Solved

Domain Controller Problems

Posted on 2013-12-10
Last Modified: 2013-12-19
I have a problem that my company has inherited from a client's previous IT Director. We don't have nearly enough information on the situation but are working with what we have been able to decipher from his notes.

We were having an issue with an old domain controller. It is no longer the primary domain controller, but it is still playing some roles in the network. Trying to get a snapshot of it in vSphere, someone took the server down. This caused some DNS problems with SharePoint and the print server, and caused some permissions issues with some shared drives. The person who took it down was able to make a new machine and load an old backup. A backup from September, I know, shitty situation but also inherited from the former IT Director. Anyways, it appears that this DC hasn't synced with the primary domain controller or either of the other backup domain controllers since a few weeks before this backup.

Since the virtual server of the backup was stood up we continue to see problems with SharePoint permissions, some shared drive permissions, and we continue to get domain trust problems on many people's computers. I also appear to be seeing problems with Group Policy updates on many users' machines.

I know this isn't much information to go off of, but I was hoping this might be able to jump-start a discussion that could lead me in the right direction with what to do.

I was thinking of removing the problematic DC altogether and setting up a different server for the shared drives that were running on it. So I would then go to the servers that are pointing to it and change the DNS servers they look at in the network settings. I'm not sure what to do about the rights issues, however. I assume the shared drive problems will clear as I set everything up on the new file server, but I am not sure what to do about my problems with SharePoint and the domain trust issues I am seeing.
Question by:OmegaKzoo
Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39710410
Your first problem was restoring the old domain controller image back into your production environment. In most cases, if you have multiple DCs and you have 1 problematic one, the best thing to do is demote this DC from your domain.

This is why replication is not happening, and also the cause of all of the computer trust issues. When you restored the DC image back into the domain, the USNs (update sequence numbers) were not in sync, which causes replication to not function properly, or at all. The users that are getting trust issues with computer accounts are probably the users that are authenticating to the old restored domain controller.

Recommended steps below that you should follow.
- Ensure that your PDC (FSMO role holder) is working accordingly
- Configure your DHCP DNS entries for only the DCs that are functioning properly (PDC)
- Do the same for servers in your environment (DNS settings point to PDC)
- Try gracefully decommissioning the restored domain controller
- If decommission is successful, check to ensure that all objects have been removed (metadata cleanup)
- Once the DC has been removed from the domain, do repadmin /replsum and repadmin /showrepl and also DCDiag /v
- Check the SRV records in DNS to ensure that the old DC no longer exists; if there are any records associated with the SRV records (i.e. _msdcs Kerberos, LDAP or GC), delete the objects
- Open Sites and Services and ensure that the computer object/s for the old DC no longer exist; if they do, delete them
- Check event logs to ensure they are clean and perform the replication tests repadmin /replsum and repadmin /showrepl to ensure that replication is working accordingly

Metadata cleanup - http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Will.
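
The replication check from the last steps of the answer above, as an added example that is not part of the original post: it parses `repadmin /showrepl * /csv` output and reports links that are failing or that still name the removed DC. The DC names, domain and sample rows are constructed, and `OLDDC01` is a hypothetical name for the restored DC.

```powershell
# Added example, not from the original answer. All names below are constructed.
$RemovedDc = 'OLDDC01'   # hypothetical name of the restored DC that was demoted

# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
# On a live DC use instead:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,2013-12-11 09:15:02,0
showrepl_INFO,HQ,DC02,"DC=corp,DC=example",HQ,DC01,RPC,0,0,2013-12-11 09:14:47,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,OLDDC01,RPC,312,2013-12-11 09:00:10,2013-08-28 02:11:40,8456
'@

function Get-ReplFinding {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,
        [Parameter(Mandatory)] [string]   $RemovedDc
    )
    # Accept either one multi-line string or the line array repadmin emits.
    $rows = $CsvLines -split '\r?\n' | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $reasons = @()
        # A non-zero failure count means this inbound link is not replicating.
        if ([int]$row.'Number of Failures' -gt 0) {
            $reasons += "failing (count=$($row.'Number of Failures'), status=$($row.'Last Failure Status'))"
        }
        # After demotion and metadata cleanup no link should name the old DC.
        if ($RemovedDc -in @($row.'Source DSA', $row.'Destination DSA')) {
            $reasons += 'still references removed DC'
        }
        if ($reasons) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                LastSuccess   = $row.'Last Success Time'
                Finding       = $reasons -join '; '
            }
        }
    }
}

# With the sample above this reports only the DC01 <- OLDDC01 link.
Get-ReplFinding -CsvLines $csv -RemovedDc $RemovedDc | Format-List
```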
Author Closing Comment

by:OmegaKzoo
ID: 39729884
You sir have hit the nail on the head.  Thank you.