Introducing restored Domain Controller into environment

We need to reintroduce a Server 2012 DC to our environment that has been restored from a backup over two weeks old.

FSMO roles have subsequently been seized by another DC.

I am wondering what steps I need to take to bring this back into the network without causing mayhem.

Any pointers would be much appreciated.

I currently have offline access to the restored domain and so can do any preparation on it that is necessary to smooth the process.

Please advise!

Asked by FriendlyITInfrastructure Team
Why reintroduce it as a domain controller? Can't you just reintroduce it as a member server then promote it to a DC? Does the DC have data that other DC's are missing?
FriendlyITInfrastructure Team (Author) Commented:
No - I don't think so.  OK - how do I demote it to a member server?
Seth Simmons (Sr. Systems Administrator) Commented:
If that down domain controller had FSMO roles which were seized by another system and then you bring this one online, it will likely do more harm than good, because now the other system thinks it has the roles when it doesn't.

I would do a metadata cleanup first to remove traces of that server:

Clean Up Server Metadata

Then rebuild the box from scratch and promote it again.
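A way to verify, from a healthy online DC, whether the directory still carries metadata for the restored box or still names it as a FSMO holder before it is reconnected. This is an added example, not from the thread or the linked article; the server name `OLDDC01` is a placeholder, and the script only reports and prints the equivalent ntdsutil command rather than deleting anything.

```powershell
# Run on a healthy, online DC with the ActiveDirectory RSAT module.
# Placeholder name of the restored/stale DC; replace with the real one.
$StaleDc = 'OLDDC01'

Import-Module ActiveDirectory

# 1. FSMO check: after a seizure no role should still resolve to the stale DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -eq $StaleDc -or $r.Value -like "$StaleDc.*") {
        Write-Warning "$($r.Key) is still recorded as held by $($r.Value)"
    }
}

# 2. Metadata check: a server object and its NTDS Settings child under CN=Sites
#    mean replication partners still expect this DC to exist.
$cfg = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$StaleDc'" `
    -SearchBase "CN=Sites,$cfg" -Properties serverReference
if ($serverObj) {
    Write-Warning "Server object still present: $($serverObj.DistinguishedName)"
    $ntds = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" `
        -SearchBase $serverObj.DistinguishedName -ErrorAction SilentlyContinue
    if ($ntds) {
        Write-Warning "NTDS Settings still present; run metadata cleanup before reconnecting:"
        # Same operation the 'Clean Up Server Metadata' procedure performs, as one ntdsutil line.
        Write-Host "ntdsutil `"metadata cleanup`" `"remove selected server $($serverObj.DistinguishedName)`" q q"
    }
} else {
    Write-Host "No server object for $StaleDc under CN=Sites; metadata looks clean."
}

# 3. Show whether the computer account is still in the domain (it should be gone after cleanup).
Get-ADComputer -Filter "name -eq '$StaleDc'" -ErrorAction SilentlyContinue
```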

Just basically remove it from the domain and it will be a plain old Windows server. Reinstalling Windows is good too (as Seth said).
FriendlyITInfrastructure Team (Author) Commented:

I think the metadata thing is OK as I did the FSMO seize when another incarnation of this server was still available.

The one problem I have is that when I have done the demote I get this error:

An error occurred when demoting the Active Directory Domain Controller

Certificate Server is installed

Anything I need to be concerned about?

You can remove that role\service.

In any case, why don't you just wipe it and start fresh?
Seth Simmons (Sr. Systems Administrator) Commented:
OK, that is another issue.
Are you using domain certificates for anything (IIS, EFS, etc.)?
If you look in the cert auth console, do you see certs being issued?

There are procedures available to move the cert database to another system, but I need to know if it is even being used.  Also, is this the only cert server or are there subordinates?  Is this cert server the enterprise root?
FriendlyITInfrastructure Team (Author) Commented:
We have other functionality on that server that we don't wish to lose or rebuild.

It is a RADIUS server amongst other things.  We are hoping to retain that functionality.
FriendlyITInfrastructure Team (Author) Commented:
Hi Seth, yes it is issuing certificates.
FriendlyITInfrastructure Team (Author) Commented:
I would suggest that it is the root.  I didn't set this up - which is why I am keen to avoid a rebuild.  There is no way to migrate this as the server is isolated.
FriendlyITInfrastructure Team (Author) Commented:
Hi tolinrome.  I don't think you are reading my answers.  I don't want to remove it.  I want to preserve it.
I thought you wanted to retain RADIUS, sorry.
FriendlyITInfrastructure Team (Author) Commented:
I think this is related to Radius (or our Radius at least).

Is there a way to export it to itself?

So export to a file, remove, demote, promote and then import again?
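The export, demote, promote, import sequence described above, written out as an added example (not the thread's own steps or the TechNet procedure). It uses the ADCSAdministration cmdlets for the CA database and private key, and a registry export for the CA configuration that the database backup does not contain. `C:\CABackup` and the backup password are assumed values, and the restore assumes the AD CS role has already been reinstalled with the same CA name.

```powershell
# Run in an elevated PowerShell on the CA server. Requires the ADCSAdministration
# module, which is present once the AD CS role is installed. Paths are placeholders.
$BackupDir = 'C:\CABackup'
$CaRegKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-IssuingCa {
    param([string]$Path, [securestring]$Password)
    Import-Module ADCSAdministration
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Database, log files, private key and CA certificate, protected by the password.
    Backup-CARoleService -Path $Path -Password $Password -KeepLog -Force
    # CA settings (CRL/AIA locations, validity periods, etc.) live in the registry.
    reg export $CaRegKey (Join-Path $Path 'CertSvc-Configuration.reg') /y | Out-Null
    # Record the published templates so they can be re-published after the restore.
    certutil -catemplates > (Join-Path $Path 'templates.txt')
    Get-ChildItem $Path
}

function Restore-IssuingCa {
    param([string]$Path, [securestring]$Password)
    Import-Module ADCSAdministration
    Stop-Service certsvc
    # -Force overwrites the empty database created when the role was reinstalled.
    Restore-CARoleService -Path $Path -Password $Password -Force
    reg import (Join-Path $Path 'CertSvc-Configuration.reg') | Out-Null
    Start-Service certsvc
    # Sanity checks: service answers, and the CA name matches the pre-demotion one.
    certutil -ping
    certutil -cainfo name
}

# Before demoting the DC:
$pw = Read-Host -Prompt 'CA backup password' -AsSecureString
Backup-IssuingCa -Path $BackupDir -Password $pw
# ... remove AD CS, demote, promote, reinstall AD CS with the same CA name, then:
# Restore-IssuingCa -Path $BackupDir -Password $pw
```

Keep the backup directory off the server being rebuilt, since it contains the CA private key and is only as safe as the password and the location it is stored in.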
FriendlyITInfrastructure Team (Author) Commented:
OK - this looks interesting.  I'm going to follow this through and see if it helps.
Seth Simmons (Sr. Systems Administrator) Commented:
That's pretty much the same steps I did when I migrated a 2008 R2 CA to 2012 R2, except I changed the computer name, which you can do with a couple of additional steps.
FriendlyITInfrastructure Team (Author) Commented:
Is that adequate to backup and keep AD Certificates Services?

I also found this - seems like a lot more to do though.

Can you confirm which I should do?  I plan to migrate it to itself so won't need to change names or anything.

Seth Simmons (Sr. Systems Administrator) Commented:
Those TechNet articles are more verbose and are what I used; the steps are the same.
I did try it in a test environment first a couple of times and it worked well.
FriendlyITInfrastructure Team (Author) Commented:
OK (hopefully) the final problem.

When I demoted the DC and then rebooted it - it then asked me for an admin password but wouldn't accept any known passwords or let me switch to a different user.

I know that DC accounts don't normally have a local admin, so I am a little confused.  Have done another restore - any ideas how to avoid this same situation again?

FriendlyITInfrastructure Team (Author) Commented:
OK - The last was my mistake.  I put in a password during demotion and then forgot I had done it.  Figured it out now.  Local admin account doesn't exist on DC so when you demote, it asks you to assign a password which is then the local admin account.

Next I had to remove metadata, which I did using this resource:

**EDIT - There was a link further up which is much better than the one I used **
FriendlyITInfrastructure Team (Author) Commented:
I am now getting an error during the set-up of CA.

Screenshot of RPC error
Seth Simmons (Sr. Systems Administrator) Commented:
At what point does that error show?
FriendlyITInfrastructure Team (Author) Commented:
OK - got past that error.  Basically it was detecting the old server as a CA.  I had to create this new one as a CA and then I could restore as per the above articles.  We believe we have an up and running DC now and things are working as they were before!

WOO HOO!!!!!

Thanks so much for your help!

FriendlyITInfrastructure Team (Author) Commented:
Some of the findings that were helpful that I discovered on my own were marked as part of the solution.