Solved

Introducing restored Domain Controller into environment

Posted on 2014-10-17
25
166 Views
Last Modified: 2014-10-25
We need to reintroduce a Server 2012 DC to our environment that has been restored from a backup over two weeks old.

FSMO roles have subsequently been seized by another DC.

I am wondering what steps I need to take to bring this back into the network without causing mayhem.

Any pointers would be much appreciated.

I currently have offline access to the restored domain and so can do any preparation on it that is necessary to smooth the process.

Please advise!


Jon
0
Comment
Question by:FriendlyIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 15
  • 5
  • 5
25 Comments
 
LVL 7

Assisted Solution

by:tolinrome
tolinrome earned 100 total points
ID: 40386571
Why reintroduce it as a domain controller? Can't you just reintroduce it as a member server then promote it to a DC? Does the DC have data that other DC's are missing?
0
 

Author Comment

by:FriendlyIT
ID: 40386584
No - I don't think so.  OK - how do I demote it to a member server?
0
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386601
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 34

Accepted Solution

by:
Seth Simmons earned 400 total points
ID: 40386660
if that down domain controller had FSMO roles which were seized by another system then you bring this one online - likely do more harm than good because now the other system thinks it has the roles when it doesn't

i would do a metadata cleanup first to remove traces of that server

Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx

then rebuild the box from scratch and promote it again
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386669
Just basically remove it from the domain and it will be a plain old Windows server. Reinstalling Windows is good too (as Seth said).
0
 

Author Comment

by:FriendlyIT
ID: 40386724
Hi,

I think the metadata thing is OK as I did the FSMO seize when another incarnation of this server was still available.

The one problem I have is that when I have done the demote I get this error:-

An error occurred when demoting the Active Directory Domain Controller

Certificate Server is installed


Anything I need to be concerned about?


Jon
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386731
you can remove that role\service.

In any case, why dont you just wipe it and start fresh?
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 400 total points
ID: 40386733
ok that is another issue
are you using domain certificates for anything (IIS, EFS, etc.)?
if you look in the cert auth console do you see certs being issue?

there are procedures available to move cert database to another system but need to know if it is even being used.  also, is this the only cert server or are there subordinates?  is this cert server enterprise root?
0
 

Author Comment

by:FriendlyIT
ID: 40386741
We have other functionality on that server that we don't wish to lose or rebuild.

It is a RADIUS server amongst other things.  We are hoping to retain that functionality.
0
 

Author Comment

by:FriendlyIT
ID: 40386744
Hi Seth, yes it is issuing certificates.
0
 

Author Comment

by:FriendlyIT
ID: 40386747
I would suggest that it is the root.  I didn't set this up - which is why I am keen to avoid a rebuild.  There is no way to migrate this as the server is isolated.
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386748
0
 

Author Comment

by:FriendlyIT
ID: 40386755
Hi tolinrome.  I don't think you are reading my answers.  I don't want to remove it.  I want to preserve it.
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386774
I though you wanted to retain Radius, sorry.
0
 

Author Comment

by:FriendlyIT
ID: 40386786
I think this is related to Radius (or our Radius at least).

Is there a way to export it to itself?

So export to a file, remove, demote, promote and then import again?
0
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386804
OK - this looks interesting.  I'm going to follow this through and see if it helps.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27052731.html
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40386870
that's pretty much the same steps i did when i migrated a 2008 R2 CA to 2012 R2 except i changed the computer name which you can do with a couple additional steps
0
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386886
Is that adequate to backup and keep AD Certificates Services?

I also found this - http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx seems like a lot more to do though.

Can you confirm which I should do?  I plan to migrate it to itself so won't need to change names or anything.


Jon
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 400 total points
ID: 40386906
those technet articles is more verbose and is what i used; the steps are the same
i did try in a test environment first a couple times and worked well
0
 

Author Comment

by:FriendlyIT
ID: 40391676
OK (hopefully) the final problem.

When I demoted the DC and then rebooted it - it then asked me for an admin password but wouldn't accept any known passwords or let me switch to a different user.

I know that DC accounts don't normally have a local admin, so I am a little confused.  Have done another restore - any ideas how to avoid this same situation again?


Jon
0
 

Author Comment

by:FriendlyIT
ID: 40392061
OK - The last was my mistake.  I put in a password during demotion and then forgot I had done it.  Figured it out now.  Local admin account doesn't exist on DC so when you demote, it asks you to assign a password which is then the local admin account.

Next I had to remove metadata which I did using this resource:-

http://support.microsoft.com/kb/216498

**EDIT - There was a link further up which is much better than the one I used **
0
 

Author Comment

by:FriendlyIT
ID: 40392400
I am now getting an error during the set-up of CA.

Screenshot of RPC error
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40392411
at what point does that error show?
0
 

Author Comment

by:FriendlyIT
ID: 40392489
OK - got past that error.  Basically it was detecting the old server as a CA.  I had to create this new one as a CA and then I could restore as per the above articles.  We believe we have an up and running DC now and things are working as they were before!

WOO HOO!!!!!

Thanks so much for your help!


Jon
0
 

Author Closing Comment

by:FriendlyIT
ID: 40403685
Some of the findings that were helpful that I discovered on my own were marked as part of the solution.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question