

Server 2008 R2 Active Directory

Posted on 2015-01-16
Medium Priority
Last Modified: 2015-01-20
We have a main office and 6 sites. We have a DC on each site.
One site moved to a new building. During the move, movers pulled the power cable and the DC never came back - blue screen.
Our IT director said that in this case we should build a new DC with a name reflecting the new location and a new site.
What steps should I take, and in what sequence should those steps be?
This is the first time I will do it from beginning to end.
Question by:Vadim Mikhal
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 40553455
Make sure you have a full backup. Especially of AD.

A few things you probably need to keep in mind:

1. Create the site or make sure that the site has been created in AD Sites and Services
2. Check the replication health of your AD
3. Ensure that your FSMO roles are on your working DCs
4. Clear out any references to your failed DC from DNS, etc. Especially in the DHCP server settings and on any statically configured domain members or DCs.
5. Clean up the metadata http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Author Comment

by:Vadim Mikhal
ID: 40553735
No Backup
LVL 53

Accepted Solution

Will Szymkowski earned 2000 total points
ID: 40553784
You do not need a backup in this case because you have multiple DCs in your environment at other sites. Your new DC will get all of the changes via replication.

You do, however, need to find out whether the DC that failed was holding any of the FSMO roles. Run the below command to check.
netdom query fsmo
If this DC does not have any FSMO roles assigned to it then it should be less work.

In Server 2008 and up, if you have a DC that has failed and it does not hold any FSMO roles, then all you should need to do is delete the computer account in Active Directory Users and Computers and in Sites and Services. Typically I still like to go back and check all of the places, especially the SRV records in the AD-integrated DNS zone (old school).

That being said, the link below will illustrate how to completely clean up your failed Active Directory domain controller.

In the meantime, what I would do for your clients is have them point to another DC in a different site. Depending on the latency it might take a bit longer to authenticate, but once they have got their token from a different DC, other services should be faster. This will at least get them up and running so that they can continue to work while you build another DC.

Once all of the metadata has been successfully removed, you can start the process of introducing the new domain controller. Just remember that, depending on the FFL and DFL of your current Active Directory, you need to promote the appropriate OS version of domain controller.

So if your AD FFL/DFL is 2008 R2, you cannot promote any DCs that are a prior OS version to Windows Server 2008 R2. Keep that in mind.

Metadata Cleanup (technet)
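The FSMO check and the hunt for leftover references described above, as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module on a healthy DC, and DC-OLDSITE is a placeholder for the failed DC's hostname.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) on a
# healthy DC; 'DC-OLDSITE' is a placeholder for the failed DC's hostname.
Import-Module ActiveDirectory

$FailedDc = 'DC-OLDSITE'
$Domain   = Get-ADDomain
$Forest   = Get-ADForest

# 1. FSMO check (the same information "netdom query fsmo" shows), compared against
#    the failed DC. Any role still listed here must be seized on a healthy DC first.
$roles = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$FailedDc.*" }
if ($held) {
    "Failed DC still holds FSMO roles:"
    $held | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }
} else {
    "Failed DC holds no FSMO roles."
}

# 2. Leftover AD objects: the server and NTDS Settings objects under Sites, and the
#    computer account. Anything listed is what metadata cleanup still has to remove.
$configNc = $Forest.PartitionsContainer -replace '^CN=Partitions,', ''
Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object {
        "Stale server object: $($_.DistinguishedName)"
        Get-ADObject -SearchBase $_.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' |
            ForEach-Object { "  NTDS Settings still present: $($_.DistinguishedName)" }
    }
Get-ADComputer -LDAPFilter "(cn=$FailedDc)" |
    ForEach-Object { "Computer account still present: $($_.DistinguishedName)" }

# 3. DNS: dump the _msdcs zone from the PDC emulator with dnscmd (present on 2008 R2)
#    and list the SRV records that still point at the failed DC.
$zone = "_msdcs.$($Forest.RootDomain)"
dnscmd $Domain.PDCEmulator /ZonePrint $zone |
    Where-Object { $_ -match '\sSRV\s' -and $_ -match "\b$FailedDc\." } |
    ForEach-Object { "Stale SRV record: $_" }
```

Run it before and again after the metadata cleanup; a clean run prints no stale objects or records and no roles on the failed DC.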

LVL 10

Expert Comment

by:Muhammad Mulla
ID: 40553835
Always make a backup before making potentially dangerous changes, such as ADSI Edits.
LVL 97

Expert Comment

by:Lee W, MVP
ID: 40554149
I'm likely agreeing with much of what has already been said, so at a minimum, consider this agreement with the others in those areas:

1. Perform a backup on your existing DCs.
2. Run DCDIAG /C /E /V on your DCs (especially if you haven't lately). In theory, you only need to run it on one; I'd be extra cautious and run it on all and then examine the output for any unexplained errors (there are a few that, under some circumstances, can be expected and left alone). Correct any errors. This includes a metadata cleanup of the failed DC (although, in 2008 R2, that should be automated; you can just delete the DC from the Domain Controllers OU). I would still carefully examine DNS and run DCDIAG again to make sure it's all clean and stable.
3. Install the new DC as a member server and join it to the domain.
4. Define/rename the site on another DC.
5. Promote it to a DC.
6. Run DCDIAG AGAIN and verify it's all working well with the new DC.
