Solved

Corrupt AD database

Posted on 2014-10-06
5
95 Views
Last Modified: 2014-10-06
Ok so here's the deal. We have a corrupt DC, but I cannot simply demote it because a previous admin put Exchange on it. I've worked with Microsoft and the safest method to resolve this is to move Exchange to a new VM. This is not an easy process since we don't run a DAG, but is in the planning process.

In the mean time here is my issue, any new user added can access OWA and email, but no other network resources such as terminal servers or network drives. My hunch is that it is because the corrupt DC is handling the authentication request and since the DC's aren't replicating it doesn't see the user as valid, but the good DC is handling the OWA request. So how can I force the authentication to look at the working DC? I've made sure all FSMO roles are with the good DC, but it still didn't work. Obviously the fix is to move exchange and kill the bad DC, but until then I need a workaround.

They are both Windows Server 2008 (one of them being R2).

Thoughs?
0
Comment
Question by:bhieb
5 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
Comment Utility
Option 1
Is the good DC also running the DHCP and DNS server? If not, it needs to, then you can disable the DNS Server role on the exchange DC.

Option 2
You can also look at the DHCP scopes and remove the bad dc from being a DNS server at all. Then it will not service any requests
0
 

Author Comment

by:bhieb
Comment Utility
Yes it is, there is no DHCP or DNS on the bad one.
0
 
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 250 total points
Comment Utility
Make the good DC a global catalog and remove the GC from the bad DC. I'm not certain that'll help, but it's worth a shot.
0
 
LVL 9

Accepted Solution

by:
stu29 earned 250 total points
Comment Utility
There is no simple way to do this, and even the workarounds usually dont guarantee the auth request will hit the desired DC.
1.  Configure the LdapSrvPriority registry setting on your domain controllers so that the good DC has the highest priority. For more info about this setting, see here:

http://technet.microsoft.com/library/cc957290

In addition you can configure the LdapSrvWeight registry setting on domain controllers to assign a weighted priority for each one:

http://technet.microsoft.com/en-us/library/cc957291

Of course, this will mean that all client computers  will prefer the good DC for logons, and it doesn't actually guarantee the good DC will be used because if the good DC is unavailable then domain controllers with lower weighted priority will be tried in order.

2. If you get more desperate .... Create a new site in Active Directory and move both the workstations and the good DC to the new site. Of course you would probably only want to do this in a test environment, so if you're in a production environment you will have to use another method.

These options will only give you breathing space.  The auth process is very fickle and more complex than this, but it may help.
0
 

Author Comment

by:bhieb
Comment Utility
Not sure what method did the trick. I noticed on the technet links that it was reg settings to the netlogon service. So I just stopped that service on the bad DC. That then broke the OWA login, so I restarted it, and now the other DC is servicing the terminal login requests and the OWA is working. That was my primary goal, I also did the GC change so not sure what did it but I'll split the points.

I'm sure it isn't going to be a perfect fix, but it will at least hold together for a week or so. Also I had a thought that I could just block the LDAP ports on the bad box, making any query failover to the good one.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now