Domain Controller in Unusable State

About 2 months ago we utilized VMware to perform a P2V of one of our Domain Controllers. Last week we were trying to make some Group Policy changes and we noticed lots of errors on our DCs. We have Mission Critical support on the Dell servers that are running ESX, which also allows us to obtain support on all applications running on these servers. We called them to get assistance resolving some of these errors and they were able to get one of the replication errors cleared up. There are still numerous errors though, and the technician told us that it is never good to perform a P2V on a DC, contrary to what our consultants said. He said it would be simpler to correct these issues by doing the following:

1. Transfer the FSMO roles off of the DC with issues to our other DC.
2. Demote the DC with issues and then disjoin it from the Domain.
3. Bring up a new virtual server, promote it to a DC, and then transfer the FSMO roles back.

After looking into this, I noticed there are some additional factors that are coming into play. I thought before spending the time to open a support call with Microsoft, I would reach out to the EE community first for guidance, which might save me a lot of phone time and money. Below are my concerns:

1. The DC that is having problems is only performing the FSMO roles of "Schema Owner" and "Domain Role Owner". We only have 1 other DC in our environment. Is there an issue having all FSMO roles on the 1 DC for a short period of time? What other issues might I experience moving the FSMO roles over to the good DC?
2. The DC that is having issues is also the Global Catalog server. What exactly does this mean and what is the process of making the other DC the global catalog server?
3. The DC that is having problems also serves as our secondary DNS server. What is the process for shutting down the DNS function on it properly and then making the new virtual server the secondary DNS server?
4. Once we have all the roles and functions moved off the server with issues, what is the proper procedure to demote it and clean it up from our Domain?
5. After bringing the new virtual server up, what are the tricks to migrating all the roles the old one was previously handling to this new server?
6. We would like to give the new virtual server DC the same IP address as the old DC because all of our servers have it hard-coded as their secondary DNS server. Will we experience any issues giving the new DC the same IP as the old one? Does it need to have the same name as the old one or can it have a different name?

I know this question should probably be worth 1,000,000 points but I will greatly appreciate any feedback I get.

John David Lambert, Neptune IT asked:

1. No problem having all the FSMO roles on 1 server.
2. Adding a Global Catalog is easy. In AD Sites and Services expand the DC you want to add it on > NTDS Settings > right click > Properties > check Global Catalog.

You should have at least 2 global catalogs normally.

3. DNS isn't a big issue. When you demote, DNS will just function off your primary. The exception might be Exchange. Exchange might not roll over, so make sure it's not the primary DNS on your Exchange server. Just don't leave the network with 1 DNS server forever.

4. DCPromo is what you want to use to remove it.

5. You should know how to do this from transferring the roles the first time. Link below should be useful for understanding FSMO.

6. Name shouldn't matter. It will have a new identifier in Active Directory. Just make sure your AD replication took place successfully and you can reuse the IP address.


In case your consultant left this stuff out too

1) Don't use the suspend option on VMware for AD Domain Controllers.
2) Don't use snapshots; it will mess up the USNs.

Neptune IT (Author) commented:
Some additional questions about your reply:

1. We only have 1 DC running as the Global Catalog. We think the information on the GC may be corrupt. Currently we cannot authenticate to our Exchange POP3 server, and from some research we think POP3 uses the GC to authenticate. If we turn on our good DC as a GC server, will it replicate invalid information from the bad DC or will it create this information anew?

2. How do we determine what DNS server our Exchange environment is using? If it is using the bad DNS server, how do we change it?

3. As for the VMware, what actually is the suspend option?

Thanks for all your assistance.
John David Lambert

1. I've never heard of the GC actually being corrupt, so I'm not sure. Exchange does depend on the GC for sure though. If you really had a corruption you would have to restore from backup, I believe. Not sure how long ago your P2V was, but I think you only get 60 days on tombstone, so that might not even be an option.

I would probably just add the GC and see if it works.  

2. Exchange server will use whatever the primary DNS assigned to the network card is.

3. VMware suspend is like pausing a VCR. The problem with this is Active Directory can change via other servers while you're in the 'paused' state, and it causes issues.
Brett Danney (IT Architect) commented:
Just some advice. I was told by Microsoft that the primary DC, the one holding the FSMO roles and schema, will not be supported by them if it is a virtual machine. I am running three DCs as virtual machines with another DC loaded on a physical server in order to satisfy this. I have had no issues with running the VM DCs, which are DCs, DNS servers and global catalogue servers. Transferring the roles from the VM to a physical server is really simple and will not cause any hassles. You can use the Manage Your Server wizard found in Administrative Tools to demote the DC; if this wizard runs through correctly without errors you will not need to do any additional AD cleanup.
Neptune IT (Author) commented:
We've turned on our good DC as a Global Catalog server but before we demote the DC having issues, how do we determine if the DC that we made a Global Catalog server is actually taking on the role as one?  We can't seem to find where to determine this.
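The checks discussed across this thread (which DC holds each FSMO role, whether the new DC is actually advertising as a Global Catalog, which DNS servers a server's NIC is pointed at, and whether replication is clean before the old DC is demoted and its IP reused) can be run from one script. This is an added example, not code from any of the posters; it assumes Windows Server 2008 R2 or later with the RSAT ActiveDirectory module, run on a DC as a domain admin.

```powershell
# Added example: post-migration health checks for the steps discussed above.
# Assumes the ActiveDirectory module is installed; run on a DC as a domain admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Which DC holds each FSMO role. All five on one DC is fine short-term;
#    what matters is that every role resolves to a reachable, healthy DC.
"FSMO role holders:"
"  Schema master:         $($forest.SchemaMaster)"
"  Domain naming master:  $($forest.DomainNamingMaster)"
"  PDC emulator:          $($domain.PDCEmulator)"
"  RID master:            $($domain.RIDMaster)"
"  Infrastructure master: $($domain.InfrastructureMaster)"

# 2. Which DCs are flagged as Global Catalogs in the directory. Ticking the box
#    in Sites and Services only requests promotion; the DC is a usable GC once
#    it has built the read-only partitions and advertises itself as one.
"Global Catalog servers (flag in AD):"
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    ForEach-Object { "  $($_.HostName)" }

# Locator check: the DC locator only returns DCs that actually advertise as GC,
# so this is the answer to "is the new GC really taking on the role".
"GC as seen by the DC locator:"
$gcArg = "/dsgetdc:" + $domain.DNSRoot
nltest $gcArg /gc

# dcdiag's Advertising test reports per DC whether it advertises as a GC.
dcdiag /test:advertising

# 3. DNS servers configured on this machine's NICs. Per the reply above,
#    Exchange uses whatever the primary entry on the network card is, so run
#    this on the Exchange server to see whether it still points at the bad DC.
"DNS servers on local NICs:"
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object { "  $($_.Description): $($_.DNSServerSearchOrder -join ', ')" }

# 4. Replication state. Demote the old DC and reuse its IP only once this
#    shows no failures; the GC will otherwise be built from stale data.
"Replication summary:"
repadmin /replsummary
```

Run the script on the new GC first and on the Exchange server afterwards; a GC that appears under step 2 but not in the nltest output has not finished building its partitions yet.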
Neptune IT (Author) commented:
Excellent solution to this problem.