I was having issues with the BDC that I did not take care of until it became too late.
The original problem was: "...KDC certificate was once valid, but now is invalid..."
Am I going to lose all my DNS, DHCP, WINS, DFS, and other load-balancing configurations once I force demote the BDC?
Is it best for me to create a new BDC from scratch or will it be ok to re-promote the BDC?
I certainly wish I had known not to rely on the backups made by Norton Ghost for DCs.
Anyway, this is the output of dcdiag /v:
Code:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine srv1, is a DC.
* Connecting to directory service on server srv1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SRV1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SRV1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SRV1
Starting test: Replications
* Replications Check
[Replications Check,SRV1] A recent replication attempt failed:
From SRV1B to SRV1
Naming Context: DC=ForestDnsZones,DC=Tchegbe,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2008-06-15 23:46:17.
The last success occurred at 2007-07-04 23:02:47.
25 failures have occurred since the last success.
[SRV1B] DsBindWithSpnEx() failed with error 1753,
There are no more endpoints available from the endpoint mapper..
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1524 (DcDiag)
System Time is: 6/16/2008 4:53:23:937
Generating component is 2 (RPC runtime)
Status is 1753: There are no more endpoints available from the endpoint mapper.
Detection location is 501
NumberOfParameters is 4
Unicode string: ncacn_ip_tcp
Unicode string: 3583f317-0caa-4426-9428-b4f2ca743341._msdcs.Tchegbe.com
Long val: -481213899
Pointer val: 629352
[Replications Check,SRV1] A recent replication attempt failed:
From SRV1B to SRV1
Naming Context: DC=DomainDnsZones,DC=Tchegbe,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2008-06-15 23:46:17.
The last success occurred at 2007-07-04 23:02:50.
31 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV1B to SRV1
Naming Context: CN=Schema,CN=Configuration,DC=Tchegbe,DC=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2008-06-15 23:46:17.
The last success occurred at 2007-07-04 22:53:36.
26 failures have occurred since the last success.
The directory on SRV1B is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV1B to SRV1
Naming Context: CN=Configuration,DC=Tchegbe,DC=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2008-06-15 23:46:17.
The last success occurred at 2007-07-04 22:57:41.
63 failures have occurred since the last success.
The directory on SRV1B is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
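The replication records in that dcdiag output all show a last success in July 2007 and failures through June 2008, almost a year of divergence. As an added example (not part of the original post), the script below parses those records out of "dcdiag /v" text and flags any partner whose last success is older than the tombstone lifetime, because re-establishing such a link without a lingering-object check can bring back objects the other DC has already purged. The 60-day lifetime is an assumption (the Windows Server 2003 default); read the forest's tombstoneLifetime attribute before relying on it. The $sample text is constructed from the lines in the post.

```powershell
# Added example, not from the original post: parse replication-failure records from
# "dcdiag /v" output and flag partners whose last success is older than the tombstone
# lifetime. Assumptions: 60-day lifetime (2003 default; check the forest's real value),
# and $sample is constructed from the lines the poster shared.

$sample = @'
[Replications Check,SRV1] A recent replication attempt failed:
From SRV1B to SRV1
Naming Context: DC=ForestDnsZones,DC=Tchegbe,DC=com
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2008-06-15 23:46:17.
The last success occurred at 2007-07-04 23:02:47.
25 failures have occurred since the last success.
[Replications Check,SRV1] A recent replication attempt failed:
From SRV1B to SRV1
Naming Context: CN=Schema,CN=Configuration,DC=Tchegbe,DC=com
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2008-06-15 23:46:17.
The last success occurred at 2007-07-04 22:53:36.
26 failures have occurred since the last success.
'@ -split "`r?`n"

function ConvertFrom-DcdiagReplicationFailures {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$TombstoneLifetimeDays = 60,   # assumption: 2003 default; query the forest in production
        [datetime]$Now = (Get-Date)
    )
    $culture = [cultureinfo]::InvariantCulture
    $records = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            '^\[Replications Check,(?<dest>[^\]]+)\] A recent replication attempt failed' {
                # Each record starts here; the hashtable is mutated by the lines that follow.
                $current = [ordered]@{ Destination = $Matches.dest; Source = $null; NamingContext = $null;
                                       ErrorCode = $null; LastFailure = $null; LastSuccess = $null; Failures = 0 }
                [void]$records.Add($current)
            }
            '^From (?<src>\S+) to \S+$'   { if ($current) { $current.Source = $Matches.src } }
            '^Naming Context: (?<nc>.+)$' { if ($current) { $current.NamingContext = $Matches.nc } }
            '^The replication generated an error \((?<code>\d+)\)' { if ($current) { $current.ErrorCode = [int]$Matches.code } }
            '^The failure occurred at (?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})' {
                if ($current) { $current.LastFailure = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', $culture) }
            }
            '^The last success occurred at (?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})' {
                if ($current) { $current.LastSuccess = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', $culture) }
            }
            '^(?<n>\d+) failures have occurred since the last success' { if ($current) { $current.Failures = [int]$Matches.n } }
        }
    }
    foreach ($r in $records) {
        $age = if ($r.LastSuccess) { ($Now - $r.LastSuccess).TotalDays } else { $null }
        [pscustomobject]@{
            Destination      = $r.Destination
            Source           = $r.Source
            NamingContext    = $r.NamingContext
            ErrorCode        = $r.ErrorCode
            LastSuccess      = $r.LastSuccess
            DaysSinceSuccess = if ($null -ne $age) { [math]::Round($age) } else { $null }
            Failures         = $r.Failures
            # Past the tombstone lifetime the partner may still hold objects this DC has purged;
            # restoring the link without a lingering-object check can re-animate them.
            LingeringRisk    = ($null -ne $age) -and ($age -gt $TombstoneLifetimeDays)
        }
    }
}

# Evaluate the posted output as of the day after the failures it records.
ConvertFrom-DcdiagReplicationFailures -Lines $sample -Now ([datetime]'2008-06-16') |
    Format-Table Source, NamingContext, ErrorCode, LastSuccess, DaysSinceSuccess, LingeringRisk -AutoSize
```

Run against a live box with `dcdiag /v | ConvertFrom-DcdiagReplicationFailures -Lines $input` replaced by `ConvertFrom-DcdiagReplicationFailures -Lines (dcdiag /v)`; any row with LingeringRisk set is a partner to scan with repadmin in advisory mode before forcing replication.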
Ok, guys.
I have got the two DCs to replicate by forcing replication.
However, I still have the issue that all of my domain computers are failing to authenticate with the DCs.
This is not really a big problem. However, the BDC is not able to properly authenticate with the PDC.
Since I cannot demote the BDC or remove it from the domain and then re-add it, I am stuck.
Any tip on how to get the BDC account to re-validate on the PDC?
Basically, I am getting errors of this type:
Code:
Pre-authentication failed:
User Name: SRV1B$
User ID: TCHEGBE\SRV1B$
Service Name: krbtgt/TCHEGBE.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
FYI, I fixed my issue by forcing replication on the DCs.
First, I restored both the PDC and BDC from the Ghost images.
Second, I set the PDC to allow replication with partners in an inconsistent state and disabled strict replication.
I let a few replications take place, then I did the same on the BDC.
Also, I had to remove the BDC certificate as it had become invalid.
Removing it forced it to go get a new one.
All of the domain computers had to be removed and then re-added to the domain.
I think the order (PDC first then BDC) was important as it looked like the BDC had newer info than the PDC.
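The fix above relaxes two safety settings (strict replication consistency, and refusing a divergent partner) that exist precisely to stop lingering objects from re-entering the directory after an outage longer than the tombstone lifetime. As an added example, not code from the original poster, the script below wraps that same sequence with repadmin: relax the PDC first and let it converge, then the BDC, then put strict consistency back on both and run an advisory-mode lingering-object scan so nothing is trusted blindly. It assumes repadmin.exe from Windows Server 2003 SP1 or later is on the path, the caller holds Domain Admins, SRV1 is the PDC and SRV1B the BDC as in the thread, and that the DSA GUID dcdiag printed for SRV1B is still current (confirm with `repadmin /showrepl SRV1B`). The list of naming contexts is taken from the dcdiag output plus the domain partition implied by Tchegbe.com.

```powershell
# Added example, not from the original post: the poster's recovery order (relax replication
# consistency on the PDC, converge, then the BDC) with the relaxed settings reverted afterwards
# and an advisory lingering-object scan. Assumptions: repadmin.exe (2003 SP1+) on the path,
# Domain Admins rights, SRV1 = PDC, SRV1B = BDC, and the SRV1B DSA GUID as printed by dcdiag.
param(
    [string]$Pdc = 'SRV1',
    [string]$Bdc = 'SRV1B',
    [string]$BdcDsaGuid = '3583f317-0caa-4426-9428-b4f2ca743341',
    [string[]]$NamingContexts = @(
        'DC=Tchegbe,DC=com',
        'CN=Configuration,DC=Tchegbe,DC=com',
        'CN=Schema,CN=Configuration,DC=Tchegbe,DC=com',
        'DC=DomainDnsZones,DC=Tchegbe,DC=com',
        'DC=ForestDnsZones,DC=Tchegbe,DC=com'
    )
)

function Invoke-Repadmin {
    # Runs repadmin with the given arguments and returns its output lines.
    param([Parameter(Mandatory)][string[]]$Arguments)
    Write-Verbose "repadmin $($Arguments -join ' ')"
    $out = & repadmin.exe @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin $($Arguments[0]) exited with $LASTEXITCODE" }
    $out
}

function Set-ReplicationConsistency {
    # Relaxed = the two settings the poster changed: Strict Replication Consistency off and
    # Allow Replication With Divergent and Corrupt Partner on. Both let a partner that drifted
    # past the tombstone lifetime replicate in, which is how lingering objects come back.
    param([Parameter(Mandatory)][string]$Dc, [Parameter(Mandatory)][bool]$Relaxed)
    if ($Relaxed) {
        Invoke-Repadmin '/regkey', $Dc, '-strict'         | Out-Null
        Invoke-Repadmin '/regkey', $Dc, '+allowDivergent' | Out-Null
    } else {
        Invoke-Repadmin '/regkey', $Dc, '-allowDivergent' | Out-Null
        Invoke-Repadmin '/regkey', $Dc, '+strict'         | Out-Null
    }
}

function Wait-ReplicationConverged {
    # Pushes all partitions from $Dc to its partners, then checks that no inbound link still
    # reports a failed last attempt. Retries because the first pass after a long outage
    # rarely completes cleanly.
    param([Parameter(Mandatory)][string]$Dc, [int]$Attempts = 5, [int]$DelaySeconds = 60)
    for ($i = 1; $i -le $Attempts; $i++) {
        Invoke-Repadmin '/syncall', $Dc, '/APed' | Out-Null
        $showrepl = Invoke-Repadmin '/showrepl', $Dc
        if (-not ($showrepl | Select-String -Pattern 'Last attempt @ .* failed' -Quiet)) { return $true }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

# 1. PDC first: the poster found the BDC held newer data, so the PDC is the side that must accept.
Set-ReplicationConsistency -Dc $Pdc -Relaxed $true
if (-not (Wait-ReplicationConverged -Dc $Pdc)) { throw "$Pdc still shows failed replication links" }

# 2. Then the BDC, once the PDC has taken what it was missing.
Set-ReplicationConsistency -Dc $Bdc -Relaxed $true
if (-not (Wait-ReplicationConverged -Dc $Bdc)) { throw "$Bdc still shows failed replication links" }

# 3. Restore strict consistency on both so the next divergence is refused, not absorbed.
Set-ReplicationConsistency -Dc $Pdc -Relaxed $false
Set-ReplicationConsistency -Dc $Bdc -Relaxed $false

# 4. Advisory mode only (nothing is deleted): list objects on the PDC that the BDC no longer
#    holds, per partition. Repeat in the other direction with the PDC's DSA GUID from /showrepl.
foreach ($nc in $NamingContexts) {
    Invoke-Repadmin '/removelingeringobjects', $Pdc, $BdcDsaGuid, $nc, '/advisory_mode'
}
```

Anything the advisory scan lists should be reviewed before a real `/removelingeringobjects` run, and the machine accounts the poster had to rejoin are worth checking in that output too: a year-old computer object replicated back in is exactly what the Kerberos 0x18 failures in the previous post look like from the DC's side.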