Windows 2000 Server/DC Recovery Procedures

April 2002


This document outlines the steps required to recover a Windows 2000 server or domain controller. Please Note: the steps vary if the server is a member server, a primary domain controller or a secondary domain controller.

It is assumed the server has failed completely (hardware failure, disk corruption, etc). At this point you have three options:

  1. The quickest way to rebuild a server is from a PowerQuest server image (Deploy Center version 5.0 or newer), then restore from Legato NetWorker backups. (Covered here in Parts 1, 2 and 3.) NOTE: Intel P4 systems seem to need a different image build than PIII’s.
  2. Alternatively the W2K Server CD can be used and Legato NetWorker installed to restore the previous image. (This may be necessary if the hardware has changed and is not supported by the PowerQuest server image.) Same as above, but the first part is not covered here.
  3. Build again from scratch and rejoin the domain manually. This may require domain or Active Directory cleanup of any old references to the server name and its services. (Covered here in Parts 1 and 3.)

Recovering the server hardware is not covered by this document. See the document called Partial Active Directory Restores and Repair for additional information.


Information required before-hand includes:

  1. TCP/IP properties –
    • IP address: 129.97.____________
    • default gateway: 129.97.____________
    • DNS server: 129.97.____________
  2. Server properties –
    • computer name: _______________
    • full domain name:
    • administrator password.
    • # of hard drives that existed before
    • # and size of partitions on each hard drive that existed before
    • File System (NTFS or FAT32) that existed on each partition

Software Required

  • Latest Server Image CD (including PowerQuest Server Image or Deploy Center version 5 or newer software) Current version when this document was created is: 2Nov01 for PIII’s and 28Mar02 for P4’s
  • W2K Server CD with latest Service Pack installed (may not be required if image is complete)

Part 1: Recovering the Server Image

  • Re-create all disk partitions that existed before with the same partition sizes (or bigger)
  • Restore image from latest PowerQuest ServerImage/Deploy Center W2K Server CD
    • Configure PC to boot from CD
    • Boot
    • Change drive to D:
    • cd pqsint
    • Run pqsint and restore server.pqi from D:\
    • Accept all defaults
  • Reboot as requested and assign IP address. (Servers do not get DHCP’d)
  • Assign correct DNS information if required
    • (NOTE: See Part 1B below under DC steps about undoing the DDNS registration registry key *IF* dynamic DNS (DDNS) is used. This is usually ONLY done if Microsoft DNS is used instead of Unix BIND DNS)
  • Assign computer name (Right-mouse click on “My Computer”, Select “Properties”, select “Network Identification” tab, select “Properties” button.) Enter suffix as “” (where “xxx” is substituted with the correct domain name) and leave update DNS button checked.
    • NOTE: You do *not* need to join the domain if the correct suffix is entered here. You will need to reboot.
  • Prepare and clean up additional drives. (We use D: and E:, for instance, to keep a copy of Active Directory and the log files.) These must be re-created if they existed before and formatted with the same file system as before (i.e. NTFS or FAT32). If data is to be restored or recreated (dcpromo), delete the old data.


*** Go to Part 2: now if restoring data from backup ***



NOTE: If you are here, it is assumed you are *not* restoring the server from backups.

  • Join the appropriate domain now and install any additional software as required.
  • Setup WINS if appropriate


Additional Steps if Server is also a Domain Controller

  • *IF* this server is not using Unix DNS (i.e. it uses DDNS), undo the UseDynamicDns registry key change. (We have it turned off in our PowerQuest image.) The key is: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\UseDynamicDns
    • The default value data for the UseDynamicDns REG_DWORD value is 0x1.
    • We changed it to 0x0 so it would *not* try to update Unix DNS (which it isn’t allowed to do) and so it would create a valid Netlogon.dns file to be sent to your DNS administrator.
  • If this DC is being rebuilt, be sure to remove any reference to it from an existing DC in the domain before rejoining the DC back into the domain. This is done using ntdsutil, having authenticated as forest administrator. (NOTE: This does NOT work in safe mode, the way authoritative restores do.) See Appendix A for instructions.
  • Run “dcpromo” at a command prompt and specify appropriate options. (This step requires the latest Service Pack CD).
  • Now, the procedure varies depending on how many DC’s there are. In our root environment at the moment we have two DC’s sharing the role of hosting a domain; their roles are defined as follows:
    • PDC should be running:
      1. Global Catalog (accessible from AD Sites and Services)
      2. Schema Master (not explicitly set until schema mods require it)
      3. Domain Naming (not settable)
      4. PDC master (settable from AD Users and Computers)
    • Second DC should be running:
      1. RID master (right mouse click the AD Users and Computers domain name and select Operations Master)
      2. Infrastructure Master (settable from AD Users and Computers)
      3. DNS (***NOTE: We run DNS from Unix so this is not set on ours)
  • Replace the DNS SRV records, because this newly built server has a new SID and GUID. This is crucial for file replication between DC’s.
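As an added example (not part of the original procedure), here is a small Python parser for the Netlogon.dns file a DC writes when UseDynamicDns is 0x0. It lists the SRV records that point at the rebuilt DC, extracts the GUID-based _msdcs CNAME (the record that changes when dcpromo gives the server a new GUID), and diffs the new file against the one previously submitted so the DNS administrator gets a replace list instead of appending stale records. The two files embedded below are constructed samples; the domain, host name, addresses and GUIDs are placeholders.

```python
"""Added example: parse a Netlogon.dns file and list what the DNS
administrator must replace after a DC rebuild. Not part of the original
procedure; file contents, names, GUIDs and addresses are constructed."""
import re

# Owner name of the DSA GUID CNAME: <guid>._msdcs.<domain>.
GUID_RE = re.compile(
    r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\.", re.I)

# Constructed: Netlogon.dns as submitted for the DC before it failed.
OLD_NETLOGON_DNS = """\
ad.example.edu. 600 IN A 129.97.0.10
_ldap._tcp.ad.example.edu. 600 IN SRV 0 100 389 dc1.ad.example.edu.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.edu. 600 IN SRV 0 100 389 dc1.ad.example.edu.
_kerberos._tcp.ad.example.edu. 600 IN SRV 0 100 88 dc1.ad.example.edu.
_ldap._tcp.pdc._msdcs.ad.example.edu. 600 IN SRV 0 100 389 dc1.ad.example.edu.
_ldap._tcp.gc._msdcs.ad.example.edu. 600 IN SRV 0 100 3268 dc1.ad.example.edu.
_ldap._tcp.dc._msdcs.ad.example.edu. 600 IN SRV 0 100 389 dc1.ad.example.edu.
aaaaaaaa-1111-2222-3333-444444444444._msdcs.ad.example.edu. 600 IN CNAME dc1.ad.example.edu.
gc._msdcs.ad.example.edu. 600 IN A 129.97.0.10
"""

# Constructed: the file the rebuilt DC wrote. Same name and address, but
# dcpromo gave it a new DSA GUID, so only the _msdcs CNAME differs.
NEW_NETLOGON_DNS = OLD_NETLOGON_DNS.replace(
    "aaaaaaaa-1111-2222-3333-444444444444",
    "bbbbbbbb-5555-6666-7777-888888888888")


def parse_netlogon_dns(text):
    """Parse BIND-style lines 'owner ttl IN type rdata...' into dicts.
    DNS names are case-insensitive, so everything is lower-cased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip().lower()   # drop comments / blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "in":
            raise ValueError("not a Netlogon.dns record: %r" % raw)
        rtype = fields[3].upper()
        rdata = tuple(fields[4:])
        if rtype == "SRV" and len(rdata) != 4:
            raise ValueError("SRV needs priority weight port target: %r" % raw)
        records.append({"owner": fields[0], "ttl": int(fields[1]),
                        "type": rtype, "rdata": rdata})
    return records


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def srv_records_for_dc(records, dc_fqdn):
    """SRV records whose target is the rebuilt DC (the ones to replace)."""
    target = _fqdn(dc_fqdn)
    return [r for r in records
            if r["type"] == "SRV" and r["rdata"][3] == target]


def dc_guid(records, dc_fqdn):
    """The DSA GUID from the <guid>._msdcs CNAME pointing at the DC, or None."""
    target = _fqdn(dc_fqdn)
    for r in records:
        if r["type"] == "CNAME" and r["rdata"][0] == target:
            m = GUID_RE.match(r["owner"])
            if m:
                return m.group(1)
    return None


def diff_against_old(old_records, new_records):
    """(delete, add) lists of (owner, type, rdata) so the zone is corrected
    by replacement, not by appending a second set of records."""
    key = lambda r: (r["owner"], r["type"], r["rdata"])
    old = {key(r) for r in old_records}
    new = {key(r) for r in new_records}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    old = parse_netlogon_dns(OLD_NETLOGON_DNS)
    new = parse_netlogon_dns(NEW_NETLOGON_DNS)
    print("rebuilt DC GUID:", dc_guid(new, "dc1.ad.example.edu"))
    print("SRV records for dc1:", len(srv_records_for_dc(new, "dc1.ad.example.edu")))
    delete, add = diff_against_old(old, new)
    for rec in delete:
        print("DELETE", *rec[:2], *rec[2])
    for rec in add:
        print("ADD   ", *rec[:2], *rec[2])
```

Run it against the real old and new Netlogon.dns files (read them in place of the constructed strings) and hand the DELETE/ADD list to the DNS administrator; a diff that shows only the GUID CNAME changing is what you expect when the host name and address were kept.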


*** Skip to Part 3: ***


Part 2: Recover the Image from Legato NetWorker Backups


1) Start the NetWorker User program (Start->Programs->NetWorker Group->NetWorker User).

2) Click on the Recover icon and select the last known good backup date. NOTE: verify all partitions exist in the backup before choosing the date.

3) Mark all the drives, the SYSTEM STATE, SYSTEM FILES and SYSTEM DB nodes for recovery. NOTE: Verify all main folders/files got marked before starting. Sometimes selecting “Mark” at the top does not ripple all the way down the tree.

4) Open the Options menu item and click on the “Recover Options” item. Turn on the ‘Overwrite Existing File’ button. If you forget to do this, you will get prompted with a Naming Conflict dialog box. In here you need to enable overwriting of existing files and also turn on the Suppress Further Prompting option.

5) Select Start. As the recover proceeds, the files being recovered are displayed in the NetWorker window. There will be some messages about recovery being deferred for files in use.

   • You will know it’s done when a dialog comes up asking you to “reboot to complete the recovery process”. (It stops a lot during recovery, leading you to believe it’s done.)

6) If there are Recycle Bin files to recover, you will get prompted with a password protection window. Choose Recover->OK to recover these if you want.

7) Check the file C:\NETWORKR.LOG for errors.

8) Reboot the computer. It should now be in the same state as it was when the backup was performed.


Part 3: Test the operating system


1) Verify that the network protocols are functioning properly. Test this by running ping from a command prompt.

2) Verify that name resolution is working. Test this by running nslookup from a command prompt.

3) Verify that you are indeed part of the domain as requested.

4) Verify additional services installed work as expected.

5) Check the time zone defined and the time and date settings. You may have to issue the “net time” command, as the setting seems to get lost on occasion.

6) On a DC verify that trust relationships are working (AD Domains and Trusts) and replication is working between DC’s (AD Sites and Services).

7) Verify Event logs are clean of errors since the restore time.

   a) If you are getting Event IDs 455, 454, 1202 and/or 1000 in the Application log, see Microsoft’s Knowledge Base article Q278316.

      i) It requires you to hide the .log files in %SystemRoot%\Security, rename %SystemRoot%\Security\Database\Secedit.sdb and run mmc, add Security Configuration and Analysis, Open Database, type Secedit.sdb and click Open, and import the Setup Security.inf template.

      ii) These steps will eliminate these errors.
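For step 7, an added example (not part of the original procedure) that filters an exported Application log down to the errors logged since the restore and flags the four event IDs the step ties to Q278316. The export below is constructed; its column layout (tab-delimited, ISO dates, a header row) and the source names are assumptions, so adjust parse_event_export() to match what your Event Viewer export actually produces.

```python
"""Added example: find Application-log errors since the restore time and
flag the IDs the procedure associates with Q278316. Not part of the
original procedure; the export format and log lines are constructed."""
from datetime import datetime

# IDs the procedure says should send you to Q278316.
SECEDIT_EVENT_IDS = {454, 455, 1000, 1202}

# Constructed sample export. Assumed layout: one header row, then one
# tab-delimited row per event with Date, Time, Source, Type, Category,
# Event, User, Computer. Source names are placeholders.
SAMPLE_APP_LOG = """\
Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer
2002-04-09\t17:00:00\tSceCli\tError\tNone\t1202\tN/A\tSERVER1
2002-04-10\t08:55:12\tNetWorker\tInformation\tNone\t1\tN/A\tSERVER1
2002-04-10\t09:30:01\tSceCli\tError\tNone\t1202\tN/A\tSERVER1
2002-04-10\t09:30:01\tESENT\tError\tGeneral\t455\tN/A\tSERVER1
2002-04-10\t09:30:02\tESENT\tError\tGeneral\t454\tN/A\tSERVER1
2002-04-10\t09:31:15\tUserenv\tError\tNone\t1000\tN/A\tSERVER1
2002-04-10\t09:45:00\tPrint\tWarning\tNone\t20\tN/A\tSERVER1
"""


def parse_event_export(text):
    """Turn the tab-delimited export into dicts with a parsed timestamp
    ('when') and an integer event ID ('Event')."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("\t")
    events = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        row["when"] = datetime.strptime(
            row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S")
        row["Event"] = int(row["Event"])
        events.append(row)
    return events


def events_since(events, restore_time, types=("Error",)):
    """Events of the given types logged at or after the restore time.
    Anything earlier belongs to the old installation, not the restore."""
    return [e for e in events
            if e["when"] >= restore_time and e["Type"] in types]


def secedit_events(events, restore_time):
    """Errors since the restore whose ID is one the procedure maps to Q278316."""
    return [e for e in events_since(events, restore_time)
            if e["Event"] in SECEDIT_EVENT_IDS]


def summarize(events, restore_time, types=("Error",)):
    """Count of events per ID since the restore, for a quick look at what
    is still noisy after the reboot."""
    counts = {}
    for e in events_since(events, restore_time, types):
        counts[e["Event"]] = counts.get(e["Event"], 0) + 1
    return counts


if __name__ == "__main__":
    restore_time = datetime(2002, 4, 10, 9, 0, 0)   # constructed restore time
    evs = parse_event_export(SAMPLE_APP_LOG)
    print("errors since restore by ID:", summarize(evs, restore_time))
    hits = secedit_events(evs, restore_time)
    if hits:
        print("Q278316 applies; IDs seen:", sorted(set(e["Event"] for e in hits)))
```

Use the time of the final reboot in Part 2 as restore_time; errors from before that are the old installation's history and are not evidence that the restore left anything broken.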


Appendix A, Removing a failed Domain Controller from the existing Active Directory

If a domain controller has not been properly promoted out of a domain (i.e. it crashed) it may be necessary to delete references to it from Active Directory. This is required if a server is rebuilt and re-promoted (via dcpromo) to the name it had before. This is not required if a domain controller is restored from backups.


NOTE: To do this you must be an enterprise administrator


  1. Launch a “Command Prompt” from Programs/Accessories from any W2K system in your domain. The system does not have to be a DC.
  2. Type ntdsutil and press enter
  3. From ntdsutil, type metadata cleanup and press enter
  4. From metadata cleanup, type connections and press enter
  5. Now type connect to server <name of any active directory controller in your forest> and press enter. For example, type “connect to server”
  6. Now type quit and press enter. You will be brought back to the metadata cleanup menu.
  7. Type select operation target and press enter.
  8. Type list domains and press enter.
  9. Locate the domain that contains the failed DC. It will have a number next to it.
  10. Type select domain <domain number> and press enter.
  11. Type list sites and press enter.
  12. Type select site <failed domain controllers site number> and press enter. (It will be 0 for most of our domains.)
  13. Type list servers in site and press enter.
  14. Locate the failed domain controller by number. Now type select server <failed DC server number> and press enter.
  15. Type quit and press enter.
  16. To remove the failed domain controller from Active Directory, at the metadata cleanup menu, type remove selected server and press enter.


At this point you are finished. If the replacement domain controller will not retain the same host name as the failed domain controller, you will need to perform these additional steps:

  1. Remove the failed domain controller object from the Active Directory Sites and Services snap-in:
    • Expand the Sites folder until the failed domain controller’s site is showing.
    • Expand the site’s Servers folder until you see the domain controller listed.
    • Right-click the failed domain controller and select Delete.
  2. Remove the failed DC account from the AD Users and Computers snap-in:
    • Click on the container that contains the failed DC.
    • Right-click the DC and select Delete.