
Can anyone please help me out?

Our primary Server 2008 (I know) DC died from what I believe was a bad hard drive. The secondary 2012 R2 DC will not take on responsibility until it "syncs", so other than SEIZING the FSMO roles, do I have any other options to allow users to authenticate to shares etc.?

I cannot even currently run `netdom query fsmo` on the secondary, as it fails and says the domain does not exist.

FWIW: I don't think the primary will be coming back to life at all, and I am scared to lose the system state of AD. I could build a new server (or host one on Azure), but how can I make sure I don't have to start AD back from scratch?

Ike12
  • The DNS server is waiting for (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer – Ike12 Jun 28 '20 at 16:06
  • Make sure that the second DC is using itself for Primary DNS and is using 127.0.0.1 for Secondary DNS in the TCP/IPv4 properties of the NIC. – joeqwerty Jun 28 '20 at 16:43
  • `other than SEIZE the role of FSMO do i have any other options`. Why? If you only have one DC you have to seize the roles. – Greg Askew Jun 28 '20 at 16:45

1 Answer


If your "primary" domain controller can't be repaired, you must seize the FSMO roles and then do a metadata cleanup. If your domain was fine until that point, then you won't have to fear losing data. Only if your domain had sync and replication issues before your domain controller went down would you lose the data that was not synced to your working DC. But in that case you were running a split-brain domain and you would lose data either way. So seizing the roles is not a bad choice.

There is an extensive Microsoft Knowledge Base article about that here: https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control

Once you have done that, do not turn the broken domain controller back on, as this will cause damage to your Active Directory. Then deploy a second domain controller, but do not give it the same name as the deprovisioned one! It must be a unique hostname!

Daniel
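The procedure in the answer above (fix the DNS client settings the comments mention, seize all five FSMO roles onto the surviving DC, clean up the dead DC's metadata, verify), written out as an added PowerShell example. This is not code from the original post or from Microsoft's KB article; it uses the ActiveDirectory module and ntdsutil that ship with Server 2012 R2. The domain name `corp.example.com`, the DC names `DC02` (survivor) and `DC01` (dead), the site name `Default-First-Site-Name`, the IP address and the interface alias are all hypothetical placeholders to adjust before running. Run it in an elevated PowerShell session on the surviving DC.

```powershell
# Added example, not from the original post. All names and addresses below are
# hypothetical placeholders; replace them with your own before running.
Import-Module ActiveDirectory

$survivor   = 'DC02'                     # surviving 2012 R2 DC (hypothetical)
$deadDc     = 'DC01'                     # dead 2008 DC being removed (hypothetical)
$survivorIp = '10.0.0.12'                # survivor's own static IPv4 address (hypothetical)
$nicAlias   = 'Ethernet'                 # survivor's NIC alias (hypothetical)
$deadDcDn   = "CN=$deadDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com"

# 1. DNS client on the survivor: itself as primary, 127.0.0.1 as secondary
#    (the setting joeqwerty recommends in the comments). Nothing should still
#    point at the dead DC.
Set-DnsClientServerAddress -InterfaceAlias $nicAlias -ServerAddresses @($survivorIp, '127.0.0.1')
Get-DnsClientServerAddress -InterfaceAlias $nicAlias -AddressFamily IPv4

# 2. Seize all five FSMO roles. -Force seizes rather than transfers, which is
#    what you need when the current holder is unreachable. This is the
#    PowerShell equivalent of the ntdsutil "seize ..." commands in the KB article.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Verify every role now lives on the survivor before touching metadata.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles
$stray = $roles.GetEnumerator() | Where-Object { $_.Value -notlike "$survivor.*" }
if ($stray) {
    throw "Seizure incomplete, these roles are not on ${survivor}: $($stray.Key -join ', ')"
}

# 4. Metadata cleanup of the dead DC. The quoted-argument form of ntdsutil runs
#    the same "metadata cleanup" / "remove selected server" steps the KB article
#    describes interactively; it removes the NTDS Settings, server and
#    computer objects and the replication links that still reference $deadDc.
ntdsutil "metadata cleanup" "remove selected server $deadDcDn" quit quit

# 5. Confirm nothing still references the dead DC: no replication partner named
#    $deadDc, and dcdiag's FSMO check passes against the survivor.
repadmin /showrepl $survivor
dcdiag /s:$survivor /test:fsmocheck /test:replications
```

Two caveats a practitioner would want alongside the answer. First, delete the dead DC's A, SRV and NS records from DNS after step 4 if any remain (DNS Manager or `Remove-DnsServerResourceRecord`); clients that still resolve `DC01` will otherwise keep trying a host that no longer exists, and the old box must never be powered on again, exactly as the answer says. Second, if step 2 itself fails because the surviving DC is still refusing to advertise until its initial synchronization completes (the DNS event quoted in the comments), the Microsoft-documented workaround, not mentioned on this page, is to set the REG_DWORD `Repl Perform Initial Synchronizations` to 0 under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, reboot, run the script, and then remove the value again so the DC goes back to its normal startup checks.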