Best solution for USN Rollback?
Good afternoon everyone!
I have the following situation:
There are 3 DCs: DC, DC2, DC3.
DC - the former main DC. It is in the USN Rollback state.
DC2 - the main DC. FSMO role owner.
DC3 - replicates normally and works.
A potential solution is to demote/re-promote DC and move on (recommended by Microsoft), but there is a caveat. The only AD CS instance is deployed on DC. It is not possible to demote the DC without removing the service. As far as I understand, removing the service threatens the inability to verify the issued certificates (based on a self-signed Root). That is highly undesirable, since there are a lot of clients on terminal access.
The idea crept in to try to restore DC using a regular Backup/Restore (to change the Invocation ID value), then enable replication and delete the "Dsa Not Writable" value.
The next question: is this the best solution in this situation, or have I missed some nuance?
Can it be done more simply?
Will restoring the DC damage AD CS?
P.S. I have no practical experience migrating the AD CS service to another server. Online sources contradict each other. It is not possible to make a CNAME for DC on another DC, since a DC with the same name is required on the network.
"As far as I understand, removing the service threatens the inability to verify issued certificates (based on self-signed Root)."
Why do you think so?
A CA does not need AD DS on the same machine in order to function.
Plus, it is backed up and restored quite simply. So: back up, force-remove the DC, install a new OS, promote a new DC, restore the CA.
The last option even sounds more correct: build a new VM, restore the CA.
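The plan in the answer above (back up the CA, force-demote the rolled-back DC, clean up its metadata, rebuild a server with the same name, re-promote it, restore the CA), written out as PowerShell phases. This is an added example, not code from the thread or from Microsoft; the host names DC and DC2 come from the question, while the domain `corp.example`, the site name `Default-First-Site-Name` and the backup path `D:\CABackup` are assumptions to adjust. Phase 0 is also the check for the state the asker describes: the `Dsa Not Writable` registry value that NTDS sets on a USN rollback, and event 2095 in the Directory Service log.

```powershell
# Added example (not from the original thread). Run each phase on the host named
# in its heading and only after the previous phase has succeeded; do not run the
# file end to end. Assumed: domain corp.example, site Default-First-Site-Name,
# backup path D:\CABackup. DC = rolled-back DC + CA, DC2 = healthy FSMO holder.

#region Phase 0 (on DC): confirm the USN rollback quarantine
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($dsaNotWritable -eq 4) {
    Write-Warning "'Dsa Not Writable' = 4: NTDS has quarantined this DC for USN rollback."
}
# Event 2095 is the USN rollback detection event; it names the source DC and the USN gap.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
# How the healthy DCs see the partnership (inbound replication from DC should be failing).
repadmin /showrepl DC2 /errorsonly
#endregion

#region Phase 1 (on DC): back up AD CS before touching the directory
$backupDir = 'D:\CABackup'   # assumed path; copy it off the box afterwards
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$keyPw = Read-Host -AsSecureString 'Password to protect the CA private key in the backup'
# Database, logs, CA certificate chain and private key (PKCS#12) in one call.
Backup-CARoleService -Path $backupDir -Password $keyPw -Force
# CA settings (template list, CRL/AIA publication points, validity periods) live in the
# registry, not in the database, so export them as well.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$backupDir\CertSvc-Configuration.reg" /y
# Record the CA name and host name: the rebuilt server must keep both, because the
# config string and the CDP/AIA URLs in issued certificates embed them.
certutil -cainfo name | Out-File "$backupDir\ca-name.txt"
certutil -cainfo dns  | Out-File "$backupDir\ca-dns.txt"
Copy-Item "$env:windir\CAPolicy.inf" $backupDir -ErrorAction SilentlyContinue
Stop-Service CertSvc
#endregion

#region Phase 2 (on DC): forced demotion, ignoring the broken replication
$localAdminPw = Read-Host -AsSecureString 'Local Administrator password for the demoted server'
# -ForceRemoval skips the normal "notify replication partners" step, which cannot succeed
# from a quarantined DC. The machine is rebuilt afterwards, so nothing else is kept.
Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword $localAdminPw -Force
#endregion

#region Phase 3 (on DC2): metadata cleanup of the old DC object
$domainDn = 'DC=corp,DC=example'          # assumed
$siteName = 'Default-First-Site-Name'     # assumed
$oldDc    = 'DC'
# Deleting the NTDS Settings object triggers the built-in metadata cleanup.
$ntdsSettingsDn = "CN=NTDS Settings,CN=$oldDc,CN=Servers,CN=$siteName,CN=Sites,CN=Configuration,$domainDn"
Remove-ADObject -Identity $ntdsSettingsDn -Recursive -Confirm:$false
# Remove the leftover server and computer objects so the same name can be reused.
Remove-ADObject -Identity "CN=$oldDc,CN=Servers,CN=$siteName,CN=Sites,CN=Configuration,$domainDn" -Recursive -Confirm:$false
Remove-ADComputer -Identity $oldDc -Confirm:$false -ErrorAction SilentlyContinue
repadmin /syncall DC2 /APed   # push the cleanup to the remaining DCs
#endregion

#region Phase 4 (on the freshly installed server, renamed to DC and joined to corp.example)
$dsrmPw = Read-Host -AsSecureString 'DSRM password'
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Pull the initial replica from the healthy FSMO holder explicitly.
Install-ADDSDomainController -DomainName 'corp.example' -Credential (Get-Credential 'CORP\Administrator') `
    -InstallDns -ReplicationSourceDC 'DC2.corp.example' -SafeModeAdministratorPassword $dsrmPw -Force
#endregion

#region Phase 5 (on the new DC, after reboot): restore the CA with its original key
$backupDir = 'D:\CABackup'                 # copied back from Phase 1
$keyPw     = Read-Host -AsSecureString 'Password used for the CA key backup'
$p12       = Get-ChildItem -Path $backupDir -Filter *.p12 | Select-Object -First 1
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Re-create the CA from the backed-up certificate and key; the CA name comes from the PFX,
# so issued certificates keep chaining to the same root.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile $p12.FullName -CertFilePassword $keyPw -Force
Stop-Service CertSvc
Restore-CARoleService -Path $backupDir -DatabaseOnly -Force   # issued/revoked certificate database
reg import "$backupDir\CertSvc-Configuration.reg"             # publication points, templates, validity
Start-Service CertSvc
certutil -crl                                                 # publish a fresh CRL from the restored CA
#endregion

#region Phase 6 (anywhere in the domain): verify an existing end-entity certificate still validates
# Export any certificate issued by the old CA (e.g. a terminal server's) to C:\Temp\issued.cer first.
certutil -verify -urlfetch C:\Temp\issued.cer
#endregion
```

Phases 1 and 5 are the part the asker was worried about: the CA private key travels in the PKCS#12 that `Backup-CARoleService` writes, and `Install-AdcsCertificationAuthority -CertFile` re-installs the CA around that same key, so previously issued certificates continue to chain. The one constraint the question already states still holds: the rebuilt server must come back with the same host name, because the CDP/AIA URLs and the CA config string embed it.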