This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 4%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Domain Name: ka.dn.com
All users can login using "ka\username"
Moved DC from Windows 2012 to 2019 | Demoted the 2012 to become a 2ndary DNS | Moved all FSMO roles to new DC |
Checked all settings from client side and everything points to the new server, DHCP, DNS etc
After restarting the client, we get a message the "trust relationship is broken......."
How can we correct this?
adding a device to the domain we could use the domain "KA" with admin account "KA\Administrator"
however after moving the DC we get "target account name is incorrect"
and we need to enter the FQDN "ka.dn.com\Administrator"
How can we correct this?
DC4 is the old DC (2012) it was the 2ndary DC. Primary DC was DC3. Yes it is operational.
Is there a way to rebuild the DNS zone and integrate with AD?
Rejoining all workstations to the domain, will the users lose their user profiles on their respective computers?
Instead can I import the ADUC from the DC01?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Please put up a new set of files to look at.
Just an update
created a user on new DC and it showed by on the old dc
joined a new computer to the domain and it showed up on both the DCs.
is this good? DNS needs to be sorted?
Update
Currently all workstation DNS points to DC01 and is receiving DHCP lease from DC01.
Created a user on DC01 - Replicated to DC04
Created a user on DC04 - "Did Not" Replicate to DC01
Joined a computer to the Domain, joined successfully, the computer shows in the directory of DC04 but not in DC01
However when we try to logon to the joined computer we get the message " Security database on the server does not have a computer account for this workstation trust relationship"
DNS on DC01 has msdcs.domain.local missing - it has just "msdcs" and the name servers in them are offline servers.
when we ping the "domain name" it returns the ip address of DC04
Name Servers on the Fwd Lookup Zones are
DC01 & DC04
Please find dcdiag files in shorturl.at/bkqr9
Update 2
We got the old DC to bootup.
Please put up for DC4
Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
So from DC4 perspective there are four domain controllers DC3, DC4, kebsaAD, kebDC01 and none of them respond to any tests.
From DC1 perspective there are four domain controllers UsaDC3, UsaDC4, saAD, DC01 and none of them respond to any tests.
So in effect DC1 and DC4 appear to be unconnected. (maybe there's been some improper renaming?) In my opinion what you have is completely broken and nothing to work with. You can refer to my earlier replies about the possibility of abandoning this and restore the backup you mentioned.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Ok.
Just in case I recover the original PDC from the backup.
How can I restore the latest ADUC ?
If it comes to the worst situation how do I create a new domain controller and import the users and their respective password?
We have the AD syncing with O365
We have AD syncing with Azure AD
Do we have to redo all this again?
Just in case I recover the original PDC from the backup. How can I restore the latest ADUC ?
When you restore the PDC emulator the steps will be as follows; All others corrupt ones turned off. Restore the old PDC emulator from a known good backup, then perform cleanup to remove remnants of any others domain controllers from active directory.
Clean up Active Directory Domain Controller server metadata
Step-By-Step: Manually Removing A Domain Controller Server
Then check the prerequisites are met to introduce the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR
Then confirm all is good by using dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can move on to next one.
--please don't forget to upvote and Accept as answer if the reply is helpful--
We have the AD syncing with O365 We have AD syncing with Azure AD Do we have to redo all this again?
It's possible that you would need to setup again.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
My concern is the backup is over 200 days old, how would this make an impact? Will I lose AD data that is current and will everything revert back to 200 days?
I have booted up the demoted DC but for some reason it cannot contact the domain. It keeps giving me a message domain cannot be contacted.
I can ping DC01 & DC04
I cannot ping domain name
If i can add it back to the domain and restore the DNS & DFSR from AD deleted items? does it give me a chance
Any ideas on how to add this to the domain?
worst situation, if i can make the existing DC01 (which has all the updated ADUC, DHCP etc to become the authorative DC and to make it work, I may just need to rejoin hte computers again? Maybe reconfigure the DNS & rebuild it. is that a way? I am thinking if I have to do it from scratch then why not on the DC01 which has all the data.
my concern is basically losing the AD USer details, adding computer to domain is a task we can handle.
Appreciate your advise on what to do if the backup nd DC3 does not work
Yes, it backs everything up timeline-wise to the date of backup. A demoted domain controller is of no use whatsoever. The existing DC01 is not operational as reported by dcdiag.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Please don't forget to close up the thread by marking helpful answers.
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--