
I have never been too heavily involved with managing AD2003 domain controllers.
Now I get a broken domain dumped in my lap.
I need some advice how to proceed.

Here is the story:

Earlier today I inherited an old, badly managed, 3 server domain from another division.
(It was operated by an outsourced service-provider that went belly-up a year ago, since then it went uncared for.)
2 Windows 2003R2 DC's and a 2003R2 server running 1 application and SQL2000 server.
During the physical transport of the hardware 1 DC broke beyond repair. There is, as you probably already guessed, no backup at all.

The remaining 2 machines booted up and on both the ip-address was changed to a new address in my own range. After that both machines were rebooted once. DC first and the application server only after the DC had fully booted.
I have Domain Admin access to this domain. I can login to both surviving servers.
Both servers take ages (DC 15 minutes, app server 10 minutes) to boot to a login prompt. After login it takes ages to get to a desktop (another 5-10 minutes).

Now it is my problem: I need to get that application running again until the end of the year.

First order of business seems to get rid of the failed DC. Then start doing cleanup on these servers (there are a lot of leftovers of removed and/or partially disabled applications on both).

Thing is: I'm not sure about how to do the DC removal.
Do I need to do dcpromo first, then ntdsutil/remove server?
Just ntdsutil/remove server?
Has the changing of ip-addresses any impact on this? (I can temporarily put the old ip-addresses back if needed.)

This domain, by the way, had a trust-relation with our normal domain. Does this impact the DC removal ?
Does something need to be done regarding this trust-relation because of the ip-address changes?

Any help will be highly appreciated.

UPDATE I fixed the DNS issues on both machines. Primary DNS on DC and app-server now point to DC itself. And I updated the DNS records for both machines in the DNS.
(I can't make a proper reverse PTR for either machine. Don't know how problematic that is going to be. The new ip-range isn't in the reverse zones here and this DC isn't allowed to update reverse pointers if I add the zone as a copy.)

This seems to have cured the excessive slowness of both machines.
Remote desktop logons are functional now. Still a bit sluggish but apparently that was already the case before everything got messed up.

I'm now waiting for user-feedback regarding the application.

Tonny
  • Put the IP addresses back to what they were, gateway, DNS, all of it. That will likely cure the long boot and login times. – DanBig Nov 21 '13 at 21:04
  • Easier said than done. That old ip-range isn't valid anymore. It would allow the machines to talk to each other, but make them unreachable for the users. – Tonny Nov 21 '13 at 21:12

1 Answer


Removing the failed DC should probably be the last thing you care about right now.

You changed the IP address of the DC, which is presumably also the DNS server for the domain. You need to reconfigure the DC itself to use itself for a DNS server, and of course you have to reconfigure the client to use the DC as the DNS server.

If the DC is not a valid DNS server for the domain, you'll have quite a bit more work to do of course.

mfinni
  • I get your point about the DNS, should have thought about that immediately myself, but it was the end of a 16 hour day. Not thinking that clearly anymore. But... The DNS on both servers was pointing to the DNS of the trusted domain. I don't know at this time if that was the case already BEFORE the ip-address change or that the guy doing the ip-change changed the DNS too out of habit. Regardless which is the case. That is something I'm going to fix as soon as I'm back in the office tomorrow. – Tonny Nov 21 '13 at 21:11
  • DNS was the main thing. After I had put the DC as primary DNS server for itself and the client, added a fresh primary reverse DNS zone for the new range and corrected all the DNS records pointing to the old addresses everything started working again. After that it was just ntdsutil/"remove server" to get rid of the broken DC. – Tonny Nov 22 '13 at 19:37
  • It usually is. Glad to hear you're fixed up. – mfinni Nov 22 '13 at 21:57
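The sequence the thread arrives at (DNS pointing at the surviving DC first, then ntdsutil metadata cleanup for the dead DC), written out as an added example; it is not from the question, the answer or either author. It assumes a Windows 2003 R2 DC with the Support Tools installed, and every server name, domain name and address in it is a placeholder.

```batch
@echo off
rem Added example, not from the question or the answer: the checks and
rem commands for the sequence described above, run in cmd on the
rem surviving Windows 2003 R2 DC. All names and addresses are placeholders.
set SRV=SURVIVINGDC
set DEAD=DEADDC
set DOMAIN=corp.example
set DCIP=10.1.2.3
set REVZONE=2.1.10.in-addr.arpa
set TRUSTED=other.example

rem --- 1. DNS: the DC must use itself, not the trusted domain's DNS ---
netsh interface ip set dns "Local Area Connection" static %DCIP%
ipconfig /registerdns
net stop netlogon && net start netlogon
rem Reverse zone for the new range, so both machines can register PTRs
dnscmd %SRV% /zoneadd %REVZONE% /dsprimary
rem Verify: the SRV records the app server and clients depend on must
rem resolve through this DC before anything in the directory is touched
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DCIP%
dcdiag /s:%SRV% /test:dns /v
pause

rem --- 2. FSMO check: any role still listed on %DEAD% has to be seized
rem before its metadata is removed, or the domain stays broken ---
netdom query fsmo
pause

rem --- 3. ntdsutil metadata cleanup: list the server indexes first ---
ntdsutil "metadata cleanup" connections "connect to server %SRV%" quit "select operation target" "list domains" "select domain 0" "list sites" "select site 0" "list servers in site" quit quit quit
rem Read the index printed for %DEAD% before continuing; the removal
rem below is irreversible and also asks for confirmation
set /p DEAD_IDX=Index of %DEAD% in the list above:
ntdsutil "metadata cleanup" connections "connect to server %SRV%" quit "select operation target" "list domains" "select domain 0" "list sites" "select site 0" "list servers in site" "select server %DEAD_IDX%" quit "remove selected server" quit quit

rem --- 4. Leftovers: stale DNS records of the dead DC, then re-verify
rem replication state and the trust now that addresses have changed ---
dnscmd %SRV% /recorddelete %DOMAIN% %DEAD% A /f
repadmin /showrepl %SRV%
netdom trust %DOMAIN% /domain:%TRUSTED% /verify
```

The trust check in step 4 only passes once the other domain's DNS can resolve the DC's new address as well, so a conditional forwarder or updated zone copy on that side may be needed first.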