Windows – Re-syncing primary FSMO domain controller to secondary

Tags: active-directory, domain, domain-controller, windows, windows-server-2012-r2

Let me preface this by saying I'm not an AD admin and our AD expert is on vacation (perfect timing), so pardon my ignorance.

I have a primary domain controller ADServer (has the FSMO roles) that was two-way replicated to a secondary domain controller TWDC. The domain/DHCP/DNS got trashed on both servers and the only valid restore point I had was for the secondary controller (about 20 days back). I tried to do a DSRM authoritative restore on the restored server but couldn't connect to domain services on the primary. I have the network up and running on the secondary domain controller; however, the primary seems pretty trashed. The netlogon service won't start and there are multiple errors in the log:

  - DFS namespace service could not initialize the trusted domain controller
  - The processing of Group Policy failed
  - Active Directory Web Services could not change its advertising state
  - This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it
  - The DFS Replication service encountered an error communicating with partner TWDC for replication group Domain System Volume
  - Active Directory Domain Services was unable to establish a connection with the global catalog
  - This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

DCDIAG's

I'm looking for some guidance as to how to resolve this. My first instinct is to transfer the FSMO roles from ADServer (primary) to TWDC (secondary), demote the primary controller, remove AD services, and re-promote it back to the secondary.

Any advice is greatly appreciated, and sorely needed. Thanks.

Best Answer

I'm not exactly clear on the current state of your Active Directory, but the basics of restoring Active Directory to a good state are:

  1. Get a valid, functional domain controller, if you don't have one already. If necessary, do so by doing a DSRM restore.

  2. Transfer or seize FSMO roles to your functional domain controller.

  3. Clean up Active Directory by removing references to all broken domain controllers. This is commonly referred to as a metadata cleanup, and is done from the good domain controller. Get rid of the actual broken servers while you're at it.

  4. Replace broken domain controller(s) with new, working one(s). It's usually easiest to do this with a clean OS image that you join to the domain and promote to a domain controller.

  5. Shift FSMO roles back to where you want them to be, if desired.
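Steps 2 to 5 above, as an added PowerShell walkthrough (not part of the answer) using the asker's server names, with TWDC assumed to be the healthy DC and the domain name corp.example.com a placeholder. Steps 2 and 3 run on TWDC as a Domain/Enterprise Admin; step 4 runs on the freshly installed replacement server.

```powershell
# Assumed names: TWDC is the good DC, ADServer the broken one, corp.example.com the domain.
Import-Module ActiveDirectory
$GoodDc   = 'TWDC'
$BrokenDc = 'ADServer'
$Domain   = 'corp.example.com'

# Step 2: record who currently holds the five FSMO roles, then seize them onto
# the good DC. -Force seizes instead of transferring because the current holder
# cannot be reached. A DC whose roles were seized must never be put back on the
# network without the rebuild in step 4.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Step 3: metadata cleanup. Find the broken DC's server object in the
# Configuration partition and let ntdsutil remove it with its NTDS Settings
# object and replication links. Afterwards check that no computer account or
# DNS records for $BrokenDc remain.
$cfgNc    = (Get-ADRootDSE).configurationNamingContext
$serverDn = (Get-ADObject -SearchBase $cfgNc `
    -Filter "objectClass -eq 'server' -and name -eq '$BrokenDc'").DistinguishedName
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Confirm the directory is healthy before adding anything new.
repadmin /replsummary
dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck

# Step 4 (on the clean replacement OS): install AD DS and promote it,
# replicating from the good DC only.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -ReplicationSourceDC "$GoodDc.$Domain" -Credential (Get-Credential) `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# Step 5 (optional, from any DC once replication is clean): transfer, not seize,
# the roles back to the rebuilt server. Without -Force the current holder must
# be reachable, which is the safe behaviour now.
Move-ADDirectoryServerOperationMasterRole -Identity $BrokenDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
```

Run `dcdiag /v` and `repadmin /showrepl` after step 5 to confirm both DCs agree on the role holders and replicate in both directions.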