Domain Controller Recovery

August 2004

Step 1

Make sure FSMO roles are covered.

It usually takes the better part of a day or more to rebuild a DC. Most people will not notice a missing DC as long as all FSMO roles are running.

How to query FSMO roles:

    C:\ >netdom query FSMO                 (or netdom query /domain:ads FSMO)
    Schema owner                redwood.uwad.uwaterloo.ca
    Domain role owner           redwood.uwad.uwaterloo.ca
    PDC role                    douglasfir.ads.uwaterloo.ca
    RID pool manager            oak.ads.uwaterloo.ca
    Infrastructure owner        oak.ads.uwaterloo.ca
    The command completed successfully.
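The check in Step 1 can be automated. The following is an added example, not part of the original document: a Python script that parses saved `netdom query fsmo` output and reports which roles are held by the failed DC or are missing from the output. The function names `parse_fsmo` and `uncovered_roles` are hypothetical, and the sample text is the output shown above.

```python
import re

# The five role labels exactly as `netdom query fsmo` prints them on this page.
ROLES = ("Schema owner", "Domain role owner", "PDC role",
         "RID pool manager", "Infrastructure owner")

# Sample input: the output shown on this page (not live data).
SAMPLE = """\
Schema owner                redwood.uwad.uwaterloo.ca
Domain role owner           redwood.uwad.uwaterloo.ca
PDC role                    douglasfir.ads.uwaterloo.ca
RID pool manager            oak.ads.uwaterloo.ca
Infrastructure owner        oak.ads.uwaterloo.ca
The command completed successfully.
"""

def parse_fsmo(text):
    """Return {role label: holder FQDN in lowercase} from netdom output."""
    owners = {}
    for line in text.splitlines():
        # Label and holder are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0] in ROLES:
            owners[parts[0]] = parts[1].strip().lower()
    return owners

def uncovered_roles(text, failed_dc):
    """Roles missing from the output or held by the failed DC.

    failed_dc may be a short name ("oak") or an FQDN; a short name is
    compared against the first DNS label of each role holder.
    """
    owners = parse_fsmo(text)
    failed = failed_dc.strip().lower().rstrip(".")
    result = {}
    for role in ROLES:
        holder = owners.get(role)
        if holder is None:
            result[role] = "no holder reported"
        elif holder == failed or ("." not in failed
                                  and holder.split(".")[0] == failed):
            result[role] = holder
    return result

if __name__ == "__main__":
    for role, holder in uncovered_roles(SAMPLE, "oak").items():
        print(f"{role}: {holder} -> needs a new holder before the rebuild")
```

An empty result means every role is reported and none is held by the failed DC.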

How to transfer FSMO roles:

http://win2k/Disaster_Recovery/Partial_Active_Directory_Restores_and_Repair.htm or

http://win2k.uwaterloo.ca/Disaster_Recovery/Preparing_for_Planned_DC_Shutdown.htm

NOTE: BE SURE TO UPDATE DNS IF ANY OF THESE ROLES CHANGE FROM ONE SERVER TO ANOTHER

Step 2

Make sure a Global Catalog server is available. If a DC cannot contact a GC at the point of client logon, cached local logon credentials are all the client will receive, and access to remote resources will be denied.

As of August 2004, our GCs were douglasfir and redwood.

How to check and change Global Catalog Server:

“AD Sites and Services” is the tool that lists all domain controllers. Select any server (under Sites/Default-First-Site-Name/Servers), right-click “NTDS Settings” beneath the server name, and select “Properties”. “Global Catalog” is selectable there, with a check mark beside it for servers selected as GC servers. You can check or change the setting here.

Step 3

Restore or Reinstall the missing DC.

To decide which of these two is better or faster, use the following guidelines:

  1. If the server was a GC, try to restore it. Always perform an Authoritative Restore on a DC.
  2. If the server was an RID Master (oak and koa), do a reinstall, not a restore.
  3. If the server was not running any FSMO roles (maple), a reinstall is likely faster.

How to Restore a DC

http://win2k.uwaterloo.ca/Disaster_Recovery/Windows2000Server_recovery.htm

How to remove a failed DC from the existing Active Directory

See Appendix A in: http://win2k.uwaterloo.ca/Disaster_Recovery/Windows2000Server_recovery.htm

How to do an Authoritative Restore of Active Directory Data

See the last chapter of: http://win2k/Disaster_Recovery/Partial_Active_Directory_Restores_and_Repair.htm


Document created by Manfred Grisebach