Solved

Can't rename server, account already exists.

Posted on 2014-10-06
Last Modified: 2014-10-08
I am having a strange case after renaming a domain controller.
I am in the process of replacing 3 of my Win 2008 R2 DCs with 3 new Win 2012 R2 DCs.
I've done 2 so far by renaming them to -OLD, then promoting a new DC with the original name.

On my 3rd DC, which is also the primary FSMO, I was able to rename it to SERVER1-OLD; I also transferred all 5 roles to SERVER2.
Now I am ready to rename SERVER1-NEW to the original name SERVER1, but it's giving me the error "computer already exists".
I've given it 2 hrs to replicate after renaming the DC; the AD record no longer exists, the DC is called SERVER1-OLD, and the DNS record also doesn't exist. I did a search in AD for computer SERVER1 and it didn't find it.
I also checked ADSI Edit, and it's all clean, no mention of the record.
My DCDiag looks OK, except some SNMP error, and no errors show in the event logs for AD for over 2 hrs now.
I used the same method on my 2 other DCs with no issues. The only difference is this one was the primary DC.
http://technet.microsoft.com/en-us/library/cc794951(v=ws.10).aspx

I tried renaming it to SERVER1-NEW2, and it worked, so it's not an issue with my new server or the renaming process; it just doesn't like the original name SERVER1.

I'll give it 12 more hrs to replicate. I hope it works by then; it should now, but it doesn't.
I've created new objects in AD, and they replicate in 15 min.

Help is appreciated.
Thanks
Question by:baysysadmin
Expert Comment

by:Zacharia Kurian
ID: 40365295
A few questions in order to get a proper picture of your problem, and correct me if I am wrong.

You are replacing 3 of your Win 2008 R2 DCs with 3 new Win 2012 R2 DCs.

Your PDC, which was "SERVER1", you renamed to SERVER1-OLD. At this point did you make sure the change was replicated in your AD?

You transferred your FSMO from SERVER1-OLD (which is Win 2008 R2) to SERVER2 (which is Win 2012 R2). Have you re-IP'd the old server?

As per MS, renaming a domain controller occurs when:

    New hardware is purchased to replace an existing domain controller.
    Domain controllers are decommissioned or promoted and renamed to maintain a naming convention.
    Domain controllers are moved or placed in sites.

Do you fall into any of the above? I mean, are you planning to decommission your Win 2008 R2s?
 

Author Comment

by:baysysadmin
ID: 40366055
I am going to decommission the old ones; I've done 2 so far, and this SERVER1 is the last one.
Eventually I keep the original IP and name.
Yes, I did wait for the name and DNS to replicate, no issues.
I did have a hiccup after renaming SERVER1 to old: it would get stuck at "applying settings" after reboot.
I had to go to safe mode and disable the NIC, then log in as normal and re-enable the NIC. The replication continued fine after that.

I tried renaming it again after 12 hrs, no luck, same error.
 

Author Comment

by:baysysadmin
ID: 40366232
I just tried joining a new PC with the name SERVER1 rather than renaming an existing one.

I got a different error: "No mapping between account names and security IDs was done."

This error usually shows when the object with the same name from the previous server still exists in AD.
So it looks like my hiccup left something in the AD, but ADSI Edit can't see any leftover object.
Is there another place to look, like deleted items or something?

Author Comment

by:baysysadmin
ID: 40366263
I think I figured it out; it looks like my SERVER1-OLD didn't rename properly.
When looking at the object in ADSI, the long string that has the computer name in it for every type of service starts with SERVER1-OLD, but when I scroll over, some of the entries at the end still have the original name SERVER1:


serverReferenceBL: CN=SERVER1-OLD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fp,DC=domain,DC=com;
servicePrincipalName (40): ldap/SERVER1-OLD/FP; HOST/SERVER1-OLD/FP; ldap/SERVER1-old.domain.com/domain.com; ldap/SERVER1-OLD; ldap/SERVER1-old.domain.com/FP; HOST/SERVER1-old.domain.com/domain.com; HOST/SERVER1-old.domain.com; HOST/SERVER1-OLD; HOST/SERVER1-old.domain.com/FP; RestrictedKrbHost/SERVER1-OLD; RestrictedKrbHost/SERVER1-old.domain.com; GC/SERVER1-old.domain.com/domain.com; NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/SERVER1-old.domain.com; ldap/SERVER1-old.domain.com/ForestDnsZones.domain.com; TERMSRV/SERVER1-old.domain.com; TERMSRV/SERVER1-OLD; ldap/SERVER1-old.domain.com/DomainDnsZones.domain.com; DNS/SERVER1-old.domain.com; ldap/SERVER1-old.domain.com; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/SERVER1.domain.com; TERMSRV/SERVER1; TERMSRV/SERVER1.domain.com; HOST/SERVER1/FP; ldap/SERVER1/FP; ldap/SERVER1.domain.com/ForestDnsZones.domain.com; ldap/SERVER1.domain.com/DomainDnsZones.domain.com; DNS/SERVER1.domain.com; GC/SERVER1.domain.com/domain.com; RestrictedKrbHost/SERVER1.domain.com; RestrictedKrbHost/SERVER1; HOST/SERVER1.domain.com/FP; HOST/SERVER1; HOST/SERVER1.domain.com; HOST/SERVER1.domain.com/domain.com; ldap/SERVER1.domain.com/FP; ldap/SERVER1; ldap/SERVER1.domain.com; ldap/SERVER1.domain.com/domain.com; E3514235-4B06-11D1-AB04-00C04FC2DCD2/1d4d3bfa-699e-456c-8363-7b739da65928/domain.com; ldap/1d4d3bfa-699e-456c-8363-7b739da65928._msdcs.domain.com;
userAccountControl: 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION );
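The check the author did by hand in ADSI Edit (reading the servicePrincipalName list of the renamed object), together with the earlier question about whether a leftover object might be hiding in "deleted items", can be scripted. The following PowerShell is an added example and is not code from the thread or from Microsoft: it audits the domain, tombstoned objects included, for SPNs and account names that still carry a DC's previous name. The names SERVER1 and SERVER1-OLD come from the thread; the functions, the environment and the presence of the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread: find leftover references to a DC's previous name
# after a rename. Names (SERVER1, SERVER1-OLD) are taken from the thread; the functions
# and the environment are assumptions.
Import-Module ActiveDirectory

# Return the host label of an SPN of the form service/host[:port][/name], e.g. "SERVER1"
# for "ldap/SERVER1.domain.com/FP" or "TERMSRV/SERVER1"; $null if there is no host part.
function Get-SpnHostLabel {
    param([Parameter(Mandatory)][string]$Spn)
    $parts = $Spn -split '/'
    if ($parts.Count -lt 2) { return $null }
    $hostPart = ($parts[1] -split ':')[0]     # drop an optional :port
    return ($hostPart -split '\.')[0]         # drop the DNS suffix
}

# Objects anywhere in the domain, deleted ones included, that still hold an SPN whose host
# is the previous name. After a clean rename this returns nothing; in the thread's case it
# would list the SERVER1-OLD object with its remaining */SERVER1* entries.
function Find-StaleSpnReferences {
    param([Parameter(Mandatory)][string]$PreviousName)
    $filter = '(servicePrincipalName=*/{0}*)' -f $PreviousName   # coarse LDAP prefilter
    Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Properties servicePrincipalName, isDeleted |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                # exact host match, so SERVER1-OLD and SERVER1-NEW are not reported
                if ((Get-SpnHostLabel $spn) -ieq $PreviousName) {
                    [pscustomobject]@{
                        Object  = $obj.DistinguishedName
                        Deleted = [bool]$obj.isDeleted
                        SPN     = $spn
                    }
                }
            }
        }
}

# Live or tombstoned objects that still claim the previous name itself. A deleted object
# keeps its sAMAccountName and has its name mangled to "<name>\0ADEL:<guid>", so the LDAP
# filter uses a prefix match and the exact test is done afterwards.
function Find-NameClaims {
    param([Parameter(Mandatory)][string]$PreviousName)
    $filter = '(|(name={0}*)(sAMAccountName={0}$)(dNSHostName={0}.*))' -f $PreviousName
    $tombstonePrefix = "$PreviousName`nDEL:"
    Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Properties sAMAccountName, dNSHostName, isDeleted, whenChanged |
        Where-Object {
            $_.Name -ieq $PreviousName -or
            $_.Name.StartsWith($tombstonePrefix, 'OrdinalIgnoreCase') -or
            $_.sAMAccountName -ieq "$PreviousName`$" -or
            ($_.dNSHostName -and (($_.dNSHostName -split '\.')[0] -ieq $PreviousName))
        } |
        Select-Object Name, sAMAccountName, DistinguishedName, @{n = 'Deleted'; e = { [bool]$_.isDeleted }}, whenChanged
}

# Usage: both lists should be empty before reusing the name SERVER1 for a new DC.
Find-NameClaims -PreviousName 'SERVER1' | Format-Table -AutoSize
Find-StaleSpnReferences -PreviousName 'SERVER1' | Format-Table -AutoSize
```

Reading tombstones requires the right to list the Deleted Objects container, which by default only Domain Admins have. For a quick look without the module, `setspn -L SERVER1-OLD` prints the SPNs registered on one account and `setspn -Q */SERVER1*` searches the forest for SPNs matching a pattern, though neither sees deleted objects.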
 

Author Comment

by:baysysadmin
ID: 40366298
I renamed it again to SERVER1-OLD2, but no luck; the last few records still have the name SERVER1, they just don't update.

What are my options here: try to manually edit the object, or demote the DC now and delete the object?
Hopefully when I join the server with the SERVER1 name it would work?
 
Accepted Solution

by:
Zacharia Kurian earned 500 total points
ID: 40367741
If your new Windows 2012 R2 server has all the FSMO roles assigned, and the other additional domains (Windows 2012 R2s) are getting replicated to your PDC (Windows 2012 R2), then you can decommission the old server and delete any objects related.

But make sure that you do not have absolutely any issues with your current Windows 2012 R2 DCs. Check the AD health and the DNS. Run the BPA against all the roles installed in your Windows 2012 DCs. Above all, take a complete backup of your Windows 2012 R2 DCs, along with the DNS backup too.
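The pre-decommission checks the accepted answer lists (FSMO roles off the old DC, replication healthy, BPA clean for the AD DS and DNS roles) can be run as one readiness script. This PowerShell is an added example, not code from the thread; it assumes the ActiveDirectory and BestPractices modules on a Windows Server 2012 R2 DC and the BPA model IDs Microsoft/Windows/DirectoryServices and Microsoft/Windows/DNSServer. The name SERVER1-OLD is taken from the thread; the function names are my own.

```powershell
# Added example, not from the thread: summarise whether an old DC can be decommissioned.
# Assumes the ActiveDirectory and BestPractices modules; run on one of the new DCs.
Import-Module ActiveDirectory
Import-Module BestPractices

# Current holders of the five FSMO roles (FQDNs), as reported by the forest and domain.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# BPA findings above Information for the given models, after a fresh scan on this host.
function Get-DcBpaFindings {
    param([string[]]$ModelIds = @('Microsoft/Windows/DirectoryServices', 'Microsoft/Windows/DNSServer'))
    foreach ($id in $ModelIds) {
        Invoke-BpaModel -ModelId $id | Out-Null
        Get-BpaResult -ModelId $id |
            Where-Object { $_.Severity -ne 'Information' } |
            Select-Object ModelId, Severity, Category, Title
    }
}

function Test-DcDecommissionReadiness {
    param([Parameter(Mandatory)][string]$OldDc)   # host label, e.g. SERVER1-OLD

    # Any role whose holder's host label is still the old DC blocks decommissioning.
    $roles = Get-FsmoHolders
    $rolesOnOld = @($roles.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $OldDc } |
        Select-Object -ExpandProperty Key)

    # Inbound replication failures recorded on every DC in the domain.
    $failures = @(Get-ADDomainController -Filter * |
        ForEach-Object { Get-ADReplicationFailure -Target $_.HostName })

    $bpa = @(Get-DcBpaFindings)

    [pscustomobject]@{
        RolesStillOnOldDc   = $rolesOnOld
        ReplicationFailures = $failures
        BpaFindings         = $bpa
        # BPA warnings are reported but do not by themselves block the decision.
        ReadyToDecommission = ($rolesOnOld.Count -eq 0 -and $failures.Count -eq 0)
    }
}

# Usage: review the three lists, then decide.
Test-DcDecommissionReadiness -OldDc 'SERVER1-OLD' | Format-List
```

`repadmin /replsummary` and `dcdiag /q` give the same replication and health picture from the command line and are worth keeping alongside the script output; the answer's point about taking a system state backup of the new DCs (which includes AD-integrated DNS) before removing the old one still applies and is not something this script does.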
 

Author Comment

by:baysysadmin
ID: 40368579
I ended up decommissioning the old one, and then removing it from the domain.
I did have to clean up some DNS records which didn't get removed; replication was messed up after that.
After I cleaned things up, it replicated fine in about 30 min.

Thanks
 
Expert Comment

by:Zacharia Kurian
ID: 40368883
Glad that you made it. Make sure to backup your AD & DNS. Keep monitoring your new DCs from time to time.