<

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Hyper-v Snapshots in a Multi-Domain Controller Environment

Published on
10,763 Points
4,663 Views
1 Endorsement
Last Modified:
Approved
Hopefully if you are reading this article you have NOT attempted to use an old Hyper-V snapshot on a Domain Controller.  If you have, you're probably beyond frustrated as you have searched Google relentlessly only to find out that doing a snapshot on a Domain Controller is NOT recommended.

Relax, things get better.

I just recently restored my Primary Domain Controller (PDC) back to it's original state after making the same mistake.  Hopefully this article will help you in order to solve your issues.

First thing first.  Let's discuss all the errors you're probably getting.  After I reverted back to my older snapshot, all hell broke loose.  I wasn't able to replicate to the other domain controllers, group policy was failing, I couldn't UNC (\\Servername) to other domain controllers but could do it only by IP Address, and things only got worse.

Sound familiar?  Good.  You're in the right place.  Let's move past all this reading because I'm sure you're just wanting to figure out how to resolve this issue.  This is the steps you're going to have to take.

1. Use Netdom.exe to Reset Machine Account Passwords
2. Transfer Roles to other Domain Controllers in the Domain
3. Demote Domain Controller
4. Remove Metadata
5. Promote Domain Controller


Okay, seems like a lot, but it's not that bad.  Let's delve into the specifics.

First thing I done was followed the article below on how to reset the password on all the domain controllers.

http://support.microsoft.com/kb/260575

That requires stopping the Kerberos Key Distribution Center service.  You'll have to disable it, stop it, reboot each domain controller including the PDC.  After they come back up, you'll run the command on each server:

netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*

After that you need to reboot each domain controller.

Things were good for me after this point, well, I thought they were until I realized I still wasn't able to replicate or apply group policies.  It may look like everything is fine, but it isn't.  You'll notice that you can now UNC into each server, but don't let that fool you.  

The next thing I did was ran this command (you can do this on any DC)

netDOM /query FSMO

that command showed me what roles the problem domain controller had because these are the roles you will have to transfer to another domain controller.  To transfer the roles you can go to Active Directory Users and Computers, right click on the Domain, go to Operations Master, and transfer the roles over to the appropriate Domain Controller.

If it doesn't allow you, then you will have to use the ntdsutil command to transfer and/or seize the roles.  The article below can help you out in that field.  It's easy.

http://support.microsoft.com/kb/255504

Once the roles have been transferred, you'll need to forcibly demote the DC using the command:

dcpromo /forceRemoval

You'll have to force it because since you can't replicate you'll error out trying to do it the regular way.

After you remove AD, the next thing to do is to go to another Domain Controller, go to Active Directory Users and Computers, click on the Domain Controllers OU, and delete the DC you just demoted.  In Windows 2008, cleaning metadata is automated.  However, if you demote your DC by force, all you have to do is go to the Domain Controller OU and delete the DC.  You can read more information on it below:

http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx

That's all you have to do in cleaning the metadata for Windows 2008 R2.  With earlier versions, you'll have to use the ntdsutil command which is also included in the article above.

Lastly, you'll need to promote the DC back which is the easiest part.  All of your DNS, DHCP, WINS settings you had in place will come back.  Yay!


One last thing, the policies you had in place, you may want to recreate them because although I just had to relink them back to the domain, it was giving me problems so I went ahead and recreated them and was good to go.

That's it.  The moral of the story is DO NOT TAKE SNAPSHOTS WITH HYPER-V!


Hope this article helps someone.
1
Comment
Author:cshepfam
1 Comment
LVL 2

Expert Comment

by:Trefenwyd
Bookmarking this for future reference. Thanks for writing!
0

Featured Post

Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

Join & Write a Comment

Basic Overview of office 365 user portal
I've published three five-minute Experts Exchange video Micro Tutorials that describe terrific features in an excellent, free PDF product called PDF-XChange Editor: How to rotate pages in a PDF with free software (https://www.experts-exchange.com…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month