• Status: Solved
  • Priority: Medium
  • Security: Public

Trust between PDC and BDC?

Hi,
If you have two servers, one is the PDC and the other the BDC, and the original PDC machine has been reinstalled; the actual domain name is still the same.

How can you re-establish the trust between the two? Is it a case of setting the 2nd server up as a BDC again?
Asked by: Vype
1 Solution
 
Darylx commented:
If you've reinstalled the PDC, even if the domain name is the same, it's NOT the same domain. The old domain and new domain will have different Security Identifiers.

If you need to reinstall the PDC, you need to promote the BDC to a PDC, then reinstall the original PDC as a BDC in the same domain. You can then promote the new BDC (the original PDC) back to a PDC.
KCTS commented:
OK, first, you don't have a PDC and a BDC, since these died with Windows NT.
Before you removed the original server, did you transfer the FSMO roles to the other server?
Is the second server a Global Catalog server?
Where is your DNS?
When you re-installed the first server, did you add it back as a Domain Controller specifying "additional domain controller in existing domain"?
Darylx commented:
I've assumed this is an NT domain, but just noticed we're in the 2003 zone. Is this a Windows 2003 domain or an NT domain?

KCTS commented:
OK, assuming that you did not transfer the FSMO roles on to the second server:

First make sure the second server has DNS installed.

Make sure the second server is also a Global Catalog. Once Active Directory is installed, then to make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right-click on the new server, select Properties and tick the Global Catalog checkbox. (Global Catalog is essential for logon as it needs to be queried to establish Universal Group membership.)

Make sure all clients use the second server as their preferred DNS server.

You will now need to go to the second server and seize them: http://www.petri.co.il/seizing_fsmo_roles.htm

Get rid of the first server that you added again and get rid of all traces of it in AD by treating it as a failed Domain Controller: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Add the other machine back into the domain as a member server, then promote it to a DC with DCPROMO specifying "Additional Domain Controller in Existing Domain".

Transfer the FSMO roles back to the first server if desired: http://www.petri.co.il/transferring_fsmo_roles.htm
Vype (Author) commented:
Right, I didn't know about FSMO roles, so I didn't transfer them over. At the moment, the clients are using the first server as the domain controller, DNS, etc.

Would it just be easier to remove the domain controller from the second machine, rejoin the new domain and start again?
KCTS commented:
OK, so you have effectively created a new domain with the same name.
You need to remove the second DC from the (old) domain and then add it to the new domain, and make sure that you specify "Additional Domain Controller for an Existing Domain".
Vype (Author) commented:
Ah right, OK, I'll get onto that now and post the results. Thanks for all the help.
KCTS commented:
Just one point - did you remove the clients from the old domain and join them back to the new domain? You will need to do this - even though the old and new domains have the same name, they are different domains.
Vype (Author) commented:
KCTS, yes, I've done this. The clients have rejoined the domain. I've just tried to remove the other server as a domain controller and it wouldn't let me!

If I tick "the server is the last domain controller in the domain", I get:
"the operation failed because the domain controller is not the last domain controller in the domain, the server is unwilling to process the request"

If I don't tick the above, I get:
"a domain controller could not be contacted for the domain XXX that contained an account for this computer, make the computer a member of the domain or workgroup then rejoin the domain"

Any ideas?
KCTS commented:
Try dcpromo /forceremoval
KCTS commented:
If that does not work, remove it from the domain anyway and run the AD cleanup on the other DC, just to be sure: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Vype (Author) commented:
dcpromo /forceremoval seems to be working so far :--)
KCTS commented:
Fingers crossed :->
Vype (Author) commented:
Excellent, that works; backup DNS is now back up and running.

So just make sure that "Additional Domain Controller for an Existing Domain" is selected when installing the 2nd domain controller now?
KCTS commented:
Yep.

If you want to set up a second DC for redundancy then:

Install Windows 2003 on the new machine (if not already done).

Assign the new computer an IP address and subnet mask on the existing network.

Make sure that the preferred DNS server on the new machine points to the existing DNS server on the domain (normally the existing domain controller).

Join the new machine to the existing domain as a member server.

From the command line, promote the new machine to a domain controller with the DCPROMO command and select "Additional Domain Controller in an existing Domain".

Make sure DNS is installed on the new DC - just install DNS - it will replicate automatically.

Once Active Directory and DNS are installed, then to make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right-click on the new server, select Properties and tick the "Global Catalog" checkbox. (Global Catalog is essential for logon as it needs to be queried to establish Universal Group membership.)

Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

If you are using DHCP you should spread this across the domain controllers. In a simple single domain, DHCP redundancy is most easily achieved by setting up DHCP on the second Domain Controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller (e.g. have one DHCP server use a scope 192.168.1.50 to 192.168.1.150 and the other 192.168.1.151 to 192.168.1.251). Don't forget to set the default gateway (router) and DNS servers. You will need to activate the scope and authorise the new DHCP server.

Talking of DHCP clients, all the clients (and indeed the domain controllers themselves) need to have their Preferred DNS server set to one domain controller and the Alternate DNS to the other; that way, if one of the DNS servers fails, the clients will automatically use the other. (Set up forwarders on the DNS server to handle external name resolution.)

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function, for a while at least, should any one of them fail. However, for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO roles. There are five of these roles that are held on a single server and are essential for the functioning of the network. If the second Domain Controller fails, then no problem, as the FSMO roles are on the first Domain Controller. However, if you intend to function with the second Domain Controller only, then the roles need to be moved to the second Domain Controller. Ideally, if this is a planned event, you should cleanly transfer the FSMO roles; if it is an unplanned emergency the FSMO roles can be seized (see http://www.petri.co.il/transferring_fsmo_roles.htm or http://www.petri.co.il/seizing_fsmo_roles.htm or http://support.microsoft.com/kb/255504).
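Added example, not from the thread: a PowerShell health check for the end state that KCTS's procedures leave behind, covering both the recovery steps earlier in the thread (same domain name but a different domain SID, stale DC metadata) and the redundancy setup above (FSMO role holders, Global Catalog, preferred/alternate DNS). It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so not the 2003-era tools the thread uses), that both servers are reachable, and placeholder server names.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$dc1 = 'DC1.example.local'   # placeholder: the reinstalled first server
$dc2 = 'DC2.example.local'   # placeholder: the second server

# 1. Same domain name does not mean same domain: compare the domain SID each DC reports.
#    A mismatch is exactly the "new domain with the same name" situation in the thread.
$sid1 = (Get-ADDomain -Server $dc1).DomainSID.Value
$sid2 = (Get-ADDomain -Server $dc2).DomainSID.Value
if ($sid1 -ne $sid2) {
    Write-Warning "Domain SID differs ($sid1 vs $sid2): $dc2 still belongs to the old domain and must be force-removed and re-promoted."
} else {
    Write-Output "Both DCs report domain SID $sid1"
}

# 2. The five FSMO roles: three domain-level (Get-ADDomain), two forest-level (Get-ADForest).
$domain = Get-ADDomain -Server $dc1
$forest = Get-ADForest -Server $dc1
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 3. Every DC should be a Global Catalog (needed at logon for universal group membership).
$allDcs = Get-ADDomainController -Filter * -Server $dc1
$allDcs | Where-Object { -not $_.IsGlobalCatalog } |
    ForEach-Object { Write-Warning "$($_.HostName) is not a Global Catalog" }

# 4. Stale metadata: a DC object that no longer answers is the "failed DC" the cleanup link covers.
foreach ($dc in $allDcs) {
    if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
        Write-Warning "$($dc.HostName) is registered as a DC but unreachable; check for leftover metadata."
    }
}

# 5. DNS client order on this machine: preferred should be one DC, alternate the other.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses
```

On a 2003-era domain the same facts come from netdom query fsmo and dsquery server -isgc, which the thread's linked articles rely on.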
