Restoring active directory

In my environment, I have a local network running on segment 10.1.1.xxx, and a datacenter, connected via router to router vpn, running on 192.168.1.xxx.  I have a active directory server in the datacenter, and one locally.  The local server crashed, and I am unable to recover it.  This server was my local DNS server, and AD server.  I created a new AD server locally, but when I attempt to "Promote to Domain Controller" in Server Manager, it gets an error saying that "an active directory controller for the domain xxx.com could not be contacted".

I have manually created the DNS entries on the new server for machines on both network segments.  I don't know how AD looks up the domain, so a dns entry may be missing.  Not sure.

Can someone assist please in getting the new server promoted.  Or, it there a file that I can restore from the datacenter AD server to get the local server working?

Both servers running W2012R2.
No1CoderAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
You need to point DNS on the server you are promoting to the DNS server in the datacenter site.

Do not manually create the DNS zone data. This will be replicated once you promote that server to a DC.

Also does this DC that crashed hold. Any fsmo roles?

Netdom query fsmo

If it does you will need to seize the roles to another DC. If it did not you can just perform a metadata cleanup.

Also once the DC has been fully replicated point DNS to itself and secondary to the Datacenter site, unless you. Plan to add another DC in this same site. Then point it to that one for secondary.

W.
No1CoderAuthor Commented:
I tried this but still get the same error.  Is it okay that the DNS is on different network segment?
No1CoderAuthor Commented:
I made some progress. I get by the first step, but now I get the following error:

Verification of prerequisites for Domain Controller promotion failed. You cannot install an additional domain controller at this time because the RID master HERITAGE.isc.com is offline.

  Heritage is the machine that crashed.  I told it to replicate from the datacenter server, not Heritage.

Before that, I received the following:

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found....  if you are integrating with an existing DNS structure, manually create a delegation to this DNS server....

I don't understand what this is telling me to do.  I am not an expert in this area.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Will SzymkowskiSenior Solution ArchitectCommented:
domain controller at this time because the RID master HERITAGE.isc.com is offline.

The DC that crashed, holds the RID master role and possibly other roles. You will need to Seize these roles to another DC that is currently online (so that would be your data center DC).

See the link below for full steps on how to Seize the roles to another domain controller. You will also need to perform a metadata cleanup as well. If this DC also held the PDC role you will also need to Seize the PDC role to another DC and setup the authoritative external time source as well.

Seize FSMO Roles
https://support.microsoft.com/en-us/kb/255504

Configure External Time Source
https://support.microsoft.com/en-us/kb/816042
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

Will.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
No1CoderAuthor Commented:
Capture.PNG
Made progress.  I created a read only DC and that worked. Now trying to Seize roles per article, but none work.  See screenshot.  Don't know how to fix.  Tries to seize all 5 roles.  None worked.  All give similar error message.
Lee W, MVPTechnology and Business Process AdvisorCommented:
What failed?  That screen shot you posted is normal when seizing.  Did you read it?

It sais it's Attempting safe transfer of infrastructure FSMO before seizure.
Read through the following lines and the SAFE transfer failed - as you should expect - the holder is offline.
Then it said Transfer of infrastructure FSMO failed, proceeding with seizure ... - as you wanted.  It's now seizing.  According to the final output, the only role not yet transferred is the Naming Master.  

Why would you create a read only DC?

By the way, based on the error and your screen shot, I assume the new server is named "DELUXE" and the old server is "HERITAGE"?
Will SzymkowskiSenior Solution ArchitectCommented:
I created a read only DC and that worked
You do not want to create a RODC.

You need to login to a DC that does not hold the FSMO roles and seize them using NTDSUtil. You need to run the command prompt as administrator as well. Make sure that your account has the proper permissions. Read the directions carefully because you cannot miss any steps or it will not work.

Will.
No1CoderAuthor Commented:
I think I got this to work.  I created a read only dc because it wouldn't create one otherwise. Was getting errors until I made it read only.  At least my new server is alive now and working.

Event though is displayed errors when seizing, it appears to have worked.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.