Restoring an out-of-date Win2K DC!

Hi to all!
I have the following situation:
I have a Win2K single-domain forest (e.g. contoso.com). There are 3
Win2K-SP4 DCs (e.g. DC1, DC2, DC3). The FSMO roles are all located on DC1.
All DCs are also GCs. There is also an active 2-way trust relationship
between contoso.com and a Win2K3 domain (e.g. nwtraders.com). On DC2 there is
a 3rd party application installed, which is AD-related and CANNOT be
re-installed, or supported! DC2 fails due to a hardware failure. The only
available “backup� is a ghost image of the server that is more than a year
old (long passed the tombstoned lifetime of 60 days)!
I want to recover the server along with the application on it. After
restoration the following must be preserved:
1. DC2 must be still a domain controller of contoso.com (the
application needs this, so I cannot demote and repromote).
2. The same name and configuration must exist for DC2.
3. I do NOT need to recover any elements/objects from the old
copy of AD that is inside DC2. All I need is the currently working replica of
AD from the other 2 DCs.
If I recover from the ghost image, when DC2 comes back online, lingering
objects are most likely to appear, thus messing up with the replication
between the 3 DCs. I have already enabled the setting for “Strict Replication
Consistency“ on all DCs. My questions are as follows:
A. Is there any possibility that my healthy AD (from the other 2
DCs) will be corrupted?
B. Is there any 3rd party or MSFT tools/utilities that can be
used to locate and cleanup all the lingering objects that may emerge?
(Repadmin/removelingeringobjects cannot be used on Win2K)
C. Is there any possibility that the trust relationship’s
functionality might be put into danger?

I apologise for the long list of Qs but one leads to the other….:-)…
P.S. This is a real case senario by the way…just in case you are wondering!

Thank you all in advance for any answers!

I would start by evaluating your backup procedures. They are bad and could
cost you your job if you don't protect the company assets, I have seen
people looking for work after such a scenario.

Here is what I would do:
Build up your failed server offline via the image. Don't bring it back
online yet!!!
Bring up a command prompt and do a dcpromo /forceremoval to get rid of the
current metadata residing on the server
Remove this server from the doamin by joining a temp work group
On the forest/domain side do a metadata clean up on the lost server/DC
Remove /delete the server object from the domain
Bring the server back online and join the domain
If you want this server to be a dc (Bad idea) you can repromote at this
point

++++++++++++++++++++++++++++++++++++++++
If you lost a dc you need to use ntdsutil and you may need to seize the 5
fsmo roles as well as clean up the metadata within AD.

Run the following on another dc's command prompt
netdom query fsmo

This will tell you if any of the roles was on the lost dc.


Metadata cleanup
http://support.microsoft.com/?id=216498

Seize roles
http://support.microsoft.com/default...b;en-us;255504

Starting with 2008, Active Directory cleans up the metadata for you. This
can be done from both ADUC and ADSS. The instructions to allow AD to do
this are listed below.


http://technet.microsoft.com/en-us/l...07(WS.10).aspx
++++++++++++++++++++++++++++++++++++++++


