Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Server 2008 R2 Active Directory

Posted on 2015-01-16
Medium Priority
Last Modified: 2015-01-20
we have main office and 6 sites We have a DC on each site
One site moved to a new building.During move,movers pulled power cable and DC never came back - blue screen
Our IT director said that in this case we should build a new DC with name reflecting new place location and new site
What steps should I take and what sequence of those steps should be
This is the first time I will do it from beginning to the end
Question by:Vadim Mikhal
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 40553455
Make sure you have a full backup. Especially of AD.

A few things you probably need to keep in mind:

1. Create the site or make sure that the site has been created in AD Sites and Services
2. Check the replication health of your AD
3. Ensure that your FSMO roles are on your working DCs
4. Clear out any references to your failed DC from DNS, etc. Especially on  the DHCP server settings and on any statically configured domain members or DCs.
5. Clean up the metadata http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Author Comment

by:Vadim Mikhal
ID: 40553735
No Backup
LVL 53

Accepted Solution

Will Szymkowski earned 2000 total points
ID: 40553784
You do not need a backup in the case because you have multiple DC's in your environment at other sites. Your new DC will get all of the changes via replication.

You do however need to find out was this DC that failed holding any of the FSMO roles. Run the below command to check.
netdom query fsmo
If this DC does not have any FSMO roles assigned to it then it should be less work.

In server 2008 and up if you have a DC that has failed and it does not hold and FSMO roles then all you should need to do is deleted the computer account in Active Directory Users and Computers / and Sites-and-Services. Typically I still like to go back and check all of the places especially the SRV records in DNS integrated AD Zone (old school).

So that being said the link below will illustrate how to completely cleanup your Active Directory failed domain controller.

In the meantime what i would do for your clients is have them point to another DC in a different site. Depending on the latency it might take a bit longer to authenticate but once they have got their token from a different DC other services should be faster. This will at least get them up and running so that they can continue to work while you build another DC.

Once all of the metadata has been successfully removed, you can start the process of introducing the domain controller. Just remember that depending on the FFL and DFL of your current Active Directory you need to promote the appropriate OS version of domain controller.

So if your AD FFL/DFL is 2008R2 you cannot promote any DC's that are a prior OS version of Windows Server 2008 R2. Keep that in mind.

Metadata Cleanup (technet)

LVL 10

Expert Comment

by:Muhammad Mulla
ID: 40553835
Always make a backup before making potentially dangerous changes, such as ADSI Edits.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40554149
I'm likely agreeing with much of what has already been said, so at a minimum, consider this agreement with the others in those areas:

1. Perform a backup on your existing DCs.
2. Run DCDIAG /C /E /V on your DCs (especially if you haven't lately).  In theory, you only need to run it on one, I'll be extra cautious and run it on all and then examine the output for any unexplained (there are a few that, under some circumstances, can be expected and left alone).  Correct any errors.  This includes a metadata cleanup of the failed DC (although, in 2008 R2, that should be automated, you can just delete the DC from the Domain Controller's OU.  I would still carefully examine DNS and run DCDIAG again to make sure it's all clean and stable.
3. Install the new DC as a member server and join it to the domain.
4. Define/rename the site on another DC.
5. Promote it to a DC.
6. Run DCDIAG AGAIN and verify it's all working well with the new DC.

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question