Error ADSI

Question

Hi Everybody,

I had to do an AD restore on my main DC (Windows 2008 R2) , and after that I noted that when I open the property from ADSI edit of one RODC it appears a popup with the error attached:

I noticed that afterwhile it opens the attributes but it lacks of the distinguished name ("not set" and not editable).
Do you have any suggestion?

Answer 1

Restoring a domain controller is not recommended when there are multiple DCs. Better option is to seize roles (if necessary)
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

then perform cleanup
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

then rebuild the failed one.

--please don't forget to Accept as answer if the reply is helpful--

Answer 2

Now, I know :-) the problem was that the main DC lost all the accounts after an exchange removal, and then it replicates on the second one, so the only way for me to restore the situation was do a restore. And now I should manage the situation.

Answer 3

Hello @Tony C ,

Thank you for posting here.

To better understand your issue, please confirm the following information at your convenience:
1.Is your AD environment single forest with only one domain?

2.If your AD environment is single forest with only one domain, how many DCs are there in this domain? How many RODCs and RWDCs?

3.If your AD environment is not single forest with only one domain, how many domains do you have? How many DCs are there in each domain?

4.What is your forest functional level and domain functional level?

5.If you connect other DC in ADSI Edit, can you open the property from ADSI edit without any error message?

Please check if AD environment is healthy:

1.Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC.

2.Check if AD replication works properly by running commands below on PDC.

repadmin /showrepl
repadmin /replsum
repadmin /showrepl * /csv >c:\repsum.csv

3.Check if both SYSVOL folder and Netlogon folder are shared by running net share on each DC.

4.Check we can update gpupdate /force on each DC successfully.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 4

Any progress or updates?

--please don't forget to Accept as answer if the reply is helpful--

Answer 5

1.Is your AD environment single forest with only one domain?
yes

2.If your AD environment is single forest with only one domain, how many DCs are there in this domain? How many RODCs and RWDCs?
2 DC RW 1 DC RO

3.If your AD environment is not single forest with only one domain, how many domains do you have? How many DCs are there in each domain?
NA

4.What is your forest functional level and domain functional level?
2008R2

5.If you connect other DC in ADSI Edit, can you open the property from ADSI edit without any error message?
yes, the error at the moment is present only on the domain controller that had the problem and that has all the fsmo roles

1.Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC.
Here I think I found the problem: on the rodc the Kdc service is not started and when I try to start I have an error 1450 that pointed me to the fact that the krbtgt_##### account for the RODC was removed. I'm trying to refer to this link

I restored the account on the RW DC but cannot replicate on the Ro since I receive the error:
Server Error: 00002095: SvcErr: DSID-03211156, problem 5012 (DIR_ERROR), data 87

LDAP error 1 (Operations Error) Win32 Err 110.