Kinit errors after AD DC restore

UCS - Univention Corporate Server
#1

Hi,
We had an issue with our Active Directory Domain Controller, an old Windows 2008 R2, so we had to restore it from a full VM backup.
That most recent and decent backup was almost one month ago, and after restoring it, our UCS 5.0.3 gives us all the time the usual kinit error message:

univention.connector.ad.kerberosAuthenticationFailed: The following command failed: “kinit --no-addresses --password-file=/tmp/tmpxw5m1tuecmspr01$” (1): kinit: password incorrect

We tried the old trick of checking /etc/machine.secrets.old and /etc/machine.secrets, but there is no password that gives us something different than “Password incorrect”. This worked some time ago, when the UCS server started to give us some errors like this one, with the difference of not being based on a restored AD DC server.
Is there any way to restore this with some command, or something like this? I already tried the Set-ADAccountPassword, but being 2008 R2, the command is not present on that version of Windows when using PowerShell.
Thanks a lot in advance, and best regards!
HeCSa.

#2

Well, I think I found some solution, let’s see if this works ok or not.
Just got the new password from /etc/machine.secret, and then opening the Active Directory module for PowerShell, and executing the following, the system started to work again:

Set-ADAccountPassword 'CN=UCS_HOSTNAME,CN=Computers,DC=EXAMPLE,DC=LOCAL' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "EXTRACT_FROM_MACHINESECRET" -Force)

I still see some unsync’ed records, but let’s see that everything is working.
Thanks, and best regards.

Mastodon