Some background:
I think I may have goofed with this, because now the WSE Media Streaming Service on SERVER2 won’t start, claiming ‘bad password’ for the MediaAdmin$ MSA in the System Event Log—Event ID 7038 instead of 7041 as discussed here. (Note that the MSA was also present on SERVER3 before I started all this, the AD forest there having been replicated from an earlier Essentials server.)
I propose to start over and redo it all, this time joining SERVER2 to SERVER3’s domain and promoting to a DC before running the wizard. I believe this is the more correct way to do it. Perhaps you can confirm.
But in the meantime, before I begin, I’m hoping for some clarifications:
Thanks for all your help.
Best way to fix this is to wipe Server2. Remove the ServerAdmin$ and MediaAdmin$ from the AD assuming that Server3 does not have the Essentials Experience role installed or there is any other server with the Essentials Experience role installed.
After the above, install a clean installation of Windows Server 2016 on Server2 and follow the instructions in Migrate Windows Server 2012 R2 Essentials to Windows Server 2016 Essentials. If you have another scenario let me know and I will come up with a solution. A Windows Server Essentials SKU will always prompt with the Essentials Experience role after the OS part has been installed and therefor you need to cancel that wizard and join it first to the domain you already have. The wizard detects if the server has already been joined to a domain or not.
It depends on the media you have how the Essentials Experience role behaves. If it is not yet joined to a domain it will always create a new domain, so join it to your existing domain before you run the Essentials Experience installation role. If you have integrated media from Dell or any other OEM that ships the server with a preinstalled version of Windows Server 20xx Essentials SKU it will already have parts of the Essentials Role installed and that can cause other issues.
Thank you, Mariëtte. Thank you very much. This clears things up wonderfully.
Your assumption in your first paragraph is correct. One final detail, if I may...
After clean-installing SERVER2, I plan to join the domain, promote to DC, and then transfer the FSMO roles to it from SERVER3—all before running the WSE Configuration Wizard. Will the wizard be OK with that?
Where the FSMO roles are does not have any effect on running the WSE role. You can move the FSMO roles after the WSE role has been installed.
Very good, thank you. It helps to know that.
It seems like your answer to my question is "Yes," but I'd like to make absolutely sure so I don't make a mistake with this.
I'd like to transfer the FSMO roles from SERVER3 to SERVER2 manually, so I can see directly that all goes well with that, before I run the WSE Wizard on SERVER2.
I do know that the wizard creates a new forest and sets up FSMO when run on a standalone (non-member) WSE installation, but I'm still not completely sure of its behavior when run on a FSMO DC. I'd rather not trust the wizard to silently transfer the roles, if that's what it's going to want to do, just in case something goes wrong in the process. Manual FSMO transfer with full visibility is the ticket for me in this case.
You're saying that the wizard will be OK with being run on a FSMO DC, yes?
The WSE installation wizard does not create a new AD forest if the server it is installed on is already joined to a domain.
OK... sounds good, thank you.
I will proceed with caution.