
I'm running WSE 2016, which must be the only DC in the domain. According to the documentation, it is incompatible with a PDC/BDC construct.

For some unknown reason, Windows Updates have been failing for some time now. I've been working with Microsoft Support on the issue and I'm told that at this point the only fix—barring a clean install—is to run a Repair from the Recovery Environment. I've tried the standard recommendation of deleting/renaming the update store, to no avail.

I'm also told that the PDC must be demoted prior to running the Repair.

Oddly enough, I'm unable to get a clear and reliable answer on whether a PDC can be demoted without a BDC (Microsoft Support is not what it used to be). Also, upon reviewing this documentation, it seems to me that a demotion/promotion task will end up with the creation of new SIDs for my users and computers. This would be a problem for me, as my on-premises installation of Azure DevOps Server 2019 on a 2016 Standard member server relies on those SIDs to do its magic. If I'm going to have to deal with new SIDs anyway, I might as well do a clean install, bump up to WSE 2019 and deal with the pain of reconfiguring ADS.

So my main question, then, is this: Will it be possible to demote this PDC, even though it has no BDC (and cannot have one)?

Sub-question: If yes, will I lose my user and computer SIDs by doing so?

Hopefully my two-question construct here doesn't run too far afoul of the community's Q&A standards. If so, however, please say so and I'll edit my question to move the sub-question into a new topic. I'm just hoping to consolidate things since the two are so closely related.

InteXX
  • You're unable to find documentation on BDCs under AD because they don't exist. There's a PDC "emulator" role in the FSMO role holders, but that's for NT 4.0 and previous clients to talk to. That's why you can't find any docs, you're using ancient terminology. – mfinni Feb 11 '21 at 03:41
  • And yes, demoting your sole DC will make your domain disappear and you'll need to make new user accounts in a new domain, and join your workstations to the new domain, if that's what you choose to do. – mfinni Feb 11 '21 at 03:42
  • Thank you for the info. Would you make it into an answer; I'd like to accept it. – InteXX Feb 11 '21 at 03:43
  • *"you're using ancient terminology"* That's interesting. What would the newer terminology/concepts be? (Developers tend to make lousy SysAdmins, I'm afraid.) – InteXX Feb 11 '21 at 03:46
  • "domain controller" - primary and backup (PDC and BDC) literally went away with the introduction of Active Directory. – mfinni Feb 11 '21 at 03:54
  • I see. So multiple DCs under Active Directory act as peers? – InteXX Feb 11 '21 at 04:00
  • Yes. Each will contain an entire copy of the domain and be authoritative. It's multi-master replication. In a multi-domain forest it gets more complex but that's not your issue. – mfinni Feb 11 '21 at 04:14
  • *"In an Active Directory domain there are no longer PDCs or BDCs and all DCs are considered peers."* Reference [here](https://docs.microsoft.com/en-us/archive/blogs/sbs/debunking-myths-about-additional-domain-controllers-in-sbs-domains). Thank you very much for helping get me straightened out on this. – InteXX Feb 11 '21 at 04:15
  • That's a great link, very informative, and you'll note that it's almost 14 years old :-) – mfinni Feb 11 '21 at 04:21
  • It is, isn't it! It's almost as old as me ;-) – InteXX Feb 11 '21 at 04:26

1 Answer

Yes, demoting your sole DC is allowable, and it will make your domain disappear and you'll need to make new users and groups in a new domain, and join your workstations to the new domain, if that's what you choose to do.

Anything that had a security principal assigned to it will also need to be assigned to the new security principals - e.g. if you have a fileshare right now with limited access, those user or group SIDs that have access will be gone, so you'll need to reassign to the new groups/users that you'll be creating.

You may want to see if you can temporarily add a second DC to your domain so that you don't lose the domain itself. I think that WSE will allow this, but I'm not that experienced with it. Search for that terminology (or work with your MS support staff on your ticket), stop searching for PDC and BDC unless you're hand-to-god working with NT 4.0 or older.

Edit - Aha - yes, you're incorrect about not allowing additional DCs in a WSE domain. You're restricted by licensing to not having more than one WSE in a domain (for longer than the 21-day grace period for a data migration) but you can certainly add a second DC on a non-WSE SKU of Windows server. And you should.

https://social.technet.microsoft.com/Forums/office/en-US/710863c6-e3ca-4526-9a65-569b5374f47d/windows-server-2016-essentials-domain-controller-replica?forum=ws16essentials

mfinni
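The checks behind the answer above, as an added PowerShell example that is not from the question, the answer, or Microsoft: it confirms whether the server really is the sole DC and which host holds the FSMO roles, records every principal's SID so orphaned ACL entries can be mapped back later, and lists the replica-DC steps the answer recommends. It assumes the ActiveDirectory module (RSAT) is installed; `corp.example` and `DC2` are placeholder names.

```powershell
# Added example: run in an elevated PowerShell on a domain-joined machine.
Import-Module ActiveDirectory

# 1. Is this really the only DC, and who holds the operations-master (FSMO) roles?
$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)
"Domain controllers in $($domain.DNSRoot): $($dcs.Count)"
$dcs | Select-Object HostName, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

if ($dcs.Count -eq 1) {
    Write-Warning "Sole DC detected: demoting $($dcs[0].HostName) removes the whole domain and its SIDs."
}

# 2. Snapshot every user, group and computer SID before anything changes.
#    If the domain does have to be rebuilt, ACLs on shares, DevOps Server etc.
#    will show bare SIDs; this CSV tells you which account each one was.
$export = Join-Path $env:USERPROFILE 'ad-sids-before.csv'
@(Get-ADUser -Filter *; Get-ADGroup -Filter *; Get-ADComputer -Filter *) |
    Select-Object ObjectClass, SamAccountName, DistinguishedName,
                  @{ Name = 'SID'; Expression = { $_.SID.Value } } |
    Export-Csv -Path $export -NoTypeInformation
"Exported $((Import-Csv $export).Count) principals to $export"

# 3. The answer's route: add a replica DC on a non-WSE SKU so the domain survives.
#    Run these on the NEW server (placeholder DC2), then verify replication before
#    touching the WSE box. Test-ADDSDomainControllerInstallation makes no changes.
#
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#   Test-ADDSDomainControllerInstallation -DomainName corp.example -Credential (Get-Credential) -InstallDns
#   Install-ADDSDomainController -DomainName corp.example -Credential (Get-Credential) -InstallDns
#   Get-ADReplicationPartnerMetadata -Target DC2       # both partners, LastReplicationSuccess recent
#   repadmin /showrepl                                  # no failures listed
#
#   Only once DC2 replicates cleanly, transfer the roles off the WSE server:
#   Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole `
#       PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
```

Re-run step 1 after the transfer: the FSMO output should name DC2 and the DC count should read 2 before the WSE server is demoted for the repair.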