AD issue with DC after Server was stolen

Rob W

Hi guys, I had a DC at one of our remote depots, but it was stolen.
Before I properly thought about the issue, I got a replacement
bought, configured it exactly the same as the stolen one, and
dcpromo'd it onto the domain. It went on OK as I thought, but I
started to notice replication hadn't taken place with all my policies
within SYSVOL, DNS wouldn't play ball and now, every 3 mins, I get a
SAM error: Event ID 16650 in the system log. I have assumed myself
that because the old stolen server wasn't removed from AD correctly
with DCPROMO, me adding an identical replacement server has screwed
everything up! I have thought of an easy possible way round this,
and I am hoping somebody can confirm this would be OK. I am thinking
of DCPROMOing the new server off the domain again, then renaming it to
something completely different, then DCPROMOing it back onto the
domain again. Would this simple idea be effective?

Any thoughts or other ideas would be greatly appreciated!

Kind regards

Rob W
 
Herb Martin

and I am hoping somebody can confirm this would be OK. I am thinking
of DCPROMOing the new server off the domain again, then renaming it to
something completely different, then DCPROMOing it back onto the
domain again. Would this simple idea be effective?

Yes, if that is your only problem.

Most of the time the problem is DNS or DNS related.

You could even DCPromo it out, remove it from AD with NTDSUtil
"metadata cleanup" (you need to remove the old one anyway if
it doesn't get removed) and then DCPromo again with the same name.

You should also force ALL passwords to be changed, and I
would recommend COMPLEXITY and MORE THAN 14
characters unless you have legacy clients (prior to Win2000).
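The "force ALL passwords to be changed" advice above is the part of this thread that is easy to underestimate: a stolen DC carries a full copy of NTDS.dit, so every password hash in the domain (users, service accounts, computer accounts and krbtgt) is in the thief's hands. The script below is an added example for this page, not something any poster wrote. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later, so newer than the thread itself) and Domain Admins rights; the theft date and the LIVEDC name are placeholders.

```powershell
# Added example for this thread (not from any poster). Assumes the ActiveDirectory
# module (RSAT / Server 2008 R2 or later) and Domain Admins rights; the thread
# itself predates these cmdlets. Dates and host names are placeholders.
Import-Module ActiveDirectory

# Constructed value: the day the depot server went missing. Any credential whose
# password is older than this was on the stolen disk.
$TheftDate = Get-Date '2004-01-15'

function New-RandomPassword {
    # $Length chars from a CSPRNG; Base64 mixes upper, lower, digits and + /
    # so it clears the default complexity rule and Herb's >14-character advice.
    param([int]$Length = 24)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes).Substring(0, $Length)
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires

# 1. Interactive users: make them pick a new password at next logon. Accounts with
#    PasswordNeverExpires cannot carry that flag (Set-ADUser rejects it), so they
#    are handled as service accounts in step 2. The complexity/length policy is
#    enforced by the domain when they change it, not by this script.
$interactive = $users | Where-Object { -not $_.PasswordNeverExpires -and $_.SamAccountName -ne 'krbtgt' }
$service     = $users | Where-Object { $_.PasswordNeverExpires }
$interactive | Set-ADUser -ChangePasswordAtLogon $true

# 2. Service accounts: review $service first, then reset each to a fresh random
#    value and hand it to the service owner through your secrets process.
#    Services, scheduled tasks and app pools using them must be updated.
foreach ($svc in $service) {
    $new = New-RandomPassword
    Set-ADAccountPassword -Identity $svc -Reset -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    # do not write $new to a log; deliver it out of band
}

# 3. krbtgt: its hash from the stolen database is enough to mint Kerberos tickets
#    for any account, and the KDC honours the current AND previous krbtgt password.
#    Reset it twice, with a full replication cycle plus the maximum ticket lifetime
#    (10 h by default) between the two, or tickets issued in between fail everywhere.
function Reset-Krbtgt {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
}
Reset-Krbtgt
repadmin /syncall /AdeP | Out-Null    # push the change to every DC now
# ...run Reset-Krbtgt a second time the next day, after the wait described above.

# 4. Member computers keep their own machine-account secret in the stolen copy too.
#    From each member (directly or via Invoke-Command), rotate it against a surviving DC:
#      Reset-ComputerMachinePassword -Server LIVEDC.corp.example

# 5. Verify: anything still carrying a pre-theft password. Users flagged in step 1
#    show PasswordLastSet = $null until they actually log on and change it, which is
#    exactly why they must stay on this list until they do.
function Get-StaleCredential {
    param([datetime]$Since)
    $stale  = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
              Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Since }
    $stale += Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
              Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Since }
    $stale | Select-Object SamAccountName, ObjectClass, PasswordLastSet
}
Get-StaleCredential -Since $TheftDate | Format-Table -AutoSize
```

Run step 5 again after the second krbtgt reset and once the 30-day machine-account rotation window has passed; the list should be empty. Whatever the depot server also held outside AD (local admin passwords, stored service credentials, certificates and their private keys) needs the same treatment but is outside what the directory can tell you.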
 
Nick

The new DC has a different SID. You can't just make a new
machine and give it the same information. You're probably
better off giving it new information. Dcpromo it out,
give it a new name and then dcpromo it back in.
 
Herb Martin

Nick said:
The new DC has a different SID. You can't just make a new
machine and give it the same information. You're probably
better off giving it new information. Dcpromo it out,
give it a new name and then dcpromo it back in.

Are you sure? (I am not.)

As "domain" machines, DCs don't have SIDs (last I checked)
except the domain SID. They do have GUIDs but my experience
seems to indicate that a "new" DC with the same name will
DCPromo back into the domain and "work it out somehow."

I am perfectly willing to hear what really happens but it seems
to work most of the time.
 
Rob W

Thanks very much for the replies, guys! Is it easy enough to use
ntdsutil? I've had a read about it and it all seems a little
daunting if anything should go wrong! I'm still tempted by the idea
of dcpromoing the server out, changing the name and dcpromoing back in
again.

thanks again

Rob
 
Herb Martin

Rob W said:
Thanks very much for the replies, guys! Is it easy enough to use
ntdsutil? I've had a read about it and it all seems a little
daunting if anything should go wrong! I'm still tempted by the idea
of dcpromoing the server out, changing the name and dcpromoing back in
again.

That IS a good idea -- but notice that if it isn't replicating
to the OTHER DCs you will STILL need to use
NTDSUtil to remove its ghost from AD.

NTDSUtil is not hard to use but it is incredibly TEDIOUS
(at least for this job.)

Search Google for:

[ ntdsutil remove "metadata cleanup" DC site:microsoft.com ]

Or:

[ ntdsutil remove "metadata cleanup" DC microsoft: ]

And you will get excellent articles describing the precise
(and tedious) steps.
 
Guest

That method could also leave conflicting objects in AD.
Once you demote or remove it, as Herb said, ntdsutil isn't hard; just be sure
you perform the ADSIEdit steps after that, listed in KB 216498.

--
James Brandt [MSFT]


Herb Martin said:
Rob W said:
Thanks very much for the replies, guys! Is it easy enough to use
ntdsutil? I've had a read about it and it all seems a little
daunting if anything should go wrong! I'm still tempted by the idea
of dcpromoing the server out, changing the name and dcpromoing back in
again.

That IS a good idea -- but notice that if it isn't replicating
to the OTHER DCs you will STILL need to use
NTDSUtil to remove its ghost from AD.

NTDSUtil is not hard to use but it is incredibly TEDIOUS
(at least for this job.)

Search Google for:

[ ntdsutil remove "metadata cleanup" DC site:microsoft.com ]

Or:

[ ntdsutil remove "metadata cleanup" DC microsoft: ]

And you will get excellent articles describing the precise
(and tedious) steps.
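Herb's ntdsutil "metadata cleanup" and James's follow-up ADSIEdit checks from KB 216498 are one procedure: remove the stolen DC's NTDS metadata, then confirm nothing of it lingers in the directory or in DNS. The script below is an added example for this page, not code from either poster or from the KB article. It assumes the ActiveDirectory module on a surviving DC and, for the DNS sweep only, the DnsServer module (Server 2012 or later); both are newer than the thread, so the interactive ntdsutil walk the thread actually refers to is kept in a comment. STOLENDC, LIVEDC, the site "Depot" and the domain corp.example are placeholders. If the replacement was built with the same name, demote or rename it before running this, or the name-based lookups will match the new machine as well as the stolen one.

```powershell
# Added example for this thread (not from any poster and not the KB's own text).
# Assumes the ActiveDirectory module on a surviving DC and, for step 5, the
# DnsServer module (Server 2012+). Placeholder names: STOLENDC, LIVEDC, site
# "Depot", domain corp.example. Run as a Domain Admin / Enterprise Admin.
Import-Module ActiveDirectory

$Stolen = 'STOLENDC'
$LiveDC = 'LIVEDC.corp.example'
$Domain = Get-ADDomain -Server $LiveDC
$Forest = Get-ADForest -Server $LiveDC
$Config = (Get-ADRootDSE -Server $LiveDC).configurationNamingContext

# 1. What AD still believes about its DCs. Each has its own NTDS Settings object
#    and invocation ID, which is what replication partners key on; a lingering
#    row for $Stolen is the "ghost" Herb refers to.
Get-ADDomainController -Filter * -Server $LiveDC |
    Select-Object Name, Site, IsGlobalCatalog, InvocationId, NTDSSettingsObjectDN |
    Format-Table -AutoSize

# 2. FSMO roles. If the stolen box held one, seize it onto a live DC. A RID master
#    that no longer exists can surface on the other DCs as SAM event 16650
#    (account-identifier allocation failing to initialize).
$roleHolders = @{
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
}
$toSeize = @($roleHolders.Keys | Where-Object { $roleHolders[$_] -like "$Stolen.*" })
if ($toSeize.Count -gt 0) {
    # -Force seizes instead of transferring: the current holder is gone for good.
    Move-ADDirectoryServerOperationMasterRole -Identity $LiveDC -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 3. Remove the stolen server's NTDS metadata. On Server 2003 SP1 and later this
#    is one command; earlier versions need the interactive walk Herb describes:
#      ntdsutil -> metadata cleanup -> connections -> connect to server LIVEDC
#      -> quit -> select operation target -> list domains -> select domain 0
#      -> list sites -> select site <n> -> list servers in site -> select server <n>
#      -> quit -> remove selected server -> quit -> quit
$ServerDN = "CN=$Stolen,CN=Servers,CN=Depot,CN=Sites,$Config"
& ntdsutil 'metadata cleanup' "remove selected server $ServerDN" quit quit

# 4. The ADSIEdit checks from KB 216498 as LDAP queries. Anything returned here
#    survived step 3 and must be removed by hand (Remove-ADObject on its DN).
$SystemDN = "CN=System,$($Domain.DistinguishedName)"
$leftovers = @(
    # computer account of the stolen DC
    Get-ADObject -Server $LiveDC -SearchBase $Domain.DistinguishedName -LDAPFilter "(&(objectClass=computer)(cn=$Stolen))"
    # FRS member object for SYSVOL replication (Domain System Volume replica set)
    Get-ADObject -Server $LiveDC -SearchBase "CN=File Replication Service,$SystemDN" -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$Stolen))"
    # server object in Sites; its NTDS Settings child should be gone after step 3,
    # the parent may remain if it still has other children
    Get-ADObject -Server $LiveDC -SearchBase "CN=Sites,$Config" -LDAPFilter "(&(objectClass=server)(cn=$Stolen))"
)
$leftovers | Select-Object DistinguishedName, ObjectClass

# 5. DNS: the stolen DC registered A, SRV, NS and CNAME (_msdcs GUID) records that
#    clients and DCs will keep being handed. Coarse text match over both zones.
foreach ($zone in @($Domain.DNSRoot, "_msdcs.$($Forest.RootDomain)")) {
    Get-DnsServerResourceRecord -ComputerName $LiveDC -ZoneName $zone |
        Where-Object { $_.HostName -match $Stolen -or (($_.RecordData | Out-String) -match $Stolen) } |
        Select-Object @{n='Zone';e={$zone}}, HostName, RecordType
}

# 6. Confirm replication is clean from every surviving DC's point of view.
repadmin /replsummary
repadmin /showrepl $LiveDC
```

Only after steps 4 and 5 come back empty and repadmin shows no failures is it safe to dcpromo the replacement in, whether under a new name or (as Herb suggests is usually fine) the old one. Steps 3 and 4 change the directory; run steps 1, 2, 5 and 6 first on their own if you want a read-only look at the damage before touching anything.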
 
Rob W

Thanks again guys, I'll give this a go!

Kind regards

Rob W