

Primary Domain controller lost trust relationship with Backup Domain controller Help!

Posted on 2011-10-06
Medium Priority
Last Modified: 2012-08-13
Hi All

I restored our main domain controller from an image; now the backup domain controller cannot see it and I can't demote the backup domain controller. I wanted to demote the backup domain controller, then put it into a workgroup, then add it back to the domain to re-establish the trust relationship between the two servers, then promote it back to a backup domain controller.

Both servers are running Windows Server 2003 SP 2.
Question by: kdonnelly81
LVL 37

Expert Comment

by: Neil Russell
ID: 36923393
Never restore a domain controller from an image if you can help it. Unless the image is like from today/yesterday.
Are BOTH domain controllers GC servers? Are clients authenticating against the one you reimaged or the other? Trusts and passwords are very sensitive to such things and you may find you need to trash one server or the other and rebuild.

This is why system state backups are so very important.

How old was the image?

Expert Comment

ID: 36923410
You will have to remove the server you just restored from the domain, then re-add it to the domain (using the backup domain controller as the master for the moment). This means there will then be a trust; you would then be able to promote the restored server back to domain controller, and the other can be demoted to backup domain controller.

No AD settings should be lost with this as the backup domain controller holds all the information.

Another way is to look through the backup domain controller's AD and see if the server is there at all (in either Domain Controllers or Computers). Sometimes, if the trust relationship has been lost (and it's that simple), you will be able to right-click and re-enable the account, which should restore the trust...
LVL 16

Accepted Solution

Bruno PACI earned 2000 total points
ID: 36923423

First of all, there is no more "Primary" and "Backup" domain controller notion since Active Directory exists.

About your problem, please explain to us why you want to restore the first domain controller, so that we can give you advice about the best way to do things.

Is it because the controller crashed?
Is it because you want to restore the state of accounts and groups?

If it's about a crash, and if your restored image doesn't work, and supposing your crashed DC doesn't contain user data files (only accounts and groups), the easiest way is to totally remove traces of this DC in your domain and then reinstall the DC, re-promote it, reinstall services (DNS, WINS, ...) and transfer the FSMO roles back:
If you want to follow this way you'll have to go through these steps:

1) Identify the FSMO roles that were hosted on the defunct DC and force the transfer (seize) of these roles to the surviving DC (the one you call "backup"). You'll have to use the ntdsutil command for that.
2) Ensure that mandatory network services are still available on the surviving DC (DNS service, WINS if needed, DHCP if needed, etc.). Ensure that your users can still connect to the domain with the surviving DC.
3) Remove any trace of the defunct DC in the AD domain. This can be done using the ntdsutil command; this is called metadata cleanup.
4) Remove the computer account of the defunct DC in the domain.
5) Reinstall Windows on the defunct DC server. Name it as it was before and configure the IP settings as they were before. Make it join the domain as a member server.
6) Reinstall any network service (DNS, WINS, DHCP, etc.) on the reinstalled server.
7) Promote the reinstalled server as a DC (dcpromo).
8) Transfer the FSMO roles back to the reinstalled DC as before.

If it's about restoring accounts and groups as they were before, then what you tried to do is a really BAD way. YOU MUST NOT restore accounts and groups by restoring a complete image of a DC and destroying every other DC!!
Restoring Active Directory content uses a specific procedure. You must restore the system state (only that) on a DC that you have restarted in "AD restore mode".
You then have to force the authoritative mode on this DC so that the restored objects will be considered fresh changes by the other DCs.
Finally you just have to restart the DC in normal mode and AD replication will do the rest.

As you can see, things are really different depending on what you're trying to do. So the best thing is to explain to us what your final goal is.

Have a good day.
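The two paths described in the accepted answer (steps 1 to 4 of the rebuild, and the system-state plus authoritative restore), written out as the commands an administrator would actually type on the surviving Windows Server 2003 DC. This is an added example, not code from the original thread or from the answer's author. The names are assumptions: surviving DC `DC2`, defunct DC `DC1`, domain `contoso.local`, site `Default-First-Site-Name`; `netdom`, `repadmin` and `dcdiag` come from the 2003 Support Tools. `ntdsutil` accepts its prompt commands as arguments, one quoted string per prompt line.

```powershell
# Added example, not part of the original post. Assumed names (not from the
# thread): survivor DC2, defunct DC1, domain contoso.local, site
# Default-First-Site-Name. Needs Domain Admin rights (Enterprise/Schema Admin
# for the two forest-wide roles). Each ntdsutil call below is the same
# sequence you would type interactively, one argument per prompt line.

$Survivor = 'DC2'
$Defunct  = 'DC1'
$DomainDn = 'DC=contoso,DC=local'
$Site     = 'Default-First-Site-Name'

function Invoke-FsmoSeizure {
    # Step 1. "seize" tries a normal transfer first and only forces the role
    # when the current holder cannot be reached (a confirmation dialog pops
    # per role). Once a role is seized, the old DC must never be booted again
    # with its original directory, or two DCs will each claim the role.
    ntdsutil 'roles' 'connections' "connect to server $Survivor" 'quit' `
        'seize schema master' 'seize domain naming master' 'seize RID master' `
        'seize PDC' 'seize infrastructure master' 'quit' 'quit'
}

function Remove-DefunctDcMetadata {
    # Step 3. Delete DC1's server/NTDS Settings object from the Configuration
    # partition so the survivor stops trying to replicate with it. The DN form
    # needs 2003 SP1 or later; older builds walk "select operation target",
    # "list servers in site", "select server N" instead.
    $serverDn = "CN=$Defunct,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
    ntdsutil 'metadata cleanup' 'connections' "connect to server $Survivor" 'quit' `
        "remove selected server $serverDn" 'quit' 'quit'

    # Step 4. The computer account in the Domain Controllers OU is a separate
    # object and is not removed by metadata cleanup.
    dsrm "CN=$Defunct,OU=Domain Controllers,$DomainDn" -noprompt
    # DC1's SRV and A records stay in DNS until they are deleted or scavenged;
    # check the _msdcs zone before promoting a rebuilt DC1 with the same name.
}

function Test-SurvivorHealth {
    # Step 2, and the check to run again after cleanup: every FSMO role must
    # now name $Survivor, DC1 must be gone from the replication topology, and
    # clients must still be able to locate a DC for the domain.
    netdom query fsmo
    repadmin /showrepl $Survivor
    dcdiag /s:$Survivor /test:knowsofroleholders
    nltest /dsgetdc:contoso.local
}

function Invoke-AuthoritativeRestore {
    param([string]$SubtreeDn)   # e.g. "OU=Sales,$DomainDn"
    # The "restore accounts and groups" path. Run on a DC booted into
    # Directory Services Restore Mode (F8 at startup), AFTER ntbackup has put
    # a system state backup back on it. Marking a subtree authoritative raises
    # the version numbers of its objects, so the other DCs accept them as
    # newer than their own copies. Mark only what was lost: "restore database"
    # would roll the whole domain back to the backup and discard every change
    # made since. Reboot normally afterwards; replication does the rest.
    ntdsutil 'authoritative restore' "restore subtree $SubtreeDn" 'quit' 'quit'
}

# Rebuild path, in the answer's order, once DC1 is confirmed offline for good.
Invoke-FsmoSeizure
Test-SurvivorHealth
Remove-DefunctDcMetadata
Test-SurvivorHealth
```

The order matters: seize roles and confirm the survivor is healthy before deleting DC1's metadata, because metadata cleanup is what makes the old DC's identity unusable. A rebuilt DC1 can then be promoted with the same name and the roles transferred back (steps 5 to 8).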



Author Comment

ID: 36923434
Hi Neilsr,

It was 3 weeks old. Only the restored server was a GC. Yeah, I have had loads of problems but most are solved now. To make things worse, the domain controller that I restored is also our Exchange server. I know it's not recommended but we are currently moving over to Office 365.

I have no problem trashing the domain controller with Exchange when we do make the move. But I would like to keep the domain.

Author Comment

ID: 36923513
Hi PaciB,

I was restoring from two crashed disks in the RAID 5, which took down the server until I replaced the two disks. I had to rebuild the array and restore the image. To make things worse, the domain controller that I restored is also our Exchange server. That's why I had the server imaged. I know it's not recommended but we are currently moving over to Office 365.

All is working at the moment, but it's a mess. I think the best thing to do is promote another server to AD, then transfer the FSMO roles from the restored DC, then demote the restored DC and scrap it.

Author Comment

ID: 36923529
The restored DC is the master FSMO. If I transfer them to a new DC is it alright to scrap the old restored DC?

Lesson learned about backing up a DC (system state). Thanks guys for all the help!
LVL 16

Assisted Solution

by: Bruno PACI
Bruno PACI earned 2000 total points
ID: 36923877

FSMO roles are something you have to keep in mind when demoting or reinstalling DCs, but they're not the big part of the problem.
Even if you forget to transfer the FSMO roles before scrapping a DC, it's always possible to seize the roles and give them to another DC. So there's always a way to make these roles work somewhere on a DC.
The only thing to remember is that if you seize the roles instead of transferring them (meaning you're forced to seize them because the hosting DC is unavailable at that time), you MUST NOT restart the old DC or you'll have a role conflict.

As your crashed DC is an Exchange server, demoting this server is not supported and might cause the Exchange server to fail with no way to make it work.

If you really want to get rid of this server I'm afraid you'll have to install a new DC with a new Exchange server and move all mailboxes to it. After moving all mailboxes you'll have to uninstall the first Exchange Server and then demote the server.

Have a good day.
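The graceful path the author proposes (new DC promoted, roles moved off the restored DC, then demotion), with the two checks this answer implies: that the old DC holds no role before it is demoted, and that it is not still an Exchange server. Added example, not code from the thread or from the answer's author. Assumed names: restored DC `DC1`, new DC `DC3`, domain `contoso.local`; `netdom` is from the 2003 Support Tools, and `Get-Service -ComputerName` needs PowerShell 2.0.

```powershell
# Added example, not part of the original post. Assumed names: old/restored
# DC1, newly promoted DC3. "transfer" is cooperative: both DCs must be online,
# the current holder hands the role over, and it may keep running afterwards.
# "seize" is only for a holder that is gone for good and must then stay gone.

$OldDc = 'DC1'
$NewDc = 'DC3'

function Move-FsmoRolesTo([string]$TargetDc) {
    # Connect to the DC that should RECEIVE the roles; ntdsutil pulls each
    # role from its current holder.
    ntdsutil 'roles' 'connections' "connect to server $TargetDc" 'quit' `
        'transfer schema master' 'transfer domain naming master' 'transfer RID master' `
        'transfer PDC' 'transfer infrastructure master' 'quit' 'quit'
}

function Test-HoldsNoFsmoRole([string]$Dc) {
    # "netdom query fsmo" prints one line per role: "<role name>   <holder FQDN>".
    # True when no line names $Dc as holder (host part of the FQDN).
    $pattern = '\s' + [regex]::Escape($Dc) + '(\.|\s|$)'
    $lines   = netdom query fsmo 2>&1 | Out-String -Stream
    $held    = @($lines | Where-Object { $_ -match $pattern })
    return $held.Count -eq 0
}

function Test-ExchangeInstalled([string]$Dc) {
    # The Information Store service only exists on an Exchange server.
    $svc = Get-Service -ComputerName $Dc -Name 'MSExchangeIS' -ErrorAction SilentlyContinue
    return $svc -ne $null
}

Move-FsmoRolesTo $NewDc

if (-not (Test-HoldsNoFsmoRole $OldDc)) {
    throw "$OldDc still holds a FSMO role; fix the transfer before demoting it."
}
if (Test-ExchangeInstalled $OldDc) {
    # Demoting a DC that runs Exchange is unsupported (see the answer above):
    # move the mailboxes and uninstall Exchange first, then dcpromo.
    throw "$OldDc is still an Exchange server; do not run dcpromo on it yet."
}
# Only now: run dcpromo locally on $OldDc to demote it.
```

Because the old DC stays online during a transfer, this is the one case where leaving it running afterwards is safe; it is the seized case in the answer above where it must never come back.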

Author Closing Comment

ID: 36924217
Thanks everyone!
