Replace DC

apavlik64
I had a domain controller fail and am in the process of replacing it. The old machine was running Windows Server 2008. Rather than try to migrate AD from this old version to the new (Server 2019), I'm just going to create user and computer accounts fresh. Can I just name the server the same as before and give it the same IP address and domain name to have the clients authenticate properly? If not, what's the best practice to replace this failed DC?
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
It's probably better to give it a new name. That will make any lingering problems with links to the old DC easier to spot. In fact, if it also did your DHCP as well, I'd recommend a new subnet.

Also, you might look at a second DC and a regular backup to make your job easier when things like this happen.

Author

Commented:
New Domain Name or new DC Name? Or both? The firewall is doing DHCP, so I don't think the new subnet is necessary.
kevinhsieh, Network Engineer

Commented:
No, you cannot just give a new DC the same name and have things be okay. Unless you join a new server to an existing domain and then promote it to a DC, you will be creating a new domain in a new forest. Each domain and forest has a GUID (globally unique ID), so existing domain members will not be fooled by an impostor DC.

If you create a new domain, you need to join all existing computers to the new domain. All user profiles will get recreated fresh. You are creating a new environment from scratch. How big is the environment? This can be a very large undertaking. It might be easier to restore or recover the old DC first.
Author

Commented:
There are 2 sites (subnets) with 55 computers/users.
kevinhsieh, Network Engineer

Commented:
Ever built a new domain from scratch before?

How feasible to recover existing DC? Any other DCs?

All security groups and file permissions need to be recovered as well.

Where is data? On server, PCs, both?

Any backups?

Author

Commented:
Yes, I've built domains from scratch before. That's basically my plan for this if there's no easier way. I don't want to restore the Windows Server 2008 to a new server. I have backups. No data is lost. Just AD, scripts, shares, etc. I was hoping to recreate the same domain name so that I wouldn't have to mess with 55 user profiles (moving data between them) after creating a new domain.
Fridolin Mansmann, Master of Business Engineering Management

Commented:
You could demote the "old" ADDC (clean uninstall of the DC role), then uninstall it and also remove the computer account from AD.
Install the new server with the "old" computer name, then promote it to DC.
Users etc. will be replicated correctly from the second (or existing) DC.
If the DC to be replaced held a primary role, move the role(s) (schema master, ...) first to the DC that is untouched.
You also have to check DHCP and DNS to keep this running, especially the AD-integrated DNS entries, service names, etc.
Give the new DC some time to settle (DNS replication etc.).
At the end you could transfer all roles to the new one.
Use some AD checking tools or scripts to verify replication or errors.
Check event logs carefully, then clean up the errors.
Direct links to shares (on the old DC) etc. must be checked; you would need to create the shares with the same names and permissions on the new ADDC.
Be aware that for such a procedure there is no simple way back, so you should know what you are planning to do.

Overall it is easier to install a new DC with a new name and integrate it into AD, then transfer roles (if required).

Author

Commented:
Thanks, Fridolin, but the old DC isn't operational. Rather than try to repair that I think I'll just start from scratch.
kevinhsieh, Network Engineer

Commented:
Personally, I would restore old DC to a VM, then join a new VM to be the new DC and do a proper migration.

If you want to start from scratch, that's your choice.

There is a paid utility to help manage profile migration.
https://forensit.com/domain-migration.html
Fridolin Mansmann, Master of Business Engineering Management

Commented:
In this case I would recommend a different computer name.
There is also information from Microsoft on how you can cleanse the AD of a DC (server entry, etc.) if it just crashed and was never demoted and uninstalled properly. But this cleansing exercise also means using NTDSUtil (or maybe even ADSIEdit, ...).
DNS cleansing might also be worth considering, depending on whether scavenging is enabled or not.

If the AD has some more ADDCs, usually the orphaned ADDC is not an issue (it is just not available, and the wrong/remaining information is not hurting very much).
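Fridolin's two comments and Kevin's "join a new server to the existing domain, then promote it" describe the procedure in prose. The PowerShell below is an added example, not posted by any of the experts, that carries the crashed-and-never-demoted case through end to end: metadata cleanup done with the AD cmdlets instead of NTDSUtil, stale DNS removal, FSMO seizure, promotion of the replacement and the replication checks. It assumes a surviving DC exists (which the question never confirms); OLDDC, SURVIVINGDC, NEWDC and corp.example are placeholder names.

```powershell
# Added example (not from any commenter). Placeholders: OLDDC = the dead 2008 DC,
# SURVIVINGDC = a remaining DC, NEWDC = the Server 2019 replacement, corp.example = domain.
# Run in an elevated PowerShell as a Domain/Enterprise Admin.
$Domain = 'corp.example'; $OldDc = 'OLDDC'; $NewDc = 'NEWDC'; $SurvivingDc = 'SURVIVINGDC'

# --- On SURVIVINGDC: remove the orphaned DC's metadata -------------------------------
Import-Module ActiveDirectory
$configNC  = (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$OldDc'" `
                          -SearchBase "CN=Sites,$configNC"
# Deleting the NTDS Settings (nTDSDSA) object is the ADSIEdit route; since Server 2008 R2
# AD DS performs the metadata cleanup itself when that object is removed.
Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $serverObj.DistinguishedName |
    Remove-ADObject -Recursive -Confirm:$false
Set-ADObject -Identity $serverObj -ProtectedFromAccidentalDeletion $false
Remove-ADObject -Identity $serverObj -Recursive -Confirm:$false   # site server object
Remove-ADComputer -Identity $OldDc -Confirm:$false                # OU=Domain Controllers account

# Stale DNS: drop the dead DC's A record (its SRV records only age out if scavenging is on).
Get-DnsServerResourceRecord -ZoneName $Domain -Name $OldDc -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $Domain -Force

# Seize any FSMO roles the dead DC held (-Force seizes instead of transferring).
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDc -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# --- On NEWDC (already joined to corp.example as a member server) ----------------------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -ReplicationSourceDC "$SurvivingDc.$Domain" `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# After the reboot, let replication settle, then verify before moving roles to NEWDC.
repadmin /replsummary
dcdiag /test:replications /test:dns /test:advertising
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles
```

Only run the cleanup half against a DC that is truly gone; if the 2008 box can still be restored, Kevin's restore-to-a-VM-then-migrate route avoids the seizure entirely.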
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
@Fridolin, I believe the Author has said the original DC is gone and there is no backup of it.

Author

Commented:
I'm starting a DC from scratch.
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
I believe that is what Kevin explained above, so he should have been awarded the solution.
