DC seems to have fallen off the Domain

wirestyle22

@nerdydad is this a VM or a standalone server?

NerdyDad

It's a vm. All of my DC's are vm's.

thwr

@Dashrender said in DC seems to have fallen off the Domain:

If you're DC is just a DC - you can demote it, then leave the domain, wipe and reload it, join the domain and promote.

If it's also a fileserver, etc, well - have fun.

This of course assumes you can't use the normal tools to remove the old AV cleanly.

mkfs.ntfs & format ... The only tools I know to fully remove Symantec products - except for a snapshot maybe.

Dashrender

@thwr said in DC seems to have fallen off the Domain:

@Dashrender said in DC seems to have fallen off the Domain:

If you're DC is just a DC - you can demote it, then leave the domain, wipe and reload it, join the domain and promote.

If it's also a fileserver, etc, well - have fun.

This of course assumes you can't use the normal tools to remove the old AV cleanly.

mkfs.ntfs & format ... The only tools I know to fully remove Symantec products - except for a snapshot maybe.

LOL

wirestyle22

@NerdyDad Is that secondary domain controller doing anything else like being a file server?

NerdyDad

@wirestyle22 said in DC seems to have fallen off the Domain:

@NerdyDad Is that secondary domain controller doing anything else like being a file server?

It is a secondary controller. FSMO roles are on another DC. The only other thing this server does is ots a print server and DHCP server.

Dashrender

@NerdyDad said in DC seems to have fallen off the Domain:

@wirestyle22 said in DC seems to have fallen off the Domain:

@NerdyDad Is that secondary domain controller doing anything else like being a file server?

It is a secondary controller. FSMO roles are on another DC. The only other thing this server does is ots a print server and DHCP server.

Well, as I said, if you can't remove the old AV using the typical tools, you do have other options, not great ones, but they are there.

NerdyDad

As I am digging into this more and more, I am finding replication issues between DC's, namely the original problem child.

<code>
Source DSA largest delta fails/total %% error

DOS3 38d.14h:20m:23s 5 / 10 50 (8457) The destination server is currently rejecting replication requests.

DOS4B 38d.14h:20m:22s 5 / 15 33 (8457) The destination server is currently rejecting replication requests.

SMC4A 38d.14h:20m:23s 5 / 15 33 (8457) The destination server is currently rejecting replication requests.

SMC4B 35d.14h:24m:28s 15 / 15 100 (8456) The source server is currently rejecting replication requests.

Destination DSA largest delta fails/total %% error

DOS3 35d.14h:16m:35s 5 / 15 33 (8456) The source server is currently rejecting replication requests.

DOS4B 35d.14h:02m:35s 5 / 15 33 (8456) The source server is currently rejecting replication requests.

SMC4A 35d.14h:22m:52s 5 / 10 50 (8456) The source server is currently rejecting replication requests.

SMC4B 38d.14h:20m:24s 15 / 15 100 (8457) The destination server is currently rejecting replication requests.
</code>

wirestyle22

repadmin /sync on all domain controllers. What does that return?

NerdyDad

@wirestyle22 said in DC seems to have fallen off the Domain:

repadmin /sync on all domain controllers. What does that return?

CALLBACK MESSAGE: Error contacting server cff6859a-1945-4334-aa88-e43a448de794._msdcs.smc.com (network error): -2146893
22 (0x80090322):
    The target principal name is incorrect.
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error contacting server cff6859a-1945-4334-aa88-e43a448de794._msdcs.smc.com (network error): -2146893022 (0x80090322):
    The target principal name is incorrect.

wirestyle22

@NerdyDad said in DC seems to have fallen off the Domain:

The target principal name is incorrect.

Check that these services are all running:
Active Directory Domain Services
Kerberos Key Distribution Center

NerdyDad

@wirestyle22 said in DC seems to have fallen off the Domain:

@NerdyDad said in DC seems to have fallen off the Domain:

The target principal name is incorrect.

Check that these services are all running:
Active Directory Domain Services.
Active Directory Replication

Have ADDS but not Active Directory Replication

wirestyle22

@NerdyDad Sorry, check:

Kerberos Key Distribution Center in services.msc

NerdyDad

@wirestyle22 said in DC seems to have fallen off the Domain:

@NerdyDad Sorry, check:

Kerberos Key Distribution Center in services.msc

There and Started.

NerdyDad

@wirestyle22 If I ever meet you, I owe you a drink at least.

wirestyle22

@NerdyDad Oh? you get it working?

NerdyDad

@wirestyle22 said in DC seems to have fallen off the Domain:

@NerdyDad Oh? you get it working?

Not yet. Just appreciating all of the help.

wirestyle22

@NerdyDad Don't worry about it. Everyone helps me all of the time.

Check this article out: https://support.microsoft.com/en-us/help/2090913/troubleshooting-ad-replication-error--2146893022-the-target-principal-name-is-incorrect.