
Restoring Domain Controller


  • Restoring Domain Controller

    I had two domain controllers, DC1 and DC2, both Windows Server 2003. DC1 held the Global Catalog and also ran Exchange. DC1 failed yesterday and I ended up restoring last night's full backup onto DC2 by running DC2 in Directory Services Restore Mode. Both had similar hardware, so restoring the image pretty much went through, except for one glitch when I had to install the network driver and set the IP settings to exactly match what DC01 had before failing. Being the naïve person I am, I did not realize that domain controllers cannot be restored like that. Now none of the computers in the domain have any trust relationship with the domain; if I try to join a new computer to the domain it says the domain is not found, all network shares are broken, and all that fun stuff. I don't have any working domain controller in the domain right now to clean up metadata and other things using ntdsutil. dcdiag throws a bunch of errors, starting with a replication error, not being able to find the netlogon share, and the RID Manager test failing.
    Please help. I am not sure what needs to be done to get things working again.

    Here is the event I am getting in Event Viewer, along with other errors:
    This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

    Operations which require contacting a FSMO operation master will fail until this condition is corrected.

    FSMO Role: CN=RID Manager$,CN=System,DC=aat,DC=local

    User Action:

    1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
    2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example, there may be problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
    3. In the rare event that all replication partners being down is an expected occurrence, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on

    Another event:
    Active Directory was unable to establish a connection with the global catalog.

    Additional Data
    Error value:
    1355 The specified domain either does not exist or could not be contacted.
    Internal ID:

    User Action:
    Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

    For more information, see Help and Support Center at

  • #2
    Re: Restoring Domain Controller

    I would consider
    a) Taking DC2 offline (for safety -- eventually it will be nuked)
    b) Restoring DC1 to new hardware from the backup (may need a fresh OS install first, but should then pick up computer name/SID)
    c) Testing
    d) If OK, scrap DC2, clean metadata and do a fresh rebuild for DC2, joining it to the domain and promoting it to a DC again
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
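    One way to do step c) ("Testing") before scrapping DC2, as an added example that is not part of the original thread or of any Microsoft tooling: a PowerShell wrapper around the Windows Server 2003 Support Tools commands the event text itself points at (dcdiag, repadmin, nltest, netdom). It runs the dcdiag tests that the original poster reports as failing (Replications, NetLogons, RidManager) plus KnowsOfRoleHolders, parses the pass/fail lines, checks that a Global Catalog can be located, and only reports the restored DC as healthy when every check is green. The domain name aat.local is taken from the FSMO DN in the posted event; the DC name DC1, and the assumption that PowerShell and the Support Tools are installed on the box you run this from, are mine.

```powershell
# Added example, not from the thread. Assumes: Windows Server 2003 Support Tools
# (dcdiag, repadmin, nltest, netdom) on PATH, run as a domain admin, and that
# DC1 is the DC restored to the original hardware, as in answer #2 step b).
param(
    [string]$Dc     = "DC1",       # assumption: name of the restored DC
    [string]$Domain = "aat.local"  # from the FSMO DN in the posted event
)

$results = @()

function Add-Result([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Passed = $Ok; Detail = $Detail
    }
}

# 1. dcdiag: the tests the original poster saw failing, plus FSMO knowledge.
#    dcdiag prints ".... <DC> passed test <Name>" or "... failed test <Name>".
$tests = "Replications", "NetLogons", "RidManager", "KnowsOfRoleHolders"
foreach ($t in $tests) {
    $out = & dcdiag /s:$Dc /test:$t 2>&1 | Out-String
    if ($out -match "passed test $t") {
        Add-Result "dcdiag $t" $true "passed"
    } else {
        # Keep the failure lines so the operator sees the actual error text.
        $fail = ($out -split "`r?`n" | Where-Object { $_ -match "fail|error" }) -join "; "
        Add-Result "dcdiag $t" $false $fail
    }
}

# 2. repadmin: the event says the RID role cannot be validated until this DC
#    has replicated with a partner since restart. A clean run has no
#    "Last attempt ... failed" lines and at least one "was successful".
$rep = & repadmin /showrepl $Dc 2>&1 | Out-String
$repOk = ($rep -match "was successful") -and ($rep -notmatch "failed, result")
Add-Result "repadmin /showrepl" $repOk ($rep -split "`r?`n" |
    Where-Object { $_ -match "Last attempt" } | Select-Object -First 5) -join "; "

# 3. Global Catalog reachability: the second posted event (error 1355) is
#    exactly what nltest reports when no GC can be located for the domain.
$gc = & nltest /dsgetdc:$Domain /gc 2>&1 | Out-String
$gcOk = ($gc -match "The command completed successfully") -and ($gc -notmatch "1355")
Add-Result "nltest /dsgetdc /gc" $gcOk (($gc -split "`r?`n" | Where-Object { $_ -match "DC:|Flags" }) -join "; ")

# 4. FSMO owners: after a restore or a seize, every role should resolve to a
#    live DC (here the restored DC1); an unresolvable owner means stale metadata.
$fsmo = & netdom query fsmo 2>&1 | Out-String
$fsmoOk = ($fsmo -notmatch "ERROR") -and ($fsmo -match [regex]::Escape($Dc))
Add-Result "netdom query fsmo" $fsmoOk (($fsmo -split "`r?`n" | Where-Object { $_.Trim() }) -join "; ")

# Summary: only proceed to step d) (scrap DC2, metadata cleanup, rebuild) when
# everything is green; otherwise fix the first failure and re-run.
$results | Format-Table Check, Passed, Detail -AutoSize
$healthy = -not ($results | Where-Object { -not $_.Passed })
if ($healthy) {
    Write-Host "$Dc looks healthy; safe to continue with metadata cleanup of DC2."
} else {
    Write-Host "$Dc is NOT healthy; do not remove DC2 metadata yet."
    exit 1
}
```

    Run it from DC1 itself once the restore to the original hardware has completed and the box has been up long enough for initial synchronization; with DC2 still offline (step a) the repadmin check will show the remaining partner as unreachable, which is expected until DC2 is rebuilt and re-promoted, so judge that check by whether DC1 can reach any surviving partner rather than by DC2 alone.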