BIG AD MESS .. DC with no computer account


Mark Heywood

Scenario:

We have a client with a single domain forest with a remote site which is
connected via VPN.
The DC at the remote site was dying and a new DC was installed. This new DC
only replicated to the other (dying) DC at the remote site, as the VPN link
was not working properly.
The original DC at the remote site has now failed completely.

This means:
We have a DC at the remote site which is completely orphaned from the rest
of AD at head office.
The AD at HO doesn't have a computer account for this DC, so there is no
Kerberos trust relationship.

Is there a way to create the missing entries manually, or shall we attempt
to demote this 'DC' and re-promote it?

The other thing is they have created some accounts in the remote DC which do
not exist in HO since there has been no AD Replication.

Thanks
Mark.
 
What you're likely going to have to do is ldifde dump the new users from the
remote site, and then demote the server at the remote site and run metadata
cleanup against the home site for the remote site servers. You'll lose
their passwords. Small loss considering all things.

237677 Using LDIFDE to Import and Export Directory Objects to Active
Directory
http://support.microsoft.com/?id=237677

Then re-promote the remote site server and make sure replication happens.
Hint (1): You may want to set MaxPacketSize low due to the VPN.

244474 How to Force Kerberos to Use TCP Instead of UDP
http://support.microsoft.com/?id=244474

Hint (2): 332199 Using the DCPROMO /FORCEREMOVAL Command to Force the
Demotion of Active
http://support.microsoft.com/?id=332199

Hint two may help you with the demotion.

--Shawn

This posting is provided "AS IS" with no warranties and confers no rights.
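A cmd batch file laying out the sequence Shawn describes (export with ldifde, forced demotion, metadata cleanup, Kerberos over TCP, re-import). This is an added example, not code from the thread or from Microsoft; the server names, site name, domain DN and cutoff date are placeholders, and the one-line ntdsutil form assumes Windows Server 2003 SP1 or later (earlier versions need the interactive menu).

```batch
@echo off
rem Constructed example; all names below are placeholders, not values from the thread.
setlocal
set REMOTEDC=REMOTEDC2
set HODC=HODC1
set DEADDC=REMOTEDC1
set SITE=RemoteSite
set DOMAINDN=DC=corp,DC=example
rem Assumed date replication over the VPN stopped: only users created after it are exported.
set CUTOFF=20040301000000.0Z
set LDF=%TEMP%\remote-users.ldf

if "%1"=="export"  goto export
if "%1"=="cleanup" goto cleanup
if "%1"=="import"  goto import
echo usage: %0 export ^| cleanup ^| import
exit /b 1

:export
rem Run against the orphaned DC. Only attributes that can be re-imported are taken;
rem objectSid, objectGUID and passwords cannot be carried over (hence "you'll lose their passwords").
ldifde -f %LDF% -s %REMOTEDC% -d "%DOMAINDN%" -p subtree ^
  -r "(&(objectCategory=person)(objectClass=user)(whenCreated>=%CUTOFF%))" ^
  -l "objectClass,cn,sAMAccountName,userPrincipalName,givenName,sn,displayName,description"
if errorlevel 1 (echo Export failed & exit /b 1)
rem Next, on the remote server itself: dcpromo /forceremoval (KB 332199).
exit /b 0

:cleanup
rem Run on a head-office DC after the forced demotion: purge the failed DC's metadata.
ntdsutil "metadata cleanup" "remove selected server CN=%DEADDC%,CN=Servers,CN=%SITE%,CN=Sites,CN=Configuration,%DOMAINDN%" quit quit
rem Verify it is gone from the forest's DC list before re-promoting.
dsquery server -forest
rem Hint (1): force Kerberos over TCP so large tickets survive the VPN (KB 244474).
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v MaxPacketSize /t REG_DWORD /d 1 /f
exit /b 0

:import
rem After the remote server is re-promoted and replicating: create the users at HO.
rem -k skips "object already exists" errors; imported accounts arrive disabled with no
rem password, so they must be reset and enabled afterwards.
ldifde -i -k -f %LDF% -s %HODC%
repadmin /showrepl
exit /b 0
```

Run `export` before the demotion, `cleanup` at head office, then `import` once replication to the re-promoted remote DC is confirmed.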
 