PowerShell: Reset Active Directory Server

Step 0:

# Ensure that the AD management module is available in this PS session
# (check installed modules, not just loaded ones, so the RSAT install is only run when needed)
if (!(Get-Module -ListAvailable -Name "ActiveDirectory")) {
    Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
}
Import-Module -Name "ActiveDirectory" -DisableNameChecking | Out-Null

# Add an admin user account to the Schema Admins and Domain Admins groups.
# Schema Admins is only needed while schema changes are made; remove the account
# from it again once the work is done, since it is the most privileged group in the forest.
$member="superman"
$groups="Schema Admins","Domain Admins"
$groups | %{ Add-ADGroupMember -Identity $_ -Members $member }
Get-ADPrincipalGroupMembership $member | select name


# Verify current site where targeted DC named AD02 resides
$dcName="AD02"
Import-Module ActiveDirectory
$site=(Get-ADDomainController -Identity $dcName).Site
$site

# Transfer all five FSMO roles to the DC that will remain (AD01) before demoting AD02.
# Role numbers: 0=PDCEmulator, 1=RIDMaster, 2=InfrastructureMaster, 3=SchemaMaster, 4=DomainNamingMaster
$pdc="AD01"
Move-ADDirectoryServerOperationMasterRole -Identity $pdc -OperationMasterRole 0,1,2,3,4
# Equivalent by name: Move-ADDirectoryServerOperationMasterRole -Identity $pdc -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
# Verify that no role is still held by the DC about to be demoted
netdom query fsmo
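The checks in Step 0 are worth running as one pre-flight script on the DC about to be demoted, because the two failures shown under Exceptions at the end of this page ("no other domain controller for that domain can be contacted" and "A domain controller could not be contacted for the domain") both come from demoting a DC that cannot reach a partner. The following is an added example, not code from the original post; the names AD02 and AD01 and the port list are assumptions, and it is meant to be run on the DC being demoted (the DNS client check reads that machine's own settings).

```powershell
# Added example (not from the original post): pre-flight check before demoting a DC.
# Run ON the DC that will be demoted. Assumes the ActiveDirectory module is loaded.
Import-Module ActiveDirectory

$dcToDemote  = "AD02"   # assumption: the DC being demoted
$survivingDc = "AD01"   # assumption: a DC that stays in the domain

function Test-DcDemotionReadiness {
    param([string]$DcName, [string]$PartnerDc)

    $problems = @()
    $dc     = Get-ADDomainController -Identity $DcName
    $domain = Get-ADDomain  -Server $PartnerDc
    $forest = Get-ADForest  -Server $PartnerDc

    # 1. FSMO roles: none of the five may still be on the DC being demoted.
    #    Get-ADDomain/Get-ADForest report holders as FQDNs, so compare with HostName.
    $holders = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($role in $holders.Keys) {
        if ($holders[$role] -ieq $dc.HostName) {
            $problems += "FSMO role $role is still held by $DcName (transfer it to $PartnerDc first)"
        }
    }

    # 2. A surviving DC must be reachable on the ports demotion relies on:
    #    Kerberos (88), RPC endpoint mapper (135), LDAP (389), SMB (445).
    foreach ($port in 88, 135, 389, 445) {
        if (-not (Test-NetConnection -ComputerName $PartnerDc -Port $port -InformationLevel Quiet)) {
            $problems += "$PartnerDc is not reachable on TCP $port"
        }
    }

    # 3. This DC's own DNS client must not point only at itself: once demoted, its DNS
    #    server stops answering and it can no longer locate the domain.
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses
    $others = @($dnsServers | Where-Object { $_ -notin @('127.0.0.1', $dc.IPv4Address) })
    if ($others.Count -eq 0) {
        $problems += "DNS client points only at $DcName itself; add $PartnerDc as a DNS server"
    }

    # 4. Inbound replication must be healthy, otherwise unreplicated changes on this DC are lost.
    $failures = Get-ADReplicationFailure -Target $DcName
    if ($failures) {
        $problems += "Replication failures reported on $DcName: $(($failures.Partner | Select-Object -Unique) -join ', ')"
    }

    [pscustomobject]@{
        DomainController = $DcName
        Site             = $dc.Site
        ReadyToDemote    = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

$result = Test-DcDemotionReadiness -DcName $dcToDemote -PartnerDc $survivingDc
$result | Format-List
if (-not $result.ReadyToDemote) {
    Write-Warning "Do not run Uninstall-ADDSDomainController yet; resolve the problems listed above."
}
```

The Site value is the one to reuse in Step 2 when moving the re-promoted DC back into place. If the script reports a FSMO role still on the DC, transfer it with the Move-ADDirectoryServerOperationMasterRole command above and re-run the check rather than relying on demotion to hand the role over.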

Step 1: Demote AD02 as DC

# Ensure that the AD management module is available in this PS session
Import-Module ActiveDirectory

# Remove the AD DS role (demote). Read the new local Administrator password interactively
# rather than embedding it in the command line, so it does not end up in the PowerShell history.
$localAdminPassword = Read-Host -Prompt "New local Administrator password" -AsSecureString
Uninstall-ADDSDomainController -Force -LocalAdministratorPassword $localAdminPassword -NoRebootOnCompletion:$True

# Remove DNS
Dism.exe /online /disable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools # works on all supported Windows Server versions
# ServerManagerCmd.exe -remove dns -restart # Only available on Windows Server 2008 R2 or older; removed from later versions

Output

PS C:\Windows\system32> Uninstall-ADDSDomainController -Force -LocalAdministratorPassword (convertto-securestring "letsrock" -asplaintext -force) -norebootoncompletion:$True
WARNING: DNS delegations could not be removed from the parent zone: "kimconnect.com". This could be because of one of
the following reasons: you do not have permission to do so, the zone is hosted by a server that does not run Windows,
no server hosting this zone can be contacted or the zone does not exist.

If the zone does exist, you should delete DNS delegations in the parent zone targeting this domain controller. To do
so, contact an administrator who is responsible for the DNS zone: "kimconnect.com".
The error was:


Message Context RebootRequired Status
------- ------- -------------- ------
You must restart this computer to complete the operation... DCPromo.General.4 True Success

PS C:\Windows\system32> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet 3:

Connection-specific DNS Suffix . : reddog.microsoft.com
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Tunnel adapter isatap.reddog.microsoft.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : reddog.microsoft.com

This error occurs on Windows Server 2016, where ServerManagerCmd.exe no longer exists (it was removed after Windows Server 2008 R2):

PS C:\Windows\system32> ServerManagerCmd.exe -remove dns -restart
ServerManagerCmd.exe : The term 'ServerManagerCmd.exe' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:1
+ ServerManagerCmd.exe -remove dns -restart
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ServerManagerCmd.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Successful output of DNS removal:

PS C:\Windows\system32> Dism.exe /online /disable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools

Deployment Image Servicing and Management tool
Version: 10.0.14393.0

Image Version: 10.0.14393.2457

Disabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
Restart Windows to complete this operation.
Do you want to restart the computer now? (Y/N)

Step 2: Re-Promote AD02 as DC

Fix Network

# Set static IP & DNS: the partner DC first, this server (loopback) second
$ipV4Address="x.x.x.x"
$ipV4Prefix=24
$gateway="x.x.x.x"
$dns1="x.x.x.x"   # the other DC (AD01)
$dns2="127.0.0.1"
[array]$interfaces=(Get-NetAdapter -Name "*" -Physical).Name

function selectInterfaces{
    if ($interfaces.Length -gt 1){
        $i=0
        $interfaces | %{"$i`: $_";$i+=1;}
        do {
            # Convert to [int] so the bounds check is numeric; as strings "10" -lt "2" is true.
            # Non-numeric input converts to $null and simply re-prompts.
            $index = (Read-Host -Prompt 'Input a number from the list above') -as [int]
        } until ($null -ne $index -and $index -ge 0 -and $index -lt $interfaces.Length)
        $Global:interface=$interfaces[$index]
        "Interface named '$interface' has been chosen"
    }else{
        $Global:interface=$interfaces[0]
        "There is 1 physical interface named '$interface', and it has been chosen"
    }
}
selectInterfaces;
# New-NetIPAddress takes -IPAddress (there is no -IPv4Address parameter)
New-NetIPAddress -InterfaceAlias $interface -IPAddress $ipV4Address -PrefixLength $ipV4Prefix -DefaultGateway $gateway
Set-DnsClientServerAddress -InterfaceAlias $interface -ServerAddresses $dns1,$dns2

Output

PS C:\Windows\system32> selectInterfaces
0: Wi-Fi
1: Ethernet 2
Input a number from the list above: 5
Input a number from the list above: 0
Interface named 'Wi-Fi' has been chosen

DC Promo

# Set variables
$domain="intranet.kimconnect.com"
$domainAdminMember="superman"
$cred=(Get-Credential "$domain\$domainAdminMember")
$safeModePassword=Read-Host -Prompt "DSRM (Safe Mode) Administrator password" -AsSecureString

# Install DFS (SYSVOL replication)
Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication, RSAT-DFS-Mgmt-Con

# DCPromo & install DNS server. Demotion leaves the AD DS role binaries (and the ADDSDeployment
# module) in place, so the Install-WindowsFeature call below is a no-op unless the role was removed.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Dism.exe /online /enable-feature /featurename:DNS-Server-Full-Role
Install-ADDSDomainController -InstallDns -Credential $cred -DomainName $domain -SafeModeAdministratorPassword $safeModePassword -Force

This warning can be deferred; the delegation is created in the parent zone afterwards (see Exceptions below):

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"intranet.kimconnect.com". Otherwise, no action is required.

# Move the DC to the correct site (Install-ADDSDomainController also accepts -SiteName to place it there directly)
$dcName="AD02"
$site="Default-First-Site" # change to match the site recorded in Step 0
Move-ADDirectoryServer -Identity $dcName -Site $site

# Verify that the DC has been moved to the correct site
(Get-ADDomainController -Identity $dcName).Site

Step 3: Test replication

# Create a test GPO
Import-Module GroupPolicy
New-GPO -Name "Test-Replication" -Comment "This is a test GPO to validate replication between DCs."

# Pull replication into the new DC (/A all partitions, /d show servers by DN, /e across sites) and show its status
$newDC="AD02"
repadmin /syncall $newDC /Ade
repadmin /showrepl $newDC

This error may occur when the new DC's name does not resolve or a firewall blocks RPC (TCP 135 plus the dynamic RPC range) between the DCs:

DsBindWithCred to AZ1DC02 failed with status 1722 (0x6ba):
The RPC server is unavailable.

# Check for the existence of the GPO folder in SYSVOL on the new DC
Use PowerShell or Explorer to verify that the folder \\AD02\SYSVOL\intranet.kimconnect.com\Policies\{<GPO GUID>} exists on the new DC (the GUID is the Id reported by Get-GPO for the test GPO). The folder arriving proves DFS-R/SYSVOL replication, which is separate from the directory replication that repadmin reports.
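The manual sequence above (create a GPO, force a sync, look for the folder) can be automated so that both replication paths are checked explicitly: the GPO object in the directory, queried on the new DC itself, and the GPO folder in SYSVOL, which travels over DFS-R and can lag behind. The following is an added example, not code from the original post; the DC names AD01 and AD02, the GPO name pattern and the timeout are assumptions, and the throwaway GPO is never linked, so it never applies to anything.

```powershell
# Added example (not from the original post): end-to-end replication check for a re-promoted DC.
# Assumes the ActiveDirectory and GroupPolicy modules are installed and the names below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$sourceDc = "AD01"   # assumption: the DC that stayed in the domain
$newDc    = "AD02"   # assumption: the re-promoted DC

function Test-DcReplication {
    param([string]$SourceDc, [string]$NewDc, [int]$TimeoutSeconds = 300)

    $domain   = Get-ADDomain -Server $SourceDc
    $name     = "Test-Replication-$(Get-Date -Format yyyyMMddHHmmss)"
    $gpo      = New-GPO -Name $name -Comment "Throwaway GPO to validate replication" -Server $SourceDc
    $sysvolPath = "\\$NewDc\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"

    # Pull the domain partition from the source DC into the new DC instead of waiting for the schedule
    repadmin /replicate $NewDc $SourceDc $domain.DistinguishedName | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $adReplicated = $false
    $sysvolReplicated = $false
    do {
        # Directory object: ask the new DC explicitly, so an answer from another DC cannot mask a failure
        if (-not $adReplicated) {
            $adReplicated = [bool](Get-GPO -Guid $gpo.Id -Server $NewDc -ErrorAction SilentlyContinue)
        }
        # SYSVOL content: GPT.INI is written when the GPO is created, so its presence shows DFS-R delivered the folder
        if (-not $sysvolReplicated) {
            $sysvolReplicated = Test-Path (Join-Path $sysvolPath "GPT.INI")
        }
        if (-not ($adReplicated -and $sysvolReplicated)) { Start-Sleep -Seconds 10 }
    } until (($adReplicated -and $sysvolReplicated) -or ((Get-Date) -gt $deadline))

    # Inbound replication as the new DC sees it: last success and last result per partner and partition
    $partners = Get-ADReplicationPartnerMetadata -Target $NewDc -PartnerType Inbound |
        Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult

    # Remove the throwaway GPO again; it was never linked to any OU
    Remove-GPO -Guid $gpo.Id -Server $SourceDc

    [pscustomobject]@{
        GpoName          = $name
        AdReplicated     = $adReplicated
        SysvolReplicated = $sysvolReplicated
        Partners         = $partners
    }
}

$result = Test-DcReplication -SourceDc $sourceDc -NewDc $newDc
$result | Format-List
if (-not ($result.AdReplicated -and $result.SysvolReplicated)) {
    Write-Warning "Replication to $newDc did not complete within the timeout; check 'repadmin /showrepl $newDc' and the DFS Replication event log on $newDc"
}
```

A result with AdReplicated true but SysvolReplicated false points at DFS-R (or an incomplete initial SYSVOL sync on the new DC) rather than at directory replication, which is the distinction the plain repadmin output does not make.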

Exceptions:

---------------------------
DNS Options
---------------------------
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "intranet.kimconnect.com". Otherwise, no action is required.
---------------------------
OK
---------------------------

Read: 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753508(v=ws.10)

… and set DNS delegation after dcpromo.

# Test DNS
DCDIAG /TEST:DNS /V /E

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: intranet.kimconnect.com
AD01 PASS WARN PASS PASS PASS PASS n/a
AD02 PASS PASS PASS PASS PASS PASS n/a

......................... intranet.kimconnect.com passed test DNS

# These errors occur when the DC being demoted (here the PDC emulator) cannot contact any other DC for the domain, which is the case when it is the last DC of the domain or when its DNS client points only at itself. Note the warning in the first message: proceeding with -IgnoreLastDCInDomainMismatch discards any changes on this DC that have not replicated.
PS C:\Windows\system32> Uninstall-ADDSDomainController -Force -LocalAdministratorPassword (convertto-securestring "cowboy" -asplaintext -force) -norebootoncompletion:$False
Uninstall-ADDSDomainController : Verification of prerequisites for Domain Controller promotion failed. You indicated
that this Active Directory domain controller is not the last domain controller for the domain
"intranet.kimconnect.com". However, no other domain controller for that domain can be contacted. Proceeding will
cause any Active Directory Domain Services changes that have been made on this domain controller to be lost. To
proceed anyway, specify the 'IgnoreLastDCInDomainMismatch' option.
At line:1 char:1
+ Uninstall-ADDSDomainController -Force -LocalAdministratorPassword (co ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Uninstall-ADDSDomainController], TestFailedException
+ FullyQualifiedErrorId : Test.VerifyDcPromoCore.DCPromo.General.50,Microsoft.DirectoryServices.Deployment.PowerSh
ell.Commands.UninstallADDSDomainCommand

Message
-------
Verification of prerequisites for Domain Controller promotion failed. You indicated that this Active Directory domai...

# Retried with the extra switch; this fails as well because no DC of the domain can be contacted

PS C:\Windows\system32> Uninstall-ADDSDomainController -Force -LocalAdministratorPassword (convertto-securestring "nihao" -asplaintext -force) -norebootoncompletion:$False -IgnoreLastDCInDomainMismatch
Uninstall-ADDSDomainController : The operation failed because:
A domain controller could not be contacted for the domain datacenter.shopgoodwill.com that contained an account for this computer. Make the computer a member of a workgroup then
rejoin the domain before retrying the promotion.
"The specified domain either does not exist or could not be contacted."
At line:1 char:1
+ Uninstall-ADDSDomainController -Force -LocalAdministratorPassword (co ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Uninstall-ADDSDomainController], DCPromoExecutionException
+ FullyQualifiedErrorId : DCPromo.General.54,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.UninstallADDSDomainCommand

Message
-------
The operation failed because:...