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ganastas" <Ganastas@discussions.microsoft.com> wrote in message
news:81A08A2D-1D60-4CA4-AC0C-AEA51864C990@microsoft.com...
> Hi to all!
> I have the following situation:
> I have a Win2K single-domain forest (e.g. contoso.com). There are 3
> Win2K-SP4 DCs (e.g. DC1, DC2, DC3). The FSMO roles are all located on DC1.
> All DCs are also GCs. There is also an active 2-way trust relationship
> between contoso.com and a Win2K3 domain (e.g. nwtraders.com). On DC2 there
> is
> a 3rd party application installed, which is AD-related and CANNOT be
> re-installed, or supported! DC2 fails due to a hardware failure. The only
> available "backup" is a ghost image of the server that is more than a year
> old (long passed the tombstoned lifetime of 60 days)!
> I want to recover the server along with the application on it. After
> restoration the following must be preserved:
> 1. DC2 must be still a domain controller of contoso.com (the
> application needs this, so I cannot demote and repromote).
> 2. The same name and configuration must exist for DC2.
> 3. I do NOT need to recover any elements/objects from the old
> copy of AD that is inside DC2. All I need is the currently working replica
> of
> AD from the other 2 DCs.
> If I recover from the ghost image, when DC2 comes back online, lingering
> objects are most likely to appear, thus messing up with the replication
> between the 3 DCs. I have already enabled the setting for "Strict
> Replication
> Consistency" on all DCs. My questions are as follows:
> A. Is there any possibility that my healthy AD (from the other
> 2
> DCs) will be corrupted?
> B. Is there any 3rd party or MSFT tools/utilities that can be
> used to locate and cleanup all the lingering objects that may emerge?
> (Repadmin/removelingeringobjects cannot be used on Win2K)
> C. Is there any possibility that the trust relationship's
> functionality might be put into danger?
>
> I apologise for the long list of Qs but one leads to the other..:-).
> P.S. This is a real case senario by the way.just in case you are
> wondering!
>
> Thank you all in advance for any answers!
>

Hello Ganastas,

I agree with Paul, without demoting i see now way to bring this machine back
to work.

And using images for backup is the NOT supported way because it is not an
AD aware backup.
http://support.microsoft.com/kb/885875

Buying/installing an application that MUST run on a DC, well that vendor
of the application i would never choose again. There exist applications that
require a domain, Exchange for example, but this should also run on member
servers. DCs shouldn't run any additional applications, they should do there
basic job AD/DNS/GC and maybe DHCP, that's it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi to all!
> I have the following situation:
> I have a Win2K single-domain forest (e.g. contoso.com). There are 3
> Win2K-SP4 DCs (e.g. DC1, DC2, DC3). The FSMO roles are all located on
> DC1.
> All DCs are also GCs. There is also an active 2-way trust relationship
> between contoso.com and a Win2K3 domain (e.g. nwtraders.com). On DC2
> there is
> a 3rd party application installed, which is AD-related and CANNOT be
> re-installed, or supported! DC2 fails due to a hardware failure. The
> only
> available "backup" is a ghost image of the server that is more than a
> year
> old (long passed the tombstoned lifetime of 60 days)!
> I want to recover the server along with the application on it. After
> restoration the following must be preserved:
> 1. DC2 must be still a domain controller of contoso.com
> (the
> application needs this, so I cannot demote and repromote).
> 2. The same name and configuration must exist for DC2.
> 3. I do NOT need to recover any elements/objects from the
> old
> copy of AD that is inside DC2. All I need is the currently working
> replica of
> AD from the other 2 DCs.
> If I recover from the ghost image, when DC2 comes back online,
> lingering
> objects are most likely to appear, thus messing up with the
> replication
> between the 3 DCs. I have already enabled the setting for "Strict
> Replication
> Consistency" on all DCs. My questions are as follows:
> A. Is there any possibility that my healthy AD (from the
> other 2
> DCs) will be corrupted?
> B. Is there any 3rd party or MSFT tools/utilities that can
> be
> used to locate and cleanup all the lingering objects that may emerge?
> (Repadmin/removelingeringobjects cannot be used on Win2K)
> C. Is there any possibility that the trust relationship's
> functionality might be put into danger?
> I apologise for the long list of Qs but one leads to the other..:-).
> P.S. This is a real case senario by the way.just in case you are
> wondering!
>
> Thank you all in advance for any answers!
>

