Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 188
  • Last Modified:

Introducing restored Domain Controller into environment

We need to reintroduce a Server 2012 DC to our environment that has been restored from a backup over two weeks old.

FSMO roles have subsequently been seized by another DC.

I am wondering what steps I need to take to bring this back into the network without causing mayhem.

Any pointers would be much appreciated.

I currently have offline access to the restored domain and so can do any preparation on it that is necessary to smooth the process.

Please advise!


Jon
0
FriendlyIT
Asked:
FriendlyIT
  • 15
  • 5
  • 5
7 Solutions
 
tolinromeCommented:
Why reintroduce it as a domain controller? Can't you just reintroduce it as a member server then promote it to a DC? Does the DC have data that other DC's are missing?
0
 
FriendlyITAuthor Commented:
No - I don't think so.  OK - how do I demote it to a member server?
0
 
FriendlyITAuthor Commented:
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
Seth SimmonsSr. Systems AdministratorCommented:
if that down domain controller had FSMO roles which were seized by another system then you bring this one online - likely do more harm than good because now the other system thinks it has the roles when it doesn't

i would do a metadata cleanup first to remove traces of that server

Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx

then rebuild the box from scratch and promote it again
0
 
tolinromeCommented:
Just basically remove it from the domain and it will be a plain old Windows server. Reinstalling Windows is good too (as Seth said).
0
 
FriendlyITAuthor Commented:
Hi,

I think the metadata thing is OK as I did the FSMO seize when another incarnation of this server was still available.

The one problem I have is that when I have done the demote I get this error:-

An error occurred when demoting the Active Directory Domain Controller

Certificate Server is installed


Anything I need to be concerned about?


Jon
0
 
tolinromeCommented:
you can remove that role\service.

In any case, why dont you just wipe it and start fresh?
0
 
Seth SimmonsSr. Systems AdministratorCommented:
ok that is another issue
are you using domain certificates for anything (IIS, EFS, etc.)?
if you look in the cert auth console do you see certs being issue?

there are procedures available to move cert database to another system but need to know if it is even being used.  also, is this the only cert server or are there subordinates?  is this cert server enterprise root?
0
 
FriendlyITAuthor Commented:
We have other functionality on that server that we don't wish to lose or rebuild.

It is a RADIUS server amongst other things.  We are hoping to retain that functionality.
0
 
FriendlyITAuthor Commented:
Hi Seth, yes it is issuing certificates.
0
 
FriendlyITAuthor Commented:
I would suggest that it is the root.  I didn't set this up - which is why I am keen to avoid a rebuild.  There is no way to migrate this as the server is isolated.
0
 
FriendlyITAuthor Commented:
Hi tolinrome.  I don't think you are reading my answers.  I don't want to remove it.  I want to preserve it.
0
 
tolinromeCommented:
I though you wanted to retain Radius, sorry.
0
 
FriendlyITAuthor Commented:
I think this is related to Radius (or our Radius at least).

Is there a way to export it to itself?

So export to a file, remove, demote, promote and then import again?
0
 
FriendlyITAuthor Commented:
OK - this looks interesting.  I'm going to follow this through and see if it helps.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27052731.html
0
 
Seth SimmonsSr. Systems AdministratorCommented:
that's pretty much the same steps i did when i migrated a 2008 R2 CA to 2012 R2 except i changed the computer name which you can do with a couple additional steps
0
 
FriendlyITAuthor Commented:
Is that adequate to backup and keep AD Certificates Services?

I also found this - http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx seems like a lot more to do though.

Can you confirm which I should do?  I plan to migrate it to itself so won't need to change names or anything.


Jon
0
 
Seth SimmonsSr. Systems AdministratorCommented:
those technet articles is more verbose and is what i used; the steps are the same
i did try in a test environment first a couple times and worked well
0
 
FriendlyITAuthor Commented:
OK (hopefully) the final problem.

When I demoted the DC and then rebooted it - it then asked me for an admin password but wouldn't accept any known passwords or let me switch to a different user.

I know that DC accounts don't normally have a local admin, so I am a little confused.  Have done another restore - any ideas how to avoid this same situation again?


Jon
0
 
FriendlyITAuthor Commented:
OK - The last was my mistake.  I put in a password during demotion and then forgot I had done it.  Figured it out now.  Local admin account doesn't exist on DC so when you demote, it asks you to assign a password which is then the local admin account.

Next I had to remove metadata which I did using this resource:-

http://support.microsoft.com/kb/216498

**EDIT - There was a link further up which is much better than the one I used **
0
 
FriendlyITAuthor Commented:
I am now getting an error during the set-up of CA.

Screenshot of RPC error
0
 
Seth SimmonsSr. Systems AdministratorCommented:
at what point does that error show?
0
 
FriendlyITAuthor Commented:
OK - got past that error.  Basically it was detecting the old server as a CA.  I had to create this new one as a CA and then I could restore as per the above articles.  We believe we have an up and running DC now and things are working as they were before!

WOO HOO!!!!!

Thanks so much for your help!


Jon
0
 
FriendlyITAuthor Commented:
Some of the findings that were helpful that I discovered on my own were marked as part of the solution.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

  • 15
  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now