Solved

Introducing restored Domain Controller into environment

Posted on 2014-10-17
Last Modified: 2014-10-25
We need to reintroduce a Server 2012 DC to our environment that has been restored from a backup over two weeks old.

FSMO roles have subsequently been seized by another DC.

I am wondering what steps I need to take to bring this back into the network without causing mayhem.

Any pointers would be much appreciated.

I currently have offline access to the restored domain and so can do any preparation on it that is necessary to smooth the process.

Please advise!


Jon
Question by:FriendlyIT
25 Comments
 
LVL 7

Assisted Solution

by:tolinrome
tolinrome earned 400 total points
ID: 40386571
Why reintroduce it as a domain controller? Can't you just reintroduce it as a member server and then promote it to a DC? Does the DC have data that other DCs are missing?
 

Author Comment

by:FriendlyIT
ID: 40386584
No - I don't think so.  OK - how do I demote it to a member server?
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386601
 
LVL 35

Accepted Solution

by:Seth Simmons
Seth Simmons earned 1600 total points
ID: 40386660
If that downed domain controller had FSMO roles which were seized by another system, and then you bring this one online, it will likely do more harm than good, because now the other system thinks it has the roles when it doesn't.

I would do a metadata cleanup first to remove traces of that server:

Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx

Then rebuild the box from scratch and promote it again.
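The check Seth describes (is the seized-role holder really the other DC, and is any metadata for the old server still in the directory?) can be scripted before the restored box is allowed back on the network. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module on a healthy DC, and `RESTORED-DC01` is a placeholder name.

```powershell
# Added example (not from the thread): pre-flight check before reintroducing a
# restored DC. Run on a healthy DC with RSAT; the server name is a placeholder.
Import-Module ActiveDirectory

function Test-StaleDcMetadata {
    param([Parameter(Mandatory)][string]$RestoredDc)

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Which DC holds each FSMO role now, after the seize?
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # A role still pointing at the restored box means its stale copy will
    # believe it is authoritative the moment it comes back online.
    $conflicts = $fsmo.GetEnumerator() |
        Where-Object { $_.Value -eq $RestoredDc -or $_.Value -like "$RestoredDc.*" }

    # An NTDS Settings object left under the Sites container is stale metadata
    # that a metadata cleanup (ntdsutil) would remove.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ntds = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                -LDAPFilter '(objectClass=nTDSDSA)' |
        Where-Object { $_.DistinguishedName -like "*CN=NTDS Settings,CN=$RestoredDc,*" }

    # The old computer account still sitting in the Domain Controllers OU
    $computer = Get-ADComputer -LDAPFilter "(cn=$RestoredDc)" `
                    -SearchBase $domain.DomainControllersContainer

    [pscustomobject]@{
        Server            = $RestoredDc
        FsmoRolesOnServer = @($conflicts | ForEach-Object Key)
        StaleNtdsSettings = @($ntds | ForEach-Object DistinguishedName)
        DcComputerObject  = if ($computer) { $computer.DistinguishedName } else { $null }
        SafeToRepromote   = (-not $conflicts) -and (-not $ntds) -and (-not $computer)
    }
}

Test-StaleDcMetadata -RestoredDc 'RESTORED-DC01' | Format-List
```

The script only reports; the cleanup itself is the procedure in the linked Technet article, and the restored server should stay isolated until `SafeToRepromote` is true.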
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386669
Just basically remove it from the domain and it will be a plain old Windows server. Reinstalling Windows is good too (as Seth said).
 

Author Comment

by:FriendlyIT
ID: 40386724
Hi,

I think the metadata thing is OK as I did the FSMO seize when another incarnation of this server was still available.

The one problem I have is that when I have done the demote I get this error:

An error occurred when demoting the Active Directory Domain Controller

Certificate Server is installed


Anything I need to be concerned about?


Jon
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386731
You can remove that role/service.

In any case, why don't you just wipe it and start fresh?
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 1600 total points
ID: 40386733
OK, that is another issue.
Are you using domain certificates for anything (IIS, EFS, etc.)?
If you look in the cert auth console, do you see certs being issued?

There are procedures available to move the cert database to another system, but I need to know if it is even being used.  Also, is this the only cert server or are there subordinates?  Is this cert server the enterprise root?
 

Author Comment

by:FriendlyIT
ID: 40386741
We have other functionality on that server that we don't wish to lose or rebuild.

It is a RADIUS server amongst other things.  We are hoping to retain that functionality.
 

Author Comment

by:FriendlyIT
ID: 40386744
Hi Seth, yes it is issuing certificates.
 

Author Comment

by:FriendlyIT
ID: 40386747
I would suggest that it is the root.  I didn't set this up - which is why I am keen to avoid a rebuild.  There is no way to migrate this as the server is isolated.
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386748
 

Author Comment

by:FriendlyIT
ID: 40386755
Hi tolinrome.  I don't think you are reading my answers.  I don't want to remove it.  I want to preserve it.
 
LVL 7

Expert Comment

by:tolinrome
ID: 40386774
I thought you wanted to retain RADIUS, sorry.
 

Author Comment

by:FriendlyIT
ID: 40386786
I think this is related to Radius (or our Radius at least).

Is there a way to export it to itself?

So export to a file, remove, demote, promote and then import again?
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386804
OK - this looks interesting.  I'm going to follow this through and see if it helps.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27052731.html
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40386870
That's pretty much the same steps I did when I migrated a 2008 R2 CA to 2012 R2, except I changed the computer name, which you can do with a couple of additional steps.
 

Assisted Solution

by:FriendlyIT
FriendlyIT earned 0 total points
ID: 40386886
Is that adequate to back up and keep AD Certificate Services?

I also found this: http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx. It seems like a lot more to do though.

Can you confirm which I should do?  I plan to migrate it to itself, so I won't need to change names or anything.


Jon
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 1600 total points
ID: 40386906
Those TechNet articles are more verbose and are what I used; the steps are the same.
I did try it in a test environment first a couple of times and it worked well.
 

Author Comment

by:FriendlyIT
ID: 40391676
OK (hopefully) the final problem.

When I demoted the DC and then rebooted it - it then asked me for an admin password but wouldn't accept any known passwords or let me switch to a different user.

I know that DC accounts don't normally have a local admin, so I am a little confused.  Have done another restore - any ideas how to avoid this same situation again?


Jon
 

Author Comment

by:FriendlyIT
ID: 40392061
OK - the last one was my mistake.  I put in a password during demotion and then forgot I had done it.  Figured it out now.  The local admin account doesn't exist on a DC, so when you demote, it asks you to assign a password, which is then the local admin account.

Next I had to remove metadata, which I did using this resource:

http://support.microsoft.com/kb/216498

**EDIT - There was a link further up which is much better than the one I used.**
 

Author Comment

by:FriendlyIT
ID: 40392400
I am now getting an error during the set-up of CA.

[Screenshot of RPC error]
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40392411
At what point does that error show?
 

Author Comment

by:FriendlyIT
ID: 40392489
OK - got past that error.  Basically it was detecting the old server as a CA.  I had to create this new one as a CA and then I could restore as per the above articles.  We believe we have an up and running DC now and things are working as they were before!

WOO HOO!!!!!

Thanks so much for your help!


Jon
 

Author Closing Comment

by:FriendlyIT
ID: 40403685
Some of the findings that were helpful that I discovered on my own were marked as part of the solution.