"Ganastas" <Ganastas@discussions.microsoft.com> wrote in message
news:81A08A2D-1D60-4CA4-AC0C-AEA51864C990@microsoft.com...
> Hi to all!
> I have the following situation:
> I have a Win2K single-domain forest (e.g. contoso.com). There are 3
> Win2K-SP4 DCs (e.g. DC1, DC2, DC3). The FSMO roles are all located on DC1.
> All DCs are also GCs. There is also an active 2-way trust relationship
> between contoso.com and a Win2K3 domain (e.g. nwtraders.com). On DC2 there
> is
> a 3rd party application installed, which is AD-related and CANNOT be
> re-installed, or supported! DC2 fails due to a hardware failure. The only
> available “backup� is a ghost image of the server that is more than a
> year
> old (long passed the tombstoned lifetime of 60 days)!
> I want to recover the server along with the application on it. After
> restoration the following must be preserved:
> 1. DC2 must be still a domain controller of contoso.com (the
> application needs this, so I cannot demote and repromote).
> 2. The same name and configuration must exist for DC2.
> 3. I do NOT need to recover any elements/objects from the old
> copy of AD that is inside DC2. All I need is the currently working replica
> of
> AD from the other 2 DCs.
> If I recover from the ghost image, when DC2 comes back online, lingering
> objects are most likely to appear, thus messing up with the replication
> between the 3 DCs. I have already enabled the setting for “Strict
> Replication
> Consistency“ on all DCs. My questions are as follows:
> A. Is there any possibility that my healthy AD (from the other
> 2
> DCs) will be corrupted?
> B. Is there any 3rd party or MSFT tools/utilities that can be
> used to locate and cleanup all the lingering objects that may emerge?
> (Repadmin/removelingeringobjects cannot be used on Win2K)
> C. Is there any possibility that the trust relationship’s
> functionality might be put into danger?
>
> I apologise for the long list of Qs but one leads to the other….:-)…
> P.S. This is a real case senario by the way…just in case you are
> wondering!
>
> Thank you all in advance for any answers!
>


I agree with Paul and Meinolf. The DC is pretty much hosed and must be
removed.

If you feel energetic, read the following and give it a shot. If it doesn't
work, demote it, period.

=======
Procedure to clean up lingering objects

Follow this procedure to first cleanup lingering objects as these might
exist.

One each DC:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Create a REG_DWORD value called:
"Allow Replication With Divergent and Corrupt Partner"
Enter value of 1.

Restart the Netlogon service.

Perform this task on all DCs and after waiting a little bit, try to force
replication in AD Sites and Services. If there

are multiple Sites, you'll have to wait for your configured schedule for
this to propagate to all DCs.

Once completed and you've insured replication is occuring, return the value
in Allow Replication With Divergent and

Corrupt Partner to 0 to not allow it to replicate outdated data.

Event IDs possibily associated with Lingering Objects:
2042
2023
1398
1988
1864
13568
NTFRS
NTDS
Or similar replication related errors.

Event ID 1388 or 1988 A lingering object is detected Active Directory:
http://www.microsoft.com/technet/pro...265-4d64-bdac-

605ecbf1035f.mspx

Event ID 2042: It has been too long since this machine replicated:
http://www.microsoft.com/technet/pro...47f-4d51-8e4a-

c14527060f90.mspx


======
You maybe are able to get replication running again, see here about with
event id 2042:

Event ID 2042: It has been too long since this machine replicated
http://technet.microsoft.com/en-us/l...10(WS.10).aspx

The "Allow Replication With Divergent and Corrupt Partner" setting has to be
set on all DCs.
Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
http://technet.microsoft.com/en-us/l...24(WS.10).aspx

Event ID 1388 or 1988: A lingering object is detected
http://technet.microsoft.com/en-us/l...62(WS.10).aspx


======
If you don't get replication running again, you have to remove the outdated
DC from the domain. If the original DC has other services installed, such as
Exchange, this will complicate matters.


======
EventID 13568 in the event logs

Bascially, it's saying you'll need to go through the process of edting the
reg to force Journal Wrap restore, let it run, then turn it off. Both links
supply the steps, with the second one right on the first page.

For your convenience, the steps are:

1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If
the DWORD Value does not exist, create a new one with the exact spelling as
above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
• 13553 – The DC is performing the recovery process
• 13554 – The DC is ready to pull the replica from another DC.
• 13516 - At this point go to step 6. (the problem is resolved if you
receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and
Sysvol Shares to appear. The Journal Wrap error is only fixed after the
Domain Controller receives the new SYSVOL replica from a peer Domain
Controller. This may take a period of time depending on where your peer DC
is located and on bandwidth.
7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0.

