Albert Widjaja

asked on
Workstations lost their trust relationship with the AD domain after the only DC/GC in the AD site was demoted, even though there are multiple other DC/GCs in the Data Center?

People,

At the moment I'm in an emergency break after doing a simple AD Domain Controller demotion that has gone beyond my understanding.

Data Center AD Site:
2x Win 2008 R2 DC/GC

Head Office AD Site:
1x Win 2012 R2 DC/GC

Problem Site Office AD Site:
1x Win 2012 R2 DC/GC which is also running as AD-Integrated DNS & DHCP

What I did this morning was the completely harmless task of force-demoting the Windows Server 2012 R2 DC that could no longer replicate to any other AD site.

Steps taken:
1. Change the DHCP scope DNS to point to Primary: Data Center DC/GC IP; Secondary: itself, where it is no longer functioning as AD-integrated DNS since there is no forward lookup zone for Domain.com.
2. Reduce the DHCP scope lease to 6 hours, and wait from yesterday morning until today.
3. Force demote the AD role.
4. Reboot.
5. Manually go to the AD Users & Computers console to perform metadata cleanup (right-click, Delete), followed by manually searching the DNS containers for any name of the DC server that has been demoted.
6. Wait 30 minutes, then... the problems start to happen one by one.

The next steps are to be taken next week, because I cannot do it myself due to the large number of user complaints bombarding me:
1. Promote as AD domain controller.
2. Configure AD-Integrated (is it necessary?).
3. Change the DHCP scope lease back to 8 days.
4. Change the DHCP scope DNS to itself and one DNS server in the Data Center AD site.


Now the problem is:
One by one, workstations in the Problem Site office lose their trust relationship with the AD domain. Therefore the fix was to:
1. Leave the domain, reboot.
2. Rename the computer, reboot.
3. Join the AD domain, reboot.
4. Change the name back to the previous name, reboot.
5. The user can now log in to their previous desktop.

There are 89 workstations in the problem site office, and now I'm stuck having to manually perform the 4 steps above one by one for the entire office.

What could have gone wrong in my steps above?
I can make sure that all of the computers that have a DHCP-assigned IP, and also the static ones, can ping the DNS server in the Data Center, but somehow this problem arose.

Any help would be greatly appreciated.

Thanks very muchly.
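The leave/rename/rejoin sequence described above works by getting a fresh computer account password; the same can be done in place with Test-ComputerSecureChannel, which keeps the computer object, SID and user profiles. This is an added PowerShell example, not code from the thread or from any of its participants; the DC name, domain account and log path are placeholders, and it assumes you run it elevated on the affected workstation.

```powershell
# Added example, not from this thread. Run in an elevated PowerShell session on an
# affected workstation. Log on with a LOCAL administrator account first: a domain logon
# may itself fail while the secure channel is broken. All names below are placeholders.
$HealthyDc = 'dc01.domain.com'                # a DC/GC in the Data Center that replicates normally
$LogFile   = 'C:\Temp\secure-channel.log'     # local log; point it at a share to collect results centrally
$Domain    = (Get-CimInstance Win32_ComputerSystem).Domain

# A domain account permitted to reset the computer account password (for example a member
# of Domain Admins, or an account delegated "Reset password" on the workstation OU).
$Cred = Get-Credential -Message "Domain account for $Domain"

# Step 1: test the secure channel against the healthy DC explicitly, not against whichever
# DC the workstation happens to locate (it may still be looking for the demoted server).
$before = Test-ComputerSecureChannel -Server $HealthyDc
$action = 'not-needed'

if (-not $before) {
    # Step 2: reset the machine account password on the healthy DC and rebuild the channel.
    # Unlike leave/rename/rejoin, the computer object, SID and user profiles are kept,
    # so users get their existing desktop back without a new profile.
    $ok = Test-ComputerSecureChannel -Repair -Server $HealthyDc -Credential $Cred
    $action = if ($ok) { 'repaired' } else { 'repair-failed' }
}

# Step 3: confirm with nltest (ships with Windows) as an independent check. Exit code 0
# means a secure channel to a DC of the domain is established; anything else needs attention.
$after = Test-ComputerSecureChannel -Server $HealthyDc
nltest "/sc_verify:$Domain" | Out-Null
$nltestOk = ($LASTEXITCODE -eq 0)

# One line per workstation so the 89 results can be reviewed centrally.
$line = '{0}  {1}  before={2}  action={3}  after={4}  nltest_ok={5}  dc={6}' -f `
    (Get-Date -Format 's'), $env:COMPUTERNAME, $before, $action, $after, $nltestOk, $HealthyDc
Add-Content -Path $LogFile -Value $line
Write-Output $line
```

If the repair fails, the log line shows which DC was used and whether the channel was already broken beforehand, which is the information worth keeping before falling back to the manual rejoin.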
ASKER (Albert Widjaja):
Note: one thing that I always keep the same is the name & IP of the server before and after the demotion.

Now the computer is just a member server running DHCP, File Server and Print Server.
ASKER CERTIFIED SOLUTION (arnold)

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
OK, so what else do I need to do tomorrow when I promote this server as the same Domain Controller?
Are there any caveats or special steps that I need to be aware of?
SOLUTION
SOLUTION
SOLUTION
SOLUTION
Guys, this is just a normal single-forest domain, so there is no other child domain in this setup.
SOLUTION