Restore a demoted domain controller from backup

active-directory, windows-server-2008

I demoted a domain controller and it broke some IIS (running on same machine) permissions in a way I couldn't fix and futzing with things has just made it worse. The idea was to separate stuff and make things more robust and I'd like to try to eventually do that, but right now I need that site back up and running.

If I restore this machine from a backup from back when it was a domain controller, will I have an Active Directory Disaster? I'm pretty sure the backup was done before I transferred the FSMO roles. 🙁

Best Answer

You can't do a non-authoritative restore if it's been demoted. The other domain controllers now no longer think that it is a DC. If you did an authoritative restore, then all of your AD info would be rolled back to the time of the backup, and your site should work again, but you'd have to demote and re-promote your other DCs (I believe).

This happened because there is no local user database on a Domain Controller. All of the accounts, including the IIS service accounts, become domain accounts when a DC is promoted. When you demote it, you remove this authentication database and replace it with the default one.

Basically, you're kind of screwed. I'd consider taking this time to get the site working on a member server instead of wasting (probably) the same amount of time trying to get everything the way it was the second before you demoted the DC.
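As an added example that is not part of the original question or answer, the following PowerShell lists NTFS ACL entries under a site root whose SIDs no longer resolve to an account, which is the symptom the answer describes: the domain accounts that held the IIS permissions went away with the demotion, so their entries survive only as raw SIDs. The site path and the script itself are assumptions, not anything taken from the thread.

```powershell
# Added example (not from the original post): report NTFS ACL entries under an IIS site
# root that reference SIDs Windows can no longer map to an account name. After demoting
# a DC the old domain accounts (including IIS service accounts) are gone, so their
# entries show up as unresolved S-1-5-21-... SIDs. $SiteRoot is an assumed path.
param([string]$SiteRoot = 'C:\inetpub\wwwroot')

function Get-OrphanedAce {
    param([string]$Root)
    # Include the root itself plus everything beneath it.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference
            # Get-Acl translates identities to DOMAIN\name where it can; an entry that is
            # still a SecurityIdentifier object could not be resolved. Restrict to the
            # domain SID prefix so well-known service SIDs are not reported by mistake.
            if ($id -is [System.Security.Principal.SecurityIdentifier] -and
                $id.Value -match '^S-1-5-21-') {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $id.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$orphans = Get-OrphanedAce -Root $SiteRoot
if ($orphans) {
    $orphans | Sort-Object Path | Format-Table -AutoSize
    # Non-inherited entries are the ones to re-grant to a local or member-server
    # account once the site is rebuilt; inherited ones follow their parent folder.
    "{0} orphaned entries found under {1}" -f @($orphans).Count, $SiteRoot
} else {
    "No orphaned domain SIDs found under $SiteRoot"
}
```

Run it in an elevated PowerShell session on the former DC; the non-inherited rows tell you exactly which folders need permissions re-granted to whatever account the site will run under on a member server.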