Hey Guido, Jason,

We have this problem semi-regularly. First, as far as I can tell the Kerberos password is reset every 10 days. As long as your DC is back up inside the 10-day window, it should automatically reconnect with no real issues. After 10 days you often will end up having to reset the password. A good way to test this is to force a replication and then run repadmin /showreps from the command prompt. You should get access denied errors if the password needs to be reset. The following KB will go through the steps to redo this:

http://support.microsoft.com/?kbid=260575

One other trick that I have seen work is to set a manual replication connection to a server you have never replicated to, and remove the automatic ones. This will often restart replication, and then later on you can let the KCC recreate the automatics.

The other time period to be concerned about is 60 days. After 60 days AD will start to garbage collect things. If you bring a DC back online that is 60 days out of sync, it may recreate objects that have been previously deleted. With user accounts this is just an annoyance. If you have domain controllers or replication objects that have been removed, this can create a major hassle as you end up forcibly removing things from the AD.

Hope this helps,

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

-----Original Message-----
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 11/21/2003 09:46 PM CET
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Part of domain offline

Hey Jason - are you saying ALL DCs of one of your domains are down? I.e. there is NO DC that would refresh the trust of the domain to your other domains? I'd have to look it up, but I think you're going to run into a trust issue before the default tombstone lifetime.

The secure channel between your domain and the forest root could be broken (I believe they have to refresh every 7 days - not like the 2000 workstations, which refresh every 30 days now). Nothing unfixable, but you may have to run NLTEST /SC_RESET or something similar. /SC_RESET is usually used to reset the secure channel between domain members and a DC - so you may need something else... Anybody ever run into this?

/Guido

-----Original Message-----
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 November 2003 08:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Part of domain offline

Joe is correct ... Another important thing to notice is the fact that with W2000 SP3 a new feature can be enabled, namely "Strict replication". Having this feature enabled lessens the risks caused by DCs that have not replicated for some time. The risk is lessened because the spread of lingering objects is prevented.

Cheers!
John

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 November 2003 3:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Part of domain offline

It depends on your tombstone lifetime. If you have a default forest the time is 60 days so you want to be offline less than that.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Benway
Sent: Wednesday, November 19, 2003 1:46 PM
To: '[EMAIL PROTECTED]'

We have multiple domains (xwy.com, abc.com, etc.com) in our Win2k AD forest. One of the domains has been disconnected from the rest of the forest for a week now. How long before the rest of the forest writes the missing domain off? I thought if a domain or DC was offline for too long you had to rebuild it because it couldn't re-sync with the rest of the forest.
jb

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
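A worked check for the two thresholds discussed in this thread (James's access-denied test with repadmin /showreps, and the 60-day tombstone lifetime Joe and James mention), added here as an example and not code from any of the posters. It parses the text of repadmin /showreps, reports per inbound partner how many days have passed since the last successful replication against the tombstone lifetime, and flags partners whose last attempt failed with result 5 (ERROR_ACCESS_DENIED), the symptom James says points at a machine-account password reset (KB 260575). Assumptions: the sample repadmin output is constructed, not a capture; the line layout ("Last attempt @ ... failed, result N (0x...):", "N consecutive failure(s).", "Last success @ ...") follows repadmin's usual format and may need adjusting for other versions; the function names are mine; the tombstone lifetime is read from the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition, falling back to 60 days when unset, which is the default on a forest created with Windows 2000.

```powershell
# Added example, not code from the thread. Parses 'repadmin /showreps' text and
# reports, per inbound partner, days since the last successful replication versus
# the tombstone lifetime, and flags result 5 (ERROR_ACCESS_DENIED) failures, the
# symptom James describes for a stale DC machine-account password.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime sits on CN=Directory Service,CN=Windows NT,CN=Services in the
    # configuration NC; unset means the forest default (60 days per Joe's post).
    param([int]$Default = 60)
    try {
        $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
        $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
        return [int]$ds.Get('tombstoneLifetime')   # throws when the attribute is unset
    } catch { return $Default }                    # also when not domain-joined
}

function ConvertFrom-ShowReps {
    # One object per inbound neighbor listed under each naming context.
    param([Parameter(Mandatory)][string]$Text)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $fmt = 'yyyy-MM-dd HH:mm:ss'
    $neighbors = New-Object System.Collections.Generic.List[object]
    $partition = $null; $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(CN|DC)=') { $partition = $line.Trim(); continue }
        if ($line -match '^\s+(\S+\\\S+) via (\S+)') {             # "    Site\DC via RPC"
            $current = [pscustomobject]@{
                Partition = $partition; Partner = $Matches[1]; Transport = $Matches[2]
                LastAttempt = $null; LastSuccess = $null; ResultCode = 0; Failures = 0; Message = $null
            }
            $neighbors.Add($current); continue
        }
        if ($null -eq $current) { continue }
        if ($line -match 'Last attempt @ (\S+ \S+) was successful') {
            $current.LastAttempt = [datetime]::ParseExact($Matches[1], $fmt, $culture)
            $current.LastSuccess = $current.LastAttempt
        } elseif ($line -match 'Last attempt @ (\S+ \S+) failed, result (\d+)') {
            $current.LastAttempt = [datetime]::ParseExact($Matches[1], $fmt, $culture)
            $current.ResultCode = [int]$Matches[2]
        } elseif ($line -match '^\s+(\d+) consecutive failure') {
            $current.Failures = [int]$Matches[1]
        } elseif ($line -match 'Last success @ (\S+ \S+)\.') {
            $current.LastSuccess = [datetime]::ParseExact($Matches[1], $fmt, $culture)
        } elseif ($current.ResultCode -ne 0 -and -not $current.Message -and $line.Trim()) {
            $current.Message = $line.Trim()     # error text printed under a failed attempt
        }
    }
    return $neighbors
}

function Test-ReplicationHealth {
    param([Parameter(Mandatory)]$Neighbors, [int]$TombstoneLifetimeDays = 60, [datetime]$Now = (Get-Date))
    foreach ($n in $Neighbors) {
        $age = if ($n.LastSuccess) { [int][math]::Floor(($Now - $n.LastSuccess).TotalDays) } else { $null }
        # Past the tombstone lifetime the partner may reintroduce deleted (lingering) objects
        $beyond = if ($null -eq $age) { $null } else { $age -gt $TombstoneLifetimeDays }
        [pscustomobject]@{
            Partition = $n.Partition; Partner = $n.Partner; DaysSinceSuccess = $age
            BeyondTombstone = $beyond
            NeedsPasswordReset = ($n.ResultCode -eq 5)        # ERROR_ACCESS_DENIED
            LastError = $n.Message
        }
    }
}

# Constructed sample (not a real capture) in repadmin's layout: one healthy partner,
# one failing with access denied, one silent for more than 60 days.
$sample = @'
==== INBOUND NEIGHBORS ======================================

DC=xwy,DC=com
    Default-First-Site-Name\DC2 via RPC
        Last attempt @ 2003-11-21 09:46:12 was successful.

DC=abc,DC=com
    Default-First-Site-Name\DC3 via RPC
        Last attempt @ 2003-11-21 09:46:12 failed, result 5 (0x5):
            Access is denied.
        14 consecutive failure(s).
        Last success @ 2003-11-01 02:00:00.

CN=Configuration,DC=xwy,DC=com
    Default-First-Site-Name\DC4 via RPC
        Last attempt @ 2003-11-21 09:46:12 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        90 consecutive failure(s).
        Last success @ 2003-09-10 02:00:00.
'@

# Fixed "now" so the sample gives stable ages (DC2: 0, DC3: 20, DC4: 72 days).
$now = [datetime]::ParseExact('2003-11-21 12:00:00', 'yyyy-MM-dd HH:mm:ss', [System.Globalization.CultureInfo]::InvariantCulture)
Test-ReplicationHealth -Neighbors (ConvertFrom-ShowReps -Text $sample) -TombstoneLifetimeDays 60 -Now $now | Format-Table -AutoSize

# On a live DC, feed real output and the real tombstone lifetime:
# Test-ReplicationHealth -Neighbors (ConvertFrom-ShowReps -Text (repadmin /showreps | Out-String)) -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```

With the sample, DC3 comes back with NeedsPasswordReset set (the access-denied case James describes, where KB 260575's reset procedure applies) and DC4 with BeyondTombstone set (the partner has been out of contact longer than the 60-day lifetime, so letting it replicate back in risks the lingering objects John and James warn about). A result code other than 5, such as DC4's 1722 (RPC server unavailable), is reported but not treated as a password problem.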
