Restoring W2K Active Directory

  • Restoring W2K Active Directory

    Hi Everyone,

    First of all let me say thanks for reading.

    I have been reading about restoring Active Directory on Windows 2000 Server all day long. I have read many many articles and pored over Google's results for a very long time and I'm left more confused than I was when I started.

    I started with the company three months ago and have now been tasked with ensuring that our backup procedure translates into an effective restore procedure too. Obviously there's little point in spending ages backing stuff up if restoring it isn't going to work.

    Anyway, as much as I've read and learned today, I have been left equally as confused by the stipulations and recommendations I've read. Finding a decent article that covers the kind of scenario I need to recover from isn't easy either.

    Let us just say that a bomb has gone off in my server room and everything is completely destroyed. Luckily I have my backup media and a blank server sitting in front of me that I need to restore to.

    My current AD domain is a single forest and a single domain. Oddly my predecessor named it as a child domain so it's I have four DC's, one of which holds all 5 FSMO roles. Now if you read around some of the articles I've come across, they say not to restore the RID master. First question: Since one of my DC's holds all 5 FSMO roles (including the RID master role of course) does this automatically make that DC ineligible for restoration? I can't find anything that suggests otherwise. Given that a bomb hasn't gone off in my server room, I can move FSMO's around if I want... but is it necessary?

    I've read articles that suggest that for single forest, single domain structures, you should host all 5 FSMO roles on one server. Can that be described as best practice given that restoring the RID master role (apparently) causes problems?

    Ultimately I want to replicate my current AD structure in to a test lab BUT do not want to do it by promoting a member server in to my existing domain. For the purposes, assume I've got nothing of the old network left, I'm standing there with a completely new and unrelated server and the backup tapes. How can I get my AD up and running again when all 5 FSMO roles (including the RID master) are hosted on one DC? I presume that this one DC should be the one to be restored but....

    See what I mean?

    Any help would be appreciated.


  • #2
    Re: Restoring W2K Active Directory

    I am quite sure the RID Master thing has been fixed in W2K3 SP1, but I do not seem to find any reference.

    In any case, you can always put RID master on another DC and when performing the restore of the DC that was holding the rest 4 FSMOs (it is indeed the best candidate for the restore), just seize the RID Master role (this will also bump up the RID pool sequence number).

    After that just DCPROMO some more DCs and you have a test lab almost identical to your production AD.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Restoring W2K Active Directory

      Thanks for your response Guy. For info I'm running a Windows 2000 SP4 Domain and Forest.

      This may seem like a daft question but is seizing the FSMO roles still required after I've run the restore? Do I just avoid seizing the RID role, promote another DC and then seize the RID role to that instead? Can the restored DC still operate properly without the RID role while I'm still bringing up another DC?

      My apologies but this restore process is possibly the most confusing thing I've ever done!


      • #4
        Re: Restoring W2K Active Directory

        Your best bet will be to add another domain controller; you can transfer some of the roles now, or when restoring AD you can transfer the roles. But I don't think you need to leave out the RID master when you are restoring AD. In a test environment I have actually restored AD with the 5 roles.


        • #5
          Re: Restoring W2K Active Directory

          Hi Kaycee, thanks for your response.

          I know that promoting a DC in to the working domain is the best bet and makes life much easier but if there is a fire in the server room and all systems are destroyed I wouldn't be able to do that.

          What causes me confusion is the fact that I'm not supposed to restore the RID role (as per Microsoft's recommendations) but if all 5 FSMO roles are on just one of the DC's (including the RID master role), how am I supposed to restore my domain without possibly causing corruption?

          The fact that other people recommend that all 5 FSMO roles remain on just one DC is even more confusing. How can that be described as good practice when as far as Microsoft are concerned, you can't (or shouldn't) restore a DC that has the RID master role.

          Microsoft also recommend that the PDC and RID roles remain on one DC and that the Schema master and Domain Naming Master also remain on one DC, whether that's the same DC that's hosting the PDC and RID roles is another question. The only role left that I can transfer to another DC is the Infrastructure master which basically means that is the only DC I could potentially restore. I see little point backing up two DC's when only one of them (assuming I transfer the Infrastructure master role) could be used for restoration purposes.

          The amount of contradiction is frightening to someone trying to familiarise themselves with this process. If anyone has any links that can shed any proper light on the contradictions I mention above, please, please get in touch.

          Thanks again for reading, again, if you can help me at all, please reply.

          PS. I've just tried to restore the DC with the 5 FSMO roles but after the restore, ntoskrnl.exe was missing or corrupt, I couldn't run an in place repair, even with an ERD! I'm following Article 263532 by Microsoft and it's woefully short of information. Argh, the frustration!


          • #6
            Re: Restoring W2K Active Directory

            I am thinking out loud here as I am trying to think why restoring the RID master would be troublesome in your scenario. After all the RID is handed out in pools to all of the DC's and in your case the other DC's will not exist, if you restore the DC with the FSMO roles first, and the others later. So as long as you haven't gone over the tombstone period, you should get everything back on-line as it was.
            Perhaps restore all of the servers one after the other without connecting them and only when you have them all, connect them and start replicating!

            Steven Teiger [SBS-MVP(2003-2009)]
            I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

            We don't stop playing because we grow old, we grow old because we stop playing.


            • #7
              Re: Restoring W2K Active Directory

              Well I'm a little further on than I was. The RID master role does cause MAJOR issues and as such I had to use repadmin /delete to remove the replication links between all of the other servers.

              The whole idea was to restore my domain from scratch using one DC, it looks like I've succeeded! Unfortunately, the process is a nightmare. I guess it's not likely to be simple though.

              I'm going to try and document the process, potential pitfalls etc but there are soooo many variables it's not even funny.

              The machine I restored was the role holder for everything on the domain but I still had to perform role seizures on all other roles. When I was doing the seizure of the RID role, it said it was already the role owner. Still, this was causing major problems. SAM account failed to initialize properly, Article 839879 covers the fix for that but it's far from being a clear article.

              I decided to perform a metadata cleanup, seize all the FSMO roles and completely remove all references to the now non-existent DC's in DNS. I also had to restore the SYSVOL again because for some reason, it didn't put it back on during the primary restore process. I had to restore the System State to an alternative location and copy the policies and scripts folders back to the relevant directory on the restored DC.

              Anyway, as I said, I'm going to try and document the process, once I've done so I'll post here for others struggling with the concept.

              At this moment everything looks just fine but if I come across any show stoppers in what I have done so far I will keep you notified also. Many thanks for your help
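
The role seizure and metadata cleanup steps mentioned in post #7, written out as `ntdsutil` command lines for a single restored Windows 2000 DC. This is an added example, not part of the original posts or the poster's documented procedure. `DC1` and the domain, site and server indices are assumed placeholders, and `repadmin` and `dcdiag` are assumed to be installed from the Windows 2000 Support Tools.

```batch
@echo off
rem Added example. DC1 is a hypothetical name for the restored domain controller.
rem Run on the restored DC after it has booted normally, not in
rem Directory Services Restore Mode.
set DC=DC1

rem 1. Show which server the directory currently records as owner of each
rem    of the five FSMO roles.
ntdsutil roles connections "connect to server %DC%" quit "select operation target" "list roles for connected server" quit quit quit

rem 2. Seize all five roles onto the restored DC. ntdsutil first attempts a
rem    clean transfer and only seizes if the recorded owner is unreachable.
rem    Each seizure asks for confirmation.
ntdsutil roles connections "connect to server %DC%" quit "seize schema master" "seize domain naming master" "seize PDC" "seize RID master" "seize infrastructure master" quit quit

rem 3. Metadata cleanup: remove the server object of one destroyed DC.
rem    Repeat once per lost DC. The indices below are placeholders: walk
rem    through the menus interactively first and read the real numbers
rem    from the "list ..." output before selecting.
set DOMAIN_IDX=0
set SITE_IDX=0
set DEAD_SERVER_IDX=1
ntdsutil "metadata cleanup" connections "connect to server %DC%" quit "select operation target" "list domains" "select domain %DOMAIN_IDX%" "list sites" "select site %SITE_IDX%" "list servers in site" "select server %DEAD_SERVER_IDX%" quit "remove selected server" quit quit

rem 4. Verify. The lost DCs should no longer be listed as replication
rem    partners, and the role holder and RID manager checks should pass.
repadmin /showreps %DC%
dcdiag /s:%DC% /test:KnowsOfRoleHolders
dcdiag /s:%DC% /test:RidManager
```

Metadata cleanup does not remove the DNS records of the lost DCs; as the post notes, those still have to be cleaned out of DNS separately.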