Hello everyone!
To give you guys a general idea, this was what has happened:
I have 2 DCs on Server 2008 R2 running Active Directory. DC1 is my primary domain controller which holds all the FSMO roles. DC2 is my backup domain controller which also runs MDT and WSUS.
Now, DC2 crashed during the weekend and could not boot normally, so I decided to restore the server from my previous good backup image, because I didn't want to lose all my MDT configurations, images, etc.
I now think that this was my mistake. I have read that a domain controller shouldn't be recovered using a complete system image because that could leave Active Directory in an inconsistent state. Well, unfortunately that is exactly what happened.
My DC1 is OK and Active Directory seems to be running normally. My DC2 is up and running again, but AD is not receiving replications from DC1. DC1 shows replication errors in the AD events, and the System event log also shows "Security-Kerberos" errors from DC2, which point to some changes that I didn't make. Here's that system error (I have removed my server names for obvious reasons):
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc2$. The target name used was "...". This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (...) is different from the client domain (..), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Can I restore my AD replication on my backup domain controller DC2 without reinstalling the server?
Thanks in advance.
Regards,
JPN
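The symptom described in this post (a DC restored from a full image, followed by KRB_AP_ERR_MODIFIED from that DC and stalled inbound replication) is usually diagnosed before anything is repaired. The script below is an added example, not part of the original post or of any Microsoft tooling; it is a read-only check run on the restored DC (DC2 in the post) that gathers the three facts a practitioner wants first: whether the DC has flagged itself as non-writable after the restore (the "DSA Not Writable" NTDS registry value and Directory Service event 2095 both indicate a USN rollback), whether the machine account password that DC2 holds locally still matches what the KDC on DC1 has (the password mismatch the quoted Kerberos message names), and what the replication partners currently report. The names DC1, DC2 and the domain FQDN are assumed from the post; adjust them before use.

```powershell
# Added diagnostic example (not from the original post).
# Run elevated on the restored DC (DC2). Read-only: it changes nothing.
# Assumed names from the post; replace with your own.
$RestoredDc = 'DC2'
$HealthyDc  = 'DC1'
$Domain     = 'corp.example'   # placeholder domain FQDN

Import-Module ActiveDirectory

Write-Host "== 1. USN rollback indicators on $RestoredDc =="
# When AD detects that a DC was rolled back from an image, it writes
# 'DSA Not Writable' = 4 under NTDS\Parameters and logs event 2095.
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.PSObject.Properties['DSA Not Writable']) {
    Write-Host "DSA Not Writable = $($ntds.'DSA Not Writable')  (4 = USN rollback detected)"
} else {
    Write-Host 'DSA Not Writable value absent (no rollback flag set)'
}
$rollbackEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($rollbackEvents) {
    Write-Host "Event 2095 (USN rollback) seen, most recent: $($rollbackEvents[0].TimeCreated)"
} else {
    Write-Host 'No event 2095 in the Directory Service log'
}

Write-Host "`n== 2. Machine account password view from each DC =="
# The KRB_AP_ERR_MODIFIED text says the KDC and the service may hold
# different passwords. Compare pwdLastSet for DC2$ as stored on each DC:
# a restored image rewinds DC2's own copy, so the two timestamps diverge.
foreach ($server in @($RestoredDc, $HealthyDc)) {
    $acct = Get-ADComputer -Identity $RestoredDc -Server $server -Properties pwdLastSet
    $when = [DateTime]::FromFileTime($acct.pwdLastSet)
    Write-Host ("{0,-6} says {1}$ password last set: {2:u}" -f $server, $RestoredDc, $when)
}
# Secure-channel check of DC2 against the domain; a failure here matches
# the Kerberos error in the post (the local secret no longer verifies).
Write-Host "`nnltest /sc_verify:$Domain"
nltest /sc_verify:$Domain

Write-Host "`n== 3. Replication state as reported by both DCs =="
# Inbound replication errors are what DC1 is logging; /errorsonly keeps
# the output short. Run for both sides so the direction of failure is clear.
foreach ($server in @($RestoredDc, $HealthyDc)) {
    Write-Host "--- repadmin /showrepl $server /errorsonly ---"
    repadmin /showrepl $server /errorsonly
}
```

Read the output in order: a rollback flag or event 2095 confirms that the image restore rewound the directory and that AD has quarantined DC2 from replicating, and diverging pwdLastSet values plus a failing sc_verify explain the KRB_AP_ERR_MODIFIED entries on DC1. What to do next (resetting the secure channel versus demoting, cleaning up metadata and re-promoting DC2) depends on those findings, and nothing in this script makes that change for you.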