Jul 12 2023 11:43 AM
Good thing this is just my test network! I have a VM clone of my ancient WS 2008 R2 ("OldDC") running AD DS in a test network along with two spiffy new instances of WS 2022 (NewDC1 and NewDC2), both also running AD DS, all on Domain Functional Level 2008 R2.
I want to remove AD DS from OldDC, in preparation for some upgrades, so I ran dcpromo on it, and when I got to the final step it failed with error:
The operation failed because: Managing the network session with NewDC2.MyDomain.pvt failed "Logon Failure: The target account name is incorrect."
Based on these instructions I stopped the KDC service on NewDC1, set Startup to Manual, rebooted NewDC1, and then ran the following on NewDC1:
netdom resetpwd /s:NewDC2 /ud:MyDomain\Administrator /pd:*
and typed in the same password we've been using for the past few months, and which successfully logged into all 3 machines today. netdom reported success.
I rebooted OldDC, logged in with the same password, ran dcpromo, and I got the same error.
I tried browsing from OldDC to shares on NewDC1 and NewDC2, and those fail with a similar error:
\\NewDC2 is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon Failure: The target account name is incorrect.
If I try from OldDC:
net use \\NewDC1\share
that results in:
System error 1396 has occurred. Logon Failure: The target account name is incorrect.
Curiously, if I type the IPs of NewDC1 and NewDC2 into Windows Explorer on OldDC, e.g. \\192.168.0.10 or \\192.168.0.6, respectively, I can see the shares and open their contents, including SYSVOL.
This also succeeds:
net use \\192.168.0.10\share
OldDC's TCP/IP is set to use NewDC1's IP as its primary DNS server, and nslookup NewDC1 and nslookup NewDC2 from OldDC both return the correct addresses.
Browsing from NewDC1 and NewDC2 to \\OldDC works, and I can see OldDC's shares.
I've rebooted all 3 machines many, many times, just in case that might magically fix it, but it didn't.
What other options are there for me to fix this? Or do I even need to fix it? Can I remove AD DS from OldDC some other way? I still want to keep it around as a member of the domain. If I were to upgrade this in place to Server 2012-->Server 2022, would that magically fix the problem?
Last week I was on a Zoom call with a consultant who was trying to help me with GPOs for cybersecurity, and based on the intermittent network problems I was having at that time, but which are now fixed, he directed me to seize the roles from OldDC to either NewDC1 or NewDC2 (can't remember which) using fsmo maintenance. Could that be the root of the problem?
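The pattern in the question, where name-based access to NewDC1 and NewDC2 fails with error 1396 while access by IP to the same hosts works, is what a Kerberos problem looks like from the client: the name-based path requests a Kerberos ticket for the DC's service principal name (SPN), while the IP-based path falls back to NTLM. The diagnostic script below is an added example, not something posted in the thread; it assumes the host and domain names from the question and that it is run from an elevated prompt on OldDC (or one of the 2022 DCs) by a domain admin, and it collects the checks a practitioner would want before seizing roles or forcing a demotion.

```powershell
# Added example (not from the thread): gather the usual evidence behind
# "Logon Failure: The target account name is incorrect" (system error 1396)
# when \\NAME fails but \\IP works. Host names are the ones used in the
# question; run elevated as a domain admin. Uses only built-in tools.
$Targets = 'NewDC1', 'NewDC2'
$Domain  = 'MyDomain.pvt'

foreach ($dc in $Targets) {
    Write-Host "=== $dc ==="

    # 1. DNS: the FQDN must resolve to the address that works when typed directly.
    nslookup "$dc.$Domain"

    # 2. SPNs on the target computer account. HOST/<name> and HOST/<fqdn> must be
    #    present and registered on exactly one account; a missing or mis-owned SPN
    #    makes the KDC issue a ticket the target cannot decrypt.
    setspn -L $dc

    # 3. Secure channel from this machine to a DC for the domain.
    nltest "/sc_verify:$Domain"
}

# 4. Duplicate SPNs anywhere in the forest (-F) are a classic cause of 1396:
#    two accounts claim the same HOST/ name and the wrong key gets used.
setspn -X -F

# 5. Replication health. A netdom resetpwd that has not replicated leaves the
#    DCs disagreeing about the machine-account password, so the ticket for one
#    DC is encrypted with a key another DC no longer accepts.
repadmin /showrepl * /errorsonly
repadmin /replsummary

# 6. Purge cached tickets locally, then retest name-based access so a stale
#    ticket from before the password reset is not what is being evaluated.
klist purge
net use "\\$($Targets[0]).$Domain\SYSVOL"
```

If step 4 reports duplicates or step 5 shows replication errors, fix those before retrying dcpromo; rebooting does not change either.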
Jul 12 2023 02:21 PM
Simplest solution is to seize roles (if necessary) to another healthy one. Then turn off the failed one and do cleanup to remove the remnants from active directory.
Jul 12 2023 03:22 PM
Yes, just do the mentioned cleanup. I don't think it will remove it from the domain, but worst case you could join it again as a member server.
Jul 13 2023 06:13 AM
@TheWaterbug just checking if there's any progress or updates? Please don't forget to mark helpful replies.
Jul 13 2023 09:34 AM (Solution)