Win2k AD server rejoining domain.. easiest way to do this?

asuh

Golden Member
Sep 7, 2002
1,059
2
91
About 6-12 months ago, we decided to bring down a server from our domain because there were connectivity and network issues with this server, but we never disjoined the network. Thus, it still exists as a DC on the current network. Since that time, the network has been running pretty well. This network consists of 2 Win2k Active Directory PCs (including this one), about 5 other servers, and about 35-40 clients. So, for the past 6-12 months, we've only had 1 Active Directory server.

The time has come that we want to try to connect the inactive server to the domain after many months of inactivity. Since that time, as well, there have been many new users and computers added through Active Directory.

I would love some advice on the best way to bring this server up such that it would cause the least headaches on our part. The preference would be to just turn the computer on and log in as usual, but knowing that there were problems previously, and the long inactivity since we last used it on the network, what would be the best way of doing this?

I checked all of the FSMO roles and they point to the correct server. The main activity that must occur is the sync of new info from the active AD to the inactive AD. Is it as easy as I'm making it sound like?

Thank you for any info!
 

Diaonic

Senior member
May 3, 2002
305
0
0
I would remove any domain information from the old DC. Make it part of a workgroup if you have to.

Reboot, connect it back to the network and run dcpromo. Depending on the situation of the other server you may need to run forest and domain prep, but it will prompt you if you have to.
 

asuh

Even if I removed all visible domain info, wouldn't there still be a lot of files and keys in the registry?

Actually, could you explain your thinking about removing domain info from the old server?
 

Diaonic

Well, I guess I should have asked a few more questions, and here is my logic behind them.

Here's a short story and a painful lesson I learned. Last year I added a DC to my network, with the intent to install ISA Server. Well, later that year we found a better solution that met a few more of our needs and we didn't need the server. So I just removed it from the network, disregarding any of the roles because it was a member server in the domain. Well, I'm sure you can see where this is going: the DC root server freaked out and would barely boot. I tried a few restores and nothing would work. So I called Microsoft and paid the $250 tech support fee, and they connected to my server for 8 hours and fixed everything, all the registry settings, a few DNS issues, and got everything working smoothly again. I could have avoided that entire phone call if I had removed the ISA DC properly by running dcpromo.

Lesson learned.

So my next question is, when you say you ran into all those problems before, was it because the DC was not properly removed?

Rejoining the server to the domain via dcpromo will restore the Active Directory structure to the current state of your production server. So as long as the new DC doesn't think it's a DC yet, you should be fine.

This is my opinion from my own experiences, I'm sure some of the more experienced guys here can chime in on this.
 

asuh

I guess I was not very clear in my original post. We did shut the server off, but did not actually disjoin the network. As far as the current network is concerned, it's still a server on the network, but it is just never found or used. So, theoretically, turning the PC back on would be just like logging back into the network. However, there were those problems. As far as I can remember, having the server on always meant the network was slower. That's why we just shut it down out of the blue.
 

lansalot

Senior member
Jan 25, 2005
298
0
0
I would say 6 months is too long to have left it. What about a clean install followed by a dcpromo, is that an option?
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
That server is way past the default tombstone lifetime. Bringing it up would risk introducing lingering objects to the directory.

You need to do a metadata cleanup of that server to remove all of its information from AD (KB216498). If you need to get data off the server, boot it up unconnected to the network and get the data off (USB drives, etc.). Then wipe it and reload, and run dcpromo. I would not recommend connecting this server back to the network in its current state. And if you do rebuild it, make absolutely sure you do the metadata cleanup before you make it a DC again with dcpromo.
 

asuh

Okay, I realize that I'm getting the same exact opinions from multiple people, thus I hear your messages loud and clear. This being said, I now need to take the next steps.

I will not bring the server back into the network, as many people have stated. What I need to figure out is two things:

1. How important is it that I do a metadata cleanup? There is no critical data on the server and it could easily be reloaded now.

2. Since this server is still registered in the current domain's server AD and I don't plan to bring it back online to the existing domain, do I need to clean up all of the previous entries of this downed server from the DNS, DHCP, etc or just leave it be? Here's what we were thinking. I'm not sure that bringing back a reloaded version of Win2k Server with the same exact hardware is going to be allowed since this computer was previously already joined to the domain and currently is listed in the DNS and AD. It can't really join the domain twice, can it?

Thanks for your answers!
 

stash

1. Metadata cleanup is essential. Your AD will not function correctly until you clean up the removed server.
2. You need to clean it up. Metadata cleanup removes information from AD and DNS. DHCP doesn't really matter.

See http://support.microsoft.com/kb/216498

You can reload the server at any time, but you cannot make it a domain controller in the existing domain until you do a metadata cleanup. Even if you do not plan on making it a DC in the existing domain, you need to do the cleanup. Otherwise the remaining DC will still attempt to replicate to it, and clients will try to authenticate to it.
 

asuh

I have gone through all of the steps and now have one problem. After cleaning up the metadata using ntdsutil and then deleting all of the DNS objects, I then went into AD Users and Computers to delete the Domain Controller. When I tried to delete it, it gave me the following message:

The DSA Object Cannot Be Deleted

This is a problem. If I can't delete it out of Active Directory, I believe this means I cannot repromote it as a domain controller. Any ideas?
 

stash

You need to delete it with adsiedit (take a look at the info in the article after step 17). In adsiedit, right click the container in the domain controllers OU that represents your DC and click delete. You may get an error the first time, but if you right click and delete again, it should be gone.
 

asuh

Ah, ok. I'll need to go find the server disk (I misplaced it and have been looking for it all day!). Thanks.
 

stash

You can also download adsiedit as part of the support tools from the Microsoft website. Just go to microsoft.com/downloads and type in support tools.
 

asuh

Thanks for the suggestions. Looks like everything has been taken care of. Now the true test is promoting the server to a Domain Controller!
 

asuh

I now have one further question about our new DC that I promoted.

Active Directory Users and Computers has the following categories in the domain:

Builtin
Computers
Domain Controllers
ForeignSecurityPrincipals
LostAndFound
System
Users

When I take a look at the new DC, I only find the following:

Builtin
Computers
Domain Controllers
ForeignSecurityPrincipals
Users

Maybe I'm just not realizing why, but wouldn't the replication and synchronization actually make the two ADs the same, so that I get all the same information from one onto the other? Any info would be greatly appreciated.
 

stash

Go to the view menu and click on Advanced Features to show the other containers.
 

asuh

Ah, duh. I must have forgotten that I had done that! Thanks. Hopefully everything else is replicated over, because it looks like we might have to promote this new server to Schema Master soon! D'oh!
 

stash

You can use the repadmin tool to find out if replication is working. Repadmin is part of the support tools that are on the 2003 Server CD. However, as a general rule of thumb, if there are no replication errors in the directory service log in event viewer, replication is working.

To check with repadmin, just run 'repadmin /showreps' from a DC. Check the last replication times for each partition (schema, config and domain).
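As an added example (not from this thread or from anyone posting in it), a small Python checker for two points raised above: stash's warning that a DC left off longer than the tombstone lifetime risks lingering objects, and the advice to read the last replication time of each partition from 'repadmin /showreps'. The sample output is constructed and its field layout approximate, and the 60-day tombstone lifetime is the Windows 2000 default assumed here.

```python
import re
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)   # Windows 2000 default (assumed for this forest)
ATTEMPT = re.compile(r"Last attempt @ (\S+ \S+) (was successful|failed)")
SUCCESS = re.compile(r"Last success @ (\S+ \S+)\.")
TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample shaped like the inbound-neighbor section of 'repadmin /showreps';
# the exact field layout is an assumption, not a captured output.
SAMPLE_SHOWREPS = """\
DC=corp,DC=example
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2006-03-01 10:05:12 was successful.
CN=Configuration,DC=corp,DC=example
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2006-03-01 10:05:14 was successful.
CN=Schema,CN=Configuration,DC=corp,DC=example
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2006-03-01 10:05:15 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        61 consecutive failure(s).
        Last success @ 2005-12-20 08:00:00.
"""

def parse_showreps(text):
    """Per naming context: last successful inbound replication time (or None) and whether the latest attempt succeeded."""
    results, current = {}, None
    for line in text.splitlines():
        if line.startswith(("DC=", "CN=")):      # unindented line: a partition header
            current = line.strip()
            results[current] = {"last_success": None, "ok": False}
        elif current is None:
            continue
        elif (m := ATTEMPT.search(line)):
            if m.group(2) == "was successful":
                results[current] = {"last_success": datetime.strptime(m.group(1), TIME_FMT), "ok": True}
        elif (m := SUCCESS.search(line)):
            results[current]["last_success"] = datetime.strptime(m.group(1), TIME_FMT)
    return results

def replication_problems(text, now, tombstone=TOMBSTONE_LIFETIME):
    """(partition, reason) pairs: failed last attempt, or no success inside the tombstone lifetime (lingering-object risk)."""
    problems = []
    for nc, info in parse_showreps(text).items():
        if not info["ok"]:
            problems.append((nc, "last attempt failed"))
        last = info["last_success"]
        if last is None or now - last > tombstone:
            problems.append((nc, "no success within tombstone lifetime"))
    return problems
```

A partition flagged for the tombstone reason is the case stash describes: the DC should be removed with metadata cleanup rather than allowed to replicate again.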