  • Active Directory Restore

    Hello folks,

    This is the first time trying a restore of the AD in a w2k03 server. This box has ALL the roles including PDC. My problem is that the default domain GPO seems to be corrupted. I get the event ID: 1096 (registry.pol is inaccessible or corrupt). I have tried tweaking folder permissions but am still unable to edit default domain GPO.

    My question is: can I just restore the sysvol when I go to Directory Service Restore Mode?

    Thanks in advance!!!

    Yellow_doh
    Last edited by yellow_doh; 1st February 2007, 09:43. Reason: need better title

  • #2
    Re: Active Directory Restore

    Is this the only DC in the forest?
    Did you have the default domain GPO configured with defaults or have you performed significant changes?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Active Directory Restore

      Hello Guyt,

      No significant changes had been made prior to the corruption appearing in the log files. As I inherited this setup, all FSMO roles seem to be pointed to this box. Including PDC emulation. This is the only domain in the forest. The Default Domain GPO is customized to suit the corp's needs. But this customization was an initial thing and not a trickle tweak. As I further research this subject...a new question arises:

      Does the tombstone time affect sysvol as well?
      ...and can I install an 8-month-old sysvol and ONLY THE SYSVOL???

      As it stands, I'm thinking about rebuilding the AD from scratch one weekend...but as I'm contracted out to this corp. I can't seem to get the IT mgr. to give me the approval...but that's typical corp. bs.

      Regards,
      yellow_doh
      Last edited by yellow_doh; 4th February 2007, 08:54.


      • #4
        Re: Active Directory Restore

        Originally posted by yellow_doh:
        "This is the only domain in the forest."

        Is it the only Domain Controller in the forest/domain?

        Depending on the answer, you will have one of 2 options:

        1) restore the GPO to its default using dcgpofix /target:domain
        2) Authoritatively restore the SYSVOL
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"


        • #5
          Re: Active Directory Restore

          Hello guyt,

          There is only one forest but this is the PDC with all FSMO roles. There are two other DCs here.

          Can I use authoritative restore of sysvol that is over 7 months old? I realize recent GPOs will be lost but c'est la vie.

          Regards,
          yellow_doh


          • #6
            Re: Active Directory Restore

            By default, GP Editor will focus on PDC Emulator when editing a GPO.
            Can you try pointing the GP editor to another DC and try to edit the GPO?
            Performing an authoritative restore is way too much for such an issue.

            Please review the NTFRS event logs on all the DCs and let us know whether there are any error events related to NTFRS.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"


            • #7
              Re: Active Directory Restore

              Hello guyt,

              Doesn't work...I get the error message:

              Failed to open the GPO. You may not have appropriate rights.
              Details: Unspecified error.

              Permissions for folder:

              Domain Admins - full

              Doesn't the PDC propagate the registry.pol to all the other DCs as well? Or should I try making another DC the PDC and see if that fixes it...

              Any suggestions?

              Regards,
              yellow_doh
              Last edited by yellow_doh; 6th February 2007, 19:18.


              • #8
                Re: Active Directory Restore

                Update to AD restore:

                Believe it or not...I used a sys bkup from feb of last year!!!! It wasn't all that bad as there weren't too many changes that occurred from then to now. Things that changed:

                Security config changes made to SharePoint
                Network printers (had to recreate/publish back into AD...and of course users lost all their printers - THAT WAS FUN! :-\ )

                Since this was my first restore attempt...I didn't even consider the printers...just wondering if I should have unshared them first as well as unlisting them in AD...

                I was surprised to see that user configs did not change...including permissions/rights assignments.

                All seems stable now.

                regards,
                yellow_doh


                • #9
                  Re: Active Directory Restore

                  WHAT?!?!?

                  That is TOTALLY IMPOSSIBLE.

                  An Active Directory (System State) Backup which is older than the "Tombstone Life" of an object (by default 60 days) can NEVER work. It becomes unrestorable. Are you talking about System State, or about a file restore of the C: drive?


                  Tom
                  For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                  Anything you say will be misquoted and used against you


                  • #10
                    Re: Active Directory Restore

                    It was the system state. I know about the tombstone restriction but it worked. Don't ask me how...

                    What I needed done was restoring the default domain profile since I could no longer access it and the registry.pol in the machine account was "corrupt". It appeared to have worked. Logs are very stable now and I have been spending the last few days creating test user accounts in every OU to see if anything unusual was occurring...nada.

                    Regards,
                    yellow_doh


                    • #11
                      Re: Active Directory Restore

                      It's not a "restriction"... it's a hard and fast limit. It's there to prevent the progressive and total destruction of every AD object over a period of hours, and the complete loss of any consistency or usability in your entire forest.

                      Whatever you've achieved I hope I never have to look at it, because if I look at it, my luck will kick in and your entire system will self-destruct in seconds.

                      Seriously though, monitor the a$$ off that system for the next two months and take regular (daily?) system state backups. This might yet backfire, and I'm utterly dumbfounded that it even allowed the restore.


                      Tom
                      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                      Anything you say will be misquoted and used against you
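
Added example, not part of the original thread: a pre-restore check for the limit discussed in posts #9 and #11, comparing the age of a system state backup with the forest's tombstone lifetime. It assumes the ActiveDirectory PowerShell module is installed; the function names, the 14-day warning margin and the sample backup date are illustrative, and the 60-day fallback is the default quoted in post #9.

```powershell
# Added example; function names and the warning margin are illustrative.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition and applies to the whole forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $ds = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    # An unset attribute means the 60-day default applies.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-SystemStateBackupAge {
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupDate,
        [int]$WarnMarginDays = 14
    )
    $tsl = Get-TombstoneLifetimeDays
    $ageDays = [int][math]::Floor(((Get-Date) - $BackupDate).TotalDays)

    # Expired: the backup is at or past the tombstone lifetime.
    # NearExpiry: still inside the window, but within the warning margin.
    if ($ageDays -ge $tsl) { $verdict = 'Expired' }
    elseif ($ageDays -ge ($tsl - $WarnMarginDays)) { $verdict = 'NearExpiry' }
    else { $verdict = 'Usable' }

    [pscustomobject]@{
        BackupDate            = $BackupDate
        BackupAgeDays         = $ageDays
        TombstoneLifetimeDays = $tsl
        Verdict               = $verdict
    }
}

# Constructed sample date; substitute the timestamp of the backup set
# you intend to restore from.
Test-SystemStateBackupAge -BackupDate '2006-02-15'
```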
