Cannot access 2012 domain controller resources

Hi, just recently we cannot access mappings on one of our servers, which is also the main domain controller and is running Windows 2012 R2. We were getting the error "You might not have permission to use this network resource". I disabled the firewall temporarily and checked whether stored credentials were the issue, but neither was the cause. So then I tried replicating from another domain controller to that server and got the error "The target principal name is incorrect", so this could possibly be a Kerberos issue. Currently I am able to remote desktop to this server with no problem and I can ping it using its network name.
dankyle67 asked:
Mahesh (Architect) commented:
If you deleted them from the Domain Controllers OU and from Sites and Services, it's done.
Just remove any leftover entries from DNS as well, especially the NS records.
Mahesh (Architect) commented:
Run dcdiag /v and repadmin /showrepl on this DC from an elevated prompt and post the output here.
dankyle67 (Author) commented:
The only problem is that this site used to replicate to their west coast office, and they didn't want to maintain their MPLS connection between the two offices, so after a long period of time the west coast office domain controllers went into tombstone and they got a lot of errors with dcdiag. I warned them this might cause issues down the road, but they didn't do anything. I will still try to post the results.
Mahesh (Architect) commented:
Which is the primary site?
How long has the primary site not been communicating with the other side?
dankyle67 (Author) commented:
Also, I was planning to force the demotion of the two domain controllers so that the east coast site will at least stop attempting to replicate to those servers.
dankyle67 (Author) commented:
The primary site is the east coast site, and this is the site that has the domain controller that is having issues right now. I would say there has been no replication between the sites for over a year. The owner of the company was told about this, and he said he was willing to just delete the other office's domain controllers from Active Directory, but I was hesitant because I thought they might change their mind and then we couldn't go back.
dankyle67 (Author) commented:
Was able to get it working. Went back to the firewall settings and, like before, disabled it and then re-enabled it, but this time I was advised to allow all incoming connections for every app and program, and then users were able to access their folders on that server. Never tried this before, but it worked.
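The workaround reported in the comment above opens the Windows Firewall to every inbound connection. A less permissive alternative, added here as an example and not something posted in the thread, keeps the profile's default inbound action at Block and enables only the predefined rule groups a domain controller needs for SMB shares, Kerberos, DNS, LDAP and replication. The DisplayGroup names are the ones shipped on a 2012 R2 DC with the AD DS and DNS roles installed; the script warns and skips any group that is not present rather than failing half-way.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC.
# The setting applied in the thread amounts to:
#   Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Allow
# The corrected setting keeps the default at Block and opens only what a DC needs.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block

# Predefined inbound rule groups covering the DC's listeners: SMB 445,
# Kerberos 88, LDAP 389/636, GC 3268/3269, DNS 53, RPC endpoint mapper 135
# plus the dynamic RPC range used by replication.
$groups = @(
    'Core Networking',
    'File and Printer Sharing',          # SMB: the mapped drives from the question
    'Active Directory Domain Services',  # LDAP, GC, RPC replication
    'Kerberos Key Distribution Center',  # TCP/UDP 88
    'DNS Service',
    'Remote Desktop'                     # RDP, which the asker was already using
)

foreach ($g in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue |
             Where-Object { $_.Direction -eq 'Inbound' -and ($_.Profile -match 'Domain|Any') }
    if (-not $rules) {
        Write-Warning "No inbound rules found for group '$g'; the matching role may not be installed."
        continue
    }
    $rules | Enable-NetFirewallRule
    Write-Host ("Enabled {0} inbound rule(s) in '{1}'" -f @($rules).Count, $g)
}

# Confirm no profile was left on Allow-all.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

If the shares still fail after this, the cause is not the firewall, which is the point the next comment makes: a "target principal name is incorrect" replication error is a Kerberos trust problem between DCs, not a port problem.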
Mahesh (Architect) commented:
The problem exists with the west coast site. If it's been more than a year, you should remove those DCs without delay to avoid further issues, as they won't replicate with the primary site DCs and vice versa, and the "Target principal name incorrect" error will be triggered from both sides; moreover, any request that goes to the west coast will likely fail to authenticate.
Allowing any-to-any ports will not solve the issue.
You can't demote them gracefully, so you have to demote them forcefully, either by running dcpromo with the /forceremoval switch and then cleaning up the metadata,
OR
from the primary site DCs, remove the computer objects for those DCs and then do metadata cleanup. Before doing this step, shut down those DCs for good.
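The procedure in the comment above (identify the partners that stopped replicating, remove them forcefully, clean up the metadata) and the accepted answer's reminder to remove leftover DNS NS records, carried through as one PowerShell script. This is an added example, not something posted in the thread. It assumes the RSAT ActiveDirectory and DnsServer modules on a healthy east coast DC, and WESTDC01 is a placeholder name. It reports inbound partners whose last successful replication predates the forest tombstone lifetime, runs metadata cleanup through ntdsutil's documented "remove selected server" form, and deletes the NS records that still name the dead DC in both the domain zone and _msdcs.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a healthy
# DC in the primary site. Server and zone names are derived from the forest;
# WESTDC01 in the usage lines is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

$localDc  = (Get-ADDomainController).HostName
$rootDse  = Get-ADRootDSE
$configDn = $rootDse.configurationNamingContext
$domain   = (Get-ADDomain).DNSRoot

# Tombstone lifetime lives on the Directory Service object; when the attribute
# is unset the forest uses the legacy default of 60 days.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configDn" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

# Step 1: inbound partners with no successful replication inside the tombstone
# lifetime. Such a partner cannot be demoted gracefully; it must be force-removed.
function Get-StalePartner {
    Get-ADReplicationPartnerMetadata -Target $localDc -PartnerType Inbound |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) } |
        Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult
}

# Step 2: metadata cleanup for one dead DC, run from the live side. The dead DC
# must already be powered off for good. "remove selected server <server DN>" is
# the documented ntdsutil form; it deletes the NTDS Settings object, the server
# object, the computer account and the replication member objects.
function Remove-DeadDomainController {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)   # short name, e.g. WESTDC01 (placeholder)

    $server = Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter "(&(objectClass=server)(cn=$Name))"
    if (-not $server) { throw "No server object named $Name under CN=Sites" }

    if ($PSCmdlet.ShouldProcess($server.DistinguishedName, 'ntdsutil metadata cleanup')) {
        & ntdsutil.exe 'metadata cleanup' "remove selected server $($server.DistinguishedName)" quit quit
    }

    # Step 3: NS records that still name the dead DC, in the domain zone and in _msdcs.
    foreach ($zone in @($domain, "_msdcs.$domain")) {
        Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.NameServer -like "$Name.*" } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$zone NS $($_.RecordData.NameServer)", 'Remove-DnsServerResourceRecord')) {
                    Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force
                }
            }
    }
}

# Usage: review the report, dry-run with -WhatIf, then remove each dead DC and re-check.
Get-StalePartner | Format-Table -AutoSize
# Remove-DeadDomainController -Name WESTDC01 -WhatIf
# Remove-DeadDomainController -Name WESTDC01
# repadmin /replsummary
```

Deleting the NTDS Settings object in Sites and Services or the computer account in the Domain Controllers OU on a 2008 or later DC triggers the same cleanup automatically, which is why the accepted answer says the GUI deletions were enough; the ntdsutil path above is the explicit equivalent and is easier to audit. Either way, finish with repadmin /replsummary and dcdiag to confirm the remaining DCs replicate in both directions.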
dankyle67 (Author) commented:
OK, after I deleted the west coast DCs as you instructed, everything started working correctly, and replication ran successfully just between the two east coast DCs. Most of today the replication was only working in one direction between the two east coast servers and I was getting errors, but now I've run it several times with no errors and much faster. Do I still have to run metadata cleanup, or was this done already when I deleted the servers using Sites and Services and Users and Computers? Do I use ntdsutil?
dankyle67 (Author) commented:
Sounds good, will do that. Since the owner of the company takes full responsibility for allowing this to deteriorate over all this time, what do you think will happen to the west coast site? They have not replicated with the main domain controller for a year, and yet they are still able to authenticate to the domain controllers there. I would think they would have experienced more issues with logging on and accessing network shares, etc. Oh well, at least the east coast office is good for now. Thanks again.
Mahesh (Architect) commented:
Your AD resources are not replicating across; at the very least, users, computers or groups created in the east coast will not replicate to the west coast, and this defeats the purpose of AD.
Moreover, if you have any application that relies on the GC, you will face lookup problems, and finally any major changes in AD configuration will not replicate there, which defeats the purpose of having Active Directory.
Question has a verified solution.