15 pts.
 W2k3 secondary domain controller recovery: join or trust with primary domain controller lost
Hello, I’ve a problem which was driving me crazy… but the problem primarily was my lack of knowledge in domain controller troubleshooting. I have a Windows 2003 Standard Edition backup domain controller. I have been connecting to it by RDP (using only domain admin credentials, not domain user accounts) for many years, but recently I have not been able to access the “BDC” anymore (this occurs only by RDP; the local admin login is working fine). I tried to log in to the remote desktop session both with and without the /console option but nothing changed.

I tried to launch a remote desktop session with domain admin credentials from many of my XP Pro clients on the LAN, and on every one of them I always received a message that, translated, sounds like this: “unable to determine the computer role, group policies Processing interrupted” (event id: 1053). I checked this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;278433 and everything is compliant with it. I also received this error message (sorry for the translation):

- Event id 1006: unable to complete domain join: (local error). group policies Processing interrupted

When I was trying to connect with every domain user (this time I tried not only the domain admin but also some domain user accounts and the result was the same), I received the following error:

- Event id 1219: Access denied for domainuser account. Unable to get Terminal server user profile: Error: access denied

In my opinion my backup domain controller has lost “the join” with the primary domain controller but I don’t know how to “rejoin it”. I tried DCPROMO but I received the error that “Before adding or removing Active Directory is necessary to remove Certification services”. Notice that this PDC has a Certification Authority installed and I don’t know how to remove and recover them after DCPROMO.

I tried something like this:

netdom join dcbck.domain.local /Domain:domain.local /UserD:domainadministrator /PasswordD:xxxxxxxx

but without succeeding (I obtained this error: “This computer is a domain controller and can’t be disconnected from domain”). I will be very grateful to all of you who come back with detailed step-by-step suggestions or procedures. Thanks a lot in advance.

Software/Hardware used:
Windows 2003 server standard edition Sp2
ASKED: January 26, 2010  4:23 PM
UPDATED: January 28, 2010  10:01 AM

Answer Wiki:
This link will show you how to <a href="http://support.microsoft.com/kb/298138">transfer the certificate authority to another server</a>. Once that is done, uninstall Certificate Authority, demote your DC, and promote it back. I would suggest that you demote the DC, then do a fresh install of the OS before promoting it back.
Last Wiki Answer Submitted:  January 27, 2010  1:22 am  by  mshen   27,310 pts.
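
The CA backup that has to exist before Certificate Services is uninstalled and the DC is demoted, as an added example that is not part of the answer above or of the linked KB article. It assumes the script is run locally on the domain controller by an administrator and that D:\CABackup is a hypothetical empty folder.

```batch
@echo off
rem Added example: capture the CA state before Certificate Services is
rem uninstalled and dcpromo is run on this domain controller.
rem ASSUMPTION: D:\CABackup is a hypothetical, empty folder on a local disk.
setlocal
set BACKUP_DIR=D:\CABackup
set CA_REG_KEY=HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

rem 1. Back up the CA database together with the CA certificate and private
rem    key (written as a PKCS #12 file). certutil prompts for the password
rem    that protects the exported key.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 goto failed

rem 2. The CA configuration (CRL and AIA locations, validity settings) is
rem    kept in the registry and is not part of the certutil backup.
reg export "%CA_REG_KEY%" "%BACKUP_DIR%\CertSvc-Configuration.reg"
if errorlevel 1 goto failed

rem 3. Confirm that the key file and the registry export are really there
rem    before anything is removed from the server.
dir /b "%BACKUP_DIR%\*.p12" >nul 2>&1
if errorlevel 1 goto failed
if not exist "%BACKUP_DIR%\CertSvc-Configuration.reg" goto failed

echo CA backup written to %BACKUP_DIR%.
echo Copy it off this server before uninstalling Certificate Services.
exit /b 0

:failed
echo CA backup failed. Do not uninstall Certificate Services or run dcpromo yet.
exit /b 1
```

The .p12 file holds the CA private key, so the backup folder should be moved to restricted storage and removed from the server once the CA has been restored.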


Discuss This Question:

Thanks a lot for helping me, Mshen. I’m going to do this operation and then I will publish the resulting operations.
