Promote DC in same site as read-only DC

Joe 26 Reputation points
2020-09-25T03:05:52.417+00:00

Hi

We have multiple sites, each with their own Domain Controllers.

One of the sites has only one DC, which is read-only (2008R2). Looking to promote a new DC and then retire the old read-only DC.

Building a new DC in this site fails every time, seemingly because it's trying to replicate from the read-only DC. The promotion joins the server to the domain, but the promotion itself is not successful. I then have to manually clean up DNS after the partly-added/failed DC.

This is not a problem in any other site, none of which contain read-only DCs.

Is anything special needed to get a server promoted to a DC when in the same site as a read-only DC?

Thanks


4 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-09-25T03:15:58.66+00:00

    I'd check that domain health and site connectivity are 100% before making any changes or additions (dcdiag / repadmin tools).

    The two prerequisites to introducing the first 2019 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR.
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer FSMO roles over (optional), transfer the PDC emulator role (optional), use dcdiag / repadmin tools to again verify health, and when all is good you can decommission / demote the old one.

    --please don't forget to Accept as answer if the reply is helpful--


  2. Fan Fan 15,301 Reputation points Microsoft Vendor
    2020-09-25T05:45:04.433+00:00

    Hi,
    Thanks for sharing here!
    If you want to add the Server 2019 as the new RWDC, please make sure that DFSR is used for the SYSVOL replication.
    You can confirm that with the command: dfsrmig.exe /getglobalstate
    If the result is 3 (ELIMINATED), DFSR is used for the replication.

    Then, could you please tell us whether the newly promoted DC can connect to the RWDCs in other sites?
    Before going further, please test that everything works well; commands you can use:
    Dcdiag /v >c:\dcdiag1.log
    Repadmin /showrepl >C:\repl.txt
    Repadmin /showreps *
    Repadmin /syncall /APeD

    If all is good, check more details in the events and logs:
    %systemroot%\debug\dcpromo.log
    Event viewer\Windows logs\System
    Event viewer\Windows logs\Application
    Event viewer\Applications and services logs\Directory Service
    Event viewer\Applications and services logs\DFS Replication

    Best Regards,


  3. Joe 26 Reputation points
    2020-10-02T09:03:49.03+00:00

    Hi,

    Thanks for the recommendations. The domain replication is healthy and there are no issues bringing up new DCs in other geographical sites on this domain.

    The promotion fails half-way only for this one site, which is the only site with a RODC. I'm left with a server which is flagged as a DC in AD, but can still be signed in to with the local admin account - which is the first sign of failure. Then I get many replication failures in repadmin and dcdiag. I then need to manually go through DNS and domain services to remove the failed DC, as it cannot be demoted gracefully.

    I can try the promotion again, but it's failed twice and takes a lot of time to undo, so I'm just fishing for ideas as to why this one site could be failing and, if it is due to the RODC, what to do about it (such as perhaps promoting it to a RWDC).

    I'll next try using DNS1 and DNS2 on the new DC from two other geographical sites before attempting promotion again, as using the local RODC DNS does not help.

    Ever come across something like this?


  4. Dave Patrick 426.1K Reputation points MVP
    2020-10-02T12:12:00.763+00:00

    I'd check the required ports are flowing between sites.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

    https://www.microsoft.com/en-us/download/details.aspx?id=24009

    As to cleaning up from a failed domain controller you can follow along here.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

    --please don't forget to Accept as answer if the reply is helpful--

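The checks the answers above recommend (DFSR state of SYSVOL, resolvers pointing at writable DCs, the AD ports from the firewall article, replication health) combined into one pre-flight script, as an added example that is not from this thread. It assumes it is run elevated on the member server about to be promoted, with the AD DS role, RSAT AD tools and PowerShell remoting to one RWDC available; the DC names, domain and site name are placeholders for your environment.

```powershell
# Added pre-flight check (not from this thread). Placeholders: DC names, domain, site.
param(
    [string[]]$WritableDCs = @('DC01.corp.example', 'DC02.corp.example'), # RWDCs in other sites
    [string]$DomainName = 'corp.example',
    [string]$SiteName = 'RemoteSite',                                     # the site with the RODC
    [switch]$Promote                                                      # only promote when set
)
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. SYSVOL must already be on DFSR (second answer); dfsrmig is queried on a writable DC.
$state = Invoke-Command -ComputerName $WritableDCs[0] { dfsrmig.exe /getglobalstate } | Out-String
if ($state -notmatch 'ELIMINATED') { $problems += "SYSVOL not migrated to DFSR:`n$state" }

# 2. Resolvers should point at writable DCs, not the local RODC (Joe's plan in the third
#    post), so the promotion locates an RWDC instead of trying to pull from the RODC.
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
$rwdcIPs   = foreach ($dc in $WritableDCs) { (Resolve-DnsName $dc -Type A).IPAddress }
if (-not ($resolvers | Where-Object { $_ -in $rwdcIPs })) {
    $problems += "No DNS resolver points at a writable DC (current: $($resolvers -join ', '))"
}

# 3. Standard AD DS ports must be open from this site to each RWDC (fourth answer's firewall
#    link). The dynamic RPC range (49152-65535) is not probed here.
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC mapper'; 389='LDAP'; 445='SMB'; 464='kpasswd'; 636='LDAPS'; 3268='GC' }
foreach ($dc in $WritableDCs) {
    foreach ($p in $ports.Keys) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { $problems += "$dc TCP/$p ($($ports[$p])) not reachable" }
    }
}

# 4. Existing replication must be clean before adding a DC (both answers say so);
#    Get-ADReplicationFailure is the PowerShell counterpart of repadmin /showrepl.
$failures = @(Get-ADReplicationFailure -Target $WritableDCs)
if ($failures.Count) { $problems += "$($failures.Count) replication failure(s) on writable DCs" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }
if (-not $Promote) { Write-Host 'All checks passed; re-run with -Promote to install.'; return }

# Name the replication source explicitly so the new DC never sources from the RODC.
# The DC becomes a GC by default, as recommended; the DSRM password is prompted for.
Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName `
    -ReplicationSourceDC $WritableDCs[0] -InstallDns -Credential (Get-Credential "$DomainName\Administrator")
```

Run it first without -Promote; it only reaches Install-ADDSDomainController when every check passes and the switch is given.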