Advice needed !!!


Jay Shi

Problem:
--------
Server5 (one of the DCs) cannot synch/replicate with
Server2 (primary DC). Server5 does have a
connection to the network and can be accessed
from computers.


Advice needed:
--------------
- How to fix the problem?
- Can we disconnect Server5 from the network and
forcibly delete its information in the AD of
Server2 and Server1, then completely rebuild
Server5 with the same name?



Network info:
---------------------
Total 3 DCs (Server1, Server2, Server5),
Server2 is primary

Server1: W2k Server, DC, upgraded from NT4.0 BDC
Server2: W2k Server, DC, upgraded from NT4.0 PDC
Server4: W2k Server, memb, upgraded from NT4.0 Server
Server5: W2k Server, DC, upgraded from NT4.0 member Server, then promoted to DC
Server6: W2k Server, memb, newly built W2k member Server

NetBEUI domain name: ATR
DNS domain name: atr1.com


Comment:
We tried to use netdom2.exe to find the cause
and reset the computer account, but it seems to have had no success.
-------------------------------------------------

A:\>netdom2 query /d:ATR pdc /verify
Primary domain controller for the domain:
Server2
The command completed successfully.


Command used on SERVER2 (primary DC)
-------------------------------------
A:\>netdom2 query /d:ATR Server /verify
Verifying secure channel setup for domain members:
Machine Status/Domain Domain Controller
======= ============= =================
....
\\Server4 ATR \\Server2
\\Server6 ATR \\Server2.atr1.com
\\Server5 ERROR! (The security database on the
Server does not have a computer account for this
workstation trust relationship.)

The command completed successfully



Command used on SERVER5
-----------------------
A:\>netdom2 query /d:workgroup Server /verify
Verifying secure channel setup for domain members:
Machine Status/Domain Domain Controller
======= ============= =================
....
\\Server4 ERROR! (Logon Failure: The target account
name is incorrect.)
\\Server6 ATR \\Server2.atr1.com
\\Server5 ERROR! (The security database on the
Server does not have a computer account for this
workstation trust relationship.)

The command completed successfully.


Command used on SERVER2 (primary DC)
-------------------------------------
A:\>netdom2 query /d:atr1.com fsmo
Schema owner Server2.atr1.com
Domain role owner Server2.atr1.com
PDC role Server2.atr1.com
Infrastructure owner Server2.atr1.com
The command completed successfully


Comment: The above are the correct/current settings.



Command used on SERVER5
----------------------------------
A:\>netdom2 query /d:atr1.com fsmo
Schema owner Server2.atr1.com
Domain role owner Server2.atr1.com
PDC role Server2.atr1.com
Infrastructure owner Server5.atr1.com
The command completed successfully

Comment: The Infrastructure owner is incorrect;
it has been transferred to Server2, as comparing with
the result of the same command on Server2 shows.


A:\>netdom2 verify /d:atr1.com Server5
The secure channel from Server5 to atr1.com is invalid.
The security database on the Server does not have a
computer account for this workstation trust relationship.
The command FAILED to complete successfully.

Thanks for any ideas.
 

Shawn Rabourn (MS)

You can either fix your replication problem which usually lies within four
possibilities (name resolution - DNS, user rights - group policy,
permissions - security ACLs, authentication - bad secure channel)

and it looks like you fall within the fourth possibility which is easily
fixed by setting the Kerberos KDC to Manual/Stopped on SERVER5 and on
SERVER1 run:

netdom resetpwd /server:server5 /userd:ATR\Administrator /passwordd:*

and then reboot SERVER5 and restart the KDC and set it back to Automatic

260575 HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows
http://support.microsoft.com/?id=260575


Or if your server SERVER5 is at SP4 you can run through the steps in 332199
on SERVER5 and 216498 on SERVER1 or SERVER2

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active
http://support.microsoft.com/?id=332199

Be sure to follow up with us on this one.

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
 

Jay Shi

Thank you, Shawn,

I've already run

netdom resetpwd /server:server5 /userd:ATR\Administrator /passwordd:*

on Server5, with no effect. According to your advice, it
should be run on Server1. I will try it again.

I will keep you informed.

Jay

-----Original Message-----
You can either fix your replication problem which usually lies within four
possibilities (name resolution - DNS, user rights - group policy,
permissions - security ACLs, authentication - bad secure channel)

and it looks like you fall within the fourth possibility which is easily
fixed by setting the Kerberos KDC to Manual/Stopped on SERVER5 and on
SERVER1 run:

netdom resetpwd /server:server5 /userd:ATR\Administrator /passwordd:*
 

Jay Shi

11/4/03

We did the following:
1. On Server5, set the Kerberos KDC to Manual/Stopped.
2. On Server2 (primary DC), ran the netdom command:

A:\>netdom2 resetpwd /server:Server5 /userd:ATR\administrator /passwordd:*
Type the password associated with the domain user:
The machine account password for the local machine has
been successfully reset.
The command completed successfully.

3. Rebooted Server5, restarted the KDC and set it back to
Automatic.

We did see one thing change: the "net time" command can be
used successfully.

C:\>net time \\nt2 /set /y
Current time at \\nt2 is 11/2/2003 9:53 PM
The command completed successfully.

One or two weeks ago, "net time" generated an error 5
message.

Everything else remains unchanged:
Server5 says Server1/Server2/Server5 are DCs.
Server1 says Server1/Server2/Server5 are DCs.
Server2 says only Server1/Server2 are DCs; Server5 is a
member server.

Both Server1/Server2 say Server2 is the Infrastructure owner.
But Server5 says it is itself the Infrastructure owner.

Server5 does have SP4; we will use the 216498/332199
articles to demote it if we cannot find any other way.


-----Original Message-----
You can either fix your replication problem which usually lies within four
possibilities (name resolution - DNS, user rights - group policy,
permissions - security ACLs, authentication - bad secure channel)

and it looks like you fall within the fourth possibility which is easily
fixed by setting the Kerberos KDC to Manual/Stopped on SERVER5 and on
SERVER1 run:

netdom resetpwd /server:server5 /userd:ATR\Administrator /passwordd:*
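As an added example (not part of this thread, and not Microsoft's or either poster's code), here is a small Python script that parses the two kinds of netdom output quoted above, "netdom query ... server /verify" and "netdom query ... fsmo", flags every machine whose secure channel check returned ERROR, and compares the FSMO role owners reported by different DCs, so that a disagreement like the Infrastructure owner one in the first post and the 11/4/03 follow-up is caught mechanically instead of by eye. The sample outputs embedded in the script are constructed from the lines posted in this thread; the function names are my own and are not netdom's.

```python
# Added example: parse netdom output and flag inconsistencies between DCs.
# Sample outputs below are constructed from the results posted in this thread.

# Constructed sample: 'netdom query /d:ATR server /verify' as run on Server2.
VERIFY_FROM_SERVER2 = r"""
Verifying secure channel setup for domain members:
Machine Status/Domain Domain Controller
======= ============= =================
....
\\Server4 ATR \\Server2
\\Server6 ATR \\Server2.atr1.com
\\Server5 ERROR! (The security database on the
Server does not have a computer account for this
workstation trust relationship.)

The command completed successfully
"""

# Constructed samples: 'netdom query /d:atr1.com fsmo' as run on each DC.
FSMO_FROM_SERVER2 = """
Schema owner Server2.atr1.com
Domain role owner Server2.atr1.com
PDC role Server2.atr1.com
Infrastructure owner Server2.atr1.com
The command completed successfully
"""

FSMO_FROM_SERVER5 = """
Schema owner Server2.atr1.com
Domain role owner Server2.atr1.com
PDC role Server2.atr1.com
Infrastructure owner Server5.atr1.com
The command completed successfully
"""


def parse_fsmo(text):
    """Return {role: owner} from 'netdom query fsmo' output. Each role line is
    '<role words> <owner>', so the owner is the last token and the role is the
    rest; names are lower-cased because DNS/NetBIOS names are case-insensitive."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("the command"):
            continue
        role, _, owner = line.rpartition(" ")
        if role and owner:
            roles[role.lower()] = owner.lower()
    return roles


def parse_verify(text):
    """Return one record per machine from 'netdom query server /verify' output.
    A healthy row looks like '\\\\host DOMAIN \\\\dc'; a failing row looks like
    '\\\\host ERROR! (message' and the message may wrap onto following lines."""
    records, current, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==="):          # header underline: the table begins
            in_table = True
            continue
        if not in_table:
            continue
        if line.lower().startswith("the command"):
            break                           # trailer: the table has ended
        if line.startswith("\\\\"):         # a new machine row
            parts = line.split(None, 2)
            status = parts[1] if len(parts) > 1 else ""
            rest = parts[2] if len(parts) > 2 else ""
            ok = not status.startswith("ERROR")
            current = {"machine": parts[0], "ok": ok,
                       "domain": status if ok else None,
                       "dc": (rest or None) if ok else None,
                       "error": None if ok else rest}
            records.append(current)
        elif line and current is not None and not current["ok"]:
            current["error"] += " " + line  # continuation of a wrapped error
    for rec in records:
        if rec["error"]:
            rec["error"] = rec["error"].strip("()")
    return records


def broken_channels(records):
    """Machines whose secure channel verification failed, with netdom's reason."""
    return [(r["machine"], r["error"]) for r in records if not r["ok"]]


def fsmo_disagreements(views):
    """`views` maps the DC that was queried to its parse_fsmo() result. Returns
    {role: {dc: owner}} for every role on which the DCs name different owners,
    which points at stale or unreplicated directory data on one of them."""
    roles = set()
    for view in views.values():
        roles.update(view)
    out = {}
    for role in sorted(roles):
        owners = {dc: view.get(role) for dc, view in views.items()}
        if len(set(owners.values())) > 1:
            out[role] = owners
    return out


def report():
    """Findings for the constructed samples, one line per problem."""
    lines = []
    for machine, why in broken_channels(parse_verify(VERIFY_FROM_SERVER2)):
        lines.append("secure channel broken: %s (%s)" % (machine, why))
    views = {"Server2": parse_fsmo(FSMO_FROM_SERVER2),
             "Server5": parse_fsmo(FSMO_FROM_SERVER5)}
    for role, owners in fsmo_disagreements(views).items():
        lines.append("FSMO disagreement on '%s': %s" % (role, owners))
    return lines


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Running it on the thread's outputs yields exactly two findings: Server5's secure channel error and the Infrastructure owner disagreement between Server2 and Server5. The comparison only tells you which DCs disagree; which view is authoritative has to be settled on the DC that actually holds the role (Server2 here), which is the check Shawn's reply leads to.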
 
