Issues adding new DC to network after main DC broke down

Question

What I try to do should be something simple but I made in ended up bad.

We have a virtual network and virtual machine set up on Azure East Asia region datacenter originally. Then, we decided to move all the resources to Southeast Asia region which datacenter is located at Singapore. Our offices are located in Malaysia, so, we think that data transfer will be faster to Singapore.

First, I prepared main DC, PYRUS, which sit on the Azure East Asia datacenter for custom virtual image capture by following this guide. Then, I generalized the vhd and captured the image by following this guide. I thought I can still start the generalized VM but later I found it is not possible, no turn back for me. Lastly, I tried to create the virtual machine followed this guide but it returned some general errors without useful debug information. After a day spent on fixing this, I had no luck and decided to give up this.

I came out with the idea to make one of the branch DC as main DC and add a new DC, LOTUS, on cloud and take over the main DC role later. I followed the steps here to seize the FSMO roles on IRIS and let LOTUS replicate everything from IRIS later. I followed the steps exactly, I seized infrastructure master, PDC, RIC master and naming master. I also deleted all DNS records on IRIS' DNS. When I tried to promote LOTUS as a new DC in the domain, I got these errors:

I spent half day looking for solution or possible clue on the error logs/event viewer of AD DC but couldn't find anything helpful to solve my problem.

I have limited knowledge on this screwed up everything. I have no clue on what to do now. Can anyone tell me the best solution for this or way to fix one of the issue above ?

I appreciate your help a lot. Thank you so so so much.

Have you check Active Directory sites and Services for Pyrus? Take a look at the following for cleanup of old DC https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx — Drifter104, Jun 13 '16 at 14:13
@Drifter104 I did this. PYRUS was deleted from Active Directory Sites and Services. — CK Tan, Jun 13 '16 at 14:19
@joeqwerty Thanks for reminding me. I just added the hyperlink. Do you have any idea what should I do to fix my issues ? — CK Tan, Jun 13 '16 at 14:20
The error message would imply PYRUS is still in there somewhere. Perhaps it hasn't replicated all changes if you completely followed that guide — Drifter104, Jun 13 '16 at 14:23
@RyanRies , thanks for your comment. May I know how to run these commands ? Is it on Powershell ? — CK Tan, Jun 13 '16 at 14:57
Hi, @Drifter104. I just checked again and PYRUS doesn't exist on IRIS Active Directory Sites and Services. I didn't delete the records on FLORA. Is it possible the issue is caused by data not replicated between IRIS and FLORA ? — CK Tan, Jun 13 '16 at 15:02
@RyanRies I saw PYRUS exists in the output after running the command with Active Directory Module for Windows Powershell. Here is the link to the print screen : http://i.imgur.com/C9XKEdb.png . Mind to give me some idea what to do to correct them ? — CK Tan, Jun 13 '16 at 15:11

Ryan Ries · Accepted Answer · 2016-06-13T18:06:36.980

2

Moving comments to answer so as to avoid extended discussion via comments.

Run these two commands:

Foreach ($NC In (Get-ADRootDSE).namingContexts) { Get-ADObject "CN=Infrastructure,$NC" -Properties fSMORoleOwner }

And

Foreach ($NC In (Get-ADRootDSE).namingContexts) { Get-ADObject $NC -Properties fSMORoleOwner }

You need the Active Directory module for Powershell, which is installed on new domain controllers by default.

You might see a couple of errors, but ignore those. Look at the fSMORoleOwner attribute of any objects returned. Do any of them reference the old DC? If so, correct them.

(Stealing your screenshot)

Use AD Sites and Services and go find the distinguished name of the NTDS Settings object under the extant (the new DC) domain controller. It will be something like this:

CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com

DC01 in your case will be IRIS.

In AD Sites and Services, right-click on the NTDS Settings object and go to Properties, and then to the Attribute Editor tab. Find and copy the distinguishedName.

Take this string and put it into the fsmoRoleOwner attribute of the objects that you found with the Powershell commands earlier. You will probably need to use ADSIEdit to locate them all.

Note: The procedure that I have described here should only be done after you have followed the normal metadata cleanup procedures. This is not a replacement for metadata cleanup, but rather a supplement to it.

edited Jun 13 '16 at 18:06

answered Jun 13 '16 at 15:25

Ryan Ries

55,481
10
142
199

Is this really safe way to take over FSMO role? – Nikita Kipriyanov Jun 13 '16 at 16:26
@NikitaKipriyanov The FSMO roles have already been seized, according to OP. This is just house cleaning. – Ryan Ries Jun 13 '16 at 16:33
@RyanRies Finally, all data related to PYRUS has been removed. I got Lotus joined to the domain too. Now, should I remove the data related to PYRUS on FLORA manually too ? Just like what I had done to IRIS so that it won't cause replication error. – CK Tan Jun 13 '16 at 17:06
@C.k. Yes, you should continue removing references to the decommissioned domain controller. However, the procedure that I have described here should *only* be done *after* you have followed the normal metadata cleanup procedures like this: https://technet.microsoft.com/en-us/library/cc728068(WS.10).aspx – Ryan Ries Jun 13 '16 at 17:59
@RyanRies , I did a normal metadata cleanup on FLORA. However, FLORA just won't replicate anything from LOTUS. How can I manually make FLORA to recognize LOTUS and replicate the data ? Thanks. – CK Tan Jun 14 '16 at 07:16
@C.k. I would start a new question with this problem, and supply the output of `repadmin /showrepl /v` in the question that shows the replication errors. – Ryan Ries Jun 14 '16 at 12:47

Issues adding new DC to network after main DC broke down

1 Answers1

Linked