
I'm new to administering Windows Servers and have just been attempting to migrate the AD, DHCP and DNS roles from an old server to a new Windows Server 2016 box, and then retire the old server.

All seems to have gone ok in the end, although I may have made some mistakes along the way including not transferring the FSMO roles at the right point - I seized them at the end.

If I use NetDOM /query FSMO to see the roles, they are all assigned to the new server. So why does the Server Health Monitor screen show the warning below?

Why does it still think BS-2012 is the designated DC? (The old server has now been physically destroyed)

[Screenshot of the Server Health Monitor warning naming BS-2012 as the designated DC; image not reproduced]

userSteve

3 Answers

What did you do to "retire" the old server? Since you said you seized the roles, I'm assuming you didn't properly replicate then move the roles over and then eventually DCPROMO the old DC to remove it as a DC.

In that situation, AD still thinks the old DC is "around".

The good thing is that as of Windows Server 2008 and above, the process for cleaning up a "failed" DC (in your case already physically destroyed) is much easier than back in the 2003 days.

https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/

Follow the above article, that states:

Step 1: Cleaning up metadata via Active Directory Users and Computers Log in to DC server as Domain/Enterprise administrator and navigate to Server Manager > Tools > Active Directory Users and Computers Expand the Domain > Domain Controllers

Right click on the DC server that need to remove manually and click delete In next dialog box, click yes to confirm In next dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO) and click Delete If the domain controller is global catalog server, in next window click yes to continue with deletion If the domain controller holds any FSMO roles in next window, click ok to move them to the domain controller which is available

Step 2: Cleaning up the DC server instance from the Active Directory Sites and Services

Go to Server manager > Tools > Active Directory Sites and Services
Expand the Sites and go to the server which need to remove Right click and click Delete In next window click yes to confirm

TheCleaner
  • Thanks, but I think I already did that before (deleting the old server, can't remember if I said OK to move to the new DC as well, probably did). The old server name does not appear in any of those places, only on the warning screen – userSteve Apr 18 '17 at 15:24
  • Did you reboot the new server yet? Something seems to still reference it. Did you look for any metadata using adsiedit for that old DC? Also, is the alert just an old alert you can clear (and see if it returns)? – TheCleaner Apr 18 '17 at 15:26
  • Hi. Didn't find anything with adsiedit. Removed the warning, rebooted, it's still there. I'm thinking I might just ignore it – userSteve Apr 18 '17 at 15:34
  • Aha, I've just searched the entire registry and found some matches to the old server. Any advice on if I should remove/edit these keys? : `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\ADContext\ConnectedDc` `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Root Domain Srv` `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Root Domain Srv` `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Root Domain Srv` – userSteve Apr 18 '17 at 15:41
  • If that's there it should mean there are still SRV records in DNS for the old DC, so you may not have followed the dcpromo demotion properly. – TheCleaner Apr 18 '17 at 16:46
  • I guess I'm stuck then. I think Windows 2016 doesn't use dcpromo, it uses a wizard which can only be used once at the time of adding the role – userSteve Apr 18 '17 at 19:09
  • No, I meant running dcpromo on the old box before it was gone is the right way to go. If the SRV records are still in DNS, just go in and manually remove them. See here: https://serverfault.com/questions/595419/how-to-remove-orphaned-domain-controllers-dns-records – TheCleaner Apr 18 '17 at 19:35
  • There weren't any records in DNS. However I have now solved it by changing the registry (see my own answer). Thanks anyway, it was all great advice and help – userSteve Apr 19 '17 at 14:50

After some good help from the other replies and some more googling, I solved the problem by editing the registry...

Edit this key to point to the correct DC server (as per this post):

  • `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\ADContext\ConnectedDc`

Delete these keys (as per this, this and this):

  • `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Root Domain Srv`
  • `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Root Domain Srv`
  • `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Root Domain Srv`
  • `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Srv objectGuid`
  • `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Srv objectGuid`
  • `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Srv objectGuid`

userSteve

In your situation you can treat your old server as a primary DC that has failed. Luckily this wasn't your only DC as you had the new server as a backup DC! (Please keep it that way!)

It is possible to transfer or seize FSMO roles to another domain controller with ntdsutil.exe.

As you should be really careful when doing this, I suggest taking time to read and learn:

Those without disaster recovery plans or running all roles from one DC, while not recommended, is sometimes unavoidable in some smaller sized businesses. The major concern with running all roles off one DC is that the roles cannot be migrated to another server should said server crash. The only way to migrate these roles is by seizing the operation master roles should no disaster recovery plan exist.

The steps for seizing the operation master roles after a crash (or a destroyed by BOFH event):

  1. Log in as domain administrator.
  2. Start an elevated command prompt.
  3. `ntdsutil`
  4. `roles`
  5. `connections`
  6. `connect to server <FQDN of role holder>`
  7. `quit`
  8. Seize each role, answering yes to the confirmation popup that appears after each command:
     `seize schema master`
     `seize naming master`
     `seize RID master`
     `seize PDC`
     `seize infrastructure master`
  9. Type `quit` to exit from ntdsutil once the last command has been entered.

Esa Jokinen
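As an added example (not code from the question or any of the answers above), the following PowerShell script audits the places the thread touches for lingering references to a retired DC: the FSMO holders that `netdom /query fsmo` reports, the `ConnectedDc` and `Src Root Domain Srv` registry values from the accepted answer, the DC locator SRV records in DNS, and the server object under Sites and Services. It assumes the ActiveDirectory and DnsClient modules are available on the surviving DC and is run elevated; `$RetiredDc` is a placeholder for the old server's host name.

```powershell
# Added example: audit a domain for leftover references to a retired DC.
# $RetiredDc is a placeholder; pass the old DC's host name (e.g. -RetiredDc BS-2012).
param([string]$RetiredDc = 'OLD-DC-NAME')

Import-Module ActiveDirectory
$findings = @()

# 1. FSMO role holders (the same information netdom /query fsmo shows)
$forest = Get-ADForest
$domain = Get-ADDomain
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    if ($fsmo[$role] -like "$RetiredDc*") { $findings += "FSMO role $role still held by $($fsmo[$role])" }
}

# 2. Registry values the accepted answer edited or deleted
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Server\ADContext';          Name = 'ConnectedDc' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';   Name = 'Src Root Domain Srv' }
)
foreach ($c in $regChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -and $v -like "*$RetiredDc*") { $findings += "Registry $($c.Path)\$($c.Name) = $v" }
}

# 3. DC locator SRV records; a stale one keeps clients trying the dead box
$srvNames = @("_ldap._tcp.dc._msdcs.$($domain.DNSRoot)", "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)")
foreach ($n in $srvNames) {
    Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$RetiredDc*" } |
        ForEach-Object { $findings += "DNS SRV $n -> $($_.NameTarget)" }
}

# 4. Server object left behind under Sites and Services (step 2 of the first answer)
$configNC = (Get-ADRootDSE).configurationNamingContext
$srvObj = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$RetiredDc))" `
    -SearchBase "CN=Sites,$configNC" -ErrorAction SilentlyContinue
if ($srvObj) { $findings += "Server object remains in Sites and Services: $($srvObj.DistinguishedName)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No references to $RetiredDc found in FSMO roles, registry, DNS or Sites and Services" }
```

Run it again after each cleanup step so the remaining warnings tell you exactly which reference the health monitor is still picking up.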