Does a domain controller need a certificate

Hi,
I have a certificate related question.  While checking the logs on our domain controller, I discovered a certificate problem.  In the Personal store is a Domain controller Template certificate that expired last year.  It was created by an
enterprise CA that no longer exists and was not properly removed from the domain.  My question is:  Is the certificate needed for anything?    I inherited the administration of the domain and I am trying to clean it up.
Thanks
Ron Soulliard
Ron Soulliard Systems Administrator Polaris Ventures

Hi Ronald,
In addition to Paul's input,
For your question "Is the certificate needed for anything?":
It depends on your security requirements, such as the level of confidential information you share through the network. 
Certificates appear to be useful for doing SSL/IPSec, providing wireless authentication, and for securing VPN.
Regarding Certificate Services, it allows you to create and manage "self signed" certificates. 
It allows many security enhancements, but only to the point that any security service based on SSL certificates will be installed, configured, and enabled.
Also it allows you to be your own Certificate Authority, instead of purchasing a commercial SSL certificate.
Check out the thread below dealing with a similar discussion,
Is Certificate Services necessary for a small domain?
Regards,
Gopi
JiJi Technologies
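Before deleting an expired Domain Controller certificate, the thing to know is whether the DC is still handing it out. The script below is an added example (not code from the thread or from either poster): it lists the machine certificates on the DC, flags the ones that are expired or whose issuing CA no longer has an Enrollment Services object in the forest (the "CA that no longer exists" case above), and then opens a TLS session to the LDAPS port to show which certificate Schannel actually serves. It assumes it runs elevated on the DC; `$DcFqdn` defaults to the local host name and is a placeholder.

```powershell
# Added example, not from the thread: audit the machine certificates on this DC,
# flag expired ones and ones whose issuing CA no longer exists in the forest,
# then see which certificate Schannel actually serves on LDAPS (TCP 636).
# Assumes it runs elevated on a domain controller; $DcFqdn is a placeholder default.
param(
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# CAs still registered for enrollment in this forest (pKIEnrollmentService objects).
$config   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [adsisearcher]'(objectClass=pKIEnrollmentService)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$config"
$liveCAs  = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] })

$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 template name, v2 template info
$now = Get-Date

$inventory = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issuerCN = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    $template = ($_.Extensions | Where-Object { $_.Oid.Value -in $templateOids } |
                 ForEach-Object { $_.Format($false) }) -join '; '
    [pscustomobject]@{
        Subject    = $_.Subject
        IssuerCN   = $issuerCN
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)
        IssuerInAD = ($liveCAs -contains $issuerCN)
        HasKey     = $_.HasPrivateKey
        Template   = $template
    }
}
$inventory | Format-Table -AutoSize

function Get-LdapsServerCertificate {
    # Opens a TLS session to the LDAPS port and returns the certificate presented.
    # Validation is deliberately disabled: we want to *see* the certificate, not trust it.
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        Write-Warning "No LDAPS handshake with ${HostName}:${Port}: $($_.Exception.Message)"
        $null
    } finally {
        $client.Close()
    }
}

$served = Get-LdapsServerCertificate -HostName $DcFqdn
if ($served) {
    $match = $inventory | Where-Object Thumbprint -eq $served.Thumbprint
    "LDAPS on $DcFqdn serves thumbprint $($served.Thumbprint), expires $($served.NotAfter)"
    if ($match -and $match.Expired)         { Write-Warning 'The certificate in use is expired; LDAPS clients that validate will fail.' }
    if ($match -and -not $match.IssuerInAD) { Write-Warning 'The issuing CA is no longer registered in AD, so it cannot renew this certificate.' }
} else {
    "No certificate served on ${DcFqdn}:636 - LDAPS, and smart card logon that depends on the DC certificate, are unavailable."
}
```

If LDAPS is not served at all, nothing in the domain is relying on that certificate and it can go; if it is served and expired, clients that validate the chain are already failing, so the fix is a new certificate from a CA that still exists, not just deletion.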

Similar Messages

  • What happens if Domain Controller server authentication certificate expires?

    Dear People,
We have got two Domain Controller servers and accordingly two Azman servers. We
    have got two certificates issued for each Domain Controller to our two Azman servers. Both these certificates are going to expire in the next few days. We have a few Web
    & Desktop applications for which we authorize a large pool of users with the help of these two Azman servers.
    Now, the issue is, the Domain Controller certificates are going to expire soon on both Azman servers. Can somebody tell me what could be the impact of expiration of these certificates?
    Will all the applications be down after that? Should I go for renewal of the certificates? Please help me as soon as possible, otherwise I will be in big trouble. Thanks.

    Hi,
    Based on my research, Domain Controller Authentication certificate is used for client authentication, server authentication and smart card logon.
    You need to renew the certificates before they expire, otherwise problems about smart card logon and SSL connection will occur.
    More information for you:
    Processing Domain Controller Certificates
    http://technet.microsoft.com/en-us/library/cc787009(v=WS.10).aspx
    Best Regards,
    Amy

  • ChaRM - Support for 46C as Transport Domain Controller

    Good day.
    We are currently testing ChaRM with the Transport Domain Controller being on a 46C box. We are getting the following error when trying to create a Task List:
    Function module "TMW_DISPLAY_TRANSPORT_ROUTES" not found.
    Is the use of a TDC on 46C supported with ChaRM?
    Thanks,
    Charles.

    Hey Charles,
CHARM can only be implemented on satellite systems with SAP version 4.6C onwards and above...
    However, even then the domain controller needs to be on 4.7, i.e. it requires a WAS 620 application server...
    Therefore we can conclude that CHARM cannot be implemented with the satellite system you mentioned above..
    Please Reward for useful points...
    Regards,
    Anand

  • Certificate for Domain Controller Will not import

    Hi,
I am having an issue importing a Certificate .crt file on a Windows Server 2008 R2 Domain Controller.  The certificate is needed for migrating our 2003 Domain Controllers to 2008 R2.   When I try to use the command line to import the certificate
    using the following:
    I receive the following output:
    Cannot find object or property. 0x80092004 (-2146885628)  
    I also tried this command 
    certreq.exe -accept hostname.crt -machine   and received the same error.
    When I try to import the Certificate using the GUI it works but there is no "private key" found.   
    The Certificate was issued from Digicert.    
    Does anyone know how to resolve this so my certificate imports correctly with a private key intact?   
    Thanks,
    Kevin C.

    Here are the steps as explained by Digicert:
    How to Import and Export your SSL Certificate
    https://www.digicert.com/import-export-ssl-certificate.htm
    Note that I've used Digicert and haven't had a problem with the private key. If the private key's missing, there will be missing functionality. And also note, that Digicert's tech support is free and they are actually pretty good and can help almost immediately
    as soon as you call them. They've helped me a number of times.
    Give them a call 24/7: 1.801.701.9600
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • New Domain Controller does not show in our different site's Domain controller's Sites and Services

    Hi,
We have two sites in our AD environment: the OMA site and the NY site. We have three domain controllers in our OMA site and two domain controllers in our NY site. All our DCs are Windows Server 2008 R2 except one in our OMA site that is 2003 R2; the domain
    functional level is also 2003 R2.
    We decided to raise our functional level to 2008 R2. I added a new domain controller in our OMA site and transferred all FSMOs from the DC that was running 2003 R2 to this new domain controller.
    The issue now is that our NY site does not make any connection with the new domain controller in the OMA site. It does not even show it under Sites and Services. I have checked the DNS settings and everything. If you try to replicate the connections
    from the NY site it gives the following error: "The naming context is in the process of being removed or is not replicated from the specific server."
    Can anyone please tell me why this is happening? My brain is just frozen at this moment and I can't figure out why this is happening.

Just noticed this replication issue has been going on for a while now, but we never noticed until I added the new DC. Here is the error log from the NY site DC.
    Log Name:      Directory Service
    Source:        Microsoft-Windows-ActiveDirectory_DomainService
    Date:          1/4/2014 8:11:40 AM
    Event ID:      2042
    Task Category: Replication
    Level:         Error
    Keywords:      Classic
    User:          ANONYMOUS LOGON
    Computer:      NORDC1.vertrue.com
    Description:
    It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
     The reason that replication is not allowed to continue is that the two DCs may contain lingering objects.  Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions
    of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".  If the local destination DC was allowed to replicate with the source DC, these potential lingering object
    would be recreated in the local Active Directory Domain Services database.
    Time of last successful replication:
    2013-05-16 15:26:38
    Invocation ID of source directory server:
    9236ac56-d046-4632-b072-acbe823c5f6c
    Name of source directory server:
    accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com
    Tombstone lifetime (days):
    90
    The replication operation has failed.
    User Action:
      The action plan to recover from this error can be found at
    http://support.microsoft.com/?id=314282.
     If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects
    <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source
    DC> <Destination DC DSA GUID> <NC>".
     If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at
    http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.
     If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
     Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between
    DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime
    number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are
    located immediately.
    Alternate User Action:
    Force demote or reinstall the DC(s) that were disconnected.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
        <EventID Qualifiers="49152">2042</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>5</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-01-04T13:11:40.963263500Z" />
        <EventRecordID>38018</EventRecordID>
        <Correlation />
        <Execution ProcessID="660" ThreadID="1596" />
        <Channel>Directory Service</Channel>
        <Computer>NORDC1.vertrue.com</Computer>
        <Security UserID="S-1-5-7" />
      </System>
      <EventData>
        <Data>2013-05-16 15:26:38</Data>
        <Data>9236ac56-d046-4632-b072-acbe823c5f6c</Data>
        <Data>accde843-11b2-476c-9783-9b29252d0ba5._msdcs.vertrue.com</Data>
        <Data>90</Data>
        <Data>Allow Replication With Divergent and Corrupt Partner</Data>
        <Data>System\CurrentControlSet\Services\NTDS\Parameters</Data>
      </EventData>
    </Event>
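Event 2042 carries everything needed to scope the problem, but it is easy to misread. The script below is an added example (not from the poster or from Microsoft): it reads the 2042 events from the Directory Service log on the DC it runs on, pulls out the last successful replication time, the source DSA GUID and the tombstone lifetime recorded in the event (the EventData order is the one visible in the XML above), resolves the GUID CNAME to a host name, compares it with the forest's current tombstoneLifetime, and prints the read-only advisory-mode repadmin check. It changes nothing; it assumes repadmin and Resolve-DnsName are available on the DC.

```powershell
# Added example, not from the thread: pull the facts out of Directory Service
# event 2042 on this DC, resolve the source DSA GUID to a host name, compare
# the gap against the forest tombstone lifetime, and print the read-only
# (advisory mode) repadmin check. Nothing here modifies the directory.
# Assumes it runs on the affected DC with repadmin and the DnsClient module present.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2042 } -ErrorAction SilentlyContinue
if (-not $events) { 'No event 2042 in the Directory Service log.'; return }

$rootDse  = [ADSI]'LDAP://RootDSE'
$config   = [string]$rootDse.configurationNamingContext
$domainDN = [string]$rootDse.defaultNamingContext

# Forest-wide tombstone lifetime; unset means the OS default applies.
$dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$config"
$tsl   = if ($dsObj.tombstoneLifetime.Value) { [int]$dsObj.tombstoneLifetime.Value } else { 'not set (OS default)' }

$events | Sort-Object TimeCreated -Descending | Select-Object -First 5 | ForEach-Object {
    # EventData order as recorded in the event XML: last success, invocation ID,
    # source DSA DNS name, tombstone lifetime at the time of the event.
    $lastSuccess = [datetime]$_.Properties[0].Value
    $sourceDsa   = [string]$_.Properties[2].Value
    $eventTsl    = [int]$_.Properties[3].Value
    $sourceGuid  = $sourceDsa.Split('.')[0]
    $days        = [int]($_.TimeCreated - $lastSuccess).TotalDays

    $srcHost = try {
        Resolve-DnsName -Name $sourceDsa -Type CNAME -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1 -ExpandProperty NameHost
    } catch { '<CNAME not resolvable>' }

    [pscustomobject]@{
        Logged          = $_.TimeCreated
        LastSuccess     = $lastSuccess
        DaysWithoutRepl = $days
        EventTSL        = $eventTsl
        CurrentTSL      = $tsl
        SourceDsaGuid   = $sourceGuid
        SourceHost      = $srcHost
    } | Format-List

    # Advisory mode only reports which objects on the local DC would be removed
    # when the source DC is used as the reference; the reverse direction should
    # be checked too before deciding which side actually holds lingering objects.
    "repadmin /removelingeringobjects $env:COMPUTERNAME $sourceGuid `"$domainDN`" /ADVISORY_MODE"
}
```

The number that matters is DaysWithoutRepl against the tombstone lifetime: once it exceeds the TSL, the source DC has been garbage-collecting deletions the NY DC never received, which is why replication is refused rather than merely slow.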

  • Help with setting up active directory domain controller/DNS - need this for Clustering

    Disclaimer: I am new to Active Directory, so please dont rule out the obvious things I may have overlooked.
    I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
    When I look at my server manager AD DS complain about DNS:
    NASE-2012-234    4015    Error    Microsoft-Windows-DNS-Server-Service    DNS Server    1/14/2014 12:54:06 AM
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    When I click on DNS this is the error:
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    Output of DCDiag -v is below.
    PS C:\Users\Administrator> dcdiag -v
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine NASE-2012-234, is a Directory Server.
       Home Server = NASE-2012-234
       * Connecting to directory service on server NASE-2012-234.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
    ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
    e,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
    SDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
    N=Configuration,DC=lab,DC=nase,DC=com
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\NASE-2012-234
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
             Check the DNS server, DHCP, server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... NASE-2012-234 failed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\NASE-2012-234
          Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: DNS
          Test omitted by user request: DNS
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : lab
          Starting test: CheckSDRefDom
             ......................... lab passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... lab passed test CrossRefValidation
       Running enterprise tests on : lab.nasecom
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             PDC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             Time Server Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             KDC Name: \\NASE-2012-234.lab.nasecom
             Locator Flags: 0xe000f3fd
             ......................... lab.nase.com passed test LocatorCheck
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
             provided.
             ......................... lab.nasecom passed test Intersite
    PS C:\Users\Administrator>
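The Connectivity failure above comes down to one DNS lookup: the DC's own DSA GUID CNAME under _msdcs could not be resolved, so every later test was skipped. The script below is an added example (not from the poster or from dcdiag) that performs the locator lookups a DC depends on, one by one, so the missing record is obvious, and shows which DNS servers the host is actually querying. It assumes it runs on the DC (or a domain member) with the DnsClient module of Windows Server 2012 and later, and it changes no configuration.

```powershell
# Added example, not from the thread: the DNS lookups a DC's dcdiag Connectivity
# test relies on, done with Resolve-DnsName so the failing piece is visible.
# Assumes the DnsClient module (Windows 8 / Server 2012 and later). Read-only.
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDN  = [string]$rootDse.defaultNamingContext
$dnsDomain = ($domainDN -split ',' | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
$ntdsDN    = [string]$rootDse.dsServiceName                   # this DC's NTDS Settings object
$dsaGuid   = [guid]([ADSI]"LDAP://$ntdsDN").objectGUID.Value  # byte[] -> GUID

$checks = @(
    @{ Name = "$dsaGuid._msdcs.$dnsDomain";         Type = 'CNAME'; Why = 'DSA GUID CNAME used for replication/RPC binding' }
    @{ Name = "_ldap._tcp.dc._msdcs.$dnsDomain";     Type = 'SRV';   Why = 'DC locator' }
    @{ Name = "_kerberos._tcp.dc._msdcs.$dnsDomain"; Type = 'SRV';   Why = 'KDC locator' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$dnsDomain";    Type = 'SRV';   Why = 'PDC emulator (writable DC)' }
    @{ Name = $dnsDomain;                            Type = 'A';     Why = 'domain name A record(s)' }
)

"DNS servers configured on this host:"
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

$results = foreach ($c in $checks) {
    try {
        $rec = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq $c.Type }
        $answer = switch ($c.Type) {
            'SRV'   { ($rec | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ' }
            'CNAME' { ($rec | Select-Object -First 1).NameHost }
            default { ($rec | ForEach-Object { $_.IPAddress }) -join ', ' }
        }
        [pscustomobject]@{ Record = $c.Name; Type = $c.Type; OK = [bool]$answer; Answer = $answer; Purpose = $c.Why }
    } catch {
        [pscustomobject]@{ Record = $c.Name; Type = $c.Type; OK = $false; Answer = $_.Exception.Message; Purpose = $c.Why }
    }
}
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'A record the DC locator depends on is missing: point the DC''s DNS client at a DNS server hosting the _msdcs zone (or at itself) and restart Netlogon to re-register the records.'
}
```

A single-DC lab that fails the first row (the GUID CNAME) almost always has its DNS client pointing at a DNS server that does not host the AD zones, or had the DNS role installed before the zones were created; the table shows which of the two it is.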

    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions.  You might want to post your question there.
    .:|:.:|:. tim

  • SELFSSL.exe - can you create a Domain Controller certificate?

    As the title asks really.  Rather than setting up CA's, can you use selfssl.exe to create domain controller certificates?

If you are not using certificates, then why not just delete the certificates that cause warnings? Old trusted CAs can be propagated from Active Directory. See this article:
    http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
    You need to perform only steps 6 and 7.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Certificate Authority cannot find domain controller

    I recently started working for a company that has an offline CAROOT server and an online CASUB server. Prior to my arrival, the old 2008 DCs were replaced with new 2012 DCs, in a proper upgrade. After the new DCs worked, the old ones were demoted, shut down
    and eventually deleted.
    Unfortunately, it looks like one of the things that was missed was the re-jigging of the certificate authority to the new domain controller(s), such that after a few months, the CDP Locations have expired (they point at the correct location, the CASUB server).
    When I check the Manage AD Containers entry, I can see that the RootCA is now showing as "Untrusted Root" and all the entries in the CDP Container show as Expired.
    Is there an easy way to repair this (the old DCs can not be spun up again, they are gone), or will I need to set up an all new certificate infrastructure?
    We use certificates to determine what workstations are allowed on the network infrastructure (the Cisco switch ports exa, while workstations currently have unexpired certificates, they can still access the network, but when they start to expire, we will
    have workstations unable to connect to the network.
    I am fairly new to managing certificates and authorities.

    Hi Michael,
    the CDP Locations have expired (they point at the correct location, the CASUB server).
    You can publish a new CRL by right click on Revoked Certificates container.
    More information for you:
    How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub
    http://social.technet.microsoft.com/wiki/contents/articles/19160.how-to-publish-new-certificate-revocation-list-crl-from-offline-root-ca-to-active-directory-and-inetpub.aspx
    Specify CRL Distribution Points
    https://technet.microsoft.com/en-us/library/cc753296.aspx
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Does Oracle 10G R2 support installation on Windows 2003 Domain Controller?

    Does Oracle 10g R2 support installation on Windows 2003 Domain Controller? I remember that 10g R1 had issues with the DC? Is it still the case. Does it work now?
    Any help is appreciated.
    Regards,
    Raghav

    We have Oracle 10g R2 running on a Windows 2003 domain controller. It was not a domain controller when Oracle was installed. The domain was created after installation. (I don't recommend that procedure. I spent a long day fixing the installation after they configured the domain.) If Oracle is unhappy with being on a domain controller, it has not shown it yet.

  • Installing Domain Controller certificates remotely - private key remains on local server!

    Using a 3rd party CA (Entrust), I have successfully requested and installed Domain Controller certificates via the Certificates MMC snap-in.
    I did this from one Domain Controller, and then just used the (right click) "Connect to another computer" option to do the rest.  Everything looks absolutely fine, the certificates look ok.... certificate chain is complete, and valid (all
    CA certs are installed) and the certificates say "You have the private key that corresponds to this certificate".
    If I do a LDAPS bind using LDP.exe, it works fine on the first DC.
    Do this on the next and I get the error:
    Cannot open connection
    Error 81 = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to DCHostname.
    After some checking I looked in the folder C:\ProgramData\Microsoft\Crypto\Keys
    This contains a lot of files on the DC I was logged onto when installing the certs, and no files on any of the other DCs.  I am guessing this is the private key file and it has stored all of them on the local machine I was running MMC from rather than
    on the machines I connected to from MMC.
    Is there any way to get these keys onto the correct DCs now - or will I have to re-request all of the others.  The private key was not exportable.
    I figured copying and pasting them was probably not going to work with a private key, but I tried it anyway just to be sure!
    It is pretty annoying as no clue was given during the process of requesting and installing the certificates, and there is no error when you look at the certificate - they all think they have the private key associated to them, even though it rather looks
    like they don't!
    It's a bit painful requesting certificates here, so any help in avoiding this would be appreciated!  Thank you

    Thank you Elke,
    So I copied the key files across from the server where they were all generated to the server I remotely connected to (which had no key files at all).  Copied all just to be sure, though I’m
    pretty sure which one actually relates to that server as I did them all in order - reflected by the time stamps.
    Ensured all the permissions were the same, and that they were marked as ‘system’ files.
    Ran the command
certutil -repairstore my [SerialNumber of cert]
    as you suggested, but no luck unfortunately.
    So firstly, I get the same error message:
    Cannot find the certificate and private key for decryption.
    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
    And then I get:
    CertUtil: Access denied.
    Not sure why the access denied, I am running elevated with full local and domain administration rights.
    Toby
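The trap in this thread is that the certificate's "You have the private key" message only reflects a key-provider property written onto the certificate; it does not prove the key file exists on that machine. The script below is an added example (not Toby's or Elke's code): for every certificate in LocalMachine\My it tries to actually open the private key through .NET, reports the key container name, and checks whether the corresponding file exists under C:\ProgramData\Microsoft\Crypto (the Keys folder for CNG keys, RSA\MachineKeys for legacy CSP keys). With `-ComputerName` it runs the same probe on each DC over WinRM. It is read-only and assumes .NET Framework 4.6 or later for GetRSAPrivateKey.

```powershell
# Added example, not from the thread: for every certificate in LocalMachine\My,
# check whether the private key can actually be opened rather than whether the
# certificate merely *claims* one (HasPrivateKey only reads a property set on the
# certificate). Runs locally or, with -ComputerName, on each DC over WinRM. Read-only.
function Test-MachineCertificateKeys {
    [CmdletBinding()]
    param([string[]]$ComputerName)

    $probe = {
        foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
            $keyName = $null; $keyOpens = $false; $err = $null
            try {
                # Throws (e.g. "Keyset does not exist") when the key file is not on this machine.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $keyName = $rsa.Key.UniqueName                              # file under ...\Crypto\Keys
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # file under ...\Crypto\RSA\MachineKeys
                }
                $keyOpens = ($null -ne $rsa)
            } catch { $err = $_.Exception.Message }

            $keyFile = $null
            if ($keyName) {
                $keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
                             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName") |
                           Where-Object { Test-Path $_ } | Select-Object -First 1
            }
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                ClaimsKey  = $cert.HasPrivateKey
                KeyOpens   = $keyOpens
                KeyFile    = $keyFile
                Error      = $err
            }
        }
    }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe }
    else               { & $probe }
}

# Usage: local DC only, or e.g. Test-MachineCertificateKeys -ComputerName 'DC1','DC2' across the fleet.
$report = Test-MachineCertificateKeys
$report | Format-Table Computer, Subject, ClaimsKey, KeyOpens, KeyFile -AutoSize
$report | Where-Object { $_.ClaimsKey -and -not $_.KeyOpens } | ForEach-Object {
    Write-Warning "$($_.Computer): $($_.Subject) claims a private key but it cannot be opened ($($_.Error)). The key was most likely generated on the machine the MMC console ran from."
}
```

A row with ClaimsKey true and KeyOpens false is exactly the state described above: the certificate object points at a key container that exists on the workstation where the MMC ran, not on the DC. Because the keys were generated non-exportable, the clean fix is to submit a fresh request from each DC itself (or from a session on that DC), which is also what keeps a DC's private key from ever leaving the DC.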

  • How does AGPM select a domain controller?

    Hi all,
    My apologies if this is common knowledge or available somewhere, can't seem to find it.
    Looking to understand how AGPM works.
    If I Import from... production, or Control a GPO.  Which domain controller does AGPM select from?  Does it behave like GPMC and use the PDC Emulator?  Does it pick from the site the AGPM server resides on?
    Same question when I Deploy a GPO.  Which domain controller does it deploy to?
    I ask this because when I edit a policy, I see a domain controller that certainly isn't PDC Emulator.  This makes sense given that we aren't editing a production GPO, just curious to see what's going on behind the scenes.  I'm assuming there isn't
    a way to say 'Deploy to this specific Domain Controller'.
    Also, going to bring this up in every AGPM post I make; where is the PowerShell support for AGPM?  Does it exist?  This is a very poor showing, and will be very limiting...
    Thanks!

AGPM operates alongside a Group Policy Central Store and thus the production location from which it can control policies or to which it can deploy policies is located in the Central Store in the SYSVOL folder on the server on which the AGPM Server is installed. See the Technical Overview of AGPM.
    Brandon
    MDOP on the Springboard Series on TechNet

  • I am replacing a Domain Controller (Windows 2003 Server) with a 2012 box. Can I have the Certificate authority exist in both locations during the process?

    Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully? Will it impact the users in any way or cause problems?

    > Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully?
No. You have to uninstall the CA role before you uninstall the Domain Controller role from the existing server.
    This is why it is not recommended to keep the CA role on domain controllers.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • Windows Domain Controller certificate for non domain clients

    Hi,
    Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
    Regards

    Hi,
    Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
Not sure what you want to achieve here.
    However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only
    meaningful to Domain Controllers. Possession of domain certificates doesn’t indicate machines are part of domain.
    Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Need to delete Transport system , which is not domain controller

I need to delete the transport system on a machine which is not the domain controller.
    Our domain controller system is not available now.
    How can I delete the transport system on my machine as the domain controller system is not available?
    Please let me know what I can do.
    Thanks,
    Asc

    Hi,
Log on to any system which is in your transport path in client 000. Then in STMS, go to Overview ---> Systems. Here you can find all the systems in your transport path. You can also find the domain controller which you have configured before.
    Now, go to Extras ----> Delete TMS Configuration.
    After deleting, log on to the system which you want to make the domain controller in client 000. When you execute STMS, it will now ask for a new STMS setup, which you might be aware of.
    If you need more guidance, let me know.
    Thanks,
    Sailesh K

  • Need advice in Recovering a domain controller

    Make sure a DCDIAG runs cleanly before you try to promote another DC.

You will need to do a metadata cleanup before you deploy a replacement DC:
    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
    http://social.technet.microsoft.com/wiki/contents/articles/3984.domain-controller-demotion-and-metad...
    I would give it a different name tbh, just in case you have any stale data in AD that the metadata cleanup didn't deal with.
