Trust relationship between workstation primary domain failed after moving dc/gc to 2019 from 2012

Question

Domain Name: ka.dn.com

All users can login using "ka\username"

Moved DC from Windows 2012 to 2019 | Demoted the 2012 to become a 2ndary DNS | Moved all FSMO roles to new DC | 

Checked all settings from client side and everything points to the new server, DHCP, DNS etc

After restarting the client, we get a message the "trust relationship is broken......."

How can we correct this?

adding a device to the domain we could use the domain "KA" with admin account "KA\Administrator"

however after moving the DC we get "target account name is incorrect"

and we need to enter the FQDN "ka.dn.com\Administrator"

How can we correct this?

Answer 1

Unfortunately, the new DC is not operational for the reasons I mentioned above.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 2

I have an old backup of the old DC....however the ADUC has a lot of updates. I can restore it to a physical machine. However how can i ensure it doesnt change the existing ADUC.

Can I restore the existing ADUC (2019) to the old DC (2012)

Answer 3

I have an old backup of the old DC....however the ADUC has a lot of updates. I can restore it to a physical machine. However how can i ensure it doesnt change the existing ADUC.

Not sure what is meant. There isn't an existing since none of what you posted about are operational. When you restore the PDC emulator the steps will be as follows; All others corrupt ones turned off. Restore the old PDC emulator from a known good backup, then perform cleanup to remove remnants of any others domain controllers from active directory.

Clean up Active Directory Domain Controller server metadata

Step-By-Step: Manually Removing A Domain Controller Server

Then check the prerequisites are met to introduce the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR

Then confirm all is good by using dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can move on to next one.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 4

Dave,

We have managed to bring the DC4 online. However, the DNS shows the same as DC01, the ADUC is fully updated.

will this be good enough to rebuild the DNS or DNS Zone?

What my question meant is, the backup of the old PDC is about 300 days old. If we restore this and activate it, will it effect the existing ADUC etc or can I just import or restore the existing ADUC to the old DC, i do not want to lose the updated data.

last shot will be for us to rebuild the AD from scratch using the same domain name etc. what impact will this have, we just have 40 users in our AD. However, we need to ensure their usernames and passwords can be restored.

I am all for restoring the old DC but i just need to be sure about the ADUC being the updated one.

I created a new users on the new DC DC01 and the user replicated to DC4

Answer 5

Not sure what is meant? Is DC4 a newly created one? Is it operational? Rebuilding from scratch means joining the existing workstations to the new domain and creating new user accounts. Even with the new domain name same as old it is in fact a new domain because underlying SID is different.

--please don't forget to upvote and Accept as answer if the reply is helpful--