
There are many posts about re-establishing lost trust relationships, but I think this situation is different than what I've read.

I had two 2012 R2 DCs in my network, and when the primary DC failed, the secondary DC did not hold the domain up. I repaired the primary DC, but could never quite fix the issues with the secondary DC, and I couldn't get new secondary DCs to replicate properly.

So I started from scratch, leaving the old primary DC alone while I created new primary and secondary DCs. That is accomplished. Dcdiag is clear on both DCs except for a few minor system log issues from the last 24 hours during the build, and repadmin /showrepl shows successful replication both ways.

So now I need to join all my clients to the 'new' domain, except it's not exactly new. The domain has the same name, but it is not the same set of DCs.

The Local Server Events list shows client PCs are trying to connect because they see DCs on a domain with the same name as before. The Events say to reestablish the trust relationship because their SIDs are incorrect, but it's actually more complicated than that. They can't connect because I haven't created their User Accounts yet in order for them to get a SID.

In order to proceed I want to ask for guidance to make sure I join the clients to the domain in a way that won't create problems. I only have 11 accounts to create, so it's not too burdensome. But I'm concerned if I don't do this correctly I'll create additional problems.

So my questions are:

How do I rejoin the clients to the new domain, which is actually the same domain name as before? Do I simply create their accounts and then have them perform a log on with the password I initially set when creating their accounts? Do I disconnect them from the domain and then rejoin? One of the clients is a TFS server which uses a series of account names. If I disconnect it from the domain, will that create a set of problems that keep it from connecting to the new DCs?

Finally, not that I need it this time, but was there a mechanism I could have used to save the DC data in some kind of export from the old primary DC that could have been imported into the new primary DC? Kind of a 'last ditch' attempt to salvage data. I get it that that's what the secondary DCs were supposed to do.

Alan

1 Answer

First, make sure your new secondary DC gets a copy of the global catalogue too, please, as your old DC should have worked to take the load.

For your question, as it's a small business, I'd say you recreate each user account, but I would unjoin each workstation from the domain to make them rejoin it afterwards, to prevent SID issues with each computer account, and that's all (with user profile migration, as their SIDs changed).

For the TFS server I can't tell. That link has good documentation: https://www.visualstudio.com/en-us/docs/setup-admin/tfs/admin/move-across-domains

Don't forget group membership and GPO too.

yagmoth555
  • My 2nd DC has GC, and I see it replicating all changes in 1st DC. I will move the client machines as you suggest by unjoin and rejoin. Thx for the TFS article - don't think I would have found that. It seems very involved so I will have to study it. I'll report back later. – Alan Aug 11 '17 at 22:47
  • As expected, unjoin/rejoin of a computer worked well. I also tested if the secondary DC would hold up the domain. I took the primary DC off the domain by disconnecting its LAN cable. I then successfully added a pc to the domain through the secondary DC, and when I reconnected the primary DC, after replication the primary DC showed the new pc in the Computers list that had been added by the secondary DC. So success in this area. Still working on the TFS join – that's complicated. – Alan Aug 13 '17 at 21:28
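A PowerShell version of the checks and the unjoin/rejoin procedure recommended in the answer, added here as an example and not taken from the answer or the comments. The domain name corp.example.com, the DC names DC01/DC02, the workgroup name, the user jdoe and the group name are placeholders to substitute for your own.

```powershell
# Added example: verify the rebuilt DCs, recreate a user, then unjoin/rejoin a workstation.
# Placeholders: corp.example.com, DC01/DC02, jdoe, FileShare-Users (none come from the answer).
# Steps 1-3 run on a DC (or any host with the ActiveDirectory RSAT module) as a domain admin.
Import-Module ActiveDirectory

# 1. Every DC should be a Global Catalog, so the secondary can carry the domain on its own.
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 2. Replication partner state for the domain; LastReplicationResult 0 means success.
$domain = (Get-ADDomain).DNSRoot
Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain |
    Select-Object Server, Partner, LastReplicationResult, LastReplicationSuccess |
    Format-Table -AutoSize

# 3. Recreate one user account with an initial password the user must change at first logon,
#    then restore the group membership the old domain gave them (the answer's reminder).
$initialPw = Read-Host -AsSecureString 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName "jdoe@$domain" -AccountPassword $initialPw `
    -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity 'FileShare-Users' -Members 'jdoe'   # placeholder group name

# 4. On each workstation (elevated PowerShell): leave to a workgroup, reboot, then rejoin.
#    The rejoin creates a fresh computer account, so the stale-SID trust error goes away.
$cred = Get-Credential -Message 'Domain admin on the NEW DCs'
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart

# ...after the reboot, rejoin. -Server pins the join to one DC (Domain\DC format), which is
#    also how to prove the secondary DC can serve a join by itself, as the comment tested.
Add-Computer -DomainName $domain -Server 'corp\DC02' -Credential $cred -Restart

# 5. After the final reboot, confirm the machine's secure channel to the rebuilt domain.
Test-ComputerSecureChannel -Verbose   # True when the new computer account trust is healthy
```

Run step 4 before step 5 only after the workstation has rebooted back into the domain; Test-ComputerSecureChannel returning False means the join did not complete.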