Corrupt AD database

Ok so here's the deal. We have a corrupt DC, but I cannot simply demote it because a previous admin put Exchange on it. I've worked with Microsoft and the safest method to resolve this is to move Exchange to a new VM. This is not an easy process since we don't run a DAG, but is in the planning process.

In the mean time here is my issue, any new user added can access OWA and email, but no other network resources such as terminal servers or network drives. My hunch is that it is because the corrupt DC is handling the authentication request and since the DC's aren't replicating it doesn't see the user as valid, but the good DC is handling the OWA request. So how can I force the authentication to look at the working DC? I've made sure all FSMO roles are with the good DC, but it still didn't work. Obviously the fix is to move exchange and kill the bad DC, but until then I need a workaround.

They are both Windows Server 2008 (one of them being R2).

Thoughs?
bhiebAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joshua GrantomSenior Systems AdministratorCommented:
Option 1
Is the good DC also running the DHCP and DNS server? If not, it needs to, then you can disable the DNS Server role on the exchange DC.

Option 2
You can also look at the DHCP scopes and remove the bad dc from being a DNS server at all. Then it will not service any requests
0
bhiebAuthor Commented:
Yes it is, there is no DHCP or DNS on the bad one.
0
DrDave242Commented:
Make the good DC a global catalog and remove the GC from the bad DC. I'm not certain that'll help, but it's worth a shot.
0
stu29Commented:
There is no simple way to do this, and even the workarounds usually dont guarantee the auth request will hit the desired DC.
1.  Configure the LdapSrvPriority registry setting on your domain controllers so that the good DC has the highest priority. For more info about this setting, see here:

http://technet.microsoft.com/library/cc957290

In addition you can configure the LdapSrvWeight registry setting on domain controllers to assign a weighted priority for each one:

http://technet.microsoft.com/en-us/library/cc957291

Of course, this will mean that all client computers  will prefer the good DC for logons, and it doesn't actually guarantee the good DC will be used because if the good DC is unavailable then domain controllers with lower weighted priority will be tried in order.

2. If you get more desperate .... Create a new site in Active Directory and move both the workstations and the good DC to the new site. Of course you would probably only want to do this in a test environment, so if you're in a production environment you will have to use another method.

These options will only give you breathing space.  The auth process is very fickle and more complex than this, but it may help.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bhiebAuthor Commented:
Not sure what method did the trick. I noticed on the technet links that it was reg settings to the netlogon service. So I just stopped that service on the bad DC. That then broke the OWA login, so I restarted it, and now the other DC is servicing the terminal login requests and the OWA is working. That was my primary goal, I also did the GC change so not sure what did it but I'll split the points.

I'm sure it isn't going to be a perfect fix, but it will at least hold together for a week or so. Also I had a thought that I could just block the LDAP ports on the bad box, making any query failover to the good one.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.