MY BUSINESS DAY IS YOU!

Ntdsutil (metadata cleanup -> connections -> connect to server <targetDC> -> q -> select operation target -> list domain -> select domain x -> list sites -> select site x -> list server in site -> select site x -> q -> remove selected server -> q : after that, remove deleted DC from each zone DNS server  (right click -> properties -> name servers -> select deleted DC -> remove -> apply -> OK.

Using NTDSUTIL  (ntdsutil -> roles -> connections -> connect to server <target DC> ) run seize xxx on fsmo maintenance mode : fsmo maintenance: seize infrastructure master fsmo maintenance: seize rid master fsmo maintenance: seize schema master fsmo maintenance: seize naming master fsmo maintenance: seize pdc check status of fsmo master  (select operation target -> list roles for connected server): fsmo maintenance: select operation target select operation target: list roles for connected server then press q three times to exit. OR check status using netdom :

netdom query /domain:<domain_name>  FSMO

Once you added a new Domain Controller server,  you have to ensure it's been replicated to others to avoid data discrepancy happening.  Check "Replication Topology" & Run "Replicate Now " on each of Domain Controller server. I have two domain controllers: OSW2K19-DC01 and OSW2K19-DC03 that replicate each other, it depends on your Replication Topology anyway.   Open "Active Directory Site and Services" Tools from Server manager on Domain Controller server. I prefer GUI instead of command line to show you, easy & colourful :-D.  Right Click on NTDS Settings, All tasks --> Check Replication Topology on  OSW2K19-DC03 (Newly DC server) : Run "Replicate Now" : Right Click on NTDS Settings,  All Tasks --> Check Replication Topology on OSW2K19-DC01 (old DC server): Right Click on NTDS Settings, All Tasks --> Run "Replicate Now" : Check Replication Status (repadmin /replsummary ) from Powershell : show replication (repadmin ...

I assumed you had installed windows server 2019 with "Core" option instead of GUI, at least you have 1024 MB of RAM and 1 cpu. Step#1: Configure Hostname, IP static, timezone,  DNS server.  I was using command "sconfig" to do that, you can use manual configuration if you like. Step#2: install AD domain services binaries package using Powershell in new server : Step#3: Join a new Domain Controller server  into existing AD Domain services : Server will be rebooted after joined. you can validate service up and running after server rebooted : Step#5: Verify whether it's joined into existing AD Domain Services or not. Open "Active Directory Users and Computer" from existing Domain Controller Server that has GUI or  "Remote Server Administration Tools (RSAT)".  Newly Joined Domain Controller server name: OSW2K19-DC03. Step#6: Since it's been promoted as new Domain Controller server, you can change DNS server to itself and the alternate DNS serv...

sssd cache needed when linux server has lost contact with Active Directory server, people can still login without it but sometimes we need to clear Active Directory cache for security reason e.g you have to revoke sudo profile out of user as we speak.   Neither "sss_cache -E"   nor "systemctl stop sssd; rm -rf /var/lib/sss/db/*; systemctl restart sssd" would help us to immediate clear Active Directory cache in linux server when user still login.  The best way is force down the user session on linux server (kill -9 PID).