net ads leave weird errors due to replication not having occurred ...

Richard Sharpe realrichardsharpe at gmail.com
Mon Mar 4 13:56:33 MST 2013


Hi folks,

We have seen a number of bugs in leaving a domain that seem related to
replication not having occurred when we try to leave the domain. This
will mostly occur in domains where there are multiple DCs if someone
does a net ads join and then a net ads leave for the same member
server before replication happens (defaults to once per hour, it
seems).

We have seen cases where net ads leave:

1. fails to find the computer account because it looked on the wrong DC

2. gets errors like KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN on a subsequent
authentication attempt after the first.

It would seem that we should:

1. Use the same KDC that we authenticated against in the first case.

2. If the first DC we contact does not know of the Machine Account, we
should grab the FSMO PDC role and contact that DC.

-- 
Regards,
Richard Sharpe
(How does one dispel sorrow? Only with Dukang wine. -- Cao Cao)
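A preflight check for the replication race described above, added here as an example and not part of the original message or of Samba: it polls each DC until the machine account is visible on all of them before `net ads leave` is run. The `lookup_account_on_dc` wrapper around `net ads search -S` is an assumed helper (it expects a valid Kerberos ticket), and the lookup function is passed by name so the retry logic can be exercised without a live domain.

```shell
#!/bin/sh
# Assumed helper: succeeds (exit 0) if DC $1 already knows the account $2.
# Queries that specific DC with Samba's `net ads search -S`, so a lagging
# replica answers for itself instead of whichever DC DNS happens to pick.
lookup_account_on_dc() {
    dc=$1; account=$2
    net ads search -S "$dc" "(sAMAccountName=$account)" dn 2>/dev/null \
        | grep -q '^dn:'
}

# Returns 0 once every DC in $2 (space-separated) knows account $1.
# Retries up to $3 times, sleeping $4 seconds between rounds; $5 names the
# lookup function (defaults to lookup_account_on_dc). Returns 1 on timeout.
wait_for_account_everywhere() {
    account=$1; dcs=$2; tries=${3:-12}; delay=${4:-5}
    lookup=${5:-lookup_account_on_dc}
    i=0
    while [ "$i" -lt "$tries" ]; do
        missing=""
        for dc in $dcs; do
            "$lookup" "$dc" "$account" || missing="$missing $dc"
        done
        [ -z "$missing" ] && return 0
        echo "account $account not yet replicated to:$missing" >&2
        i=$((i + 1))
        [ "$i" -lt "$tries" ] && sleep "$delay"
    done
    return 1
}

# Usage (constructed names): only leave once all DCs agree the account exists.
# wait_for_account_everywhere 'MEMBER$' "dc1.example.com dc2.example.com" \
#     && net ads leave -U Administrator
```

If the check times out, the join has not yet replicated and `net ads leave` would be talking to a DC that has no computer account to remove.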