Now if it continues after these steps, then you would need to run an
Authoratative Restore. Do you have a backup? If not, and nothing else is
running on it, and you have other DCs, I would force demote it, then
re-promote it back into a DC.

EventID 13568
http://eventid.net/display.asp?event...=NtFrs&phase=1

EventID 13568 and Journal Wrap Error
http://www.petri.co.il/forums/showthread.php?t=7122

Using the BurFlags registry key to reinitialize File Replication
http://support.microsoft.com/kb/290762

How to rebuild the SYSVOL tree and its content in a domainIf you set
Burflags to D4 on a single domain controller and set

Burflags to D2 on all other domain controllers in that domain, you can
rebuild the SYSVOL ...
http://support.microsoft.com/kb/315457

How to Troubleshoot the File Replication Service
Check FRS event logs on both computers.
If Event ID 13508 is present, there may be a problem with the RPC service on
either computer
http://support.microsoft.com/kb/272279

Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
http://support.microsoft.com/?id=292438


======
Related Additional Links

Active Directory Inside Out (5 of 10): DNS Features and Configuration (First
Question):
http://www.microsoft.com/technet/com...et_111204.mspx

Things to consider when a Windows Server 2003-based domain controller or a
Windows 2000-based domain controller runs in a

virtual environment (VPC or VMWare):
http://support.microsoft.com/?id=888794

What happens when the disconnection of a DC exceeds the Tombstone Lifetime?
http://blogs.dirteam.com/blogs/jorge...11/24/153.aspx

Lingering objects
http://blogs.dirteam.com/blogs/jorge...g-objects.aspx

Troubleshooting Active Directory Replication Problems
http://technet.microsoft.com/en-us/l.../cc738415.aspx

Outdated Active Directory objects generate event ID 1988 in Windows Server
2003
http://support.microsoft.com/kb/870695

Event ID 1388 or 1988: A lingering object is detected
http://technet.microsoft.com/en-us/l...62(WS.10).aspx

Lingering objects may remain after you bring an out-of-date global catalog
server back online
http://support.microsoft.com/default.aspx/kb/314282
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Hello Ace Fekay [MCT],

