Windows – Move FSMO from offline DC to new Secondary

Last updated on November 3rd, 2019 at 12:24 pm

Step 1: Primary Domain Controller (DC1) online?

a. Yes
Proceed to step 2
b. No
Skip to step 5

Step 2: Uninstall Active Directory From DC1

dcpromo

or

dcpromo /forceremove

Step 3: Remove DNS From DC1

Using the “Manage Your Server” utility from the Start menu, click Add/Remove Roles, then Remove DNS.

Step 4: Move DC1 to a workgroup

1. Press WIN + Pause/Break, or from the Start menu right-click My Computer and select Properties.
2. Click the Computer Name tab.
3. Click Change.
4. Select Workgroup.
5. Enter the workgroup name.
*YOU MUST RENAME THE COMPUTER AS WELL*
6. Shut down the machine.

Step 5: Remove Orphaned Domain Controller (DC1)

1. Log on to the Secondary Domain Controller (DC2)
2. Click Start, point to Run, type “CMD”, and then press ENTER.
3. Run the following commands:

ntdsutil
metadata cleanup

Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.

connections

This menu is used to connect to the specific server where the changes occur.

connect to server DC2
quit
select operation target
list domains
select domain number

*Where “number” is the number associated with the domain that the server you are removing belongs to.

list sites
select site number

*Where “number” is the number associated with the site that the server you are removing belongs to. *It will not display a message confirming that it is connected.*

list servers in site
select server number

*Where “number” is the number associated with the server you want to remove. It will not display a message confirming that it is connected.

quit
remove selected server
quit

*Quit the Ntdsutil utility.

4. Remove the CNAME record in the _msdcs zone of the forest root domain in DNS.
5. In the DNS console (DNS MMC), delete the server’s A record.

*Also delete the CNAME record in the _msdcs container: expand the _msdcs container, right-click the CNAME record, and then click Delete.

*In the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.

Step 6: Remove Old Domain Controller From Active Directory

1. Remove the old computer account using the “Active Directory Sites and Services” tool.
2. Remove the old DNS and WINS records of the orphaned Domain Controller.
3. Use “ADSIEdit” to remove the old computer records from Active Directory:

*OU=Domain Controllers,DC=domain,DC=local
*CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
*CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

4. Search through all directories in the DNS management console and delete any and all references to DC1.

*Check properties of all records

Step 7: See if domain controller is a global catalog server

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller’s folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
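As an added check (example code, not from the original post), the PowerShell audit below looks for anything that still refers to the old DC after Steps 5 to 7: the three containers from Step 6, the DNS records from Steps 5 and 6, and the FSMO role holders. It assumes the ActiveDirectory and DnsServer modules (RSAT) are installed, that it runs on DC2 (which also hosts DNS) with Domain Admin rights, and that the removed DC was named DC1 as in this post.

```powershell
# Added example, not from the original post: after Steps 5-7, list anything that
# still refers to the removed DC in AD, DNS or the FSMO role holders.
# Assumes the ActiveDirectory and DnsServer modules (RSAT) are present, that it
# runs on DC2 (which also hosts DNS) with Domain Admin rights, and that the old
# DC's hostname is passed in; 'DC1' is the post's example name.
Import-Module ActiveDirectory, DnsServer

function Find-OrphanedDcReferences {
    param([Parameter(Mandatory)][string]$OldDc)
    $root = Get-ADRootDSE; $domain = Get-ADDomain; $forest = Get-ADForest
    $fqdn = "$OldDc.$($domain.DNSRoot)".ToLower()
    $findings = @()

    # Step 6: the three containers the post names must no longer hold an object
    # named after the old DC (computer account, site server object, FRS member).
    $searches = @{
        'Domain Controllers OU' = "OU=Domain Controllers,$($root.defaultNamingContext)"
        'Sites server object'   = "CN=Sites,$($root.configurationNamingContext)"
        'FRS SYSVOL member'     = "CN=File Replication Service,CN=System,$($root.defaultNamingContext)"
    }
    foreach ($label in $searches.Keys) {
        $objs = @(Get-ADObject -Filter "name -eq '$OldDc'" -SearchBase $searches[$label] -SearchScope Subtree)
        foreach ($o in $objs) { $findings += "$label still contains $($o.DistinguishedName)" }
    }

    # Steps 5 and 6.4: A, NS, SRV and _msdcs CNAME records that point at the old DC.
    foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
        $records = @(Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue)
        foreach ($rec in $records) {
            $d = $rec.RecordData
            $hit = switch ($rec.RecordType) {
                'CNAME' { $d.HostNameAlias.TrimEnd('.').ToLower() -eq $fqdn }
                'NS'    { $d.NameServer.TrimEnd('.').ToLower()    -eq $fqdn }
                'SRV'   { $d.DomainName.TrimEnd('.').ToLower()    -eq $fqdn }
                default { $rec.HostName -eq $OldDc }   # e.g. the A record kept under the old name
            }
            if ($hit) { $findings += "DNS zone $zone has $($rec.RecordType) record '$($rec.HostName)' -> $OldDc" }
        }
    }

    # Step 7 and the post's title: no FSMO role may still be recorded on the old DC.
    $roles = @($forest.SchemaMaster, $forest.DomainNamingMaster,
               $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    foreach ($r in $roles) { if ("$r".ToLower() -eq $fqdn) { $findings += "FSMO role still held by $r" } }
    return $findings
}

$left = Find-OrphanedDcReferences -OldDc 'DC1'
if ($left) { $left | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No references to DC1 remain in AD, DNS or the FSMO role holders." }
```

Any warning it prints is a leftover to clean up by hand with the tools named in Steps 5 and 6; an empty result means the metadata cleanup and DNS cleanup are complete on this DC.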

Step 8: Reinstall OS on DC1

This is what Microsoft and pretty much every article I have read recommend. It can be avoided, though: rename the server, change its IP, and disable networking while you do everything else. You can then give the old IP to the new backup DC (with a different name) and bring the old DC back into the domain as a plain computer (with a different name).

Edit: You can bring it back into the domain with the same computer name as long as you remove every trace of it having been a domain controller from DNS. In fact, if you remove AD without using /forceremove, it will even ask whether you want to add it to the domain, like this:

Resolution:
- Stop the KDC service on the DC experiencing the issue.
- Run the following command with elevated rights:

netdom resetpwd /server: /userd: /passwordd:*

- It will prompt for the password of the Domain Admin account you used; enter it.
- Once the command completes, reboot the server.
- The DNS zones should now load.
- Exchange services should be started.