Forum Discussion
Corrupt AD PDC breaks trust - How to gracefully recover
rvntech: For anyone interested - I attempted to transfer the roles from DC1 to DC2 and then demote DC1 gracefully; however, various errors prevented either of those from working.
I needed to seize the roles from DC1 in PowerShell (ntdsutil errored), remove the DNS role from DC1 and then delete DC1 from Domain Users & Computers on DC2.
I ended up having to delete a lot of references from DNS on DC1 & DC3 (the new DC to replace DC1), and it took a while for dcdiag to stop reporting various warnings.
I seem to have one issue remaining, which is that the member servers all still receive DC1 as the primary DNS server via DHCP. However, because these are VMs in an Azure vNET, I believe this is currently out of our control (unless we manually set the DNS hosts on the NICs), and I hope it will update at some point of the "DNS Lifecycle":
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#azure-provided-name-resolution
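The seize-and-clean-up sequence described in the post, as an added PowerShell example (not the poster's own commands). It assumes the surviving DC is named DC2, the dead DC is DC1, and uses `corp.example` as a placeholder for the real AD DNS zone; it only lists leftover DNS records for review rather than deleting them.

```powershell
# Added example, not the poster's script. Run on the surviving DC (DC2) as a
# Domain/Enterprise Admin. Assumed names: survivor 'DC2', dead DC 'DC1',
# zone 'corp.example' as a placeholder for the real AD domain.
Import-Module ActiveDirectory
Import-Module DnsServer

$Survivor = 'DC2'
$DeadDc   = 'DC1'
$Zone     = 'corp.example'

# 1. Seize (not transfer) all five FSMO roles onto the survivor. -Force is what
#    turns a transfer into a seizure; only use it when DC1 will never come back.
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 2. Verify that no role still points at the dead DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = @($forest.SchemaMaster, $forest.DomainNamingMaster,
            $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
if ($roles -match $DeadDc) { Write-Warning "A FSMO role still references $DeadDc" }

# 3. Metadata cleanup check: deleting the DC's computer object in AD Users &
#    Computers on a current DC also removes its server/NTDS objects; confirm
#    nothing is left behind in the configuration partition.
$stale = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DeadDc'" `
    -SearchBase (Get-ADRootDSE).configurationNamingContext
if ($stale) { Write-Warning "Server object for $DeadDc still exists: $($stale.DistinguishedName)" }

# 4. List DNS records (NS, SRV, A ...) in the domain zone and _msdcs that still
#    name the dead DC, so they can be reviewed before removal.
$leftovers = foreach ($z in @($Zone, "_msdcs.$Zone")) {
    Get-DnsServerResourceRecord -ZoneName $z -ComputerName $Survivor -ErrorAction SilentlyContinue |
        Where-Object { ($_.RecordData | Out-String) -match $DeadDc }
}
$leftovers | Format-Table HostName, RecordType, @{n='Data'; e={ ($_.RecordData | Out-String).Trim() }} -AutoSize

# 5. Replication and DNS health after cleanup (the checks the poster waited on).
repadmin /replsummary
dcdiag /test:DNS /v
```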