Score:0

Cannot Convert DC to single DC


Windows 2016 Server environment with 3 DCs, single domain. All DCs are also GCs. Server 1 holds all 5 FSMO roles.

Now I want to export the VM of server 1 and put it onto a different environment on a separate virtual host server, with the network completely separated from the actual domain. Shut down the VM, export, then re-import on the other host.

The VM works. Can ping it from a PC connected to the new separate network.

What I would expect is that AD should work just as usual, with this DC now being a lonely DC. Of course replications won't work, but since that server is a GC and holds all FSMO roles, it should have all it needs, right?

However, what happens is the following:

  • Cannot connect to Active Directory, not even locally from server 1.
  • dcdiag passes the connectivity test but fails the advertising test with error 1355 (the locator cannot find the server).
  • Another error in dcdiag is that it is unable to connect to the NetLogon share.
  • An nslookup query for _ldap._tcp.dc._msdcs.domain.com yields the proper reply, just as it did in the original domain network. This is supposed to be the query to locate a DC, so why does it not find it although DNS can locate it?
  • On the DC itself, in the new domain environment, the sysvol folder no longer contains the "Policy" and "Scripts" folders, but instead there is a folder called something like "Ntfrs_Previous_SeeEventLog".

I am at a loss to understand why this happens.

Is that expected to happen, or did I do something wrong? What could it be?

Score:0

Microsoft explicitly says to not do what you're doing (1). "replication won't work" will definitely (eventually) lead to "my AD broke". A DC with badly-broken replication will indeed stop acting like a DC, stop servicing logins, etc.

They even left you a breadcrumb that you found! Ntfrs_Previous_SeeEventLog - That's NT File Replication Service. It broke (expected), the DC removed its shares (expected), thus breaking logins, and left you a message to look up the event logs. Go do that.

If you insist on going down this path, you'll need to fix replication, clean up this machine's view of AD now that you've cut it off from other DCs, and then you might have a working isolated test domain.

Update per your comment - yes, of course you can have a domain with a single DC. But you took a (copy of a) DC that was NOT solo, and cut it off from the replication partners that it knows about, so it thinks it's broken. You have to fix it. End of story.

(1) - There used to be a TechNet KB article stating this. Microsoft memory-holed a lot of that, so I don't have an easy source. It was about unsupported scenarios for AD migrations during corporate splits and divestitures; a "please don't do this" scenario was simply partitioning the network and then cleaning up each half's AD. Obviously, on paper there's no reason it shouldn't work, but if you miss something or do it wrong or clean up the wrong stuff, you've made a HELL of a headache and MS didn't want to support it.
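As an added, defender-side check list (this is not code from the thread), the following PowerShell script runs on the isolated DC the checks discussed above in one pass: the SRV locator record, what the DC locator itself returns, the SYSVOL/NETLOGON shares, the NtFrs_Previous* breadcrumb folder, recent FRS event-log warnings and errors, the time service, and the two dcdiag tests the question mentioned. The domain name is a placeholder, and the FRS event log name and the NtFrs service name are assumptions for a 2016 DC still on FRS.

```powershell
# Added diagnostic script, not from the thread. Run in an elevated PowerShell on the isolated DC.
# ASSUMPTIONS: $Domain is a placeholder; the FRS log is named 'File Replication Service'
# and the FRS service is named 'NtFrs' on this DC.
param([string]$Domain = 'domain.com')   # placeholder, replace with the real domain name

Write-Host "== 1. DNS locator SRV record (the nslookup the question ran) =="
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

Write-Host "== 2. What the DC locator itself returns (DNS answering is not enough) =="
nltest /dsgetdc:$Domain /force 2>&1

Write-Host "== 3. SYSVOL / NETLOGON shares (missing means the DC withdrew them) =="
$shares = Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
if ($shares) { $shares | Select-Object Name, Path | Format-Table -AutoSize }
else { Write-Warning 'SYSVOL and/or NETLOGON are not shared' }

Write-Host "== 4. FRS breadcrumb folders under SYSVOL =="
$crumbs = Get-ChildItem "$env:SystemRoot\SYSVOL" -Directory -Recurse -Depth 3 -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'NtFrs_Previous*' }
if ($crumbs) { $crumbs | Select-Object FullName } else { 'no NtFrs_Previous* folder found' }

Write-Host "== 5. FRS service state and FRS warnings/errors from the last 7 days =="
Get-Service -Name NtFrs -ErrorAction SilentlyContinue | Select-Object Name, Status
# Level 2 = Error, 3 = Warning; this is the "see event log" the folder name points at
Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Level = 2, 3; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize -Wrap

Write-Host "== 6. Time service status (a suspect raised in the comments) =="
w32tm /query /status 2>&1

Write-Host "== 7. The dcdiag tests the question mentioned =="
dcdiag /test:Advertising /test:NetLogons
```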

nepdev2:
Can you provide info where Microsoft says so? Obviously I can have a domain with a single DC, so replication is not required. What seems not supported then is "downgrading" a DC without demoting all other DCs first (which is not what I want to do).
nepdev2:
But isn't that exactly what replication with a 2nd DC is supposed to handle? Imagine a domain with 2 DCs - disastrous outage - after recovery only 1 DC comes back up - exactly the same situation as I have, so the single DC will not function? But that situation is exactly why one would have 2 DCs - so that one can fail, and in any way imaginable. - So does this then mean the minimum number of DCs is 2? So one should really always have 3 so one can fail, leaving 2? This would be a disastrously stupid setup - I cannot believe this to be true.
mfinni:
No, loss of a single DC in a 2-DC environment will not immediately cause the domain to die, you're correct. The design is not disastrously stupid. It usually takes a while. So perhaps you took too long to recreate the isolated environment. Maybe there was some weirdness with the time service during the isolation/recreation. Regardless, Windows already told you the problem - NTFRS had a hiccup so the DC protected itself. Figure out the problem, fix it, and keep going.