Windows 2000 Server/DC Recovery Procedures
This document outlines the steps required to recover a Windows 2000 server or domain
controller. Please note: the steps vary if the server is a member server, a
primary domain controller or a secondary domain controller.
It is assumed the server has failed completely (hardware failure, disk corruption,
etc.). At this point you have three options:
- The quickest way to rebuild a server is from a PowerQuest server image or Deploy
Center version 5.0 or newer, then restore from Legato NetWorker backups.
(covered here in parts 1, 2 and 3) NOTE: Intel P4 systems seem to need a
different image build than PIII's.
- Alternatively the W2K Server CD can be used and Legato NetWorker installed to
restore the previous image. This may be necessary if the hardware has changed and
is not supported by the PowerQuest Server image. (same as above, but the first
part is not covered here)
- Build again from scratch and rejoin the domain manually. This may require domain
or Active Directory cleanup of any old references to the server name and its
services. (covered here in parts 1 and 3)
Repairing the server hardware is not covered by this document. See the document
called Partial Active Directory Restores and Repair for additional information.
Before starting, have the following information and media at hand:
- TCP/IP properties (Server properties):
  - IP address: 129.97.____________
  - default gateway: 129.97.____________
  - DNS server: 129.97.____________
  - computer name: _______________
  - full domain name: ____________.uwaterloo.ca
- administrator password
- # of hard drives that existed before
- # and size of partitions on each hard drive that existed before
- file system (NTFS or FAT32) that existed on each partition
- latest Server Image CD (including PowerQuest Server Image or Deploy Center
version 5 or newer software). Current version when this document was created is
2Nov01 for PIII's and 28Mar02 for P4's.
- W2K Server CD with latest Service Pack installed (may not be required if the
image is complete)
Part 1: Recovering the Server Image
- Re-create all disk partitions that existed before with the same partition
sizes (or bigger).
- Restore the image from the latest PowerQuest ServerImage/Deploy Center W2K
Server CD:
  - Configure the PC to boot from CD
  - Change drive to d:
  - cd pqsint
  - Run pqsint and restore server.pqi from d:\
  - Accept all defaults
- Reboot as requested and assign the IP address. (Servers do not get DHCP'd.)
- Assign correct DNS information if required.
- (NOTE: See Part 1B below under the DC steps about undoing the DDNS registration
registry key *IF* dynamic DNS (DDNS) is used. This is usually ONLY done if
Microsoft DNS is used instead of Unix DNS.)
- Set the computer name and DNS suffix (right-mouse click on "My Computer", select
"Properties", select the "Network Identification" tab, select the "Properties"
button). Enter the suffix as "xxx.uwaterloo.ca" (where "xxx" is substituted with
the correct domain name) and leave the update DNS button checked.
- NOTE: You do *not* need to join the domain if the correct suffix is entered
here. You will need to reboot.
- Prepare and clean up additional drives (we use D: and E:, for instance, to keep
a copy of Active Directory and the log files), so these must be re-created if
they existed before and formatted with the correct file system as before (i.e.
NTFS or FAT32). If data is to be restored or recreated (dcpromo), delete the old
data.
*** Go to Part 2 now if restoring data from backup ***
NOTE: If you are here it is assumed you are *not* restoring the server from
backups.
- Join the appropriate domain now and install any additional software as
required.
- Set up WINS if appropriate.
Part 1B: Additional Steps if Server is also a Domain Controller
- *IF* this server is not using DNS on Unix, or DDNS is in use, undo the
UseDynamicDns registry key change. (We have this turned off in our PowerQuest
image.) The key is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\UseDynamicDns
  - The default value data for the UseDynamicDns REG_DWORD value is 0x1.
  - We changed it to 0x0 so it would *not* try to update Unix DNS (which it isn't
allowed to) and so it would create a valid Netlogon.dns file to be sent to your
DNS administrator.
- If this DC is being rebuilt, be sure to remove any reference to it from an
existing DC in the domain before rejoining the DC to the domain. This is done
using ntdsutil, having authenticated as forest administrator. (NOTE: This does NOT
work in safe mode as you do for authoritative restores.) See Appendix A for
instructions.
- Run "dcpromo" at a command prompt and specify the appropriate options. (This
step requires the latest Service Pack CD.)
- Now, the procedure varies depending on how many DC's there are. In our root
environment at the moment we have two DC's sharing the role of hosting a domain;
their roles are defined as follows:
- First DC should be running:
  - 1. Global Catalog (accessible from AD Sites and Services)
  - 2. Schema Master (not explicitly set until schema mods require it)
  - 3. Domain Naming (not
  - 4. PDC master (settable from AD Users and Computers)
- Second DC should be running:
  - 1. RID master (right-mouse click the domain name in AD Users and Computers
and select Operations
  - 2. Infrastructure Master (settable from AD Users and Computers)
  - 3. DNS (***NOTE: We run DNS from Unix so this is not set on ours)
- Replace the DNS SRV records, because this newly built server has a new SID and
GUID. This is crucial for file replication between DC's.
*** Go to Part 3 now ***
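An added example, not part of this document, for confirming the role split described above after a DC rebuild: it reads the fSMORoleOwner attribute of each role-holding object and the Global Catalog flag of every NTDS Settings object over LDAP from any domain-joined machine running PowerShell. It assumes that machine can bind to a DC of the domain being checked; the role names are the script's own labels.

```powershell
# Added example (not from the original document): list which DC holds each
# FSMO role and which DCs are Global Catalogs, so the first-DC / second-DC
# split above can be verified. Pure ADSI/LDAP, so it works against a
# Windows 2000 forest; run on any domain-joined host with PowerShell.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Get("defaultNamingContext")
$schemaDn = $rootDse.Get("schemaNamingContext")
$configDn = $rootDse.Get("configurationNamingContext")

# fSMORoleOwner holds the DN of the owner's NTDS Settings object:
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... -> extract <server>
function Get-RoleOwnerName([string]$ObjectDn) {
    $owner = ([ADSI]"LDAP://$ObjectDn").Get("fSMORoleOwner")
    if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $owner
}

# Object that carries fSMORoleOwner for each role (standard AD locations).
$roles = [ordered]@{
    "Schema Master"         = $schemaDn
    "Domain Naming Master"  = "CN=Partitions,$configDn"
    "PDC Emulator"          = $domainDn
    "RID Master"            = "CN=RID Manager`$,CN=System,$domainDn"
    "Infrastructure Master" = "CN=Infrastructure,$domainDn"
}
foreach ($role in $roles.Keys) {
    "{0,-22} {1}" -f $role, (Get-RoleOwnerName $roles[$role])
}

# Global Catalog: bit 0x1 of the options attribute on each NTDS Settings object.
$searcher = New-Object DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Sites,$configDn", "(objectClass=nTDSDSA)")
$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "options")) | Out-Null
foreach ($ntds in $searcher.FindAll()) {
    $dn      = $ntds.Properties["distinguishedname"][0]
    $options = if ($ntds.Properties["options"].Count) { [int]$ntds.Properties["options"][0] } else { 0 }
    $server  = if ($dn -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $dn }
    $isGc    = if ($options -band 1) { "yes" } else { "no" }
    "{0,-22} {1}: {2}" -f "Global Catalog", $server, $isGc
}
```

Compare the printed owners with the split you intend (GC, Schema, Domain Naming and PDC on the first DC; RID and Infrastructure on the second) before running dcpromo on any further servers.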
Part 2: Recover the Image from Legato NetWorker
1) Start the NetWorker User program (Start->Programs->NetWorker).
2) Click on the Recover icon and select the last known good backup date. NOTE:
verify all partitions exist in the backup before choosing the date.
3) Mark all the drives, the SYSTEM STATE, SYSTEM FILES and SYSTEM DB nodes for
recovery. NOTE: Verify all main folders/files got marked before starting.
Sometimes selecting "Mark" at the top does not ripple all the way down the tree.
4) Select the Options menu item and click on the "Recover Options" item. Turn on
the "Overwrite Existing File" button. If you forget to do this, you will get
prompted with a Naming Conflict dialog box. In here you need to enable
overwriting of existing files and also turn on the Suppress Further Prompting
option.
5) Click Start. As the recover proceeds, the files being recovered are displayed
in the NetWorker window. There will be some messages about recovery being
deferred for files in use. You will know it's done when a dialog comes up asking
you to "reboot to complete the recovery process". (It stops a lot during
recovery, leading you to believe it's done.)
6) If there are Recycle Bin files to recover, you will get prompted with a
password protection window. Choose Recover->OK to recover these if you want.
7) Check the file C:\NETWORKR.LOG for errors.
8) Reboot the computer. It should now be in the same state as it was when the
backup was
Part 3: Test the operating system
1) Verify that the network protocols are functioning properly. Test this by
running ping from a command prompt.
2) Verify that name resolution is working. Test this by running nslookup from a
command prompt.
3) Verify that you are indeed part of the domain.
4) Verify that any additional services installed work.
5) Verify the time zone defined and the time and date settings. You may have to
issue the "net time /setsntp:ntp1.uwaterloo.ca" command, as it seems to get lost
on occasion.
6) If this is a DC, verify that trust relationships are working (AD Domains and
Trusts) and replication is working between DC's (AD Sites and Services).
7) Verify Event logs are clean of errors since the restore time. If you are
getting Event ID's 455, 454, 1202 and/or 1000 in the Application log, see
Microsoft's Knowledge Base article Q278316. It requires you to hide the .log
files in %SystemRoot%\Security, rename %SystemRoot%\Security\Database\Secedit.sdb
and run mmc, add Security Configuration and Analysis, Open Database, type
Secedit.sdb and click Open, and import the Setup Security.inf template. These
steps will eliminate these errors.
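An added example, not part of this document, that runs the Part 3 checks from another domain-joined host with PowerShell: reachability, name resolution, domain membership, clock skew and the Application-log event IDs named in Q278316 since the restore. The server name, gateway and restore time are placeholders, and it assumes WMI and the remote event log on the rebuilt server are reachable over RPC.

```powershell
# Added example (not from the original document): post-restore checks for Part 3.
# Fill in the three placeholders before running.
param(
    [string]$Server        = "SERVERNAME",             # placeholder: rebuilt server
    [string]$Gateway       = "129.97.0.1",             # placeholder: its default gateway
    [datetime]$RestoreTime = (Get-Date).AddHours(-2)   # placeholder: when the restore finished
)
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# 1) network protocols: the server answers, and its gateway is reachable
Add-Check "ping server"  (Test-Connection $Server  -Count 2 -Quiet) $Server
Add-Check "ping gateway" (Test-Connection $Gateway -Count 2 -Quiet) $Gateway

# 2) name resolution for the server's name
try   { $entry = [Net.Dns]::GetHostEntry($Server); Add-Check "DNS lookup" $true ($entry.AddressList -join ",") }
catch { Add-Check "DNS lookup" $false $_.Exception.Message }

# 3) domain membership as the server itself reports it over WMI
$cs = Get-WmiObject Win32_ComputerSystem -ComputerName $Server
Add-Check "domain member" ([bool]$cs.PartOfDomain) $cs.Domain

# 5) clock: the server's local time should be within a minute of ours
$os     = Get-WmiObject Win32_OperatingSystem -ComputerName $Server
$remote = [Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
$skew   = [math]::Abs(((Get-Date) - $remote).TotalSeconds)
Add-Check "clock skew < 60s" ($skew -lt 60) ("{0:N0} s" -f $skew)

# 7) Application log clean of the secedit/SCE errors that Q278316 addresses
$badIds = 455, 454, 1202, 1000
$hits = @(Get-EventLog -LogName Application -ComputerName $Server -After $RestoreTime -EntryType Error, Warning |
          Where-Object { $badIds -contains $_.EventID })
Add-Check "event log (Q278316 ids)" ($hits.Count -eq 0) ("{0} matching entries since {1}" -f $hits.Count, $RestoreTime)

$results | Format-Table Check, Ok, Detail -AutoSize
```

Items 4 and 6 (additional services, trusts and replication) are service-specific and are still checked by hand in the snap-ins the text names.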
Appendix A, Removing a failed Domain Controller from the existing Active
Directory
If a domain controller has not been properly promoted out of a domain (i.e. it
crashed) it may be necessary to delete references to it from Active Directory.
This is required if a server is rebuilt and re-promoted (via dcpromo) to the name
it had before. This is not required if a domain controller is restored from
backups.
NOTE: To do this you must be an enterprise administrator.
Open a "Command Prompt" from Programs/Accessories on any W2K system in your
domain. The system does not have to be a DC.
- Type ntdsutil and press enter.
- At ntdsutil, type metadata cleanup and press enter.
- At metadata cleanup, type connections and press enter.
- At connections, type connect to server <name of any active directory controller
in your forest> and press enter. For example, type "connect to server
syslab15.uwaterloo.ca".
- Type quit and press enter. You will be brought back to the metadata cleanup
menu.
- Type select operation target and press enter.
- Type list domains and press enter.
- Note the domain that contains the failed DC. It will have a number next to it.
- Type select domain <domain number> and press enter.
- Type list sites and press enter.
- Type select site <failed domain controller's site number> and press enter. (It
will be 0 for most of
- Type list servers in site and press enter.
- Find the failed domain controller by number. Now type select server <failed DC
server number> and press enter.
- Type quit and press enter.
- To remove the failed domain controller from Active Directory, at the metadata
cleanup menu, type remove selected server and press enter.
At this point you are finished. If the replacement domain controller will not
retain the same host name as the failed domain controller, you will need to
perform these additional steps:
- Delete the failed domain controller object from the Active Directory Sites and
Services snap-in:
  - Expand the Sites folder until the failed domain controller's site is showing.
  - Expand the site's Servers folder until you see the domain controller listed.
  - Right-click the failed domain controller and select Delete.
- Delete the failed DC account from the AD Users and Computers snap-in:
  - Click on the container that contains the failed DC.
  - Right-click the DC and select Delete.
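An added example, not part of this document, for confirming the cleanup above actually took: it searches Active Directory over LDAP for anything still tied to the failed DC, namely the server object under Sites, the computer account, replication connections on surviving DCs that still point at it, and the FRS member object for SYSVOL. $FailedDc is a placeholder; run it as an enterprise administrator on any domain-joined host with PowerShell.

```powershell
# Added example (not from the original document): after "remove selected server"
# and the snap-in deletions above, report any leftover references to the failed DC.
param([string]$FailedDc = "OLDDC")   # placeholder: NetBIOS name of the failed DC

$rootDse  = [ADSI]"LDAP://RootDSE"
$configDn = $rootDse.Get("configurationNamingContext")
$domainDn = $rootDse.Get("defaultNamingContext")

# Run one LDAP search and return the raw SearchResult objects.
function Find-Ad([string]$BaseDn, [string]$Filter, [string[]]$Props = @("distinguishedName")) {
    $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn", $Filter)
    $s.PropertiesToLoad.AddRange($Props) | Out-Null
    $s.FindAll()
}
function Get-Dn($r) { $r.Properties["distinguishedname"][0] }

$leftovers = @()
# Sites and Services: the server object (its NTDS Settings child goes with it)
$leftovers += @(Find-Ad "CN=Sites,$configDn" "(&(objectClass=server)(cn=$FailedDc))" | ForEach-Object { Get-Dn $_ })
# Users and Computers: the computer account (normally in the Domain Controllers OU)
$leftovers += @(Find-Ad $domainDn "(&(objectClass=computer)(sAMAccountName=$FailedDc`$))" | ForEach-Object { Get-Dn $_ })
# Replication links on surviving DCs whose fromServer still names the failed DC.
# fromServer is DN-syntax, so substring filters do not work; match client-side.
$leftovers += @(Find-Ad "CN=Sites,$configDn" "(objectClass=nTDSConnection)" @("distinguishedName", "fromServer") |
    Where-Object { $_.Properties["fromserver"][0] -like "CN=NTDS Settings,CN=$FailedDc,*" } |
    ForEach-Object { Get-Dn $_ })
# FRS membership for SYSVOL replication (the page notes replication is what breaks)
$leftovers += @(Find-Ad "CN=File Replication Service,CN=System,$domainDn" "(&(objectClass=nTFRSMember)(cn=$FailedDc))" |
    ForEach-Object { Get-Dn $_ })

if (@($leftovers).Count -eq 0) { "No references to $FailedDc remain." }
else { "References to $FailedDc still present:"; $leftovers }
```

Any DN still listed is something the ntdsutil cleanup or the snap-in deletions missed and should be removed in the corresponding snap-in before re-promoting a server under the same name.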