Solved

Server 2008 R2 Active Directory

Posted on 2015-01-16
Last Modified: 2015-01-20
We have a main office and 6 sites. We have a DC on each site.
One site moved to a new building. During the move, movers pulled the power cable and the DC never came back (blue screen).
Our IT director said that in this case we should build a new DC with a name reflecting the new location and a new site.
What steps should I take, and what should the sequence of those steps be?
This is the first time I will do it from beginning to end.
Question by: Vadim Mikhal
5 Comments
 
LVL 9

Expert Comment

by: Muhammad Mulla
ID: 40553455
Make sure you have a full backup. Especially of AD.

A few things you probably need to keep in mind:

1. Create the site or make sure that the site has been created in AD Sites and Services
2. Check the replication health of your AD
3. Ensure that your FSMO roles are on your working DCs
4. Clear out any references to your failed DC from DNS, etc. Especially on the DHCP server settings and on any statically configured domain members or DCs.
5. Clean up the metadata http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx
 

Author Comment

by: Vadim Mikhal
ID: 40553735
No Backup
 
LVL 53

Accepted Solution

by: Will Szymkowski (earned 500 total points)
ID: 40553784
You do not need a backup in this case because you have multiple DCs in your environment at other sites. Your new DC will get all of the changes via replication.

You do, however, need to find out whether the DC that failed was holding any of the FSMO roles. Run the command below to check.
netdom query fsmo
If this DC does not have any FSMO roles assigned to it then it should be less work.

In Server 2008 and up, if you have a DC that has failed and it does not hold any FSMO roles, then all you should need to do is delete the computer account in Active Directory Users and Computers and in Sites and Services. Typically I still like to go back and check all of the places, especially the SRV records in the AD-integrated DNS zone (old school).

So that being said the link below will illustrate how to completely cleanup your Active Directory failed domain controller.

In the meantime, what I would do for your clients is have them point to another DC in a different site. Depending on the latency it might take a bit longer to authenticate, but once they have got their token from a different DC, other services should be faster. This will at least get them up and running so that they can continue to work while you build another DC.

Once all of the metadata has been successfully removed, you can start the process of introducing the domain controller. Just remember that depending on the FFL and DFL of your current Active Directory you need to promote the appropriate OS version of domain controller.

So if your AD FFL/DFL is 2008 R2, you cannot promote any DCs that run an OS version prior to Windows Server 2008 R2. Keep that in mind.

Metadata Cleanup (technet)

Will.
 
LVL 9

Expert Comment

by: Muhammad Mulla
ID: 40553835
Always make a backup before making potentially dangerous changes, such as ADSI Edits.
 
LVL 95

Expert Comment

by: Lee W, MVP
ID: 40554149
I'm likely agreeing with much of what has already been said, so at a minimum, consider this agreement with the others in those areas:

1. Perform a backup on your existing DCs.
2. Run DCDIAG /C /E /V on your DCs (especially if you haven't lately). In theory, you only need to run it on one; I'll be extra cautious and run it on all and then examine the output for any unexplained errors (there are a few that, under some circumstances, can be expected and left alone). Correct any errors. This includes a metadata cleanup of the failed DC (although, in 2008 R2, that should be automated; you can just delete the DC from the Domain Controllers OU). I would still carefully examine DNS and run DCDIAG again to make sure it's all clean and stable.
3. Install the new DC as a member server and join it to the domain.
4. Define/rename the site on another DC.
5. Promote it to a DC.
6. Run DCDIAG AGAIN and verify it's all working well with the new DC.
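The checks both answers above describe (FSMO holders, leftover Sites and Services and computer objects, stale SRV records, functional levels) gathered into one read-only script. This is an added example, not code from the thread; it assumes the ActiveDirectory module is available and uses a placeholder name DC-OLDSITE for the failed DC.

```powershell
# Read-only pre-flight check for a failed DC (added example, not from the thread).
# Run on a surviving DC or an RSAT workstation as a domain admin; needs the
# ActiveDirectory module (Server 2008 R2 or later). Nothing here deletes anything.
Import-Module ActiveDirectory

$FailedDc = 'DC-OLDSITE'   # placeholder: NetBIOS name of the DC that blue-screened

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO roles (same data as "netdom query fsmo"); holders are FQDNs.
$roles = @(
    @('Schema master',         $forest.SchemaMaster),
    @('Domain naming master',  $forest.DomainNamingMaster),
    @('PDC emulator',          $domain.PDCEmulator),
    @('RID master',            $domain.RIDMaster),
    @('Infrastructure master', $domain.InfrastructureMaster)
)
foreach ($r in $roles) {
    $note = if ($r[1] -like "$FailedDc.*") { '  <-- held by failed DC: seize first' } else { '' }
    '{0,-22} {1}{2}' -f $r[0], $r[1], $note
}

# 2. Sites and Services: an NTDS Settings object still under the server object
#    means the metadata has not been cleaned up yet.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
if ($serverObj) {
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)'
    "Server object: $($serverObj.DistinguishedName)"
    "NTDS Settings present (metadata cleanup still needed): $([bool]$ntds)"
} else {
    "No server object for $FailedDc under CN=Sites; metadata already gone."
}

# 3. Computer account in the Domain Controllers OU
$acct = Get-ADComputer -Filter "Name -eq '$FailedDc'" -ErrorAction SilentlyContinue
"Computer account present: $([bool]$acct)"

# 4. Stale SRV records: clients keep being handed the dead DC until these go.
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$stale = nslookup -type=SRV $srvName 2>$null | Select-String -SimpleMatch $FailedDc
"Stale SRV records naming ${FailedDc}: $(@($stale).Count)"

# 5. Functional levels decide which OS version the replacement DC may run.
"Forest FL: $($forest.ForestMode)   Domain FL: $($domain.DomainMode)"
```

Any line flagged above is something to resolve (seize the role, finish the metadata cleanup, delete the DNS record) before promoting the replacement DC into the new site.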