How do you script remotely promoting a windows server to a domain controller from a windows server that is not a member of that same domain?

Keith Davis
Hi, I am trying to promote a Windows 2016 server (SERVER2) to a domain controller in MYDOMAIN from a Windows server that is not part of that same domain. Then clean up the metadata left over from SERVER1 that is never coming back online. Then run dcdiag health checks against SERVER2 (now a domain controller in MYDOMAIN) and other already existing domain controllers in that same domain. I am not looking to build a script that needs no input. Someone will be providing account names and password for the admin account (member of Enterprise Administrators) used to authenticate to MYDOMAIN.

And thank you for any and all help from anyone offering, regardless if your suggestion is used or not. I appreciate it very much.

I can use PowerShell to load ADDS and promote the server I am logged onto to a domain controller, I am just hung up on how to do it remotely. There aren't any issues with running ntdsutil from a standalone server against domain controllers in MYDOMAIN, are there?
Did you check if it's possible with PowerShell Remoting?
I think it's a bit more difficult when the machines are on different domains, but it can be done.
Alex

Commented:
This is massively confusing,

  • why don't you just remote onto the 2016 box and promote it correctly?
  • Why are you using NTDSUTIL to clean up metadata?
  • Why aren't you demoting "SERVER1" cleanly?
  • Have you looked into where your FSMO roles are?
  • What is the whole reason for all this?

Can you please break it down into what you're actually doing, why you're doing it and what your end goal is.

Thanks
Alex
Author

Commented:
Thanks guys.

Michael.
I will read the article.

Alex.
why don't you just remote onto the 2016 box and promote it correctly?
We need to ensure an engineer at the lowest levels can execute the script and bring up the DC

Why are you using NTDSUTIL to clean up metadata?
I guess because it can? If you have a better solution, I am all ears.

Why aren't you demoting "SERVER1" cleanly?
It seizes the operations master roles while contained in network isolation.

Have you looked into where your FSMO roles are?
Yes. We are good there.

What is the whole reason for all this?
It's for a DR process. It will happen across many, individually separate domains.

Thanks again!
Alex

Commented:
why don't you just remote onto the 2016 box and promote it correctly?
We need to ensure an engineer at the lowest levels can execute the script and bring up the DC

Installing ADDS is a feature now and requires little to no interaction, a 4 year old with some half decent documentation could do it.

Why are you using NTDSUTIL to clean up metadata?
I guess because it can? If you have a better solution, I am all ears.

No, just no, NTDSUTIL is primarily used for fixing issues, not forcibly demoting your domain controllers, it's a terrible idea, just demote it using Microsoft best practice. Which is using Windows to demote it. NTDSUTIL is more than capable of completely crippling your AD. I certainly wouldn't give it to "an engineer at the lowest level".


Why aren't you demoting "SERVER1" cleanly?
It seizes the operations master roles while contained in network isolation.

I still don't understand why you're doing this.


What is the whole reason for all this?
It's for a DR process. It will happen across many, individually separate domains.

So let me get this right, you're planning for a complete AD failure and as such, you're trying to write a script that you can implement to rebuild the entire AD structure and/or promote all new DCs into an environment, and you're actually going to try to script it so it works on any domain. Entirely not possible, there are too many factors when promoting, demoting, trying to even fix a domain controller when it goes wrong that your best option is to pull that DC out, i.e. demote it and, if you absolutely, positively must, NTDSUTIL it out of your domain. It's a filthy way to do it and you will end up in a really bad way trying to script this solution. You wouldn't get any support from Microsoft if/when they found out you were doing it in this fashion.

Author

Commented:
Alex,
This is for DR, not in case of some one-off failure of AD. I do this process now manually for DR tests. People forcibly eject DCs. Microsoft has documentation on it. Why would NTDSUTIL have switches to handle such an issue? I am trying to write these posts with some things as a given, I do realize the script would need to be changed for each domain that we have set up. I am trying to write a script for a manual process that we do now and have done for years manually without issue and without Microsoft refusing us support. Again, we do this now and have never had issues. This is for DR testing. Cloning the DC is not possible as the current platform where these servers reside does not allow it. Thanks for your efforts. I do appreciate you.

Author

Commented:
All I really need help with is scripting the best way to promote a server to a DC remotely from a machine that is not a member of that domain. This would be run from a jump server and the person would be able to provide credential information. Thanks
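One way to do the remote promotion and health check the asker describes, following the PowerShell Remoting route the first reply points at. This is an added sketch, not code from the thread or from any of its participants; it assumes a workgroup jump host with RSAT (ActiveDirectory module and dcdiag) installed, WinRM reachable on SERVER2 and on a surviving DC, and placeholder names (`mydomain.local`, `DC01`) that must be replaced per domain. Metadata cleanup of SERVER1 is deliberately left out of the script.

```powershell
# Added example, not from the original thread. Placeholders: $domain, $existing.
$target   = 'SERVER2'
$domain   = 'mydomain.local'   # placeholder FQDN of MYDOMAIN
$existing = 'DC01'             # placeholder: a healthy DC that is still online

# 1. A non-member jump host authenticates over WinRM with NTLM, so the targets must be
#    listed in TrustedHosts. Scope it to the exact names, never '*'.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$target,$existing" -Concatenate -Force

$localCred = Get-Credential -Message "Local administrator on $target"
$dcCred    = Get-Credential -Message "Enterprise Admin for $domain (enter as DOMAIN\user)"
# The DSRM password is mandatory; if it is omitted the cmdlet prompts, which fails remotely.
$dsrm      = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password for the new DC'

$session = New-PSSession -ComputerName $target -Credential $localCred

# 2. Install the role, run the preflight test, then promote. $using: carries local variables
#    (PSCredential and SecureString included) into the remote runspace. -NoRebootOnCompletion
#    keeps the session alive so the result object can be inspected before rebooting.
$result = Invoke-Command -Session $session -ScriptBlock {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    $common = @{
        DomainName                    = $using:domain
        Credential                    = $using:dcCred
        SafeModeAdministratorPassword = $using:dsrm
        InstallDns                    = $true
    }
    $pre = Test-ADDSDomainControllerInstallation @common
    if ($pre.Status -eq 'Error') { return $pre }   # surface blocking issues, do not promote
    Install-ADDSDomainController @common -NoRebootOnCompletion -Force
}
$result | Format-List Status, Message
if ($result.Status -eq 'Error') { Remove-PSSession $session; throw 'Promotion aborted' }

# 3. Reboot the new DC (the session dies with it) and wait until WinRM answers to domain creds.
Invoke-Command -Session $session -ScriptBlock { Restart-Computer -Force } -ErrorAction SilentlyContinue
Remove-PSSession $session
do { Start-Sleep -Seconds 30 }
until (Test-WSMan -ComputerName $target -Credential $dcCred -Authentication Negotiate -ErrorAction SilentlyContinue)

# 4. Run dcdiag on the new DC and on a pre-existing one. Running it in a session on each DC
#    avoids putting the admin password on a dcdiag /u /p command line on the jump host.
foreach ($dc in $target, $existing) {
    Invoke-Command -ComputerName $dc -Credential $dcCred -Authentication Negotiate -ScriptBlock { dcdiag /q }
}
```

Each `Invoke-Command` here is a single hop from the jump host, so no credential delegation (CredSSP) is needed; every value the operator types stays in a `PSCredential` or `SecureString` rather than in script text or the process command line.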
