
What would be the best way to rejoin my machines to AD02 and AD01?

Background: Previously we had 3 domain controllers (AD01, AD02, AD03) running in redundancy; all machines were connected to the same network (192.168.1.0/24) and domain (DDF.SDT.NET). Refer to the top diagram.

Currently 2 domain controllers (AD01, AD02) and Clients 1-12 are together, and Domain Controller AD03 and Clients 13-18 have been relocated to another area. Now Clients 1-12 use AD01 & AD02, and Clients 13-18 use AD03. Note: there is no communication between AD01|02 and AD03, as they have been isolated. Refer to the middle diagram.

Now, after a few years, we would like to reconnect Clients 13-18 to AD01 and AD02, and also decommission AD03. Refer to the bottom diagram.

The question is: what would be the best way to connect Clients 13-18 back to AD01 and AD02? Assume no additional users have been created on AD03.


2 Answers

1

The proper approach is to treat your 3rd domain controller like it's radioactive. Get rid of it. Do a metadata cleanup to clear it out of your domain, and then rejoin the client PCs to your domain. They likely think they're domain members, so this will probably involve going through the client-side steps to unjoin them from your domain, and then join them back.

HopelessN00b
  • Okay, so let me just clarify. I will no longer connect my AD03 into the domain. Do a force removal of AD03, then proceed with the server metadata cleanup of AD03 on AD01|AD02. Reconnect my 12-18 clients into the network and proceed with an unjoin & join, assuming the trust relationship between AD01|02 and the 12-18 clients has already expired. Is my understanding correct? – ServerGalore Oct 18 '16 at 22:46
  • @ServerGalore Yup. – HopelessN00b Oct 18 '16 at 22:54
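The procedure in this answer (seize anything AD03 still owns, metadata cleanup, clean up DNS, then fix the clients) as an added PowerShell example. This is not HopelessN00b's code or from the original post; it assumes the domain DDF.SDT.NET from the question, that it is run elevated on AD01 as a Domain Admin, that AD03 stays powered off for good, and that the site name `Default-First-Site-Name` and the client fallback to `WORKGROUP` are placeholders you replace with your own values.

```powershell
# Added example (not from the original answer): forced removal of the stale DC
# AD03 from a surviving DC, followed by the client-side steps the answer describes.
# Assumptions: run in an elevated PowerShell on AD01 as a member of Domain Admins;
# AD03 is powered off and will never be reconnected; site name is a placeholder.
Import-Module ActiveDirectory

$staleDc  = 'AD03'
$siteName = 'Default-First-Site-Name'   # placeholder: the site AD03 was defined in
$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. No operations master (FSMO) role may still point at AD03. Seize any that do
#    onto AD01; roles already held by AD01/AD02 are left alone.
$roles = @{ PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
            SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
$toSeize = $roles.GetEnumerator() | Where-Object { $_.Value -like "$staleDc.*" } | ForEach-Object { $_.Key }
if ($toSeize) {
    Write-Warning "Seizing $($toSeize -join ', ') from $staleDc onto AD01"
    Move-ADDirectoryServerOperationMasterRole -Identity 'AD01' -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Metadata cleanup. On Windows Server 2008 and later, deleting a DC's NTDS
#    Settings object performs the same cleanup as
#    "ntdsutil: metadata cleanup / remove selected server".
$ntdsDn = "CN=NTDS Settings,CN=$staleDc,CN=Servers,CN=$siteName,CN=Sites,$configNC"
try   { Remove-ADObject -Identity $ntdsDn -Recursive -Confirm:$false -ErrorAction Stop }
catch { Write-Warning "NTDS Settings for $staleDc not found or already cleaned: $_" }

# Leftovers the cleanup does not always remove: the server object in the site
# and the DC's own computer account.
$serverDn = "CN=$staleDc,CN=Servers,CN=$siteName,CN=Sites,$configNC"
Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false -ErrorAction SilentlyContinue
Get-ADComputer -Filter "Name -eq '$staleDc'" |
    Remove-ADObject -Recursive -Confirm:$false -ErrorAction SilentlyContinue

# 3. Stale DNS records: the host A record, the SRV records AD03 registered and
#    its DSA-GUID CNAME under _msdcs. Assumes AD-integrated DNS on AD01 with the
#    DnsServer module available; an absent _msdcs zone is skipped.
$root = $domain.DNSRoot
foreach ($zone in @($root, "_msdcs.$root")) {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq $staleDc } |
        Remove-DnsServerResourceRecord -ZoneName $zone -Force
    Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$staleDc.$root*" } |
        Remove-DnsServerResourceRecord -ZoneName $zone -Force
    Get-DnsServerResourceRecord -ZoneName $zone -RRType CName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.HostNameAlias -like "$staleDc.$root*" } |
        Remove-DnsServerResourceRecord -ZoneName $zone -Force
}

# 4. Verify: AD03 is gone from the DC list and AD01/AD02 replicate cleanly.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
repadmin /replsummary

# 5. On each of clients 13-18 (run locally, elevated) once they are back on
#    192.168.1.0/24. Their machine-account password known to AD01/AD02 is years
#    old, so the secure channel check is expected to fail. -Repair resets the
#    machine password against a reachable DC without a full unjoin/rejoin; if
#    that also fails (account purged), do the explicit unjoin and rejoin.
$cred = Get-Credential -Message 'Domain admin for DDF.SDT.NET'
if (-not (Test-ComputerSecureChannel -Server 'AD01.DDF.SDT.NET')) {
    if (-not (Test-ComputerSecureChannel -Repair -Server 'AD01.DDF.SDT.NET' -Credential $cred)) {
        # Unjoin to a workgroup (placeholder name) and reboot; after the reboot run:
        #   Add-Computer -DomainName 'DDF.SDT.NET' -Credential $cred -Server 'AD01.DDF.SDT.NET' -Restart
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
    }
}
```

Steps 1-4 run on the surviving DC; step 5 runs on each relocated client. The secure-channel repair is worth trying first because clients 13-18 were originally joined while all three DCs replicated, so AD01/AD02 still hold their computer accounts, just with a stale password.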
-1

If one of the domain controllers has been isolated for such a long time, you will probably need to rejoin machines 13-18 to the domain again. But how do you specify which client machines talk to which controller? AFAIK you can assign AD sites to IP subnets, but not to single addresses. Try and revive the connectivity between AD01&02 and AD03 and see if they're able to replicate from each other. If yes - you can safely demote AD03 and just leave clients 13-18 be. If no - you need to rejoin machines 13-18.

DominikP
  • DC03 has been isolated for a few years so I assume it has already exceeded the tombstone period. I didn't specify which DC the clients talk to. Since Clients 13-18 were shipped with AD03 they are communicating with AD03. And since Clients 1-12 were shipped with AD01 & AD02 they communicate with AD01 and AD02. – ServerGalore Oct 18 '16 at 07:22
  • My concern is what if I revive the connection between AD01&02 and AD03. There might be a chance that AD03 will overwrite my AD01&02 with its current configuration, for I no longer have track of the changes. – ServerGalore Oct 18 '16 at 07:23
  • In a case where AD03 can no longer communicate with AD01&02 due to exceeding the tombstone period, I might need to force demote it and unjoin my 13-18 clients and join them back to AD01&02. Correct? – ServerGalore Oct 18 '16 at 07:24
  • It *shouldn't* overwrite anything not related to clients 13-18 because in AD replication the last writer always wins. If you're not sure about this, how about you move AD02 temporarily to the site with AD03? In case everything falls apart, you'll still have AD running on AD01... – DominikP Oct 18 '16 at 09:17
  • The thing is I am no longer sure who was the last writer; someone might have modified AD03 without my knowledge since it was in the remote site. So maybe I will just force remove AD03 and then rejoin the remaining machines. But that's a good suggestion, maybe I can do that also; let me consider the possibilities. :) – ServerGalore Oct 18 '16 at 23:10
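The checks behind this answer and its comment thread (has AD03 exceeded the tombstone lifetime, can it still replicate, and how clients are steered to a DC by site/subnet rather than by address) as an added PowerShell example. This is not DominikP's code or from the original post; it assumes it is run on AD01 as a Domain Admin with AD03 temporarily reachable again, and the site name `Remote-Site` and subnet `192.168.2.0/24` are placeholders, since the question only names 192.168.1.0/24.

```powershell
# Added example (not from the original answer): decide whether AD03 can be
# safely re-introduced before touching it, and show the site/subnet mechanism
# that decides which DC a client uses. Assumptions: run on AD01 as Domain Admin;
# 'Remote-Site' and '192.168.2.0/24' are placeholders, not values from the question.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Forest tombstone lifetime in days. An unset attribute means the 60-day
#    default of older forests; newer forests carry an explicit 180.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# 2. When did AD01 last pull a successful replication from AD03? If that is
#    older than the tombstone lifetime, AD03 holds lingering objects and must be
#    force-demoted and cleaned up, never re-connected to AD01/AD02.
$meta = Get-ADReplicationPartnerMetadata -Target 'AD01' -PartnerType Inbound |
    Where-Object { $_.Partner -like '*CN=AD03,*' }
if ($meta) {
    $daysSince = ((Get-Date) - $meta.LastReplicationSuccess).Days
    if ($daysSince -gt $tsl) {
        Write-Warning "AD03 last replicated $daysSince days ago (> $tsl): do NOT revive replication"
    } else {
        "AD03 last replicated $daysSince days ago; replication can be revived and AD03 demoted normally"
    }
} else {
    Write-Warning 'AD01 has no inbound replication link from AD03; assume it is beyond tombstone lifetime'
}

# 3. Current replication failures seen from AD01, plus the summary view.
Get-ADReplicationFailure -Target 'AD01' |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
repadmin /replsummary

# 4. Clients pick a DC through the AD site their subnet is mapped to, not by
#    individual address. Giving the remote area its own site and subnet is how
#    you steer clients 13-18, and Move-ADDirectoryServer is the cmdlet behind
#    the "move AD02 temporarily to the site with AD03" suggestion.
if (-not (Get-ADReplicationSite -Filter "Name -eq 'Remote-Site'")) {
    New-ADReplicationSite -Name 'Remote-Site'
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '192.168.2.0/24'")) {
    New-ADReplicationSubnet -Name '192.168.2.0/24' -Site 'Remote-Site'
}
# Move-ADDirectoryServer -Identity 'AD02' -Site 'Remote-Site'   # uncomment to try DominikP's suggestion
```

The point of step 2 is that the comparison against the tombstone lifetime is what makes reviving replication safe or unsafe; if AD03 is past it, the only correct path is the forced removal described in the other answer.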