How To Recover Domain Controller

Hello,

We just lost a domain controller. I have found what looks like some pretty
good documentation on recovery, and I'm about to give it a shot. However, I
know there are often times when real-world experience is often more helpful
than a KB article, so I thought I'd solicit any advice anyone might have.

We lost DC1, one of three DCs in our domain. All DCs are Windows 2003 SP2.
DC1 was on very old hardware that probably cannot be replaced.

DC1 was our primary DNS, Schema Master, and Domain Naming Master. It was
not a Global Catalog server.

DC2 is our secondary DNS, and a Global Catalog server.

DC3 is RID and PDC emulator, as well as a Global Catalog.

I don't know who holds the Infrastructure Manager role. I'm wondering if
because it is a single domain with multiple DCs, if that role is somehow not
present?

Anyway, does anyone have any general recommendation on how to go about
this? One question I have: I'm not sure if I should try to transfer Schema
Master and Domain Naming Master roles to another DC, or if I should try to
rebuild DC1 from scratch and restore system state info from tape backup.

What if I just transfer roles to DC2 and DC3, and then create a new DC
called DC4, and just forget about rebuilding DC1?

Any other advice is appreciated --

Thanks

Oh, one other thing! When we lost DC1, it seems like a lot of our users
lost access to network resources. I'm guessing because they were still
authenticated to DC1. Once we shut DC1 down for good and had users reboot,
they seemed to have better luck accessing network shares and resources. Is
this how it's supposed to work? Ideally, it seems like users would just be
transferred to a different DC transparently and would not notice any
problems.

You should be able to see all 5 FSMO role by using the following command:

Netdom query FSMO

You will see at least 5 FSMO roles (2+3) regardless of the forest/domain
structure.

In my opinion, seize FSMO role to a working DC and install a brand new DC.
Here is the procedure for transferring FSMO roles:

http://support.microsoft.com/kb/324801
http://support.microsoft.com/default.aspx/kb/255504

Uses will lose access if their "logon server" was DC1. Ask them to reboot
the workstation and it will find a new DC in the same site.

--
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX
http://blogs.sivarajan.com/
http://publications.sivarajan.com/

This posting is provided "AS IS" with no warranties, and confers no rights.


"Mark C" <markc@askfordomain.ok> wrote in message
news:_KqdnYYsd7yh3xDWnZ2dnUVZ_rKdnZ2d@posted.internetamerica...
> Hello,
>
> We just lost a domain controller. I have found what looks like some
> pretty
> good documentation on recovery, and I'm about to give it a shot. However,
> I
> know there are often times when real-world experience is often more
> helpful
> than a KB article, so I thought I'd solicit any advice anyone might have.
>
> We lost DC1, one of three DCs in our domain. All DCs are Windows 2003
> SP2. DC1 was on very old hardware that probably cannot be replaced.
>
> DC1 was our primary DNS, Schema Master, and Domain Naming Master. It was
> not a Global Catalog server.
>
> DC2 is our secondary DNS, and a Global Catalog server.
>
> DC3 is RID and PDC emulator, as well as a Global Catalog.
>
> I don't know who holds the Infrastructure Manager role. I'm wondering if
> because it is a single domain with multiple DCs, if that role is somehow
> not
> present?
>
> Anyway, does anyone have any general recommendation on how to go about
> this? One question I have: I'm not sure if I should try to transfer
> Schema Master and Domain Naming Master roles to another DC, or if I should
> try to rebuild DC1 from scratch and restore system state info from tape
> backup.
>
> What if I just transfer roles to DC2 and DC3, and then create a new DC
> called DC4, and just forget about rebuilding DC1?
>
> Any other advice is appreciated --
>
> Thanks
>
> Oh, one other thing! When we lost DC1, it seems like a lot of our users
> lost access to network resources. I'm guessing because they were still
> authenticated to DC1. Once we shut DC1 down for good and had users
> reboot, they seemed to have better luck accessing network shares and
> resources. Is this how it's supposed to work? Ideally, it seems like
> users would just be transferred to a different DC transparently and would
> not notice any problems.
>

Thank you for your reply.

Yes, NETDOM QUERY FSMO shows all 5 roles. Schema, Domain, and PDC are all
on the failed server.

I will try to seize.

Seizing roles seems to have worked. I kept getting an "access denied" error
when trying to seize the schema master role, but after adding myself to
schema admins it succeeded. Should I do any dcdiag or repladmin stuff to
see if everything is working?

Left the infrastructure role on DC2, which is NOT a global catalog server.
I understand this is a Microsoft recommendation. All other roles are now on
DC3.

I will start building a new server and will run dcpromo to make it a new DC.

