• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 474
  • Last Modified:

DC down, DC up again.

2 DCs. Master fails. I seized the FSMO roles to the second DC. Worked great. Cleaned up Metadata. I rebuilt DNS from scratch on new Master and DHCP.

After tinkering with the failed DC I got it to boot. I turned off DNS and DHCP on the "bad" server. I want this sever up a few more days so I can pull other service configs and some file shares off before I format and reinstall as a DC again.

It is interfearing with the GC. when I try to add a computer to the domain, it shows up under the ADUC of the bad DC and not the Good one. i tryied to rebuild the connections to allow replication. When I force replication it says "replication completed" but the new WS does not show up in the "Good" dc, only the "bad" one.

I checked the Metadata and the PDC roles on both servers and they both point to the "Good" server.

When i ping the domain.local from the Workstations it returns the IP of the Bad DC. flushdns did not fix it.

I want to put the bad DC into a member server role so that it will stop interfearing with the GC long enough to xcopy some files off of it and then format the raid. Keep in mind DCPROMO does not work, and ntdsutil does not see the bad DC.
1 Solution
Henrik JohanssonSystems engineerCommented:
If seizing FSMO-roles, the old DC holding FSMOs shall not be online as DC again until it has been demoted and cleaned up.
Use dcpromo/forceremoval on the bad DC and cleanup metadata before getting it back as DC again.
stephenwylesAuthor Commented:
This appears to be working, it got further than the normal "dcpromo" attempt. I will keep you posted.
stephenwylesAuthor Commented:
It appears to have worked... one problem. When it finished, it said it successfully removed AD from the computer... Restart Now or Restart Later?

That's a problem. I do not want to restart this server in the fear of it not coming back up. I feel as though it is on "life support" and if I shut it down it may never start back up. I need windows to restart so that I can continue to get the service config settings off of it.

Anyway to manually restart the individual services in order to clear the AD info from the server without actually restarting it?
Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

in a situation where a bad DC is interfering you're best option is to disconnect it from the network.
In this way, you can have the bad DC running and copy files or access it as required without it affeecting the existing domain. BY design, while the server is connected and thinks it is a DC, it will try to perform DC tasks and cause problems.

Krzysztof PytkoSenior Active Directory EngineerCommented:
After FSMO seizing old DC shouldn't be connected to the network. You have to reinstall OS first and then promote it to the domain controller again. If you do not proceed that way you can have problems with PDC.
Henrik JohanssonSystems engineerCommented:
The reboot is necessary to finish the removing of the DC role.
With the metadata cleanup on the good DC, it is not longer recognized as DC in the domain, but still beleaved it's a DC until used dcpromo/forceremoval to force it into member server role.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now