Workstation domain logon screwy after replacing server

Discussion in 'OT Technology' started by mdaniel, Mar 6, 2007.

  1. mdaniel

    Windows 2000/2003 server configured as domain controller with several 2000/XP Pro desktops joined to the domain. Server takes a dump and either needs to be physically replaced or have its Windows blown out and reloaded from scratch. Windows get reloaded with the same host name, domain name, IP address, etc. as before.

    In situations like this, even after adding the computer and user accounts to the new domain controller, the workstations have trouble logging in. They'll log in if you enter the domain account and password as soon as the logon prompt appears but if you wait too long, it won't accept it and instead say the DC is unavailable. DNS is working fine though. Once logged on, they can access resources on the server but accessing other hosts in the domain is hit or miss.

    If the domain members are disjoined and rejoined to the domain after the server is replaced, they'll work fine but that means migrating all of the user's settings over to the new profile.

    I'm guessing that even though the old and new servers have the same host and domain name, since the SID/GUID are different, the domain members recognize it as their domain.

    Is there an easy way to make them part of the "new" domain without disjoining/rejoining?
     
  2. XR250rdr

    If you created a new domain, even with the same name, it's a different domain. Each domain has a unique identifier. That's one reason why a second domain controller is important.

    I imagine a disjoin/rejoin script could be written. I'm not that talented in scripting to do it myself though. How many machines are we talking?
     
  3. MattR2

    Did that server originally host any FSMO roles?
     
  4. mdaniel

    Yeah it was the first, one, and only DC.
     
  5. JayC71


    In short, no.

    You can't simply create the computer accounts with the same name; those accounts are identified in AD by the Security ID (SID) and computer account password. The name you give them is just a friendly name that AD maps to a SID, just like with user accounts. The SID contains the ID of the domain and the host (or user). When you try to access the domain with the computers as they are now, your new server does not recognize them (doesn't have an account for them in its database, actually) and Kerberos authentication fails. They have to be re-joined, which basically creates a new computer account and establishes a trust password (machine account password).

    Situations like this are the classic reasoning for having multiple DCs.
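A way to see the "same name, different SID" condition JayC71 describes on an affected workstation, as an added example that is not from this thread: every profile on the machine is keyed by the owning account's SID, and the domain part of that SID tells you whether the profile belongs to the rebuilt domain, to a local account, or to the old domain that no longer exists. It assumes Windows PowerShell 3.0 or later, local administrator rights, and that the machine has already been rejoined (or can at least resolve a group in the new domain).

```powershell
# Added example (not from the thread). Run as an administrator on a workstation that can
# reach the rebuilt DC. Classifies each ProfileList entry by the domain part of its SID,
# so profiles left over from the old same-named domain (different SID) are easy to spot.
# Assumes Windows PowerShell 3.0 or later.
$ErrorActionPreference = 'Stop'

function Get-DomainSidOf([string]$Account) {
    # Resolve name -> SID through the DC the machine trusts now, then strip the RID.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    return $sid.AccountDomainSid.Value
}

$domainName       = (Get-WmiObject Win32_ComputerSystem).Domain
$currentDomainSid = Get-DomainSidOf "$domainName\Domain Users"   # SID of the *rebuilt* domain

# Local machine SID: take it from any local account (RID 500 exists whatever it is named).
$localUser       = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | Select-Object -First 1
$localMachineSid = (New-Object System.Security.Principal.SecurityIdentifier($localUser.SID)).AccountDomainSid.Value

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$report = foreach ($key in Get-ChildItem $profileList) {
    $sidText = $key.PSChildName
    # Only account SIDs (S-1-5-21-...): skips SYSTEM/LocalService/NetworkService and ".bak" temp-profile keys.
    if ($sidText -notmatch '^S-1-5-21-[\d-]+$') { continue }
    $ownerDomainSid = (New-Object System.Security.Principal.SecurityIdentifier($sidText)).AccountDomainSid.Value
    if     ($ownerDomainSid -eq $currentDomainSid) { $state = 'CurrentDomain' }
    elseif ($ownerDomainSid -eq $localMachineSid)  { $state = 'LocalAccount' }
    else                                           { $state = 'OrphanedDomain' }  # old DC's domain (or another domain)
    [pscustomobject]@{
        Sid     = $sidText
        Profile = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        State   = $state
    }
}
$report | Sort-Object State | Format-Table -AutoSize
```

Profiles reported as OrphanedDomain are the ones whose settings have to be migrated to the user's new account after the rejoin; the old domain can no longer translate their SIDs back to names, which is why the script keeps the raw SID.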
     
  6. 5Gen_Prelude

    And the reason why if you wait too long it doesn't work is because you are logging on with cached credentials.

    I don't know of any easy way to do this. If you don't have more than one server then hopefully the number of users is small enough that the time doing it manually would be shorter than doing it by a script.
     
  7. MattR2

    So did you promote another server and seize the roles? Or once that server was down, did you just rebuild it?

    How did you do the rebuild? Build identical server then restore system state from backup?

    details..
     
  8. mdaniel

    Yeah that's pretty much what I figured. I was just hoping there was a procedure I didn't know about for getting the domain members to rejoin without all the extra work associated with disjoining/rejoining.

    I've seen this a few times after someone's replaced a DC without transferring FSMO roles or if the DC died without a good backup. I had one of those yesterday. The single DC's Windows installation shit itself, so I loaded a 2nd copy of Windows into a different folder to get them back up ASAP. I knew it would result in these authentication issues though. Unfortunately, most of the people that call me rarely back up, much less have a 2nd DC. Luckily, that also means that the networks are small enough that disjoining/rejoining the workstations, while tedious, isn't the end of the world.
     
  9. JayC71

    Yeah, that happens often in small networks. It's not always easy to convince a small business that they *really* should invest in two servers to prevent this from happening. It's a cost vs. risk scenario, and cost usually wins. If nothing else, once you have all the clients rejoined and user accounts created, etc., set up at the very least an ntbackup job to do a system state once a week or so. That way, if this does happen again you'll at least have a chance of recovery.
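The weekly system-state job JayC71 recommends, written out as an added example rather than anything posted in the thread. It assumes a Windows Server 2003 DC with ntbackup.exe, Windows PowerShell installed, and a backup folder (the path is a placeholder) on a disk or share that survives the server itself dying; it keeps the newest few copies so the job can run unattended.

```powershell
# Added example (not from the thread). Run on the DC from a scheduled task.
# Assumes ntbackup.exe (Windows 2000/2003) and a backup location that does NOT live
# only on the DC's own system disk; $BackupDir below is a placeholder path.
param(
    [string]$BackupDir = 'D:\Backups\SystemState',   # placeholder: point this at a separate disk or share
    [int]$Keep = 4                                   # number of weekly copies to retain
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$file  = Join-Path $BackupDir "systemstate-$stamp.bkf"

# System state = AD database, SYSVOL, registry and boot files: the pieces a DC rebuild
# needs to come back with the same domain SID so the workstations' accounts still match.
& ntbackup.exe backup systemstate /J "DC system state $stamp" /F "$file" /L:s

if (-not (Test-Path $file)) {
    throw "ntbackup did not produce $file; check the ntbackup log before relying on this job."
}

# Prune: keep the $Keep most recent system-state sets, delete the rest.
Get-ChildItem -Path $BackupDir -Filter 'systemstate-*.bkf' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Force

# One-time registration of the weekly task (run once from an elevated prompt; script path is a placeholder):
# schtasks /create /tn "DC System State" /sc WEEKLY /d SUN /st 02:00 /ru SYSTEM /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-SystemState.ps1"
```

Restoring from one of these .bkf files onto a rebuilt server brings back the original domain identity, which is the difference between "rejoin every workstation" and "the workstations never notice".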
     
  10. deusexaethera

    Microsoft themselves say that if your domain controller takes a shit and you don't have a backup, you're pretty much done for.

    All you can really do is say "Microsoft specifically designs their networks to be like this so people can't copy your user accounts and steal your files, so the only thing you can do to keep from losing your domain is make backups, and if you don't there isn't a single damn thing I can do to help you."
     