Then I will see if I need to do anything to clean up the old DC1 machine. I
think I ran across some recommendations to clean up metadata or something
like that.

Thanks again.

Hello Mark,

In a single forest domain make all DCs Global catalog server, in this kind
of domain the IM has nothing to do. See here for more details:
http://msmvps.com/blogs/ulfbsimonwei.../08/37975.aspx

Also if you have seized the FSMO roles to another DC bring NOT back the crashed
machine from backup, as this also has the FSMO roles you run into trouble.
Remove the DC from AD database, DNS etc., according to:
http://support.microsoft.com/kb/555846/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Seizing roles seems to have worked. I kept getting an "access denied"
> error when trying to seize the schema master role, but after adding
> myself to schema admins it succeeded. Should I do any dcdiag or
> repladmin stuff to see if everything is working?
>
> Left the infrastructure role on DC2, which is NOT a global catalog
> server. I understand this is a Microsoft recommendation. All other
> roles are now on DC3.
>
> I will start building a new server and will run dcpromo to make it a
> new DC.
>
> Then I will see if I need to do anything to clean up the old DC1
> machine. I think I ran across some recommendations to clean up
> metadata or something like that.
>
> Thanks again.
>

As Meinolf mentioned, in a single Forest/Domain structure, you don't really
have to worry about IM placement. Here is a good article. Please read
completely :-)
http://support.microsoft.com/kb/223346

If you need to remove DC manually, you need to perform a metadata cleanup
http://technet.microsoft.com/en-us/l...78(WS.10).aspx


--
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX
http://blogs.sivarajan.com/
http://publications.sivarajan.com/

This posting is provided "AS IS" with no warranties, and confers no rights.


"Mark C" <markc@askfordomain.ok> wrote in message
news:T5idnfuC78go7RDWnZ2dnUVZ_oCdnZ2d@posted.internetamerica...
> Seizing roles seems to have worked. I kept getting an "access denied"
> error when trying to seize the schema master role, but after adding myself
> to schema admins it succeeded. Should I do any dcdiag or repladmin stuff
> to see if everything is working?
>
> Left the infrastructure role on DC2, which is NOT a global catalog server.
> I understand this is a Microsoft recommendation. All other roles are now
> on DC3.
>
> I will start building a new server and will run dcpromo to make it a new
> DC.
>
> Then I will see if I need to do anything to clean up the old DC1 machine.
> I think I ran across some recommendations to clean up metadata or
> something like that.
>
> Thanks again.
>

Hi
You need to:
- Seize the FSMO roles, Sync all existing DCs, perform metadata clean up for
the lost DC.
- Make sure that you have redundancy for DNs as well, and point the clients
to the existing DNs servers.
- Make both DCs global Catalogs, run dcdiag and search for output errors.
--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Mark C" <markc@askfordomain.ok> wrote in message
news:_KqdnYYsd7yh3xDWnZ2dnUVZ_rKdnZ2d@posted.internetamerica...
> Hello,
>
> We just lost a domain controller. I have found what looks like some
> pretty
> good documentation on recovery, and I'm about to give it a shot. However,
> I
> know there are often times when real-world experience is often more
> helpful
> than a KB article, so I thought I'd solicit any advice anyone might have.
>
> We lost DC1, one of three DCs in our domain. All DCs are Windows 2003
> SP2. DC1 was on very old hardware that probably cannot be replaced.
>
> DC1 was our primary DNS, Schema Master, and Domain Naming Master. It was
> not a Global Catalog server.
>
> DC2 is our secondary DNS, and a Global Catalog server.
>
> DC3 is RID and PDC emulator, as well as a Global Catalog.
>
> I don't know who holds the Infrastructure Manager role. I'm wondering if
> because it is a single domain with multiple DCs, if that role is somehow
> not
> present?
>
> Anyway, does anyone have any general recommendation on how to go about
> this? One question I have: I'm not sure if I should try to transfer
> Schema Master and Domain Naming Master roles to another DC, or if I should
> try to rebuild DC1 from scratch and restore system state info from tape
> backup.
>
> What if I just transfer roles to DC2 and DC3, and then create a new DC
> called DC4, and just forget about rebuilding DC1?
>
> Any other advice is appreciated --
>
> Thanks
>
> Oh, one other thing! When we lost DC1, it seems like a lot of our users
> lost access to network resources. I'm guessing because they were still
> authenticated to DC1. Once we shut DC1 down for good and had users
> reboot, they seemed to have better luck accessing network shares and
> resources. Is this how it's supposed to work? Ideally, it seems like
> users would just be transferred to a different DC transparently and would
> not notice any problems.
>