Windows Server Forum / Windows Server 2003 / Active Directory / July 2005

DC's keys are out of date, won't update

Jordan Mills - 30 Jul 2005 01:14 GMT
When I try to do things, I get "the target account name is incorrect".
Like, when I try to demote it with dcpromo, replicate, etc.  Apparently the
DCs were out of contact for a Long Time and their account tickets diverged.
I can do a net view on another server's IP, but not by its netbios name.

I've tried disabling the KDC on the affected server and rebooting (and
rebooting the other servers).  But nothing fixes it.  I remember something
about a registry key I have to set to make the server discard the old
ticket, but I can't find documentation on it.  Am I on the right track?
Ulf B. Simon-Weidner [MVP] - 30 Jul 2005 01:47 GMT
> When I try to do things, I get "the target account name is incorrect".
> Like, when I try to demote it with dcpromo, replicate, etc.  Apparently
[quoted text clipped - 6 lines]
> about a registry key I have to set to make the server discard the old
> ticket, but I can't find documentation on it.  Am I on the right track?

Hello Jordan,

how long have the DCs been out of contact, and what Operating-System are we
talking about?

Signature

Gruesse - Sincerely,

Ulf B. Simon-Weidner

 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org 

Jordan Mills - 30 Jul 2005 01:58 GMT
>> When I try to do things, I get "the target account name is incorrect".
>> Like, when I try to demote it with dcpromo, replicate, etc.  Apparently
[quoted text clipped - 12 lines]
> how long have the DCs been out of contact, and what Operating-System are
> we talking about?

Windows 2003 server on both, and I'm not sure how long.  WAY too long.
Couple of months or more?  Thanks for the fast reply.
Ulf B. Simon-Weidner [MVP] - 30 Jul 2005 02:38 GMT
>>> When I try to do things, I get "the target account name is incorrect".
>>> Like, when I try to demote it with dcpromo, replicate, etc.  Apparently
>>> the DCs were out of contact for a Long Time and their account tickets
>>> diverged. I can do a net view on another server's IP, but not by its
>>> netbios name.
[..]

>> how long have the DCs been out of contact, and what Operating-System are
>> we talking about?
>
> Windows 2003 server on both, and I'm not sure how long.  WAY too long.
> Couple of months or more?  Thanks for the fast reply.

Hi Jordan,

I assume we are talking about WS2k3 without SP1 before you installed AD, and
I also assume that we are talking about more than 60 days without
replication.

So you really need to turn down one of the servers. With Windows Server 2003
you can use the "dcpromo /forceremoval" switch. Afterwards you need to clean
up the Active Directory on the other server (metadata-cleanup - removes the
references to the old server) and afterwards you can repromote the server as
domain controller again.

The Knowledgebase-Articles you need for that task are mentioned on my site
http://www.windowsserverfaq.org/faq/AD/RemoveDC.asp
you need the one which describes Forceremoval and the one "How to cleanup
data after a failed Dc removal".

Good luck on this, keep in mind to take care of additional Services like DNS
if necessary, post back with additional questions and I'd appreciate
feedback if your issue is resolved.

Signature

Gruesse - Sincerely,

Ulf B. Simon-Weidner

 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org 

Juergen Heckel - 30 Jul 2005 09:12 GMT
> rebooting the other servers).  But nothing fixes it.  I remember something
> about a registry key I have to set to make the server discard the old
> ticket, but I can't find documentation on it.  Am I on the right track?

Hi,
you could try the following tip (from Chris Malone in
m.p.win2000.active_directory from 01.07.2005):

You would need to remove the DC that has been disconnected for 60+ days
from AD (clean the metadata) and then re-promote. There is a regkey
that allows replication between DCs after the tombstone lifetime has
expired which is HKLM\System\CCS\Services\NTDS\Parameters\Allow
Replication With Divergent and Corrupt Partner = 1 (reg_dword) but use
at your own risk. The tombstone lifetime was designed to prevent
problems with conflicting replicated objects after that time has
expired.

Clean the metadata using the following:
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

chris

Signature

Juergen Heckel
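
An added example (not part of any post in this thread): a Python check that reads `repadmin /showrepl * /csv` output and flags inbound replication links whose last success is older than the 60-day tombstone lifetime the replies refer to. The CSV sample, server names, timestamps and the `stale_links` helper are constructed for illustration; the column layout is assumed to match what repadmin emits.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of `repadmin /showrepl * /csv`
# (server names, sites, timestamps and status codes are made up).
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=local",HQ,DC3,RPC,0,0,2005-07-29 23:50:11,0
showrepl_INFO,HQ,DC1,"DC=example,DC=local",Branch,DC2,RPC,412,2005-07-30 00:58:40,2005-05-02 03:12:45,1396
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=example,DC=local",Branch,DC2,RPC,412,2005-07-30 00:58:41,2005-05-02 03:12:47,1396
"""

# The 60-day limit cited in the thread; pass the forest's real value as `limit`.
TOMBSTONE_LIFETIME = timedelta(days=60)


def stale_links(csv_text, now, limit=TOMBSTONE_LIFETIME):
    """Return (source DSA, naming context, days since last success) for each
    inbound link whose last successful replication is older than `limit`.
    A link that never succeeded is reported with None as its age."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # only per-link status rows carry the timestamps
        last_ok = row["Last Success Time"].strip()
        if last_ok in ("", "0"):
            age = None  # no recorded success at all
        else:
            age = now - datetime.strptime(last_ok, "%Y-%m-%d %H:%M:%S")
        if age is None or age > limit:
            days = None if age is None else age.days
            stale.append((row["Source DSA"], row["Naming Context"], days))
    return stale


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a repeatable result.
    for source, nc, days in stale_links(SAMPLE_CSV, datetime(2005, 7, 30, 1, 14)):
        print(f"{source} -> {nc}: last success {days} days ago, past tombstone lifetime")
```

A source DSA listed here is a candidate for the forced removal, metadata cleanup and re-promotion described in the replies, rather than for re-enabling replication.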
