Ran sysprep on DC

J_Bradway 0 Reputation points
2023-12-07T15:27:29.82+00:00

In short, I ran sysprep on a Domain Controller... yeah, an atrocity has been committed. Good thing is it was the very beginning of setting it up so there wasn't any configuration I am worried about losing.

Background: I have two fresh-out-of-the-box servers. On one of them I created a local file share that has been in operation for some time. It is an offline network, but I wanted to bolster security through centralized authentication, so I planned to make a DC out of both servers and have them replicate. I set the first DC up on the server that did not house any data, to ensure that it implemented successfully before applying it to our production server, and it went well. I was able to join computers to the domain and centrally control access. When attempting to install the second, I received the matching SID error. In an attempt to fix this issue I ran sysprep on the active DC (again, to avoid creating any issues with the production server). Yeah, I know now, bad idea.

My questions: Is it as simple as re-baselining the downed server with fresh installation media?


2 answers

  1. Anonymous
    2023-12-07T15:38:03.9666667+00:00

    You can seize FSMO roles in Active Directory Domain Services (if necessary) to the healthy one, then perform cleanup to remove remnants of the failed one from Active Directory.

    Clean up Active Directory Domain Controller server metadata

    Step-By-Step: Manually Removing A Domain Controller Server

    Then rebuild the failed one from scratch. I'd use the dcdiag / repadmin tools to verify health, correcting all errors found, before starting any operations. Then stand up the new one, patch it fully, license it, join it to the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), and use the dcdiag / repadmin tools to verify health again.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. Anonymous
    2023-12-11T02:58:26.9866667+00:00

    Hi Help_I'm_noob,

    Thank you for posting in Q&A forum.

    Please move the FSMO roles to the healthy DC first.

    You can choose to seize the FSMO roles; please run the command below on the healthy DC to seize them:

    Move-ADDirectoryServerOperationMasterRole -Identity "Health DC" -OperationMasterRole 0,1,2,3,4 -Force

    May I ask, did the AD information sync to another healthy DC? Please check if it is possible for you to demote the DC.

    Below are the steps to demote the DC and do metadata cleanup:

    Demoting Domain Controllers and Domains (Level 200) | Microsoft Learn

    Clean up AD DS server metadata | Microsoft Learn

    Then you can re-promote the DC.

    Please collect dcdiag /v on the DC to check if the DC is healthy after promotion.

    Hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

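The sequence both answers describe (check the surviving DC's health, seize the FSMO roles onto it, clean up the failed DC's metadata, verify again with dcdiag and repadmin), written out as one PowerShell script. This is an added example, not code from either answer or from Microsoft; it assumes a healthy DC still exists (as both answers assume), that the ActiveDirectory module is installed and the session runs with Domain Admin / Enterprise Admin rights, and the DC names, site name and domain DN are placeholders. It spells the roles out by name instead of the numeric 0,1,2,3,4 list used in the answer above, and verifies each role actually moved before touching metadata.

```powershell
# Added example (not from the original answers). Names below are placeholders.
Import-Module ActiveDirectory

$HealthyDC = 'DC01'   # placeholder: the surviving, healthy DC
$FailedDC  = 'DC02'   # placeholder: the sysprepped DC that will be rebuilt

function Get-FsmoHolders {
    # The five roles are split across two cmdlets: forest-wide roles come
    # from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 1. Record the current holders before changing anything.
Write-Host '--- FSMO holders before ---'
Get-FsmoHolders | Format-List

# 2. Health-check the surviving DC first; fix anything dcdiag reports
#    before seizing roles onto it.
dcdiag "/s:$HealthyDC" /q
repadmin /replsummary

# 3. Seize all five roles onto the healthy DC. The numeric list 0,1,2,3,4
#    in the answer above corresponds to PDCEmulator, RIDMaster,
#    InfrastructureMaster, SchemaMaster, DomainNamingMaster; names avoid
#    off-by-one mistakes. -Force performs a seize rather than a transfer.
#    The seized-from DC must never be brought back online with its old
#    directory; it gets rebuilt from fresh media, as the question intends.
Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 4. Confirm every role now resolves to the healthy DC before going further.
$after = Get-FsmoHolders
$wrong = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$HealthyDC*" }
if ($wrong) {
    throw "Roles still not on ${HealthyDC}: $($wrong.Name -join ', ')"
}
Write-Host '--- FSMO holders after ---'
$after | Format-List

# 5. Metadata cleanup for the failed DC, only if AD still lists it as a DC.
#    Site name and domain DN are placeholders: confirm them in
#    Active Directory Sites and Services before running this step.
if (Get-ADDomainController -Filter "Name -eq '$FailedDC'" -ErrorAction SilentlyContinue) {
    $serverDN = "CN=$FailedDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
    ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit
}

# 6. Verify replication and overall health again, as both answers recommend,
#    and keep the verbose output for comparison after the rebuilt DC is promoted.
repadmin /replsummary
dcdiag /v
```

Run it on the healthy DC in an elevated PowerShell session. Step 4 is the important guard: if any role still points at the failed DC, the script stops before metadata cleanup, so the old server object is not removed while it is still recorded as a role holder.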
