Domain – Need to start over with a new Active Directory domain. How far do I tear down the DC

active-directorydomaindomain-controllerwindows-server-2012-r2

I built a Windows Server 2012 R2 PDC for a new domain. It's still in its infancy with only one DC and one member computer. Now I need to remove all traces of that domain and start fresh because:

It needs to be renamed
We're having trouble with an interforest AD migration (SID history won't migrate) and the AD admin at the source domain, who's been at this job a lot longer than me, says all he can think of is to start over with the new domain.

How far do I need to go with the existing DC? Can I just use Server Manager to remove the AD Directory Services and DNS roles, then rebuild them, or do I need to wipe and rebuild the server? I'm afraid of Windows hiding settings in the registry and not getting rid of them, like it does all the time elsewhere.

Best Answer

The easiest, cleanest thing to do would be to wipe the server and start from scratch.

Related Solutions

Seizing FSMO roles from dead Windows Domain Controller

Are the roles listed from netdom query fsmo the same ones I've seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?

Yes, exactly. Not sure why they've got the names slightly different in that particular display.

What are the bad things that could happen if I seize one of these roles?

The seizure itself? Not a lot. Most of the potential issues that are warned about are about turning the old DC back on after it's had its role seized - and even then, there's a lot of hysteria out there for not a lot of risk; it takes some pretty strange scenarios to break anything with a seizure instead of a transfer of a role. To go on a tangent for a moment, let's go over the roles and the potential risks:

Schema Master: This one gets everyone pretty twitchy, but breaking it is not a terribly likely scenario. The documentation says that you should never ever ever turn the old Schema Master back on after seizing the role, which I call alarmist. The old server will be informed of the role change, and as soon as it is, it'll relinquish the role. The potential risk here is if changes are made to the new schema master, then the old schema master is brought online, then before it replicates from the other DCs, different, conflicting, schema changes are made on the old server. This situation is unlikely, but would destroy your domain.
Naming Master: Same deal as with the Schema master, you'd need to make changes (in this case, create a new domain in the forest) on the old DC, after seizing its role but before it gets knowledge of the seizure.
PDC Emulator: No risk, it's not responsible for anything where you risk divergence.
RID Master: You'd need a messed up replication structure to break this one - imagine that you've got 2 DCs; an old RID master that doesn't know its role has been seized, and a new RID master. In this situation, you'd need to create enough objects to exhaust the RID pool on both (they're handed out in 500s), and have them both assign themselves overlapping pools. Create objects with identical RIDs, reconnect the domain controllers, and watch the apocalypse unfold.
Infrastructure Master: Honestly, probably 50% of domains in the world don't even have a working Infrastructure Master at all, since it doesn't work when it's on a GC. In any case, you can't break it with seizure.

Will users notice?

They should not.

This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?

No. With a single DC, none of the functions of the PDC are missed at all, except maybe your non-PDC DC being unable to sync time with the source that it wants to (the missing PDC).

Moreso:

You'll only miss the Schema Master when you try to update the schema
You'll only miss the Naming Master when you try to create a new domain in the forest
You'll only miss the RID Master when you create too many objects and exhaust your DC's RID pool (this is probably the most likely for you to run into if you just keep running as is)
You'll only miss the Infrastructure Master for global catalog group updates in a multi-domain forest

Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 - and perhaps less than 10 most days - is having all roles on one DC a real problem?

No - but get a second DC. You don't want to have your only DC fail.

Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?

Yeah - be careful. But sharpen your ntdsutil knives and tear the old data out - extra junk in there isn't helping the maintainability of the domain.

New Primary Domain Controller won’t start Active Directory unless Old DC is booted

Active Directory replication isn't ready yet, and your new domain controller isn't a domain controller unless 13516 is logged and sysvol and netlogon will be shared (sysvol replication has finished). Here are a few steps to take:

With NSLookup, check if your new DC can resolve the domain name, itself, and the old DC. Check both forward and reverse lookup
Run repadmin /kcc
Wait a few minutes
Run repadmin /syncall
Wait a few minutes
If event id 13516 is not logged, run dcdiag and post the output. Also post any error messages that occur performing these steps.

Best Answer

Related Solutions

Seizing FSMO roles from dead Windows Domain Controller

New Primary Domain Controller won’t start Active Directory unless Old DC is booted

Related Topic