
A funny question

Status
Not open for further replies.

getndz

IS-IT--Management
Jul 25, 2007
162
CH
Hello,

We have installed a new win2003 server as DC, DNS server, correct TCP/IP and so on.
Shipped to Dubai.
The server has been in Dubai for 6 months and has not been connected to the main office (domain) in Europe.
Now we will connect this SRV, but someone has said that we have to reinstall the server because if a server stays standalone for a long time it cannot be joined to a domain.
It loses the trust or something like that.
I find it very funny and cannot believe it......
Can someone confirm the joke?

regards
getndz
 
Is the server in Dubai a DC for its own domain, or a DC for a larger domain? If it's for a larger domain, then it may very well not connect due to Kerberos issues. If your AD has changed in the past six months, then you may very well have issues.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
They are incorrect. A standalone server can be joined to a domain at any time without issues.

However, if a server has been joined to the domain then disconnected, you can get problems with secure channel password expiry. If memory serves, the default period is 30 days and the account would be disabled after 60 days, i.e. the DC would make 2 attempts to change the password.

To fix, you could then either disjoin and rejoin the server or reset the secure channel.

But for your situation there shouldn't be a problem at all.

Neill
 
I agree with ntinlin, if this server was set up as a DC and has been disconnected for a period of more than 30 days then yes, the secure channel will no longer be working.
If it is configured as a DC already, I would try using the netdom command to re-initialize the secure channel; otherwise, if it is just a domain member at this point, remove it and re-add it to the domain.
 
My apologies, didn't read the initial question thoroughly enough to note that it had actually already been installed as a DC.

Neill
 
Thanks to all!!!

A question: how can I reset the secure channel?
Is it possible to log on locally and reset it?

regards
getndz
 
I think the period has been extended from 30 (60?) days to 180 days when installing 2003SP2 from scratch. Upgrading to it lets it stay at the old default.
 
Uh..yeah, like I said...if it's a DC from a larger domain that it hasn't "seen" in six months, then you're going to have issues.

Check out example 17 from this page, it may be your best shot to get it to work remotely.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Definitely will be a drama, as the DC will refuse to work due to the time expiry. I can't think of the figure off the top of my head, but there's a hard-set time limit after which the DC will not replicate, to avoid issues with tombstoned objects etc., which you cannot get around.

As a general rule of thumb for remote DCs that won't be able to replicate in less than 2 weeks from promotion to shipping to the desired location, do an AD backup to a file on the DC in question and do a dcpromo with the adv option and use the backup to install ntds. This way only the changes since the backup will need to be replicated over the WAN link.
 