Domain Controller Deleted (Incorrectly)


Jeffrey Walton

Hi All,

The title says it all. Someone deleted a Domain Controller by
deleting the computer account in AD. DNS seems fairly clean, but we
are seeing lots of ghosts from the previous controller using ntdsutil
and adsiedit.

Tapes are no longer available for a non-authoritative restore; they
have been overwritten. KB332199 does not really apply. Any guidance on
this would be appreciated.

Thanks,
Jeff
 
what is the OS and SP level?

on the DC the computer account belongs to.... is the computer still in the
local replica?

also have a look at :
MS-KBQ257288_How to Recover from a Deleted Domain Controller Machine Account
in Windows 2000

if I'm not mistaken in W2K3 (and maybe only with SP1) when the owner DC of
some computer account detects a deletion on another DC that inbound
replicates to the owner DC, it will perform an authoritative restore of the
computer account. Because of that the deletion is prevented and it
replicates back to other DCs

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Hi Jorge,

Thank you for the reply.

Windows Server 2003, SP 2 (fully patched). We completed a hand
cleaning (for better or for worse). We now cannot open GPEdit. We
inherited this problem; the actual deletions seem to have occurred
around April, 2007 (with some additional issues clouding things).

We are unable to open GPEdit. GPEdit.log states:

GPEDIT(10d8.10e0) 13:57:57:157 TestDC: Failed to access <\
\Server.Domain.com\sysvol\*.*> with 53
GPEDIT(10d8.10e0) 13:57:57:266 TestDC: Failed to access <\
\Server.Domain.com\sysvol\*.*> with 53
GPEDIT(10d8.10e0) 13:57:57:266 GetDCName: Failed to find a domain
controller
GPEDIT(10d8.10e0) 13:57:57:266 CGroupPolicyObject::OpenDSGPO: Failed
to get DC name with 53

Server.Domain.com is not the actual query (we cleaned for anonymity).

* Ping Server.Domain.com is OK.
* Start -> Run: \\Server.Domain.com\sysvol is OK
* DNS _appears_ to be OK (keyword "appears")

Any ideas? I _think_ something may be broken in the directory itself
(such as a canonical name reference: CN=...), but I'm not sure.

Jeff
 
Results of DCDiag from the suspect machine (1 of 2 having problems):

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\CORPSERVER
Starting test: Connectivity
......................... CORPSERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\CORPSERVER
Starting test: Replications
......................... CORPSERVER passed test Replications
Starting test: NCSecDesc
......................... CORPSERVER passed test NCSecDesc
Starting test: NetLogons
......................... CORPSERVER passed test NetLogons
Starting test: Advertising
......................... CORPSERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... CORPSERVER passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... CORPSERVER passed test RidManager
Starting test: MachineAccount
......................... CORPSERVER passed test
MachineAccount
Starting test: Services
......................... CORPSERVER passed test Services
Starting test: ObjectsReplicated
......................... CORPSERVER passed test
ObjectsReplicated
Starting test: frssysvol
......................... CORPSERVER passed test frssysvol
Starting test: frsevent
......................... CORPSERVER passed test frsevent
Starting test: kccevent
......................... CORPSERVER passed test kccevent
Starting test: systemlog
......................... CORPSERVER passed test systemlog
Starting test: VerifyReferences
......................... CORPSERVER passed test
VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom

Running partition tests on : Domain
Starting test: CrossRefValidation
......................... Domain passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Domain passed test CheckSDRefDom

Running enterprise tests on : Domain.com
Starting test: Intersite
......................... Domain.com passed test Intersite
Starting test: FsmoCheck
......................... Domain.com passed test FsmoCheck

C:\>
 
Not sure what flags you set, but I would use the following:

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs
in the forest. If you have a significant number of DCs, this test could
generate significant detail and take a long time. You also want to take
into account that slow links to DCs will add to the testing time.

When complete, search for fail, error and warning messages.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
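Paul's advice is to run the diagnostics verbosely and then search the logs for fail, error and warning lines. As an added example (not from the thread or from any Microsoft tool), here is a small Python parser for the dcdiag output format Jeff pasted above; it also copes with the line-wrapped "passed test" / test-name-on-the-next-line results seen in that paste. The sample log, its failed test and its warning line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the dcdiag output quoted in the thread,
# including a wrapped result line and one constructed failure and warning.
SAMPLE_DCDIAG = """\
Testing server: Default-First-Site\\CORPSERVER
Starting test: Connectivity
......................... CORPSERVER passed test Connectivity
Starting test: KnowsOfRoleHolders
......................... CORPSERVER passed test
KnowsOfRoleHolders
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
......................... CORPSERVER failed test frssysvol
Running enterprise tests on : Domain.com
Starting test: FsmoCheck
Warning: CORPSERVER is not advertising as a time server.
......................... Domain.com passed test FsmoCheck
"""

# A result line: dots, the server or partition name, passed/failed, "test",
# and optionally the test name (absent when the line was wrapped).
RESULT_RE = re.compile(
    r"^\.{3,}\s+(?P<subject>\S+)\s+(?P<verdict>passed|failed)\s+test(?:\s+(?P<test>\S+))?\s*$"
)
# The keywords Paul suggests searching for, matched case-insensitively.
FLAG_RE = re.compile(r"\b(fail|error|warning)", re.IGNORECASE)


def parse_dcdiag(text):
    """Return ({subject: {test_name: verdict}}, [lines containing fail/error/warning])."""
    results = defaultdict(dict)
    flagged = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = RESULT_RE.match(line)
        if m:
            test = m.group("test")
            if test is None and i + 1 < len(lines):
                # Wrapped result: the test name was pushed onto the following line.
                i += 1
                test = lines[i].strip()
            results[m.group("subject")][test] = m.group("verdict")
        elif FLAG_RE.search(line):
            flagged.append(line)
        i += 1
    return dict(results), flagged


def failed_tests(text):
    """Sorted (subject, test) pairs whose verdict was 'failed'."""
    results, _ = parse_dcdiag(text)
    return sorted((s, t) for s, tests in results.items() for t, v in tests.items() if v == "failed")
```

Feed it the saved c:\dcdiag.log from Paul's command instead of the sample to get the per-server verdicts and the flagged lines in one pass.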
 
If you have a dc that won't demote then just flatten it (Re-Install the
o/s). You will need to clean up your metadata to remove the references to
the old dc.

http://support.microsoft.com/?id=216498

From your dc try running dnslint /ad /s "ip address of your dc"

Description and download
http://support.microsoft.com/kb/321045

DCGPOFix can help with your gp problems but it should probably be a last
resort
http://technet2.microsoft.com/Windo...1907-4149-b6aa-9788d38209d21033.mspx?mfr=true
http://technet2.microsoft.com/windo...3d25-4e5e-9320-e5db0b0c9f8a1033.mspx?mfr=true

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Paul,
> clean up your metadata to remove the references to the old dc.
We found a reference to the old DC in DomainDNSZones (found using the
DNS snapin). We missed it when using ADSIEdit to clean the metadata.

Thanks,
Jeff

We found
 