Join Log in
Score:0
avatar Server

Two PDCs, two ADs, two domains - how to replicate one domain/AD to the other?

jo flag
InteXX

Here's the history:

SERVER2 was a 2016 Essentials Edition server, standalone with no other DCs. The OS became corrupted in a few areas, and so a decision was made to replace it. A standalone clean install wasn't an option, as applications running on member servers rely heavily on AD user SIDs.

So a second DC was introduced, SERVER3, and the domain/AD/DNS/PDC/fsmo were replicated from SERVER2 to SERVER3. Metadata cleanup was performed on SERVER3 to rid it of any old references to SERVER2. SERVER2 has now been taken permanently offline.

A brand new SERVER2 Essentials Edition has been configured, and it has its own domain/AD/DNS/PDC/fsmo. The display names of the two domains are the same, but the underlying ADs are of course different.

How do I make the new SERVER2 a BDC for SERVER3, replicate everything from SERVER3 to the new SERVER2, and then promote the new SERVER2 to be PDC?

I had some expert assistance to get this far, but unfortunately the tech has been called away. I'm now on my own, mid-project.

Please advise.

--EDIT--

I found this guidance, but it doesn't seem to take into account that I have two PDCs on separate existing domains.

48
0 + 0
joeqwerty avatar
cv flag
joeqwerty
If Server 2 is now a member of the Server 3 domain, then you simply need to promote Server 2 to a Domain Controller once you've added the AD DS role (which I'm assuming is already installed). You can promote Server 2 to a Domain Controller from Server Manager.
0
Reply
jo flag
InteXX
I've got SERVER2 promoted to a DC, and I think I've got everything moved from SERVER3 to SERVER2. I used the `Move-ADDirectoryServerOperationMasterRole` cmdlet as described [here](https://theitbros.com/transfer-fsmo-roles-using-powershell/). I did get a `directory service is unavailable` error for the `SchemaMaster` and `DomainNamingMaster` roles, though, which I got past by using the `-force` parameter. He describes deleting the DC whenever roles are seized, so I'm not sure where he's going with that, or even if it applies to me. Your opinion?
0
Reply
Score:1
Massimo avatar Server
ng flag
Massimo

Windows Server Essentials requires being a Domain Controller, but it can be added as replica DC to an existing domain, as long as you are doing it for migration purposes (i.e., you as long as you are going to remove the existing DC):

https://docs.microsoft.com/en-us/windows-server-essentials/migrate/migrate-from-previous-versions-to-windows-server-essentials-or-windows-server-essentials-experience

I'm not really experienced with this heavily-locked-down edition of Windows, but if you go digging in the documentation, it should be possible to replace your existing server with a new Windows Server Essentials one.

However, you'll definitely have to rebuild your new server from scratch, because your current situation (each server hosting its own Active Directory domain) is a dead end and there is no way to "merge" them.

0 + 0
jo flag
InteXX
I think I used the wrong word 'merged' there. I want to dump everything on SERVER2, join SERVER3's domain and replicate everything from SERVER3 to SERVER2. I'm halfway there, I believe, because I just demoted SERVER2 and joined SERVER3'S domain. So now I'm off to figure out the replication step.
0
Reply
Massimo avatar
ng flag
Massimo
You just need to promote the server as an additional DC in the existing domain. AD replication in automatic.
0
Reply
jo flag
InteXX
OK, I've got SERVER2 promoted to a DC, and I think I've got everything moved from SERVER3 to SERVER2. I used the `Move-ADDirectoryServerOperationMasterRole` cmdlet as described [here](https://theitbros.com/transfer-fsmo-roles-using-powershell/). I did get a `directory service is unavailable` error for the `SchemaMaster` and `DomainNamingMaster` roles, though, which I got past by using the `-force` parameter. He describes deleting the DC whenever roles are seized, so I'm not sure where he's going with that, or even if it applies to me. Your opinion?
0
Reply
Massimo avatar
ng flag
Massimo
The proper way to get rid of a DC is to demote it. Forcibly deleting it should only be used as a last-resort option when the DC is no longer working and you can't perform a proper demotion. If you demote the DC, all references to it will be properly removed from AD and you will not need to cleanup anything.
0
Reply
jo flag
InteXX
I'm getting confused by the terminology here. You say: "The proper way to get rid of a DC is to demote it." Is that what I did with this: `Move-ADDirectoryServerOperationMasterRole -Identity "SERVER2" SchemaMaster -Force`? (Note that when I ran it without `-Force` I got this error: `directory service is unavailable`) What exactly happened when I ran it with `-Force` to get it to work?
0
Reply
Massimo avatar
ng flag
Massimo
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200-
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.