Solved

Domain Controller Problems

Posted on 2013-12-10
442 Views
Last Modified: 2013-12-19
I have a problem that my company has inherited from a client's previous IT Director. We don't have nearly enough information on the situation but are working with what we have been able to decipher from his notes.

We were having an issue with an old domain controller. It is no longer the primary domain controller, but it is still playing some roles in the network. While trying to get a snapshot of it in vSphere, someone took the server down. This caused some DNS problems with SharePoint and the print server, and caused some permissions issues with some shared drives. The person who took it down was able to make a new machine and load an old backup. A backup from September, I know, shitty situation but also inherited from the former IT Director. Anyway, it appears that this DC hasn't synced with the primary domain controller or either of the other backup domain controllers since a few weeks before this backup.

Since the virtual server from the backup was stood up we continue to see problems with SharePoint permissions and some shared drive permissions, and we continue to get domain trust problems on many people's computers. I also appear to be seeing problems with Group Policy updates on many users' machines.

I know this isn't much information to go on, but I was hoping this might jump-start a discussion that could lead me in the right direction with what to do.

I was thinking of removing the problematic DC altogether and setting up a different server for the shared drives that were running on it. I would then go to the servers that are pointing to it and change the DNS servers they look at in the network settings. I'm not sure what to do about the rights issues, however. I assume the shared drive problems will clear as I set everything up on the new file server, but I am not sure what to do about my problems with SharePoint and the domain trust issues I am seeing.
Question by: OmegaKzoo

2 Comments

Accepted Solution

by: Will Szymkowski (earned 2000 total points)
ID: 39710410
Your first problem was restoring the old domain controller image back into your production environment. In most cases, if you have multiple DCs and one of them is problematic, the best thing to do is demote that DC from your domain.

This is why replication is not happening, and it also explains all of the computer trust issues. When you restored the DC image back into the domain, the USNs (update sequence numbers) were not in sync, which causes replication not to function properly, or at all. The users that are getting trust issues with their computer accounts are probably the users that are authenticating to the old restored domain controller.

Recommended steps below that you should follow:
- Ensure that your PDC (FSMO role holder) is working accordingly
- Configure your DHCP DNS entries for only the DCs that are functioning properly (PDC)
- Do the same for servers in your environment (DNS settings point to PDC)
- Try gracefully decommissioning the restored domain controller
- If decommission is successful, check to ensure that all objects have been removed (metadata cleanup)
- Once the DC has been removed from the domain, run repadmin /replsum and repadmin /showrepl and also DCDiag /v
- Check the SRV records in DNS to ensure that the old DC no longer exists; if there are any records associated with the old DC under the SRV records, i.e. _msdcs Kerberos, LDAP or GC, delete the objects
- Open Sites and Services and ensure that the computer object(s) for the old DC no longer exist; if they do, delete them
- Check event logs to ensure they are clean and perform the replication tests repadmin /replsum and repadmin /showrepl to ensure that replication is working accordingly

Metadata cleanup - http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Will.
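The verification part of the accepted answer (FSMO holders reachable, stale server object in Sites and Services, leftover SRV records under _msdcs, replication tests, clean event logs) can be run from a healthy DC as one script. The following PowerShell is an added example written for this thread, not code posted by Will or shipped by Microsoft; it assumes the ActiveDirectory and DnsServer RSAT modules are installed, that it is run with domain admin rights, and that `$OldDc` is replaced with the hostname of the decommissioned DC (a placeholder here). It only reports; the actual metadata cleanup still follows the linked TechNet procedure.

```powershell
# Added example (not from the original thread): post-decommission checks for a
# removed DC, following the accepted answer's verification steps.
# Assumptions: ActiveDirectory + DnsServer modules present, run as domain admin
# from a healthy DC; $OldDc is a placeholder hostname.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc  = 'OLDDC01'                   # placeholder: decommissioned DC hostname
$Domain = (Get-ADDomain).DNSRoot       # e.g. corp.example.com (read from AD)
$Pdc    = (Get-ADDomain).PDCEmulator   # FQDN of the PDC emulator

# 1. FSMO role holders: every role must sit on a DC that still exists and answers.
Write-Output "--- FSMO role holders ---"
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 2. Sites and Services: a leftover server / NTDS Settings object for the old DC
#    means the demotion did not finish and metadata cleanup is required.
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$stale = Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" `
                      -Properties distinguishedName
if ($stale) {
    Write-Warning "Server object still present: $($stale.DistinguishedName) - metadata cleanup needed"
} else {
    Write-Output "OK: no server object for $OldDc under $sitesDn"
}

# 3. DNS: SRV records (Kerberos, LDAP, GC) in _msdcs and the domain zone that
#    still resolve to the old DC, plus its A record. These keep clients
#    authenticating against a host that no longer exists.
foreach ($zone in @("_msdcs.$Domain", $Domain)) {
    Get-DnsServerResourceRecord -ComputerName $Pdc -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$OldDc.*" } |
        ForEach-Object { Write-Warning "Stale SRV in ${zone}: $($_.HostName) -> $($_.RecordData.DomainName)" }
}
$aRecord = Get-DnsServerResourceRecord -ComputerName $Pdc -ZoneName $Domain -Name $OldDc -RRType A `
                                       -ErrorAction SilentlyContinue
if ($aRecord) { Write-Warning "Stale A record for $OldDc still in $Domain" }
else          { Write-Output "OK: no A record for $OldDc in $Domain" }

# 4. Replication health, exactly the commands named in the answer.
Write-Output "--- repadmin /replsum ---";  repadmin /replsum
Write-Output "--- repadmin /showrepl ---"; repadmin /showrepl
Write-Output "--- dcdiag /v ---";          dcdiag /v

# 5. Event logs: recent critical/error entries in the Directory Service log on the PDC.
#    An empty result here is the "clean" state the answer asks for.
Get-WinEvent -ComputerName $Pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Directory Service'
    Level     = 1, 2                       # 1 = Critical, 2 = Error
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it once after the demotion attempt and again after any metadata cleanup; warnings from steps 2 and 3 are the objects the answer says to delete, and the script is safe to rerun because it changes nothing.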

Author Closing Comment

by: OmegaKzoo
ID: 39729884
You sir have hit the nail on the head. Thank you.