Solved

Why do some servers have to rejoin the domain?

Posted on 2013-11-24
7
316 Views
Last Modified: 2013-12-01
This is using an MS W2K3 AD domain. Recently, for certain reasons, I had no choice but to change the DC's IP from .8 to .9. After that, I did some clean-up on AD and DNS to make sure that the DC is using .9 for all communications.

Recently, users started to feed back to me that they are not able to log on to the domain. Secondly, I also found that a few servers have to be removed and then re-joined to the domain. Why? What went wrong? How do I solve it? The DC was originally a physical server, and has since been converted to a Hyper-V VM.

Shall I set up a second VM DC (a clean setup) to take over from the above DC?
0
Question by:MichaelBalack
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39672675
When you said you did some cleanup, what did you do? What IP were clients (static and DHCP) using for DNS? Have they all been updated to the new .9 address?

Make sure the networking is set up properly in the virtualization infrastructure too.


Thanks

Mike
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39673460
Typically I never virtualize DCs. Normally because it is so easy to just throw up another one. I would just build a new DC in the virtual environment like you said.

Also, I assume the DC was also acting as a DNS server? Is there any chance that the DHCP scopes are still listing the old address to clients for DNS? Or static entries on servers?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39673630
Most of the time the above issue indicates that the secure channel between the DC and the client is broken. Can you post the error message you receive when the issue occurs, before you rejoin the machine/server to the domain? Most of the time it is due to DNS misconfiguration. Also verify the health of the existing DC with dcdiag /q and repadmin /replsum, and post the log if an error is reported.

(1) Check the DNS & WINS entries?
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

(2) Check whether the Firewall service is ON or OFF.
Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

(3) Check the status of the machine account in AD (it may be disabled).
If the machine account is disabled, enable it.

(4) Remove the server from the domain and re-add it to the domain, or else try using the netdom utility to reset the secure channel between the server and the domain controller.
http://support.microsoft.com/kb/260575

(5) Also check the DNS console for duplicate records for the host machine and remove them.

(6) It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. has new features to "protect network traffic". Please check the AV settings and disable this if defined.

(7) If the system was prepared by imaging, ensure that sysprep was executed. Disjoin the PC from the domain, run sysprep, and then add the machine to the domain.
Please refer to the following two Microsoft TechNet blogs for more information.

The Machine SID Duplication Myth (and Why Sysprep Matters)
http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

Sysprep, Machine SIDs and Other Myths
http://blogs.technet.com/b/deploymentguys/archive/2009/12/03/sysprep-machine-sids-and-other-myths.aspx
0
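The checks in the accepted answer (DNS client settings, stale DC records, duplicate host records, secure channel) can be run together from a domain member. This is an added example, not code from the thread; it assumes a Windows 8 / Server 2012 or later member with PowerShell 3+ (the cmdlets used do not exist on W2K3), and the domain name and IP addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Checks a domain member for the symptoms
# discussed above. Domain name and addresses are constructed placeholders.
param(
    [string]$DomainFqdn   = 'corp.example.com',   # placeholder: your AD DNS domain
    [string]$ExpectedDcIp = '192.168.1.9',        # placeholder: the DC's new address
    [string]$OldDcIp      = '192.168.1.8',        # placeholder: the DC's retired address
    [switch]$Repair                               # reset the secure channel if it is broken
)
$problems = @()

# (1) DNS client settings: every IPv4 adapter with DNS servers configured should
# point at the new DC and must not still list the retired address.
foreach ($nic in (Get-DnsClientServerAddress -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses.Count -gt 0 })) {
    if ($nic.ServerAddresses -contains $OldDcIp) {
        $problems += "Adapter '$($nic.InterfaceAlias)' still lists retired DNS server $OldDcIp"
    }
    if ($nic.ServerAddresses -notcontains $ExpectedDcIp) {
        $problems += "Adapter '$($nic.InterfaceAlias)' does not list DC $ExpectedDcIp for DNS"
    }
}

# (2) DC locator: the SRV lookup also returns the DC's A records. One that still
# carries the old address means the DNS clean-up after the IP change was incomplete.
$locator = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue
foreach ($rec in @($locator | Where-Object { $_.Type -eq 'A' })) {
    if ($rec.IPAddress -eq $OldDcIp) {
        $problems += "DC host record $($rec.Name) still resolves to retired address $OldDcIp"
    }
}

# (3) Duplicate host records (step 5 of the answer): more than one A record for this machine.
$self = @(Resolve-DnsName -Name "$env:COMPUTERNAME.$DomainFqdn" -Type A -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'A' })
if ($self.Count -gt 1) {
    $problems += "$($self.Count) A records exist for $env:COMPUTERNAME; remove the stale one in the DNS console"
}

# (4) Secure channel (steps 3 and 4 of the answer). -Repair resets the machine account
# password like 'netdom reset' does, so the server need not leave and rejoin the domain.
# Requires an elevated session and domain credentials.
if (-not (Test-ComputerSecureChannel)) {
    if ($Repair) {
        Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message 'Domain admin credentials')
    } else {
        $problems += "Secure channel to the domain is broken; re-run with -Repair or use 'netdom reset'"
    }
}
if ($problems.Count -eq 0) { 'No DNS or secure-channel problems found.' } else { $problems }
```

Run it first without -Repair to see which of the answer's checks fail; a member whose DNS still points at the retired address will typically fail check (1) and (4) together, which is the pattern the thread describes.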

 
LVL 1

Author Comment

by:MichaelBalack
ID: 39677632
Hi MKline71,

The DC was virtualized from an HP physical server. It seems that there is 1 hidden NIC that is holding on to .8, besides the .9 on a "recognised NIC".

Do I have to remove the hidden NIC?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39683458
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39688022
Hi Sandeshdubey,

The link is no longer working.
0
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 39688024
Excellence
0