With an one year old image i would not even recommend to TRY the rebuild.
If something fails during all the steps and the database goes one year back
instead or you maybe crash the current one, what will help then a recovered
crappy application that must be installed on a DC only?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Ganastas" <Ganastas@discussions.microsoft.com> wrote in message
> news:81A08A2D-1D60-4CA4-AC0C-AEA51864C990@microsoft.com...
>
>> Hi to all!
>> I have the following situation:
>> I have a Win2K single-domain forest (e.g. contoso.com). There are 3
>> Win2K-SP4 DCs (e.g. DC1, DC2, DC3). The FSMO roles are all located on
>> DC1.
>> All DCs are also GCs. There is also an active 2-way trust
>> relationship
>> between contoso.com and a Win2K3 domain (e.g. nwtraders.com). On DC2
>> there
>> is
>> a 3rd party application installed, which is AD-related and CANNOT be
>> re-installed, or supported! DC2 fails due to a hardware failure. The
>> only
>> available “backup� is a ghost image of the server that is more
>> than a
>> year
>> old (long passed the tombstoned lifetime of 60 days)!
>> I want to recover the server along with the application on it. After
>> restoration the following must be preserved:
>> 1. DC2 must be still a domain controller of contoso.com (the
>> application needs this, so I cannot demote and repromote).
>> 2. The same name and configuration must exist for DC2.
>> 3. I do NOT need to recover any elements/objects from the old
>> copy of AD that is inside DC2. All I need is the currently working
>> replica
>> of
>> AD from the other 2 DCs.
>> If I recover from the ghost image, when DC2 comes back online,
>> lingering
>> objects are most likely to appear, thus messing up with the
>> replication
>> between the 3 DCs. I have already enabled the setting for “Strict
>> Replication
>> Consistency“ on all DCs. My questions are as follows:
>> A. Is there any possibility that my healthy AD (from the other
>> 2
>> DCs) will be corrupted?
>> B. Is there any 3rd party or MSFT tools/utilities that can be
>> used to locate and cleanup all the lingering objects that may emerge?
>> (Repadmin/removelingeringobjects cannot be used on Win2K)
>> C. Is there any possibility that the trust relationship’s
>> functionality might be put into danger?
>> I apologise for the long list of Qs but one leads to the
>> other….:-)… P.S. This is a real case senario by the way…just in
>> case you are wondering!
>>
>> Thank you all in advance for any answers!
>>
> I agree with Paul and Meinolf. The DC is pretty much hosed and must be
> removed.
>
> If you feel energetic, read the following and give it a shot. If it
> doesn't work, demote it, period.
>
> =======
> Procedure to clean up lingering objects
> Follow this procedure to first cleanup lingering objects as these
> might exist.
>
> One each DC:
>
> HKLM\System\CurrentControlSet\Services\NTDS\Parameters
> Create a REG_DWORD value called:
> "Allow Replication With Divergent and Corrupt Partner"
> Enter value of 1.
> Restart the Netlogon service.
>
> Perform this task on all DCs and after waiting a little bit, try to
> force replication in AD Sites and Services. If there
>
> are multiple Sites, you'll have to wait for your configured schedule
> for this to propagate to all DCs.
>
> Once completed and you've insured replication is occuring, return the
> value in Allow Replication With Divergent and
>
> Corrupt Partner to 0 to not allow it to replicate outdated data.
>
> Event IDs possibily associated with Lingering Objects:
> 2042
> 2023
> 1398
> 1988
> 1864
> 13568
> NTFRS
> NTDS
> Or similar replication related errors.
> Event ID 1388 or 1988 A lingering object is detected Active Directory:
>
> http://www.microsoft.com/technet/pro...er2003/library
> /Operations/77dbd146-f265-4d64-bdac-
>
> 605ecbf1035f.mspx
>
> Event ID 2042: It has been too long since this machine replicated:
>
> http://www.microsoft.com/technet/pro...er2003/library
> /Operations/34c15446-b47f-4d51-8e4a-
>
> c14527060f90.mspx
>
> ======
> You maybe are able to get replication running again, see here about
> with
> event id 2042:
> Event ID 2042: It has been too long since this machine replicated
> http://technet.microsoft.com/en-us/l...10(WS.10).aspx
>
> The "Allow Replication With Divergent and Corrupt Partner" setting has
> to be
> set on all DCs.
> Fixing Replication Lingering Object Problems (Event IDs 1388, 1988,
> 2042)
> http://technet.microsoft.com/en-us/l...24(WS.10).aspx
