Solved

Corrupt AD database

Posted on 2014-10-06
5
98 Views
Last Modified: 2014-10-06
Ok so here's the deal. We have a corrupt DC, but I cannot simply demote it because a previous admin put Exchange on it. I've worked with Microsoft and the safest method to resolve this is to move Exchange to a new VM. This is not an easy process since we don't run a DAG, but is in the planning process.

In the mean time here is my issue, any new user added can access OWA and email, but no other network resources such as terminal servers or network drives. My hunch is that it is because the corrupt DC is handling the authentication request and since the DC's aren't replicating it doesn't see the user as valid, but the good DC is handling the OWA request. So how can I force the authentication to look at the working DC? I've made sure all FSMO roles are with the good DC, but it still didn't work. Obviously the fix is to move exchange and kill the bad DC, but until then I need a workaround.

They are both Windows Server 2008 (one of them being R2).

Thoughs?
0
Comment
Question by:bhieb
5 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40364063
Option 1
Is the good DC also running the DHCP and DNS server? If not, it needs to, then you can disable the DNS Server role on the exchange DC.

Option 2
You can also look at the DHCP scopes and remove the bad dc from being a DNS server at all. Then it will not service any requests
0
 

Author Comment

by:bhieb
ID: 40364067
Yes it is, there is no DHCP or DNS on the bad one.
0
 
LVL 26

Assisted Solution

by:DrDave242
DrDave242 earned 250 total points
ID: 40364227
Make the good DC a global catalog and remove the GC from the bad DC. I'm not certain that'll help, but it's worth a shot.
0
 
LVL 9

Accepted Solution

by:
stu29 earned 250 total points
ID: 40364329
There is no simple way to do this, and even the workarounds usually dont guarantee the auth request will hit the desired DC.
1.  Configure the LdapSrvPriority registry setting on your domain controllers so that the good DC has the highest priority. For more info about this setting, see here:

http://technet.microsoft.com/library/cc957290

In addition you can configure the LdapSrvWeight registry setting on domain controllers to assign a weighted priority for each one:

http://technet.microsoft.com/en-us/library/cc957291

Of course, this will mean that all client computers  will prefer the good DC for logons, and it doesn't actually guarantee the good DC will be used because if the good DC is unavailable then domain controllers with lower weighted priority will be tried in order.

2. If you get more desperate .... Create a new site in Active Directory and move both the workstations and the good DC to the new site. Of course you would probably only want to do this in a test environment, so if you're in a production environment you will have to use another method.

These options will only give you breathing space.  The auth process is very fickle and more complex than this, but it may help.
0
 

Author Comment

by:bhieb
ID: 40364506
Not sure what method did the trick. I noticed on the technet links that it was reg settings to the netlogon service. So I just stopped that service on the bad DC. That then broke the OWA login, so I restarted it, and now the other DC is servicing the terminal login requests and the OWA is working. That was my primary goal, I also did the GC change so not sure what did it but I'll split the points.

I'm sure it isn't going to be a perfect fix, but it will at least hold together for a week or so. Also I had a thought that I could just block the LDAP ports on the bad box, making any query failover to the good one.
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Determine if SQL is installed in Server 2008 R2 4 57
Hyper V cluster 2 34
Office 365 SSO and Shared Devices 6 41
Unexpected Windows system folders on D drive 16 74
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now