Primary Domain controller lost trust relationship with Backup Domain controller Help!

Hi All

I restored our main domain controller from an image; now the backup domain controller cannot see it and I can't demote the backup domain controller. I wanted to demote the backup domain controller, then put it onto a workgroup, then add it back to the domain to re-establish the trust relationship between the 2 servers. Then promote it back to a backup domain controller.

Both servers are running Windows Server 2003 SP 2.

Neil Russell, Technical Development Lead, commented:
Never restore a domain controller from an image if you can help it, unless the image is from today/yesterday.
Are BOTH domain controllers GC servers? Are clients authenticating against the one you reimaged or the other? Trusts and passwords are very sensitive to such things, and you may find you need to trash one server or the other and rebuild.

This is why system state backups are soooo very important.

How old was the image?
You will have to remove the server you just restored from the domain, then re-add it to the domain (using the backup domain controller as the master for the moment). This means there will then be a trust; you would then be able to promote the restored server back to domain controller and the other can be demoted to backup domain controller.

No AD settings should be lost with this as the backup domain controller holds all the information.

Another way is to look through the backup domain controller's AD and see if the server is there at all (in either Domain Controllers or Computers). Sometimes, if the trust relationship has been lost (and it's that simple), you will be able to right-click and re-enable the account, which should restore the trust...
Bruno PACI, IT Consultant, commented:

First of all, there is no more "Primary" and "Backup" domain controller notion since Active Directory exists.

About your problem, please explain to us why you want to restore the first domain controller, so that we can give you advice about the best way to do things.

Is it because the controller crashed ?
Is it because you want to restore accounts and groups state ?

If it's about a crash, and if your restored image doesn't work, and supposing your crashed DC doesn't contain users' data files (only accounts and groups), the easiest way is to totally remove traces of this DC in your domain and then reinstall the DC, repromote it, reinstall services (DNS, WINS, ...) and retransfer FSMO roles.
If you want to follow this way you'll have to go through these steps:

1) Identify the FSMO roles that were hosted on the defunct DC and force transfer (seize) of these roles onto the surviving DC (the one you call "backup"). You'll have to use the ntdsutil command for that.
2) Ensure that mandatory network services are still available on the surviving DC (DNS service, WINS if needed, DHCP if needed, etc.). Ensure that your users can still connect to the domain with the surviving DC.
3) Remove any trace of the defunct DC in the AD domain. This can be done using the ntdsutil command; this is called metadata cleanup...
4) Remove the computer account of the defunct DC in the domain.
5) Reinstall Windows on the defunct DC server. Name it like it was before, configure IP settings as they were before. Make it join the domain as a member server.
6) Reinstall any network service (DNS, WINS, DHCP, etc.) on the reinstalled server.
7) Promote the reinstalled server as a DC (dcpromo).
8) Transfer the FSMO roles back onto the reinstalled DC as it was before.

If it's about restoring accounts and groups as they were before, then what you tried to do is a really BAD way. YOU MUST NOT restore accounts and groups by restoring a complete image of a DC and destroying any other DC!!
Active Directory content restore uses a specific procedure. You must restore the system state (only that) on a DC that you have restarted in the "AD restore mode".
You then have to force the authoritative mode on this DC so that the restored objects will be considered as fresh changes by other DCs.
Finally you just have to restart the DC in normal mode and AD replication will do the rest.

As you can see, things are really different depending on what you're trying to do. So the best thing is to explain to us what your final goal is.

Have a good day.
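As an added example (not part of Bruno's answer or of any Microsoft documentation), steps 1, 3 and 4 of the reinstall path above, written as a Windows Server 2003 batch script; the server, site and domain names are constructed placeholders, and netdom/dcdiag/repadmin assume the 2003 Support Tools are installed.

```batch
@echo off
REM Added example, not from the thread: seize FSMO roles, clean up the
REM defunct DC's metadata and verify, on Windows Server 2003 SP2.
REM All names below are constructed placeholders for the reader to replace.
set SURVIVING=DC2
set DEFUNCT=DC1
set SITE=Default-First-Site-Name
set DOMAINDN=DC=example,DC=local

REM Step 1: show which DC currently holds each of the five roles.
netdom query fsmo

REM Step 1 (cont.): seize all five roles onto the surviving DC.
REM Use "transfer" instead of "seize" whenever the old holder is still
REM online; after a seize the old holder must never be brought back as a DC
REM (Bruno's "role conflict" warning). Each seize asks for a confirmation.
ntdsutil "roles" "connections" "connect to server %SURVIVING%" "quit" ^
  "seize schema master" "seize domain naming master" "seize RID master" ^
  "seize PDC" "seize infrastructure master" "quit" "quit"

REM Step 3: metadata cleanup, removing the defunct DC's server object and
REM NTDS Settings. SP1 and later accept the server DN directly.
ntdsutil "metadata cleanup" "connections" "connect to server %SURVIVING%" "quit" ^
  "remove selected server CN=%DEFUNCT%,CN=Servers,CN=%SITE%,CN=Sites,CN=Configuration,%DOMAINDN%" ^
  "quit" "quit"

REM Step 4: delete the leftover computer account if cleanup left it behind.
dsrm "CN=%DEFUNCT%,OU=Domain Controllers,%DOMAINDN%" -noprompt

REM Verify: the surviving DC should pass its tests and show no replication
REM partner entries for the defunct DC.
dcdiag /s:%SURVIVING% /q
repadmin /showrepl %SURVIVING%
netdom query fsmo
```

Check the DNS zone afterwards as well: stale A, NS and SRV records for the defunct DC are not removed by metadata cleanup on 2003 and will still point clients at the dead server.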

kdonnelly81 (Author) commented:
Hi Neilsr,

It was 3 weeks old. Only the restored server was a GC. Yes, I have had loads of problems, but most are solved now. To make things worse, the domain controller that I restored is also our Exchange server. I know it's not recommended, but we are currently moving over to Office 365.

I have no problem trashing the domain controller with Exchange when we do make the move. But I would like to keep the domain.
kdonnelly81 (Author) commented:
Hi PaciB,

I was restoring from 2 crashed disks in the RAID 5, which took down the server until I replaced the 2 disks. I had to rebuild the array and restore the image. To make things worse, the domain controller that I restored is also our Exchange server. That's why I had the server imaged. I know it's not recommended, but we are currently moving over to Office 365.

All is working at the moment, but it's a mess. I think the best thing to do is promote another server to AD, then transfer the FSMO roles from the restored DC, then demote the restored DC and scrap it.
kdonnelly81 (Author) commented:
The restored DC is the master FSMO. If I transfer them to a new DC is it alright to scrap the old restored DC?

Lesson learned about backing up a DC (system state). Thanks guys for all the help!
Bruno PACI, IT Consultant, commented:

FSMO roles are something you have to keep in mind when demoting or reinstalling DCs, but they're not the big part of the problem.
Even if you forget to transfer FSMO roles before scrapping a DC, it's always possible to seize the roles and give them to another DC. So there's always a way to make these roles work somewhere on a DC.
The only thing to remember is that if you seize the roles instead of transferring them (meaning you're forced to seize them because the hosting DC is unavailable at this time), you MUST NOT restart the old DC or you'll have a role conflict.

As your crashed DC is an Exchange server, demoting this server is not supported and might cause the Exchange server to fail with no way to make it work.

If you really want to get rid of this server, I'm afraid you'll have to install a new DC with a new Exchange server and move all mailboxes to it. After moving all mailboxes you'll have to uninstall the first Exchange server and then demote the server.

Have a good day.
kdonnelly81 (Author) commented:
Thanks everyone!