> Event ID 1388 or 1988: A lingering object is detected
> http://technet.microsoft.com/en-us/l...62(WS.10).aspx
>
> ======
> If you don't get replication running again, you have to remove the
> outdated
> DC from the domain. If the original DC has other services installed,
> such as
> Exchange, this will complicate matters.
> ======
> EventID 13568 in the event logs
> Bascially, it's saying you'll need to go through the process of edting
> the reg to force Journal Wrap restore, let it run, then turn it off.
> Both links supply the steps, with the second one right on the first
> page.
>
> For your convenience, the steps are:
>
> 1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
> 2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to
> 1. If
> the DWORD Value does not exist, create a new one with the exact
> spelling as
> above, including spaces but without the quotes.
> 3. Stop the NTFRS Service (open a command prompt and type "net stop
> ntfrs")
> 4. Start the NTFRS Service (net start ntfrs)
> 5. Monitor the File Replication Service Event Logs for events:
> • 13553 – The DC is performing the recovery process
> • 13554 – The DC is ready to pull the replica from another DC.
> • 13516 - At this point go to step 6. (the problem is resolved if you
> receive this event)
> 6. Using a command prompt type: "net share" and look for the Netlogon
> and
> Sysvol Shares to appear. The Journal Wrap error is only fixed after
> the
> Domain Controller receives the new SYSVOL replica from a peer Domain
> Controller. This may take a period of time depending on where your
> peer DC
> is located and on bandwidth.
> 7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to
> 0.
> Now if it continues after these steps, then you would need to run an
> Authoratative Restore. Do you have a backup? If not, and nothing else
> is running on it, and you have other DCs, I would force demote it,
> then re-promote it back into a DC.
>
> EventID 13568
> http://eventid.net/display.asp?event...3&source=NtFrs
> &phase=1
> EventID 13568 and Journal Wrap Error
> http://www.petri.co.il/forums/showthread.php?t=7122
> Using the BurFlags registry key to reinitialize File Replication
> http://support.microsoft.com/kb/290762
>
> How to rebuild the SYSVOL tree and its content in a domainIf you set
> Burflags to D4 on a single domain controller and set
>
> Burflags to D2 on all other domain controllers in that domain, you can
> rebuild the SYSVOL ...
> http://support.microsoft.com/kb/315457
> How to Troubleshoot the File Replication Service
> Check FRS event logs on both computers.
> If Event ID 13508 is present, there may be a problem with the RPC
> service on
> either computer
> http://support.microsoft.com/kb/272279
> Troubleshooting journal_wrap errors on Sysvol and DFS replica sets
> http://support.microsoft.com/?id=292438
>
> ======
> Related Additional Links
> Active Directory Inside Out (5 of 10): DNS Features and Configuration
> (First Question):
> http://www.microsoft.com/technet/com...indowsnet/wnet
> _111204.mspx
>
> Things to consider when a Windows Server 2003-based domain controller
> or a Windows 2000-based domain controller runs in a
>
> virtual environment (VPC or VMWare):
> http://support.microsoft.com/?id=888794
> What happens when the disconnection of a DC exceeds the Tombstone
> Lifetime?
> http://blogs.dirteam.com/blogs/jorge...11/24/153.aspx
>
> Lingering objects
> http://blogs.dirteam.com/blogs/jorge...Lingering-obje
> cts.aspx
> Troubleshooting Active Directory Replication Problems
> http://technet.microsoft.com/en-us/l.../cc738415.aspx
>
> Outdated Active Directory objects generate event ID 1988 in Windows
> Server
> 2003
> http://support.microsoft.com/kb/870695
> Event ID 1388 or 1988: A lingering object is detected
> http://technet.microsoft.com/en-us/l...62(WS.10).aspx
>
> Lingering objects may remain after you bring an out-of-date global
> catalog
> server back online
> http://support.microsoft.com/default.aspx/kb/314282
> ==================================================================
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d8e058cc2872f2eaae70@msnews.microsoft.com...
> Hello Ace Fekay [MCT],
>
> With an one year old image i would not even recommend to TRY the rebuild.
> If something fails during all the steps and the database goes one year
> back instead or you maybe crash the current one, what will help then a
> recovered crappy application that must be installed on a DC only?
>

