Replacing a Primary (and Secondary) Domain Controller (Due to a Hardware Issue) by Seizing FSMO Roles and Performing Metadata Cleanup
Yesterday one of our primary domain controllers went down due to a hardware issue. These are the steps we need to follow to install a new domain controller as a replacement.
- The first step is to seize the FSMO roles and assign them to the secondary (additional) domain controller. This makes the secondary domain controller the primary domain controller. Usually the FSMO roles (Schema master, Domain naming master, PDC emulator, Infrastructure master and RID master) are allocated to the primary domain controller. You can check which DC holds the FSMO roles by issuing the command netdom query fsmo
- Note: To seize the ‘Schema master’ FSMO role, you need to be a member of the Schema Admins AD group. For all other seizures, you just need to be a member of the Domain Admins AD group.
- Once this is done, clean up the metadata. This ensures the old primary domain controller's details are fully removed from Active Directory. We need to remove it from AD Users and Computers and from AD Sites and Services.
- Create a new VM to set up the primary DC, or set up a physical server, and (in the case of Windows 2008 R2) add the AD DS (Active Directory Domain Services) role from Server Manager and then type dcpromo at a command prompt. After some time, the AD database will be replicated to the secondary server. This new secondary server will be a Global Catalog server (which you can check in AD Sites and Services).
Now the above is the theory. Let's see the steps.
You need to be a member of both Schema Admins and Domain Admins to perform this.
You can check whether you have the Schema Admins privilege by checking the users in the Schema Admins group or the Member Of options of your AD account. If you don’t have the privilege, add your account to the Schema Admins members list.
Similarly, make sure you are a member of the Domain Admins group.
That is all about prerequisites.
A. SEIZE FSMO ROLES
Now RDP into the secondary domain controller DC1 (assume the primary is DC and the secondary is DC1).
Open a command prompt and issue the following commands, as shown in the picture below.
connect to server dc1 (dc1 is the secondary domain controller you are logged in to via RDP)
You are now in fsmo maintenance. From here we can seize the FSMO roles from the primary DC and put them onto the secondary DC.
To seize the Domain naming master role:
Command: Seize naming master
and click Yes.
Similarly, issue the following commands to seize the corresponding FSMO roles:
Seize infrastructure master
Seize RID master
Seize schema master
Note: Seizing the Schema master requires you to be a member of Schema Admins, as mentioned in the prerequisites. If you don't have membership in this group and are only adding it now, then please give it some time, or the best thing is to restart the additional domain controller after this change. Initially I was unable to seize the schema master role; I got an access denied error even though I was in Schema Admins (which I had added a couple of hours before the FSMO role seizure). After the domain controller reboot, I was able to seize this role.
After the seizure, run the command below to check that all the FSMO roles have been transferred to the secondary domain controller. This makes the secondary DC the primary DC (server DC1 is now the primary domain controller).
netdom query fsmo
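The check described above, as an added example that is not part of the original post: a PowerShell function that parses `netdom query fsmo` output and reports, for each of the five roles, whether it now sits on the surviving controller or is still recorded against the retired one. DC and DC1 are the host names used in this post; the function name, the example.local domain and the sample output are constructed for illustration.

```powershell
# Added example, not from the original post. DC (failed) and DC1 (surviving)
# are the post's host names; the example.local domain is constructed.
function Test-FsmoHolders {
    param(
        [string[]]$NetdomOutput,    # lines printed by: netdom query fsmo
        [string]$ExpectedHolder,    # short name of the DC that should hold every role
        [string]$RetiredHolder      # short name of the DC that was taken out of service
    )
    # Role labels exactly as netdom prints them.
    $roles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'
    $found = @{}
    foreach ($line in $NetdomOutput) {
        foreach ($role in $roles) {
            if ($line -match ('^\s*' + [regex]::Escape($role) + '\s+(\S+)\s*$')) {
                $found[$role] = $Matches[1]
            }
        }
    }
    foreach ($role in $roles) {
        $holder = $found[$role]
        if (-not $holder) {
            $status = 'NOT REPORTED'
        } else {
            $short = ($holder -split '\.')[0]      # compare the host part of the FQDN
            if ($short -ieq $ExpectedHolder)    { $status = 'OK' }
            elseif ($short -ieq $RetiredHolder) { $status = 'STILL ON RETIRED DC' }
            else                                { $status = 'UNEXPECTED HOLDER' }
        }
        New-Object psobject -Property @{ Role = $role; Holder = $holder; Status = $status } |
            Select-Object Role, Holder, Status
    }
}

# Constructed sample: four roles moved, the PDC role did not.
$sample = @(
    'Schema master               DC1.example.local',
    'Domain naming master        DC1.example.local',
    'PDC                         DC.example.local',
    'RID pool manager            DC1.example.local',
    'Infrastructure master       DC1.example.local',
    'The command completed successfully.'
)
$report = Test-FsmoHolders -NetdomOutput $sample -ExpectedHolder DC1 -RetiredHolder DC
$report | Format-Table -AutoSize
# On the domain controller itself, pass the live output instead:
#   Test-FsmoHolders -NetdomOutput (netdom query fsmo) -ExpectedHolder DC1 -RetiredHolder DC
```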
B. METADATA CLEANUP
Metadata cleanup is about removing the old primary domain controller's entries from Active Directory Users and Computers and from Active Directory Sites and Services. In our case we need to remove the domain controller named DC from AD.
On domain controller DC1, open AD Users and Computers -> Expand Domain -> Domain Controllers -> Delete the old domain controller ‘DC’
Check the empty box “This Domain controller is permanently offline and………….”
Now open AD Sites and Services on DC1
C. INSTALL AD ON A NEW SERVER AND MAKE IT THE SECONDARY DC
On the new server -> Server roles -> Install Active Directory Domain Services -> Run -> dcpromo, and install AD as an additional domain controller for the domain. Remember this is for the Windows 2008 R2 OS.
That is all.