Cleaning up after demoting old DC

active-directory, domain-controller

I recently added a new Server 2012 DC and took the previous 2003 DC offline. The Server 2012 DC is now the only DC on the network. I also added an alias (CNAME) so that the new server can be accessed with the old server's DNS name.

I am now seeing an error and several warnings in the event log which I suspect are related to some "leftovers" or otherwise configuration that attempts to sync to the old server. One of these events are:
[Error] Kerberos Event ID 4 – The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server new-srvr$. The target name used was cifs/old-srvr.

I was hoping someone could shed some more light on this with a possible resolution.

UPDATE: Adding some more detail

I did demote the 2003 DC using dcpromo before taking it offline. I did have to use the force option though because I was getting an error related to DomainDnsZones and fSMORoleOwner. Not sure why because I did verify all 5 of these roles have transferred ownership to the new server:

Schema Master
Domain naming master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator

I followed the guide here.

Second, the reason I added the CNAME is for SMB and not domain-related. I wanted clients to be able to continue to use \\old-server and so I followed the instructions here.

I wonder if perhaps this is a "dangerous" practice for DCs and cannot / should not be done.

Best Answer

"I also added an alias (CNAME) so that the new server can be accessed with the old server's DNS name."

Nice try, but the KRB_AP_ERR_MODIFIED error is Kerberos's way of telling you to $#@! off because the names don't match. All host names, DNS A records, and SPNs must match. CNAME/alias records cannot be used in this situation.

(To be more specific, clients construct SPNs for Kerberos using the DNS name of the computer that is hosting the service that the client wishes to connect to. If that SPN is not registered on the computer object in AD, which it won't be, because the new DC has a different name than the old DC, Kerberos won't work.)

You need to perform metadata cleanup of the old DC.

https://technet.microsoft.com/en-us/library/Cc816907(v=WS.10).aspx

Scroll down toward the bottom of the article where it explains how to use ntdsutil to perform metadata cleanup.

Delete that CNAME. Delete extant DNS records that refer to the old server. That includes A records, SRV records, PTR records, etc.

Check each and every domain member and ensure that they are using the IP address of the new domain controller as their only DNS resolver.
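The accepted answer lists four kinds of leftovers to hunt down (FSMO ownership, the old DC's server/NTDS objects, SPNs and DNS records that still carry the old name) and the Kerberos event that results when they are missed. The following PowerShell audit is an added example, not code from the question or the answer; it assumes it is run elevated on the remaining Server 2012 DC with the ActiveDirectory and DnsServer modules present, and `$OldDc` / `$NewDc` are placeholders for the names used in the question.

```powershell
# Added example, not part of the original question or answer: audit the remaining DC
# for the leftovers the accepted answer lists (FSMO owners, stale server/NTDS objects,
# SPNs and DNS records still carrying the old name, recent Kerberos event ID 4).
# Assumptions: run elevated on the Server 2012 DC with the ActiveDirectory and DnsServer
# modules available; $OldDc / $NewDc are placeholders for the names in the question.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc = 'old-srvr'   # placeholder: the demoted 2003 DC
$NewDc = 'new-srvr'   # placeholder: the remaining 2012 DC

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. All five FSMO roles should name the remaining DC.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
}
foreach ($role in $fsmo.Keys) {
    $owner = $fsmo[$role]
    if ($owner -notmatch "^$NewDc\.") { Write-Warning "$role is held by '$owner', not by $NewDc" }
    else { Write-Host "$role : $owner" }
}

# 2. Stale server / NTDS Settings objects in the Configuration partition.
#    These are what ntdsutil's "metadata cleanup" removes; on Server 2008 and later,
#    deleting the server object in AD Sites and Services performs the same cleanup.
$configNC = (Get-ADRootDSE).configurationNamingContext
$staleServers = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(name=$OldDc))"
foreach ($srv in $staleServers) {
    Write-Warning "Stale server object: $($srv.DistinguishedName)"
    Get-ADObject -SearchBase $srv.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object { Write-Warning "  NTDS Settings still present: $($_.DistinguishedName)" }
}
if (-not $staleServers) { Write-Host "No server object named $OldDc under CN=Sites (metadata cleanup done)" }

# 3. SPNs: a client that resolves old-srvr (via the CNAME) asks the KDC for cifs/old-srvr.
#    If no account holds that SPN, or an account other than the one answering holds it,
#    the client logs KRB_AP_ERR_MODIFIED (Kerberos event ID 4).
$spnPattern = "/$OldDc(\.|:|$)"
Get-ADObject -LDAPFilter "(servicePrincipalName=*/$OldDc*)" -Properties servicePrincipalName |
    ForEach-Object {
        $hits = @($_.servicePrincipalName | Where-Object { $_ -match $spnPattern })
        if ($hits) { Write-Warning "$($_.Name) still holds SPNs for ${OldDc}: $($hits -join ', ')" }
    }

# 4. DNS: every record that is named after the old DC or points at it
#    (the added CNAME, stale A/PTR records, SRV records under _msdcs, NS records).
$dnsHits = foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName) {
        $target = switch ($rec.RecordType) {
            'CNAME' { $rec.RecordData.HostNameAlias }
            'SRV'   { $rec.RecordData.DomainName }
            'NS'    { $rec.RecordData.NameServer }
            'PTR'   { $rec.RecordData.PtrDomainName }
            default { $null }
        }
        if ($rec.HostName -match "^$OldDc$" -or ($target -and $target -match "^$OldDc\.")) {
            [pscustomobject]@{ Zone = $zone.ZoneName; Name = $rec.HostName; Type = $rec.RecordType; Target = $target }
        }
    }
}
if ($dnsHits) { $dnsHits | Format-Table -AutoSize } else { Write-Host "No DNS records reference $OldDc" }

# 5. Recent Kerberos event ID 4 entries on this host (the symptom from the question).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The script only reports; removing the CNAME, the stale A/SRV/PTR records and the server object is left as a deliberate manual step, since each hit should be confirmed against the TechNet article linked in the answer before it is deleted. Run it again after the cleanup and after clients have been repointed at the new DC as their sole DNS resolver: the SPN and DNS sections should come back empty, and section 5 should stop accumulating new entries.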