Very true. I was hesitant about posting that procedure, and now since you
mentioned that, I am probably sorry I did.

I'm sure just demoting it will be fine to save the app.

And good point about the app. If the DC hasn't been online for a year, what
about the app? That would be out of date, too.

Ace

Hi,

I'd recommed to make a support case at Microsoft. I reviewed the suggestions
from the MVP's and I would do it that way too, but ask Microsoft PSS for
assistance.

Regards,

Patrick Mandemaker
--
This posting is provided "AS IS" with no warranties, and confers no rights.



"Ace Fekay [MCT]" wrote:

> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:6cb2911d8e058cc2872f2eaae70@msnews.microsoft.com...
> > Hello Ace Fekay [MCT],
> >
> > With an one year old image i would not even recommend to TRY the rebuild.
> > If something fails during all the steps and the database goes one year
> > back instead or you maybe crash the current one, what will help then a
> > recovered crappy application that must be installed on a DC only?
> >
>
> Very true. I was hesitant about posting that procedure, and now since you
> mentioned that, I am probably sorry I did.
>
> I'm sure just demoting it will be fine to save the app.
>
> And good point about the app. If the DC hasn't been online for a year, what
> about the app? That would be out of date, too.
>
> Ace
>
>
>
> .
>

There is nothing PSS can do other than chrage them $259.00 and recommend
what we have posted. I guarantee it.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Patrick Mandemaker" <PatrickMandemaker@discussions.microsoft.com> wrote in
message news:5ACF6548-DEE0-46C2-BC95-665F45109933@microsoft.com...
> Hi,
>
> I'd recommed to make a support case at Microsoft. I reviewed the
> suggestions
> from the MVP's and I would do it that way too, but ask Microsoft PSS for
> assistance.
>
> Regards,
>
> Patrick Mandemaker
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
> "Ace Fekay [MCT]" wrote:
>
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:6cb2911d8e058cc2872f2eaae70@msnews.microsoft.com...
>> > Hello Ace Fekay [MCT],
>> >
>> > With an one year old image i would not even recommend to TRY the
>> > rebuild.
>> > If something fails during all the steps and the database goes one year
>> > back instead or you maybe crash the current one, what will help then a
>> > recovered crappy application that must be installed on a DC only?
>> >
>>
>> Very true. I was hesitant about posting that procedure, and now since you
>> mentioned that, I am probably sorry I did.
>>
>> I'm sure just demoting it will be fine to save the app.
>>
>> And good point about the app. If the DC hasn't been online for a year,
>> what
>> about the app? That would be out of date, too.
>>
>> Ace
>>
>>
>>
>> .
>>

Hi All,
So finally there is a doubt to perform the recovery steps as mentioned here
by all MVPs.
I really had a hard time to fix my Active Directory Database when someone
brought the DC from an old ghost image.
Believe its going to give you hard time too so never ever try to restore DC
from image like ghost.
There are certain old applicatons which need to be installed on domain
controller (schema master at least) such as token based authentication
application PROTOCOM (name has changed), not sure about newer applications.

1. What are the roles and functions of the application you are running?
2. Does this application need to be installed on Schema Master or any DC?
(if any DC then it does not make sense that this application must be
installed on DC)

I would highly recommend you to perform in Test Lab. (never mind, sometime
vendors are not sure about their application in respect to Active Directory
so you do your testing)

1. Demote the machine and remove from Domain. Clean up metadata, make sure
no trace of this machine remains in AD.
2. Install OS and promoto to DC on new machine with same hostname and IP
address. Let it sync with other DCs.
3. Remove the newly created DC from the network and install the application
(if you dont need schema master), configure it if needed.
4. Perform the test

thanks
Rahisuddin Shah


"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:OoRki37WKHA.4816@TK2MSFTNGP06.phx.gbl...
> There is nothing PSS can do other than chrage them $259.00 and recommend
> what we have posted. I guarantee it.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Patrick Mandemaker" <PatrickMandemaker@discussions.microsoft.com> wrote
> in message news:5ACF6548-DEE0-46C2-BC95-665F45109933@microsoft.com...
>> Hi,
>>
>> I'd recommed to make a support case at Microsoft. I reviewed the
>> suggestions
>> from the MVP's and I would do it that way too, but ask Microsoft PSS for
>> assistance.
>>
>> Regards,
>>
>> Patrick Mandemaker
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>>
>> "Ace Fekay [MCT]" wrote:
>>
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>> news:6cb2911d8e058cc2872f2eaae70@msnews.microsoft.com...
>>> > Hello Ace Fekay [MCT],
>>> >
>>> > With an one year old image i would not even recommend to TRY the
>>> > rebuild.
>>> > If something fails during all the steps and the database goes one year
>>> > back instead or you maybe crash the current one, what will help then a
>>> > recovered crappy application that must be installed on a DC only?
>>> >
>>>
>>> Very true. I was hesitant about posting that procedure, and now since
>>> you
>>> mentioned that, I am probably sorry I did.
>>>
>>> I'm sure just demoting it will be fine to save the app.
>>>
>>> And good point about the app. If the DC hasn't been online for a year,
>>> what
>>> about the app? That would be out of date, too.
>>>
>>> Ace
>>>
>>>
>>>
>>> .
>>>
>
>