For some reason we had multiple Domain Controllers that refused any logon attempt in the last few weeks.
After taking a closer look at the event logs we found pages full of Kerberos errors. Somehow the machine account expired and wasn’t renewed, so the controller could no longer replicate and thus refused our logon attempts.
I tried to fix the Kerberos issue, but nothing I found was helping the situation. But how do I restore a Domain Controller I cannot log on to, without reinstalling the server?
After a quick search I found this: Microsoft Article KB332199, which had a useful subsection on the “If the domain controller cannot start in normal mode” issue.
First restart the Domain Controller in Directory Services Restore Mode (press F8 during boot) and open REGEDIT. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions and edit the value of ProductType from “LanmanNT” (the value a Domain Controller carries) to “ServerNT”. Check that it really reads “LanmanNT” before you touch it, and be careful to spell the new value correctly: a typo here can leave the server unbootable. With this value the server treats itself as a plain member server on the next boot, uses its local SAM instead of the directory, and you can log on with a local account.
Restart the system and log on with the local Administrator account, using the Directory Services Restore Mode (DSRM) password you set when the server was promoted. Open REGEDIT again and this time browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Find the “Src Root Domain Srv” value and delete it. This way the server will believe it is the last Domain Controller in the current domain, which is what lets DCPROMO finish without contacting a replication partner.
Start DCPROMO and create a new temporary domain. Yes, create. No need to delete anything yet. This will overwrite the Active Directory data stored on your local server with the fresh temporary forest. After it’s done, restart and run DCPROMO again. This time we shut down the temporary domain (it is the last Domain Controller in that forest) and remove all Domain Controller traces from the hard drive.
That’s it. All you need to do now is clean up the objects the original Domain Controller left behind in the directory, as described in KB216498 (metadata cleanup with ntdsutil, run on a healthy Domain Controller of the original domain, plus any stale DNS records), wait for the replication to finish, and run DCPROMO to add this server as a Domain Controller of your domain again. If the broken controller held any FSMO roles, deal with those on the surviving controllers before you re-promote it.
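The two registry edits above are easy to get wrong, so here is the same procedure as a PowerShell script. This is an added example, not code from the original post or from the Microsoft articles; the step names, the `-Step` parameter and the server DN passed to ntdsutil are this script's own assumptions, and it expects to run in an elevated shell. Steps 1 and 2 are run on the broken controller (step 1 in Directory Services Restore Mode, step 2 after the reboot as the local Administrator); step 3 is run on a working controller of the original domain after the temporary forest has been demoted.

```powershell
# Added example (not from the original post). Repairs a DC that cannot start in
# normal mode by following the registry steps from KB332199, with sanity checks,
# then runs the KB216498-style metadata cleanup from a healthy DC.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DemoteToMember', 'ClearSourceRoot', 'MetadataCleanup')]
    [string]$Step,

    # Only used by MetadataCleanup. Placeholder DN of the broken DC's server
    # object in the Configuration partition; replace with your own.
    [string]$ServerDN = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'
)

$productOptions = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
$ntdsParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

switch ($Step) {
    'DemoteToMember' {
        # Step 1: run in Directory Services Restore Mode.
        # Refuse to change anything unless the box really is a DC (LanmanNT);
        # writing a misspelled ProductType is the mistake the post warns about.
        $current = (Get-ItemProperty -Path $productOptions -Name ProductType).ProductType
        if ($current -ne 'LanmanNT') {
            throw "ProductType is '$current', expected 'LanmanNT' on a domain controller. Aborting."
        }
        # Export the key first so the change can be reverted with 'reg import'.
        $backup = Join-Path $env:SystemDrive 'ProductOptions.backup.reg'
        reg export 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions' $backup /y | Out-Null
        Set-ItemProperty -Path $productOptions -Name ProductType -Value 'ServerNT'
        Write-Host "ProductType set to ServerNT (backup at $backup)."
        Write-Host 'Reboot and log on as the local Administrator with the DSRM password.'
    }
    'ClearSourceRoot' {
        # Step 2: run after the reboot, logged on with the local Administrator account.
        # Deleting this value makes the server believe it is the last DC of the domain.
        $props = Get-ItemProperty -Path $ntdsParams
        if ($props.PSObject.Properties.Name -contains 'Src Root Domain Srv') {
            Remove-ItemProperty -Path $ntdsParams -Name 'Src Root Domain Srv'
            Write-Host "Removed 'Src Root Domain Srv'."
        } else {
            Write-Host "'Src Root Domain Srv' is not present; nothing to remove."
        }
        Write-Host 'Now run dcpromo to create a temporary forest, reboot, and run dcpromo again to demote it.'
    }
    'MetadataCleanup' {
        # Step 3: run on a healthy DC of the original domain, before re-promoting the
        # repaired server. Single-line ntdsutil form documented by Microsoft for
        # removing a server object that was never demoted cleanly.
        ntdsutil 'metadata cleanup' "remove selected server $ServerDN" quit quit
        Write-Host "Metadata cleanup issued for $ServerDN. Check DNS for stale records, wait for replication, then run dcpromo on the repaired server."
    }
}
```

Run it as `.\Repair-BrokenDC.ps1 -Step DemoteToMember` in DSRM, `-Step ClearSourceRoot` after the first reboot, and `-Step MetadataCleanup -ServerDN '<DN of the server object>'` on a surviving controller. The backup export in step 1 exists because the ProductType value decides how the whole logon subsystem behaves on boot; keeping a copy is cheaper than another trip into recovery mode.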