Solved

Domain Controller Problems

Posted on 2013-12-10
Last Modified: 2013-12-19
I have a problem that my company has inherited from a client's previous IT Director. We don't have nearly enough information on the situation but are working with what we have been able to decipher from his notes.

We were having an issue with an old domain controller. It is no longer the primary domain controller, but it is still playing some roles in the network. While trying to get a snapshot of it in vSphere, someone took the server down. This caused some DNS problems with SharePoint and the print server, and caused some permissions issues with some shared drives. The person who took it down was able to make a new machine and load an old backup. A backup from September; I know, a shitty situation, but also inherited from the former IT Director. Anyway, it appears that this DC hadn't synced with the primary domain controller or either of the other backup domain controllers since a few weeks before this backup.

Since the virtual server from the backup was stood up, we continue to see problems with SharePoint permissions and some shared drive permissions, and we continue to get domain trust problems on many people's computers. I also appear to be seeing problems with Group Policy updates on many users' machines.

I know this isn't much information to go off of, but I was hoping this might jump-start a discussion that could lead me in the right direction on what to do.

I was thinking of removing the problematic DC altogether and setting up a different server for the shared drives that were running on it. I would then go to the servers that are pointing to it and change the DNS servers they look at in their network settings. I'm not sure what to do about the rights issues, however. I assume the shared drive problems will clear up as I set everything up on the new file server, but I am not sure what to do about my problems with SharePoint and the domain trust issues I am seeing.
Question by:OmegaKzoo
2 Comments

Accepted Solution

by: Will Szymkowski (earned 500 total points)
ID: 39710410
Your first problem was restoring the old domain controller image back into your production environment. In most cases, if you have multiple DCs and one of them is problematic, the best thing to do is demote that DC from your domain.

This is why replication is not happening and is also the cause of all of the computer trust issues. When you restored the DC image back into the domain, the USN (update sequence number) was not in sync, which causes replication to not function properly, or at all. The users who are getting trust issues with their computer accounts are probably the users who are authenticating to the old restored domain controller.

Recommended steps below that you should follow.
- Ensure that your PDC (FSMO role holder) is working accordingly
- Configure your DHCP DNS entries for only the DCs that are functioning properly (PDC)
- Do the same for servers in your environment (DNS settings point to PDC)
- Try gracefully decommissioning the restored domain controller
- If decommissioning is successful, check to ensure that all objects have been removed (metadata cleanup)
- Once the DC has been removed from the domain, run repadmin /replsum and repadmin /showrepl, and also dcdiag /v
- Check the SRV records in DNS to ensure that the old DC no longer exists; if there are any records associated with the SRV records, i.e. _msdcs Kerberos, LDAP or GC, delete the objects
- Open Sites and Services and ensure that the computer object(s) for the old DC no longer exist; if they do, delete them
- Check event logs to ensure they are clean and perform the replication tests repadmin /replsum and repadmin /showrepl to ensure that replication is working accordingly

Metadata cleanup - http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Will.
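As an added example that is not part of Will's answer or of the original thread: a PowerShell audit script that runs the checks from the steps above once the restored DC has been demoted (or forcibly removed). It assumes the old DC was named OLDDC01, that it runs on a healthy DC or an RSAT host with the ActiveDirectory and DnsServer modules, and that an optional DHCP server name and old DC IP address are supplied; all of these names are placeholders, not values from the original question.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example, not from the original answer. Audits a domain for leftovers of a
# stale, image-restored DC after it has been demoted, and runs the replication and
# dcdiag checks the answer recommends. Hostnames and addresses below are hypothetical.
[CmdletBinding()]
param(
    [string]$OldDcName  = 'OLDDC01',                     # hypothetical hostname of the restored DC
    [string]$OldDcIp    = '',                            # optional: its old IPv4 address
    [string]$DhcpServer = '',                            # optional: DHCP server to check option 006 on
    [string]$DomainName = (Get-ADDomain).DNSRoot,
    [string]$DnsServer  = (Get-ADDomain).PDCEmulator,
    [switch]$Fix                                         # delete stale records/objects instead of only reporting
)

$findings = @()

# 1. All FSMO roles must be held by a live DC, none by the decommissioned one.
$domain = Get-ADDomain -Identity $DomainName
$forest = Get-ADForest
$roleHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
foreach ($holder in $roleHolders) {
    if ($holder -like "$OldDcName.*") {
        $findings += "FSMO role still held by $holder - seize it to a healthy DC"
    } elseif (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
        $findings += "FSMO role holder $holder is unreachable"
    }
}

# 2. Leftover server / NTDS Settings object in Sites and Services (incomplete metadata cleanup).
$cfg   = (Get-ADRootDSE).configurationNamingContext
$stale = Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))"
foreach ($s in @($stale)) {
    $findings += "Server object still present in Sites and Services: $($s.DistinguishedName)"
    if ($Fix) { Remove-ADObject -Identity $s.DistinguishedName -Recursive -Confirm:$false }
}

# 3. Stale SRV / CNAME / A records that still point at the old DC. _msdcs may be its own
#    zone or a subtree of the domain zone, so both are scanned.
foreach ($zone in @($DomainName, "_msdcs.$DomainName")) {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$OldDcName.*") -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$OldDcName.*") -or
            ($_.RecordType -eq 'A'     -and $_.HostName -eq $OldDcName)
        }
    foreach ($r in @($records)) {
        $findings += "Stale $($r.RecordType) record in zone $zone`: $($r.HostName)"
        if ($Fix) { Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -InputObject $r -Force }
    }
}

# 4. DHCP option 006 (DNS Servers) must not hand out the old DC's address any more.
#    Server-level option only; scope-level overrides would need a per-scope check.
if ($OldDcIp -and $DhcpServer -and (Get-Module -ListAvailable -Name DhcpServer)) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and ($opt.Value -contains $OldDcIp)) {
        $findings += "DHCP option 006 on $DhcpServer still lists $OldDcIp"
    }
}

# 5. Replication health: repadmin /showrepl in CSV form is easy to filter for failures.
$showrepl = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($row in $showrepl | Where-Object { [int]$_.'Number of Failures' -gt 0 }) {
    $findings += "Replication failing: $($row.'Source DSA') -> $($row.'Destination DSA') [$($row.'Naming Context')]: $($row.'Last Failure Status')"
}
# dcdiag /q prints only errors; run 'dcdiag /v /c /e' by hand for the full report.
$dcdiagErrors = dcdiag /c /e /q
if ($dcdiagErrors) { $findings += ($dcdiagErrors | ForEach-Object { "dcdiag: $_" }) }

if ($findings.Count -eq 0) {
    Write-Host "No leftovers of $OldDcName found; replication and dcdiag report no errors."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
$findings
```

Run it once without -Fix to see what is left behind, then with -Fix to delete the stale server object and DNS records it reports; the FSMO, DHCP and replication findings are report-only because seizing roles or changing scope options deserves a deliberate decision rather than a script default.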

Author Closing Comment

by:OmegaKzoo
ID: 39729884
You, sir, have hit the nail on the head. Thank you.