Removing Windows 2012 DC

Discussion in 'Windows Server' started by climws, Jan 27, 2014.

  1. climws

    climws MDL Novice

    Hello everyone
    I am kinda new to Windows Server configuration and I hope you can give me some input.

    Currently we have 5 servers in our company: Windows 2003, Windows 2003r2, Windows 2008, Windows 2008r2, Windows 2012. Windows 2008r2 was our Primary DC 6 months ago, and when we purchased a new Windows 2012 server, we allowed this new server to take over the role of a DC.

    Now we have encountered some hardware issues on the 2012 server and want to reconfigure the server.
    I have read books on Windows 2012 Installation and Configuration etc. but I still have 3 confusions.

    1) Can I simply back up and then reformat my Windows 2012? After which I can apply the AD? I will do it over the weekend.

    2) Since there are different versions of Windows Server OS, what is the forest level and domain level that I should select after reinstalling the 2012 server?

    3) After I have reformatted and reused the same domain name, do I have to get all my colleagues' PCs to rejoin the domain with the same name?
     
  2. Tito

    Tito Super Mod / Adviser
    Staff Member

    Off Topic

    Does the new Server 2012 come as OEM licensed??
     
  3. WinDev

    WinDev MDL Expert

    @climws

    Which Server do you have? Server 2012 or 2012 R2?
     
  4. Erik B

    Erik B MDL Member

    #4 Erik B, Jan 27, 2014
    Last edited: Jan 27, 2014
    I don't know if the following is the recommended method (I guess you can read all about it at MS tech), but I've done it a couple of times.
    1) Create a Windows Server virtual machine
    2) Make it a secondary DC
    3) Remove the primary DC (this is the tricky part)
    4) Make your VM DC the primary DC
    5) Fix and reinstall the real server
    6) Reverse the domain controller transfer and make it the primary DC again.

    The advantage with the above is that it's safe and simple, but I guess there are many methods out there. No one else but you would probably see any difference if you can solve the temporary DC IP address change, i.e. the domain remains the same.
     
  5. climws

    climws MDL Novice

    #5 climws, Jan 28, 2014
    Last edited: Jan 28, 2014
    (OP)
    Yes it is just Windows Standard 2012, not R2, and it is not OEM.

    Oh the functional level for both domain and forest is still at Windows 2003.

    Thank you Jacker_Back for your suggestions. I suppose it will work. The concern is the 'tricky part'.
    Do you have any references for me to read up? I feel uneasy for a newbie.
     
  6. Arenared

    Arenared MDL Novice

    Do a bare metal backup first
     
  7. lattensepp

    lattensepp MDL Novice

  8. Erik B

    Erik B MDL Member

    No worries, you can do as many VM server tests as you feel needed. Just don't remove the primary server until you feel satisfied. As mentioned, a complete system backup is pretty mandatory. There are several guides to remove the primary DC at MS tech, read the logs and correct any errors (there will be errors, I'm sure :p, read the guides how to correct them). Note: Your domain will be alive during the whole process, so accounts, policies etc. will not be affected during the transfers. The "tricky thing" is usually DNS related.
     
  9. climws

    climws MDL Novice

    #9 climws, Jan 28, 2014
    Last edited: Jan 28, 2014
    (OP)
    We do not have any VMware and bare metal backup solutions.

    When I issue netdom query fsmo, it has pointed everything to the current Windows 2012. What I did the last round was that I had migrated Windows Standard 2008r2 (DC) to Windows Standard 2012 as the new PDC. Then I had the old DC demoted.

    This main DC server is mainly used for File Sharing, DHCP, DNS, AD, DC. The other servers are used for File Sharing and are joined to the same domain.

    We do not have any redundant DC yet. Only one running now. Of course, after we have fixed this Windows 2012, we will make the Windows 2008r2 the redundancy DC.

    Yes, I also believe the tricky part is DNS related. The last time, DNS was not propagated to the whole domain after installing and running for 3 days. I had to add in the DNS IP address manually to each PC in the domain. Very troublesome. Is there a way out for me to prevent the same thing from happening again?
     
  10. Erik B

    Erik B MDL Member

    Oh OK, I don't think you need to care so much about server configurations and layouts. You just want to transfer the domain and fix the server, right? You can do:
    Install Windows Server 2012 at any (good) workstation on your net.
    Activate Hyper-V and install your temporary Windows DC virtual machine(s).
    The domain will be alive and copied to your VM DCs and be functional while you fix the server. I suggest you do a clean install after fixing the real server and not using a backup restore.

    Since you already have done a migration, I think everything will be clearer when you're at it. After all, it is a rather simple (but safe) method and you will probably be able to go through the whole thing with the default server guides. AFAIK adding a secondary DC is perfectly safe.
     
  11. climws

    climws MDL Novice

    #11 climws, Jan 30, 2014
    Last edited: Jan 30, 2014
    (OP)
    Thank you all for the information provided for me.

    I have already:

    1) Promoted the Windows 2008 to a DC with DHCP, DNS set. I didn't promote Windows 2008r2 because it is running some critical application and I cannot touch it for a week.

    2) Transferred the FSMO from 2012 to 2008.

    3) Left the forest and domain level at 2003.

    4) Also made a backup of the files and folders of 2012.

    Come tomorrow, the last 2 things to do are to:

    5) Demote 2012 DC

    6) Fix, reformat 2012 and promote it back to PDC.

    I have another concern.

    Actually the 2nd reason to redo the 2012 server was that the domain users complained that there are permission issues on some folders and files. When I checked the ownership, it is listed as unknown. When I checked the permission, it is set to 'Domain Admins' and 'Administrators'. Even though I had logged in as domain administrator, I cannot open the folder or copy the files (permission denied).
    Now my question is, since I have backed up the files and folders to a Synology NAS, if I were to copy them back to the re-done Windows 2012, will this issue get fixed?

    I have backed up using the FreeFileSync opensource software.
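
Added example, not part of any post in this thread: a PowerShell pre-demotion check for the sequence listed in post #11 (FSMO roles moved away, another DC carrying DNS), with the DNS and replication points raised earlier in the thread turned into explicit tests. The domain name `corp.example.com` and the DC name `DC2008` are placeholders, and the script assumes the ActiveDirectory module and `repadmin` are present on the DC being demoted.

```powershell
# Added example (not from the thread). Run elevated on the DC that will be demoted.
# $DomainFqdn and $RemainingDc are placeholder values; substitute your own.
Import-Module ActiveDirectory
$DomainFqdn  = 'corp.example.com'   # hypothetical domain name
$RemainingDc = 'DC2008'             # hypothetical name of the DC that stays online
$LeavingDc   = $env:COMPUTERNAME
$problems    = @()

# 1. None of the five FSMO roles may still sit on the DC that is leaving.
$domain  = Get-ADDomain -Identity $DomainFqdn
$forest  = Get-ADForest -Identity $domain.Forest
$holders = $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
           $forest.SchemaMaster, $forest.DomainNamingMaster
foreach ($h in $holders) {
    if ($h -like "$LeavingDc.*") { $problems += "FSMO role still held by $h" }
}

# 2. The remaining DC should be a global catalog so the domain keeps one.
if (-not (Get-ADDomainController -Identity $RemainingDc).IsGlobalCatalog) {
    $problems += "$RemainingDc is not a global catalog"
}

# 3. Every replication link must show zero failures (repadmin CSV output).
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($l in $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }) {
    $problems += "Replication failing: $($l.'Source DSA') -> $($l.'Destination DSA') [$($l.'Naming Context')]"
}

# 4. The remaining DC's own DNS service must return its DC locator SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV `
           -Server $RemainingDc -ErrorAction SilentlyContinue
if (-not ($srv | Where-Object { $_.NameTarget -like "$RemainingDc.*" })) {
    $problems += "$RemainingDc does not serve its own _ldap SRV record"
}

# 5. SYSVOL and NETLOGON must be shared, otherwise the DC is not advertising.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (Test-Path "\\$RemainingDc\$share")) {
        $problems += "\\$RemainingDc\$share is not reachable"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "No blocking problems found; $LeavingDc can be demoted."
```

Clients also need the remaining DC's address as their DNS server (normally handed out by DHCP) before the old DC goes away; the script does not check that.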
     
  12. Erik B

    Erik B MDL Member

    Permission errors :tasty:

    If you copy with the robocopy utility on a store that can handle NTFS ACLs, you can keep the applied permissions. Otherwise I think the default permissions will be applied and any applied permissions will be lost. By googling I see Synology have guides related to NTFS permissions.
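
Added example, not part of any post in this thread: a robocopy run that carries NTFS ACLs and ownership as described in post #12, followed by a check that the owner and explicit permissions arrived intact and a report of owners whose SID no longer resolves. The paths `D:\Shares` and `\\FILESRV2\Restore$\Shares` are placeholders, and the destination is assumed to be a store that keeps NTFS ACLs.

```powershell
# Added example (not from the thread). Paths are placeholders; run elevated.
$Source  = 'D:\Shares'                    # hypothetical folder on the old server
$Dest    = '\\FILESRV2\Restore$\Shares'   # hypothetical target that stores NTFS ACLs
$Log     = Join-Path $env:TEMP 'shares-copy.log'
$SidType = [System.Security.Principal.SecurityIdentifier]

# /E include empty subfolders; /COPYALL data, attributes, timestamps, ACLs, owner, auditing
# /B backup mode (reads files the ACL denies); /R /W bounded retries
robocopy $Source $Dest /E /COPYALL /DCOPY:T /B /R:2 /W:5 /NP "/LOG:$Log"
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, see $Log" }

# Owner SID plus the explicit (non-inherited) ACEs, as one comparable string.
function Get-AclFingerprint([string]$Path) {
    $acl  = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $aces = $acl.GetAccessRules($true, $false, $SidType) | ForEach-Object {
        "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)"
    }
    "$($acl.GetOwner($SidType))#" + (($aces | Sort-Object) -join ';')
}

foreach ($item in Get-ChildItem -LiteralPath $Source -Recurse -Force) {
    $target = Join-Path $Dest $item.FullName.Substring($Source.Length)
    try {
        if ((Get-AclFingerprint $item.FullName) -ne (Get-AclFingerprint $target)) {
            Write-Warning "ACL differs after copy: $($item.FullName)"
        }
        # An owner SID that maps to no account is displayed as an unresolved owner.
        $owner = (Get-Acl -LiteralPath $target -ErrorAction Stop).GetOwner($SidType)
        try { [void]$owner.Translate([System.Security.Principal.NTAccount]) }
        catch { Write-Warning "Unresolvable owner $owner on $target" }
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName) ($($_.Exception.Message))"
    }
}
```

Because `/COPYALL` reproduces the source security descriptors, a file that was inaccessible before the copy stays inaccessible afterwards; the warnings above show which items need their owner or ACL repaired.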
     
  13. climws

    climws MDL Novice

    Okay, the files are not affected. Thank you jerker_back.

    But I have a bigger problem.

    After following the suggestion, everything seemed smooth, but I guess we might have some old replication issue.

    Now my domain PCs cannot get a DHCP IP and are also unable to get DNS. What do I need to provide you guys to help me with this issue?
     
  14. Erik B

    Erik B MDL Member

    Well, that's why it's so handy to make the transfer in a virtual machine. If something goes wrong and seems complicated to fix, you can just delete the instance and try again. This is especially true for the DNS server because the work is done as part of the DC copy guide. I'm sure there are workarounds and manual options, but it will easily become messy unless you know exactly what you are doing. I think your best option is to remove the DC role and try again. Read the error logs and follow the advice. Remove the DHCP role until you get DNS functioning properly. Note: I'm not a Network technician, so there may be some professional ways out of your dilemma. Worth considering. Maybe also remove some of the physical servers and go virtual instead?
     
  15. climws

    climws MDL Novice

    Well I did not try the virtual server method since I am not familiar with it.

    I have resolved the DHCP and DNS by setting them with the 2012 server.

    However, when I try to promote 2012 to DC, I get an error: Verification of replica failed.

    What information do I need to provide to you all for further troubleshooting/diagnosis?
     
  16. Erik B

    Erik B MDL Member

    Looks like your only option is to get down and dirty at the DNS server :biggrin:

    Look for example here:
    h**p://social.technet.microsoft.com/Forums/en-US/25c0cc64-1b59-46e0-bfc6-62aade153411/verfication-of-the-replica-failed-error?forum=winserverDS