How to restore Domain Controllers that have been down for a long time

Michael Leighty wrote:

I've been working on building a new Active Directory domain for my company to replace the existing one. The first two domain controllers were built for test purposes some time ago. A couple of months ago I had a problem where I discovered one had gone down because of a RAID controller issue. I didn't have time to work on it until recently, when I discovered that the other one had been off this whole time because it hadn't come back on after a power failure we had in the server room. Not too big a deal since neither box is in production yet.

The problem is that since the only two domain controllers were both down, when they came back up neither considered the other or themselves a reliable partner for replication since they'd been down so long (I'm not sure what the exact time limit is). So I got them to replicate with one another by referencing this article found on TechNet at http://technet2.microsoft.com/WindowsServer/en/Library/34c15446-b47f-4d51-8e4a-c14527060f901033.mspx which basically removes the protection in the registry that prevents them from replicating. However, after doing this I find that neither one will respond to directory service requests, so I'm wondering if they still consider themselves non-authoritative for directory service requests after being down for so long. Is there something further I have to do, like maybe an authoritative restore on one of them? I remember hearing somewhere that this was a very sticky issue to address, and one to avoid at all costs. Any ideas?

Cary W. Shultz wrote:

Michael,

Without having read your entire post (sorry...) there is one thing to know about this: the tombstone period is 60 days - by default. If a Domain Controller has been 'out of touch' for a period that exceeds the tombstone life (not going to write '60 days' here....because it can be changed!) then you need to do a couple of things:

1) dcpromo that Domain Controller. It is quite possible that you will have to use the /forceremoval switch. This will remove it from Active Directory....or, at least, it should. NOTE: before you do the dcpromo process make sure that you change the IP Configuration, specifically the DNS information. It should not point to itself in this case. Make sure that it is pointing to other DNS Servers. This will help in cleaning up the DNS records....

2) run ntdsutil (available natively....that is to say, that it is not a part of the Support Tools) and do a metadata cleanup. There is a lot of information on this. The key is to remember that you need to run this on an existing Domain Controller, and not on the DC that you are trying to remove (I would suggest doing this after you have removed it via the DCPROMO process, assuming that it works).

3) Look at ADSIEdit and do any additional house cleaning that you might need.

Also, it might be a really good idea to include what the NOS is and at what Service Pack level (for example, Windows 2000 SP4).

--
Cary W. Shultz
Roanoke, VA 24012

Michael Leighty wrote:

Thank you for your reply Cary,
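As an added example (not code from the thread, from Microsoft, or from the TechNet article), here is a PowerShell audit a practitioner would run before deciding whether a DC has actually crossed the tombstone lifetime Cary describes, and to confirm that the registry override the TechNet article has you set has been turned back off once replication is healthy. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later) and WinRM access to each DC, so the thread's own Windows Server 2003 boxes would have to be queried from a newer admin workstation; the function names and report layout are my own.

```powershell
# Added example, not from the thread: compare each DC's last successful replication
# with the forest tombstone lifetime, and check the NTDS registry values that the
# TechNet article above tells you to change. Assumes RSAT ActiveDirectory module
# (Windows Server 2012 / Windows 8 or later) and WinRM access to every DC.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the Configuration NC.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                          -Properties tombstoneLifetime
    if ($null -eq $dsObj.tombstoneLifetime) {
        # Attribute not set: the forest uses the built-in default of 60 days
        # (forests created with Windows 2000 or Windows Server 2003 RTM, as in this thread).
        return 60
    }
    return [int]$dsObj.tombstoneLifetime
}

function Get-ReplicationAgeReport {
    param([int]$TombstoneDays = (Get-TombstoneLifetimeDays))
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                                                     -ErrorAction SilentlyContinue
        foreach ($p in $partners) {
            $last    = $p.LastReplicationSuccess
            $ageDays = if ($last) { [math]::Round(($now - $last).TotalDays, 1) } else { $null }
            # A partner that has not replicated within the tombstone lifetime is exactly the
            # situation Michael hit: the DCs refuse each other as replication partners.
            $state = if ($null -eq $ageDays)                  { 'never' }
                     elseif ($ageDays -gt $TombstoneDays)     { 'BEYOND TOMBSTONE LIFETIME' }
                     elseif ($ageDays -gt $TombstoneDays / 2) { 'warning' }
                     else                                     { 'ok' }
            [pscustomobject]@{
                Server      = $dc.HostName
                Partner     = $p.PartnerAddress
                Partition   = $p.Partition
                LastSuccess = $last
                AgeDays     = $ageDays
                State       = $state
            }
        }
    }
}

function Get-NtdsReplicationOverrides {
    # The TechNet article sets 'Allow Replication With Divergent and Corrupt Partner' to 1,
    # which disables the lingering-object protection. Once the DCs are back in sync it should
    # be 0 or absent, and 'Strict Replication Consistency' should be 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    foreach ($dc in Get-ADDomainController -Filter *) {
        Invoke-Command -ComputerName $dc.HostName -ArgumentList $key -ScriptBlock {
            param($k)
            $v      = Get-ItemProperty -Path $k
            $allow  = $v.'Allow Replication With Divergent and Corrupt Partner'
            $strict = $v.'Strict Replication Consistency'
            [pscustomobject]@{
                Server                = $env:COMPUTERNAME
                AllowDivergentPartner = $allow
                StrictConsistency     = $strict
                NeedsAttention        = ($allow -eq 1) -or ($strict -ne 1)
            }
        }
    }
}

$tsl = Get-TombstoneLifetimeDays
"Tombstone lifetime: $tsl days"
Get-ReplicationAgeReport -TombstoneDays $tsl | Sort-Object AgeDays -Descending | Format-Table -AutoSize
Get-NtdsReplicationOverrides | Format-Table -AutoSize
```

Run it from a workstation with the AD module after the DCs are reachable: any row marked BEYOND TOMBSTONE LIFETIME is a DC that should go through Cary's dcpromo plus ntdsutil metadata cleanup rather than be forced to replicate, and any row with NeedsAttention true means the divergent-partner override is still in place and the DC is still accepting lingering objects.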
I apologize for not being more thorough in my first post. I was somewhat rushed at the time. I'm running Windows Server 2003 Standard Edition with SP1. Your solution sounds good except for one problem. These are the first two domain controllers in this forest and the only ones. In that case I'm not sure I can dcpromo them, because if I dcpromo'ed them both I would destroy the forest. I wouldn't care about that except I have a forest trust set up that I'm actively using to authenticate a new NAS device which will be a part of the new forest I'm creating. I think I may be forced to do some trick where I simultaneously reset the clocks on both to the time before the 60-day limit and then move them forward together until they can trust their existing database. Anybody have documentation on whether this will work or how it should be done effectively?