How to properly bring up a DC after failure

  • How to properly bring up a DC after failure

    Hello
    We have 2 DCs. DC1 and DC2.
    I was wondering what needs to be done to properly bring back up a failed DC under the following scenarios so that I can better prepare for disasters.

    1. DC2 fails (OS failure) but DC1 has the most recent changes.
    Perform a full restore on DC2 using a full backup which also includes system state.
    -No need to boot into a directory restore mode and perform a non-authoritative restore since I'm assuming by performing a full backup which includes a system state backup is considered a non-authoritative restore anyway and the up to date data will be replicated to this DC2 from DC1?
    Please correct me if I'm wrong.

    2. DC1 fails (OS failure) and DC1 had the most recent changes and not DC2.
    Perform a full restore on DC1 using a full backup which also includes a system state.
    Boot into a directory restore mode and restore the system state again?
    Then perform an authoritative restore?


    Thanks!

  • #2
    Re: How to properly bring up a DC after failure

    OK, when a DC fails, let's say the OS of that DC fails. This means that file replication is correct and no objects are wrongfully deleted. You need to restore your domain controller in Active Directory restore mode. Placing that server in Active Directory restore boots the server up without the Active Directory services being active, which enables you to restore AD. When that is done, the server will reboot and AD changes will be replicated to that server. This server's sequence number is lower than the current one, and this DC will pull changes to update its AD database.

    If an object is wrongfully deleted, and replication has occurred, you'll need to perform an authoritative restore. This means booting the server in AD restore mode, restoring the server, and modifying the replication sequence number using NTDSUTIL. This way the sequence number of the data is higher than on any other DC, and changes will be replicated towards your other DCs.
    AD replication is a pulling process, so other DCs pull the AD changes of your restored DC to update their AD database.

    Note: if the tombstone lifetime has not been exceeded you can recover a deleted item without restoring from an actual backup (check ADRestore from Sysinternals).

    Check out: http://support.microsoft.com/?kbid=840001
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com

    • #3
      Re: How to properly bring up a DC after failure

      Thanks.
      So if I want to perform a non-authoritative restore, even after restoring the domain controller using a full backup which also includes system state which in turn also includes active directory (since the backup is from the night before, the USN will be lower than the other domain controller here), I still need to boot into active directory restore mode and restore the system state once again?

      • #4
        Re: How to properly bring up a DC after failure

        To restore AD, you have to reboot that server in active directory restore mode.
        Why?
        This allows the server to boot up without the NTDS services being active. If you were to restore while these services were active, your restore would fail.

        Placing the server in Active Directory restore mode does not make it authoritative, modifying the sequence number does (using NTDSUTIL).

        BLOG: Therealshrimp.blogspot.com
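
The difference between the two restore types discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of pull replication in which the copy with the higher per-object version wins. The class and function names and the sample DNs are constructed for illustration; real AD also compares timestamps and originating DC GUIDs and tracks USN high-watermarks, which this model leaves out.

```python
from dataclasses import dataclass, field

# ntdsutil's default authoritative-restore bump: 100,000 versions per day since backup
AUTH_BUMP_PER_DAY = 100_000
ALICE = "CN=alice,OU=Staff,DC=example,DC=test"  # constructed sample DN
BOB = "CN=bob,OU=Staff,DC=example,DC=test"      # constructed sample DN

@dataclass
class DC:
    name: str
    objects: dict = field(default_factory=dict)  # DN -> (version, value); None = deleted

    def write(self, dn, value):
        """Originating write: bump the object's version by one."""
        version = self.objects.get(dn, (0, None))[0] + 1
        self.objects[dn] = (version, value)

    def pull_from(self, partner):
        """Pull replication: take the partner's copy only if its version is higher."""
        for dn, (version, value) in partner.objects.items():
            if version > self.objects.get(dn, (0, None))[0]:
                self.objects[dn] = (version, value)

def replicate(a, b):
    a.pull_from(b)
    b.pull_from(a)

def restore(dc, backup, authoritative_dns=(), days_since_backup=1):
    """Restore the backup; objects marked authoritative get their version raised."""
    dc.objects = dict(backup)
    for dn in authoritative_dns:
        version, value = dc.objects[dn]
        dc.objects[dn] = (version + AUTH_BUMP_PER_DAY * days_since_backup, value)

def scenario(authoritative):
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write(ALICE, "alice")
    dc1.write(BOB, "bob")
    replicate(dc1, dc2)
    backup = dict(dc2.objects)        # nightly backup taken on DC2
    dc1.write(ALICE, None)            # accidental deletion after the backup
    dc1.write(BOB, "bob-renamed")     # legitimate change after the backup
    replicate(dc1, dc2)               # the deletion reaches DC2
    restore(dc2, backup, [ALICE] if authoritative else [])
    replicate(dc1, dc2)
    return dc1.objects[ALICE][1], dc2.objects[ALICE][1], dc2.objects[BOB][1]

if __name__ == "__main__":
    print("non-authoritative:", scenario(False))
    print("authoritative:    ", scenario(True))
```

In the non-authoritative run the restored DC pulls the deletion back in from its partner; in the authoritative run only the marked object overrides the partner, while the unmarked object still receives the newer change.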