
Here's the history:

SERVER2 was a 2016 Essentials Edition server, standalone with no other DCs. The OS became corrupted in a few areas, and so a decision was made to replace it. A standalone clean install wasn't an option, as applications running on member servers rely heavily on AD user SIDs.

So a second DC was introduced, SERVER3, and the domain/AD/DNS/PDC/fsmo were replicated from SERVER2 to SERVER3. Metadata cleanup was performed on SERVER3 to rid it of any old references to SERVER2. SERVER2 has now been taken permanently offline.

A brand new SERVER2 Essentials Edition has been configured, and it has its own domain/AD/DNS/PDC/fsmo. The display names of the two domains are the same, but the underlying ADs are of course different.

How do I make the new SERVER2 a BDC for SERVER3, replicate everything from SERVER3 to the new SERVER2, and then promote the new SERVER2 to be PDC?

I had some expert assistance to get this far, but unfortunately the tech has been called away. I'm now on my own, mid-project.

Please advise.

--EDIT--

I found this guidance, but it doesn't seem to take into account that I have two PDCs on separate existing domains.

InteXX
  • If Server 2 is now a member of the Server 3 domain, then you simply need to promote Server 2 to a Domain Controller once you've added the AD DS role (which I'm assuming is already installed). You can promote Server 2 to a Domain Controller from Server Manager. – joeqwerty Dec 15 '21 at 00:44
  • I've got SERVER2 promoted to a DC, and I think I've got everything moved from SERVER3 to SERVER2. I used the `Move-ADDirectoryServerOperationMasterRole` cmdlet as described [here](https://theitbros.com/transfer-fsmo-roles-using-powershell/). I did get a `directory service is unavailable` error for the `SchemaMaster` and `DomainNamingMaster` roles, though, which I got past by using the `-force` parameter. He describes deleting the DC whenever roles are seized, so I'm not sure where he's going with that, or even if it applies to me. Your opinion? – InteXX Dec 15 '21 at 01:00

1 Answer


Windows Server Essentials requires being a Domain Controller, but it can be added as a replica DC to an existing domain, as long as you are doing it for migration purposes (i.e., as long as you are going to remove the existing DC):

https://docs.microsoft.com/en-us/windows-server-essentials/migrate/migrate-from-previous-versions-to-windows-server-essentials-or-windows-server-essentials-experience

I'm not really experienced with this heavily-locked-down edition of Windows, but if you go digging in the documentation, it should be possible to replace your existing server with a new Windows Server Essentials one.

However, you'll definitely have to rebuild your new server from scratch, because your current situation (each server hosting its own Active Directory domain) is a dead end and there is no way to "merge" them.

Massimo
  • I think I used the wrong word 'merged' there. I want to dump everything on SERVER2, join SERVER3's domain and replicate everything from SERVER3 to SERVER2. I'm halfway there, I believe, because I just demoted SERVER2 and joined SERVER3's domain. So now I'm off to figure out the replication step. – InteXX Dec 14 '21 at 23:11
  • You just need to promote the server as an additional DC in the existing domain. AD replication is automatic. – Massimo Dec 15 '21 at 14:18
  • OK, I've got SERVER2 promoted to a DC, and I think I've got everything moved from SERVER3 to SERVER2. I used the `Move-ADDirectoryServerOperationMasterRole` cmdlet as described [here](https://theitbros.com/transfer-fsmo-roles-using-powershell/). I did get a `directory service is unavailable` error for the `SchemaMaster` and `DomainNamingMaster` roles, though, which I got past by using the `-force` parameter. He describes deleting the DC whenever roles are seized, so I'm not sure where he's going with that, or even if it applies to me. Your opinion? – InteXX Dec 15 '21 at 15:36
  • The proper way to get rid of a DC is to demote it. Forcibly deleting it should only be used as a last-resort option when the DC is no longer working and you can't perform a proper demotion. If you demote the DC, all references to it will be properly removed from AD and you will not need to cleanup anything. – Massimo Dec 15 '21 at 17:46
  • I'm getting confused by the terminology here. You say: "The proper way to get rid of a DC is to demote it." Is that what I did with this: `Move-ADDirectoryServerOperationMasterRole -Identity "SERVER2" SchemaMaster -Force`? (Note that when I ran it without `-Force` I got this error: `directory service is unavailable`) What exactly happened when I ran it with `-Force` to get it to work? – InteXX Dec 16 '21 at 03:44
  • https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200- – Massimo Dec 16 '21 at 12:35
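The procedure the answer and comments describe (promote the new server as a replica DC, let replication converge, transfer the FSMO roles, then demote the old DC) as one PowerShell sequence. This is an added example and is not code from the question, the answer, or Microsoft's migration guide; it assumes the server names SERVER2 and SERVER3 from the thread, a hypothetical domain name `corp.example`, and an account that is a member of Domain Admins, Enterprise Admins and Schema Admins (the schema and domain-naming roles are forest-wide and need the forest-level groups). The transfer step deliberately omits `-Force`: without it, `Move-ADDirectoryServerOperationMasterRole` performs a cooperative transfer with the current holder, whereas `-Force` seizes the role, which is meant only for a holder that will never come back online.

```powershell
# Added example: replica promotion, FSMO transfer and graceful demotion.
# Assumptions (hypothetical): domain 'corp.example', SERVER3 is the current DC and
# role holder, SERVER2 is a fresh domain-joined member server with the AD DS role installed.

# 1. Record the current role holders before changing anything.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. On SERVER2: promote it as an additional DC in the existing domain.
#    Replication from SERVER3 starts automatically once promotion completes.
Install-ADDSDomainController `
    -DomainName 'corp.example' `
    -InstallDns `
    -Credential (Get-Credential 'CORP\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# 3. After the reboot, confirm replication is healthy before moving roles.
#    Any failure here is the thing to fix first; do not work around it with -Force.
repadmin /syncall SERVER2 /AdeP
repadmin /replsummary
dcdiag /s:SERVER2 /test:Replications

# 4. Transfer (not seize) all five roles to SERVER2. No -Force: this negotiates
#    the handoff with SERVER3, which must be online and reachable.
Move-ADDirectoryServerOperationMasterRole -Identity 'SERVER2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 5. Verify every role now points at SERVER2.
netdom query fsmo

# 6. On SERVER3: demote it cleanly. A proper demotion removes its own
#    references from AD, so no metadata cleanup is needed afterwards.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'SERVER3 local admin password') `
    -Confirm:$false
```

If step 4 reports `directory service is unavailable` for a role, the holder listed in step 1 is not answering LDAP/RPC from SERVER2; check that the holder is up, that it resolves in DNS, and that step 3 shows no replication errors, rather than reaching for `-Force`.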