Workstations lost their trust relationship with the AD domain after the only DC/GC in their AD site was demoted, even though multiple other DC/GCs still exist in the Data Center?


At the moment I'm in an emergency after a simple AD Domain Controller demotion that has gone beyond my understanding.

Data Center AD Site:
2x Win 2008 R2 DC/GC

Head Office AD Site:
1x Win 2012 R2 DC/GC

Problem Site Office AD Site:
1x Win 2012 R2 DC/GC which is also running as AD-Integrated DNS & DHCP

What I did this morning was the completely harmless task of force-demoting a Windows Server 2012 R2 DC that can no longer replicate with any other AD site.

Steps taken:
1. Change the DHCP scope DNS to point to Primary: the Data Center DC/GC IP, Secondary: itself, where it no longer functions as an AD-integrated DNS server since it has no forward lookup zones.
2. Reduce the DHCP scope lease to 6 hours, and wait from yesterday morning until today.
3. Force-demote the AD role.
4. Reboot.
5. Manually go to the AD Users & Computers console to perform metadata cleanup (right-click, delete), then manually search the DNS containers for any name of the DC server that has just been demoted.
6. Wait 30 minutes, and then... the problems start to happen one by one.

The next steps will be taken next week, because I cannot do them myself due to the large number of user complaints bombarding me:
1. Promote it as an AD domain controller.
2. Configure AD-integrated DNS (is it necessary?).
3. Change the DHCP scope lease back to 8 days.
4. Change the DHCP scope DNS to itself and one DNS server in the Data Center AD site.

Now the problem is:
One by one, workstations in the Problem Site office lost their trust relationship with the AD domain. Therefore the fix was to:
1. Leave the domain, reboot.
2. Rename the computer, reboot.
3. Join the AD domain, reboot.
4. Change the name back to the previous name, reboot.
5. The user can now log in to their previous desktop.

There are 89 workstations in the Problem Site office, and now I'm stuck having to manually perform the 4 steps above, one by one, for the entire office.

What could have gone wrong in my steps above?
I can confirm that all of the computers with DHCP-assigned IPs, and also the static ones, can ping the DNS server in the Data Center, but somehow this problem arose.

Any help would be greatly appreciated.

Thanks very much.

Asked by: Senior IT System Engineer (IT Professional)

Senior IT System Engineer (IT Professional, Author) commented:
Note: one thing that I always keep the same is the name & IP of the server, before and after the demotion.

Now the computer is just a member server running DHCP, File Server and Print Server.
Try the following while your site DC is no longer there:
nslookup -q=srv _ldap._tcp.dc._msdcs.yourdomain.priv

Disconnect a workstation from the network.
Log into the workstation with admin rights, reconnect the workstation to the network, rejoin the workstation to the domain without removing it from the network first.
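The nslookup check above can be widened into a short locator diagnostic run from a workstation at the affected site. This is an added example, not code from the thread or its participants; it assumes a placeholder domain name (yourdomain.priv), a placeholder site name (ProblemSite) and a placeholder Data Center DNS server address (10.0.0.10), all of which you replace with your own values.

```powershell
# Added example (not from the thread): what can a workstation at the affected
# site still discover once its only local DC/GC is gone?
# Placeholders to replace: domain name, AD site name, Data Center DNS server IP.
param(
    [string]$Domain    = 'yourdomain.priv',
    [string]$SiteName  = 'ProblemSite',
    [string]$DnsServer = '10.0.0.10'
)

# 1. The SRV records the DC locator uses to find any DC, a DC in this site,
#    a global catalog and a KDC. A demoted DC that still shows up here means
#    its SRV records were not cleaned out of the _msdcs zone.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",                     # any DC in the domain
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain",    # DCs registered for this site
    "_gc._tcp.$Domain",                                 # global catalogs
    "_kerberos._tcp.dc._msdcs.$Domain"                  # KDCs
)

foreach ($name in $records) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        Write-Host "$name ->"
        $srv | ForEach-Object {
            Write-Host ("    {0}:{1} (priority {2})" -f $_.NameTarget, $_.Port, $_.Priority)
        }
    } catch {
        Write-Warning "$name : no SRV records returned by $DnsServer ($($_.Exception.Message))"
    }
}

# 2. Which DC does the Netlogon locator actually pick, and which site does it
#    think this workstation is in? CLOSE_SITE in the flags means a DC from the
#    workstation's own site was found; its absence is expected until the site
#    DC is re-promoted.
$dcInfo = nltest /dsgetdc:$Domain /force 2>&1
$dcInfo | Where-Object { $_ -match '(DC|Dom Name|Site Name|Flags):' } | ForEach-Object { Write-Host $_ }

# 3. Can the chosen DC be reached on the ports a join / secure channel needs?
#    Ping alone (as in the question) does not prove this.
$dcLine = $dcInfo | Where-Object { $_ -match '^\s*DC:\s*\\\\(\S+)' } | Select-Object -First 1
if ($dcLine -match '\\\\(\S+)') {
    $dc = $Matches[1]
    foreach ($port in 53, 88, 135, 389, 445, 464, 3268) {
        $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        Write-Host ("    {0} tcp/{1}: {2}" -f $dc, $port, $(if ($open) { 'open' } else { 'BLOCKED' }))
    }
}

# 4. State of this workstation's own secure channel to the domain.
nltest /sc_query:$Domain
```

Run it as an administrator on one of the workstations that has not yet lost its trust; the output tells you whether clients can still locate a Data Center DC and reach it on the Kerberos, LDAP, SMB and password-change (tcp/464) ports, which is what a working secure channel depends on.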

Senior IT System Engineer (IT Professional, Author) commented:
OK, so what else do I need to do tomorrow when I promote this server as the same domain controller?
Are there any caveats or special steps that I need to be aware of?

If you followed this process, and you have connectivity to the home office data center, and the PDC emulator role exists on the first domain controller in the forest, you should be able to promote and become part of the forest again with your re-promotion.
If all goes well, replication should be fine, though to avoid the current issues in the future you would want to monitor every thirty days or so to make sure replication is functioning as intended.
Make sure your re-promoted DC can reach all the other DCs.
If the remote office was a child domain, and the only one, you may be in trouble. If you are Trusting, and the affected DC was the only one available, then you need to restore from backup, back to where you started. If you do not have a backup, then you are stuck with step 4. My advice is to never demote a broken DC until you have exhausted every possible means of TS.

You might be aware of this while you are working on this problem

If you had DFS issues, then look here for clues to help you resolve

Just in case: at this point, if you get here and nothing is working correctly and you can't go back, my advice is to get on the phone with MS Support and get help. If you are by yourself, this is my advice to you. Have a good day.
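The advice above to verify that the re-promoted DC can reach every other DC, and to check replication every thirty days or so, can be scripted. This is an added example, not code from the thread or its participants; it assumes the ActiveDirectory PowerShell module (RSAT / AD DS tools) is installed on the machine where it runs and that the account running it can query every DC. The 24-hour staleness threshold is a constructed value to adjust to your replication schedule.

```powershell
# Added example (not from the thread): replication health check to run after
# re-promoting the site DC and periodically afterwards.
# Assumes the ActiveDirectory module is available; $staleHours is a constructed
# threshold, tune it to your inter-site replication interval.
Import-Module ActiveDirectory -ErrorAction Stop

$staleHours = 24

# 1. Inventory: every DC, its site, whether it is a GC and any FSMO roles it holds.
#    The demoted server must NOT appear here; if it does, its metadata cleanup
#    was incomplete.
$dcs = Get-ADDomainController -Filter *
$dcs | Sort-Object Site |
    Format-Table HostName, Site, IsGlobalCatalog, OperationMasterRoles -AutoSize |
    Out-String | Write-Host

# 2. Per-DC inbound replication status for every partition: flag partners with
#    consecutive failures or no successful sync within the threshold.
$problems = foreach ($dc in $dcs) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Server = $dc.HostName; Partner = '-'; Partition = '-'
                           Issue  = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $meta) {
        $issue = $null
        if ($m.ConsecutiveReplicationFailures -gt 0) {
            $issue = "$($m.ConsecutiveReplicationFailures) consecutive failures, last result $($m.LastReplicationResult)"
        } elseif ($m.LastReplicationSuccess -lt (Get-Date).AddHours(-$staleHours)) {
            $issue = "last successful sync $($m.LastReplicationSuccess)"
        }
        if ($issue) {
            [pscustomobject]@{
                Server    = $dc.HostName
                # Partner is the NTDS Settings DN; pull the server name out of it.
                Partner   = ($m.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
                Partition = $m.Partition
                Issue     = $issue
            }
        }
    }
}

# 3. Failures AD itself has recorded for the domain (single-domain forest here).
$failures = Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain

if (-not $problems -and -not $failures) {
    Write-Host "Replication healthy: every DC has synced every partition within $staleHours h."
} else {
    Write-Warning "Replication problems found:"
    $problems | Format-Table -AutoSize | Out-String | Write-Host
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize | Out-String | Write-Host
}

# 4. The classic one-screen summary, for comparison with the objects above.
repadmin /replsummary
```

Schedule this on a Data Center DC as a scheduled task and alert on the warning path; catching a DC that has silently stopped replicating is what would have prevented the forced demotion in the first place.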
Senior IT System Engineer (IT Professional, Author) commented:
Guys, this is just a normal single-forest domain, so there is no other child domain in this setup.
Your system was out of sync with replication. Periodically the workstation/DC adjust the key they use. This is why the local workstations that were synchronizing with and querying the local DC are now reflected as lacking a trust relationship: the DC to which they are now trying to connect does not have the current key, nor the one prior. Those two are the only way a system would validate. There is of course a duration for how long the prior key will be valid; I think it might be 5-10 days.
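Both the four-step leave / rename / rejoin / rename-back fix in the question and the key-rotation explanation above concern the workstation's secure channel (its computer account password). The channel can usually be checked and repaired in place, which keeps the computer object and the user's profile intact. This is an added example, not code from the thread or its participants; it assumes a placeholder domain (yourdomain.priv), a placeholder Data Center DC (DC01.yourdomain.priv) that is known to be replicating, and a credential with permission to reset the computer object's password.

```powershell
# Added example (not from the thread): test and repair a workstation's secure
# channel in place. Run locally, as an administrator, on an affected workstation.
# Placeholders: domain name, a replicating Data Center DC, and an account allowed
# to reset this computer's AD password (domain admin or delegated account).
param(
    [string]$Domain = 'yourdomain.priv',
    [string]$Server = 'DC01.yourdomain.priv',
    [pscredential]$Credential = (Get-Credential -Message "Account permitted to reset this computer's AD password")
)

# 1. Which DC is this machine's channel bound to, and is it alive? A status
#    other than 0, or a DC that no longer exists, is the "trust relationship
#    failed" symptom seen at logon.
nltest /sc_query:$Domain

$healthy = Test-ComputerSecureChannel -Server $Server -Verbose
if ($healthy) {
    Write-Host "Secure channel to $Domain via $Server is healthy; nothing to do."
    return
}

# 2. Repair in place: sets a new computer account password on $Server and
#    re-establishes the channel. No domain leave, no rename, no profile changes,
#    so the user keeps their desktop. Point -Server at a DC that is actually
#    replicating, otherwise the new password never reaches the other DCs and
#    the workstation breaks again as soon as it binds elsewhere.
$repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential
if (-not $repaired) {
    # Fallback: force a new machine account password directly on that DC.
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    $repaired = Test-ComputerSecureChannel -Server $Server
}

# 3. Confirm from the DC side, and show when the computer account password last
#    changed. Windows rotates it on a schedule (30 days by default, governed by
#    the Netlogon MaximumPasswordAge setting); a DC that never received the
#    latest change cannot validate the workstation.
nltest /sc_verify:$Domain
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server -Properties PasswordLastSet |
        Select-Object Name, PasswordLastSet, DistinguishedName
}
Write-Host ("Secure channel repaired: {0}" -f $repaired)
```

For the 89 workstations this can be pushed out with a remote execution tool or run from a logon-independent admin session, since a workstation whose secure channel is broken still accepts local administrator logons.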