    I was called to a client location today to help deal with an AD problem.

    The customer has "taken a few classes" over the years and was having some issues with his environment.

    A little background on the environment.

    He has one central location and 10 remote sites. The sites have anywhere from 10 to 40 users. His total headcount is about 200 users.

    He has a domain controller and file server in each remote location.

    He recently moved his main office and had his T1s all relocated, etc.

    9 of the sites are fine, one site is a mess.

    He was having some errors in his event logs and decided that he needed to tweak DNS to make things well.


    In the process, he started poking around in the _msdcs, _sites, _dc folders and started deleting information and "adjusting" things to fit that role.

    At some point he decided that it was time to demote the DC in that site and promote it to fix it.

    He got RPC errors when he tried to demote it so he finally brought the machine back to the main office to demote and promote.

    He ended up blowing the machine away and creating a new one of the same name. No idea how much of his AD was scrubbed, as ntdsutil was a new word to him.

    I spent a few hours there today running dcdiag and netdiag on the domain and got errors about DCs not answering, DCs being resolved to IP addresses but not being pingable (they are), RPC errors, angry things in the event log, etc.

    My final thought on it is that his DNS is so hosed up from him messing around in the system folders that, at the very least, that site is toast, and who knows how much of his other AD environment.

    So the question is this (and I think I know the answer is "no" but going to ask anyway).

    Can DNS be repaired and rebuilt from scratch?

    Would it be worth it to whack that site from AD and rebuild that site from scratch? I would like to avoid rebuilding his entire domain, but I am concerned that's where it will be going.


    DNS is very simple to rebuild.

    1. Point all DCs to a single central DNS server
    2. Restart netlogon on all DCs
    3. Wait for replication
    4. Point DCs to themselves for DNS

    Just make sure to metadata cleanup the one DC he fubared.
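The four-step rebuild and the metadata cleanup check above, written out as an added PowerShell example (not from this thread or any poster). It assumes Windows Server 2012 or later DCs with the ActiveDirectory and DnsClient modules, a NIC alias of "Ethernet" on every DC, and the hypothetical values corp.example for the domain and 10.0.0.10 for the central DC; the server DN in the cleanup hint is a placeholder to be read from the real environment.

```powershell
# Added example, not from the thread. Hypothetical values: domain corp.example,
# central DC/DNS at 10.0.0.10, NIC alias "Ethernet" on every DC, Server 2012+ DCs
# with the ActiveDirectory and DnsClient modules available.
$Domain    = 'corp.example'
$CentralDc = '10.0.0.10'
$Nic       = 'Ethernet'
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address

# Step 1: every DC uses the single central DNS server.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $Nic, $CentralDc -ScriptBlock {
        param($Nic, $Server)
        Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Server
    }
}

# Step 2: restart Netlogon so each DC re-registers its locator (SRV) records.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Restart-Service Netlogon
        nltest /dsregdns | Out-Null
    }
}

# Step 3: force replication, then poll (up to 15 min) until every DC's SRV record is
# visible on the central server; DCs still missing afterwards are the stale ones.
repadmin /syncall /AdeP | Out-Null
$srv = "_ldap._tcp.dc._msdcs.$Domain"
for ($i = 0; $i -lt 15; $i++) {
    $found = Resolve-DnsName -Name $srv -Type SRV -Server $CentralDc -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    $missing = @($dcs | Where-Object { $found -notcontains $_.HostName.ToLower() })
    if ($missing.Count -eq 0) { break }
    Start-Sleep -Seconds 60
}
if ($missing.Count -gt 0) {
    # A DC that never registers is the one to remove with metadata cleanup (placeholder DN).
    Write-Warning ("No SRV record for: " + ($missing.HostName -join ', ') +
        " - run: ntdsutil 'metadata cleanup' 'remove selected server <server DN>' quit quit")
}

# Step 4: each DC points to itself first, with the central DC as secondary.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $Nic, $dc.IPv4Address, $CentralDc -ScriptBlock {
        param($Nic, $Self, $Central)
        Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($Self, $Central)
    }
}

# Final check: DNS-focused dcdiag across the enterprise.
dcdiag /test:DNS /e
```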


      I would recommend to him that he puts in more than 1 DC in each site if at all possible. I would also be tempted to put the central site DC as the primary for all DCs and themselves as secondary, as your link speed is OK (assuming it isn't saturated normally).

      As Meekrobe states restarting netlogon will recreate the records if they are missing. I would also have a look at the DCDiag and NetDiag tools to see if there is anything else showing up (link in Misc sticky).

