Trust relationship on the workstations lost after demoting the only DC/GC in the AD site, but there is another DC/GC in other AD sites?

Hi All,

I need your help urgently because my simple AD domain controller demotion has gone beyond my understanding.

AD Sites & Services setup is full mesh, no IPsec VPN tunnel:

Data Center AD Site:
2x Win 2008 R2 DC/GC

Head Office AD Site:
1x Win 2012 R2 DC/GC

Problem Site Office AD Site:
1x Win 2012 R2 DC/GC, which is also running AD-integrated DNS & DHCP

Problem root cause:
What I did this morning, before people started working, was the completely harmless task of force-demoting the Windows Server 2012 R2 DC that was unable to replicate to any other AD site and could only accept incoming AD object updates.

Steps taken:
1. Change the DHCP scope DNS to point to Primary: Data Center DC/GC IP, Secondary: itself, where it is no longer functioning as AD-integrated DNS since it has no forward lookup zone for Domain.com.
2. Reduce the DHCP scope lease to 6 hours, and wait from yesterday morning until today.
3. Force-demote the AD role.
4. Reboot.
5. Manually go to the AD Users & Computers console to perform metadata clean-up (right-click, Delete), followed by manually searching the DNS containers for any name of the DC server that has been demoted.
6. Wait 30 minutes, then... the problems start to happen one by one.

7. I have joined the same server back with the same name & IP address just to run DHCP, file server and print server, but still, one by one, workstations complained about the trust relationship issue.

The next steps are to be taken next week, because I cannot do it myself due to the large number of user complaints bombarding me constantly; even now in the afternoon I cannot have a quiet lunch:
1. Promote as AD domain controller.
2. Configure AD-integrated (is it necessary?).
3. Change the DHCP scope lease back to 8 days.
4. Change the DHCP scope DNS to itself and one DNS server in the Data Center AD site.


Now the new problem is:
One by one, workstations in the Problem Site office lost their trust relationship with the AD domain. Therefore the fix was to:
1. Leave the domain, reboot.
2. Rename the computer, reboot.
3. Join the AD domain, reboot.
4. Change the name back to the previous name, reboot.
5. The user can now log in to their previous desktop.

There are 90+ workstations in the Problem Site office, and now I'm stuck having to manually perform the 5 steps above one by one for the entire office.

What could have gone wrong in my steps above?
I have made sure that all of the computers, both those using DHCP-assigned IPs and those with static IPs, can ping the DNS server in the Data Center, as I changed the DHCP scope priority the day before, but somehow this problem occurred today 30 minutes after the demotion.

Any help would be greatly appreciated.

Thanks very mu

September 3rd, 2015 12:33am
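An added example, not part of the original post: instead of the leave/rename/rejoin/rename cycle for each of the 90+ workstations, this PowerShell script checks each workstation's secure channel against a known-good DC/GC in the Data Center site and resets it in place with Test-ComputerSecureChannel -Repair. The DC name DC-DATACENTER01, the OU path and the domain name Domain.com are placeholders assumed for the example.

```powershell
# Added example (not from the original post). Placeholders to adapt:
# $HealthyDc   - a DC/GC in the Data Center site that is replicating normally
# $SearchBase  - the OU that holds the Problem Site workstations
$HealthyDc  = 'DC-DATACENTER01.Domain.com'
$SearchBase = 'OU=ProblemSite,DC=Domain,DC=com'
$Cred       = Get-Credential -Message 'Domain account allowed to reset computer accounts'

# Sanity check first: the DC locator SRV records must no longer point at the demoted server.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.Domain.com' -Type SRV -Server $HealthyDc -ErrorAction Stop |
    Select-Object NameTarget, Port | Format-Table -AutoSize

# Enumerate the site's enabled computer accounts from the healthy DC, not from the local site.
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Server $HealthyDc |
    Select-Object -ExpandProperty DNSHostName

$Results = foreach ($pc in $Computers) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $pc; Status = 'Offline'; Repaired = $false }
        continue
    }
    try {
        # Runs on the workstation itself. -Server pins the check to the healthy DC so a
        # stale DNS record for the demoted DC cannot be used for the secure-channel test.
        $r = Invoke-Command -ComputerName $pc -Credential $Cred -ArgumentList $HealthyDc, $Cred -ScriptBlock {
            param($Dc, $C)
            $ok    = Test-ComputerSecureChannel -Server $Dc
            $fixed = $false
            if (-not $ok) {
                # Resets the machine account password and re-establishes the secure channel,
                # which is what the manual leave/rejoin cycle achieves by creating a new account.
                $fixed = Test-ComputerSecureChannel -Repair -Server $Dc -Credential $C
            }
            [pscustomobject]@{ Healthy = $ok; Repaired = $fixed }
        }
        $status = if ($r.Healthy) { 'OK' } else { 'Broken' }
        [pscustomobject]@{ Computer = $pc; Status = $status; Repaired = $r.Repaired }
    } catch {
        [pscustomobject]@{ Computer = $pc; Status = "Error: $($_.Exception.Message)"; Repaired = $false }
    }
}

# Review which machines were broken, which were repaired, and which still need a visit.
$Results | Sort-Object Status | Format-Table -AutoSize
```

If WinRM authentication itself fails on a workstation because the broken secure channel prevents it from validating domain credentials, run the inner Test-ComputerSecureChannel lines locally on that workstation from a local administrator logon.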
