set up for test purposes as a VPN server, so we had to enable the second NIC on it, and that server is now multihomed. Would that cause a problem with replication, since maybe the new domain controller I set up last week can't find the main domain controller properly? I also never restarted the new domain controller when I created it, so should I do that?
 
LVL 37

Expert Comment

by:Mahesh
ID: 39639319
Check whether the AD authentication ports are open between the remote-site client subnet and the main office DC.
On the DC in the main office, in the network card advanced binding order, keep the local production network card at the top.
Then reboot the DC once and try to promote the ADC at the remote site again.
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39643612
You need to reboot the server once the DC is promoted. Also, a VPN on a DC is not recommended. Multihomed DCs are not recommended: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

How to properly multihome DCs: http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

You also need to demote/promote the server which has reached the tombstone lifetime. You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on the other (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is the FSMO role holder, then you need to seize the FSMO roles on the other DC.

Reference links
Forceful removal of a DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO roles: http://www.petri.co.il/seizing_fsmo_roles.htm
Authoritative time server: http://support.microsoft.com/kb/816042

Once done, you can promote the server back as an ADC. Also configure the authoritative time server role on the PDC role holder.

To fix the trust relationship error on a client, you need to rejoin the client computer to the domain.
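The procedure in the accepted solution (forced removal of the tombstoned DC, metadata cleanup, FSMO seizure, authoritative time source, client rejoin), together with the port check Mahesh suggests, written out as one PowerShell runbook. This is an added example, not code from the thread or from the linked articles. Assumed names: domain corp.example, healthy main-office DC DC1, tombstoned remote-site DC DC2 in AD site RemoteSite, NTP peers 0.pool.ntp.org and 1.pool.ntp.org. The ActiveDirectory module cmdlets need Server 2008 R2 or later (on older servers use the ntdsutil roles menu from the linked Petri article instead).

```powershell
# Added example, not from the thread. Assumed names: corp.example, DC1 (healthy,
# main office), DC2 (tombstoned, site RemoteSite), pool.ntp.org as time source.
# Run in an elevated PowerShell as a Domain Admin. Section 0 runs on a remote-site
# client, sections 1-4 on DC1, section 5 on each affected client.

# --- 0. On a remote-site client: which DC does the locator return, and is DC1 reachable? ---
nltest /dsgetdc:corp.example /force        # should name DC1 once DC2 is gone from AD and DNS

function Test-AdPorts {
    # TCP ports a domain member needs to reach on a DC. The dynamic RPC range
    # (49152-65535 on 2008+, 1025-5000 on 2003) must be open as well.
    param([string]$Server, [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269))
    foreach ($p in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($Server, $p, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne(2000) -and $client.Connected   # 2 s timeout per port
        } catch { $open = $false }
        finally { $client.Close() }
        New-Object PSObject -Property @{ Server = $Server; Port = $p; Open = $open }
    }
}
Test-AdPorts -Server DC1.corp.example | Format-Table Server, Port, Open -AutoSize

# --- 1. On DC2, if it still boots: forced demotion. Never let it replicate again. ---
#   Server 2003 / 2008:  dcpromo /forceremoval
#   Server 2012+:        Uninstall-ADDSDomainController -ForceRemoval -Force `
#                            -LocalAdministratorPassword (Read-Host -AsSecureString "Local admin pwd")

# --- 2. On DC1: seize any FSMO roles DC2 still holds (harmless for roles DC1 already owns) ---
Import-Module ActiveDirectory
netdom query fsmo                            # current holders; anything pointing at DC2 must be seized
Move-ADDirectoryServerOperationMasterRole -Identity DC1 -Force `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# --- 3. On DC1: metadata cleanup, then verify DC2 is gone from AD, DNS and the replication topology ---
ntdsutil "metadata cleanup" `
    "remove selected server CN=DC2,CN=Servers,CN=RemoteSite,CN=Sites,CN=Configuration,DC=corp,DC=example" q q

Get-ADObject -Filter 'Name -eq "DC2"' -SearchBase "CN=Sites,CN=Configuration,DC=corp,DC=example"   # expect no output
repadmin /showrepl                                                  # expect no partner named DC2
# Stale SRV records for DC2 must be removed from the DNS zones by hand; these lookups show what is left.
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example DC1.corp.example
nslookup -type=SRV _ldap._tcp.RemoteSite._sites.dc._msdcs.corp.example DC1.corp.example   # DC1 covers the site

# --- 4. On DC1 (PDC emulator): make it the authoritative time source (KB 816042) ---
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync
w32tm /query /source                         # should show the NTP peer, not "Local CMOS Clock"

# --- 5. On each remote-site client: confirm the broken secure channel, then repair or rejoin ---
Test-ComputerSecureChannel -Server DC1.corp.example           # $false is the "trust relationship" error
# A password reset against DC1 usually clears it without a full rejoin:
Test-ComputerSecureChannel -Repair -Credential (Get-Credential "CORP\Administrator")
# If that still returns $false, rejoin as the answer says (leave the domain, then):
# Add-Computer -DomainName corp.example -Credential (Get-Credential "CORP\Administrator") -Restart
```

Section order matters: seize the roles before the metadata cleanup (the cleanup refuses to remove a server that still holds a role), and only run the cleanup once DC2 is shut down for good, because a tombstoned DC that reappears after cleanup will reintroduce lingering objects. The final `nslookup` against the RemoteSite site-specific records is the check for the original question: once DC2 is out of AD and DNS, automatic site coverage makes DC1 register those records and the remote clients locate it without any per-client change.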

