Solved

Introducing restored Domain Controller into environment

Posted on 2014-10-17
25
155 Views
Last Modified: 2014-10-25
We need to reintroduce a Server 2012 DC to our environment that has been restored from a backup over two weeks old.

FSMO roles have subsequently been seized by another DC.

I am wondering what steps I need to take to bring this back into the network without causing mayhem.

Any pointers would be much appreciated.

I currently have offline access to the restored domain and so can do any preparation on it that is necessary to smooth the process.

Please advise!


Jon
0
Comment
Question by:FriendlyIT
  • 15
  • 5
  • 5
25 Comments
 
LVL 7

Assisted Solution

by:tolinrome
tolinrome earned 100 total points
ID: 40386571
Why reintroduce it as a domain controller? Can't you just reintroduce it as a member server then promote it to a DC? Does the DC have data that other DC's are missing?
0
 

Author Comment

by:FriendlyIT
ID: 40386584
No - I don't think so.  OK - how do I demote it to a member server?
0
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386601
0
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 400 total points
ID: 40386660
if that down domain controller had FSMO roles which were seized by another system then you bring this one online - likely do more harm than good because now the other system thinks it has the roles when it doesn't

i would do a metadata cleanup first to remove traces of that server

Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx

then rebuild the box from scratch and promote it again
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386669
Just basically remove it from the domain and it will be a plain old Windows server. Reinstalling Windows is good too (as Seth said).
0
 

Author Comment

by:FriendlyIT
ID: 40386724
Hi,

I think the metadata thing is OK as I did the FSMO seize when another incarnation of this server was still available.

The one problem I have is that when I have done the demote I get this error:-

An error occurred when demoting the Active Directory Domain Controller

Certificate Server is installed


Anything I need to be concerned about?


Jon
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386731
you can remove that role\service.

In any case, why dont you just wipe it and start fresh?
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 400 total points
ID: 40386733
ok that is another issue
are you using domain certificates for anything (IIS, EFS, etc.)?
if you look in the cert auth console do you see certs being issue?

there are procedures available to move cert database to another system but need to know if it is even being used.  also, is this the only cert server or are there subordinates?  is this cert server enterprise root?
0
 

Author Comment

by:FriendlyIT
ID: 40386741
We have other functionality on that server that we don't wish to lose or rebuild.

It is a RADIUS server amongst other things.  We are hoping to retain that functionality.
0
 

Author Comment

by:FriendlyIT
ID: 40386744
Hi Seth, yes it is issuing certificates.
0
 

Author Comment

by:FriendlyIT
ID: 40386747
I would suggest that it is the root.  I didn't set this up - which is why I am keen to avoid a rebuild.  There is no way to migrate this as the server is isolated.
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386748
0
 

Author Comment

by:FriendlyIT
ID: 40386755
Hi tolinrome.  I don't think you are reading my answers.  I don't want to remove it.  I want to preserve it.
0
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386774
I though you wanted to retain Radius, sorry.
0
 

Author Comment

by:FriendlyIT
ID: 40386786
I think this is related to Radius (or our Radius at least).

Is there a way to export it to itself?

So export to a file, remove, demote, promote and then import again?
0
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386804
OK - this looks interesting.  I'm going to follow this through and see if it helps.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27052731.html
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40386870
that's pretty much the same steps i did when i migrated a 2008 R2 CA to 2012 R2 except i changed the computer name which you can do with a couple additional steps
0
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386886
Is that adequate to backup and keep AD Certificates Services?

I also found this - http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx seems like a lot more to do though.

Can you confirm which I should do?  I plan to migrate it to itself so won't need to change names or anything.


Jon
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 400 total points
ID: 40386906
those technet articles is more verbose and is what i used; the steps are the same
i did try in a test environment first a couple times and worked well
0
 

Author Comment

by:FriendlyIT
ID: 40391676
OK (hopefully) the final problem.

When I demoted the DC and then rebooted it - it then asked me for an admin password but wouldn't accept any known passwords or let me switch to a different user.

I know that DC accounts don't normally have a local admin, so I am a little confused.  Have done another restore - any ideas how to avoid this same situation again?


Jon
0
 

Author Comment

by:FriendlyIT
ID: 40392061
OK - The last was my mistake.  I put in a password during demotion and then forgot I had done it.  Figured it out now.  Local admin account doesn't exist on DC so when you demote, it asks you to assign a password which is then the local admin account.

Next I had to remove metadata which I did using this resource:-

http://support.microsoft.com/kb/216498

**EDIT - There was a link further up which is much better than the one I used **
0
 

Author Comment

by:FriendlyIT
ID: 40392400
I am now getting an error during the set-up of CA.

Screenshot of RPC error
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40392411
at what point does that error show?
0
 

Author Comment

by:FriendlyIT
ID: 40392489
OK - got past that error.  Basically it was detecting the old server as a CA.  I had to create this new one as a CA and then I could restore as per the above articles.  We believe we have an up and running DC now and things are working as they were before!

WOO HOO!!!!!

Thanks so much for your help!


Jon
0
 

Author Closing Comment

by:FriendlyIT
ID: 40403685
Some of the findings that were helpful that I discovered on my own were marked as part of the solution.
0

Join & Write a Comment

Suggested Solutions

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now