
Hyper-v Snapshots in a Multi-Domain Controller Environment

Hopefully, if you are reading this article, you have NOT attempted to revert a Domain Controller to an old Hyper-V snapshot. If you have, you're probably beyond frustrated, having searched Google relentlessly only to find out that snapshotting a Domain Controller is NOT recommended.

Relax, things get better.

I just recently restored my Primary Domain Controller (PDC) back to its original state after making the same mistake. Hopefully this article will help you solve your issues.

First things first. Let's discuss all the errors you're probably getting. After I reverted back to my older snapshot, all hell broke loose. I wasn't able to replicate to the other domain controllers, group policy was failing, I couldn't UNC (\\Servername) to other domain controllers but could reach them only by IP address, and things only got worse.

Sound familiar? Good. You're in the right place. Let's move past all this reading, because I'm sure you just want to figure out how to resolve this issue. These are the steps you're going to have to take.

1. Use Netdom.exe to Reset Machine Account Passwords
2. Transfer Roles to other Domain Controllers in the Domain
3. Demote Domain Controller
4. Remove Metadata
5. Promote Domain Controller


Okay, seems like a lot, but it's not that bad.  Let's delve into the specifics.

The first thing I did was follow the article below on how to reset the machine account password on all the domain controllers.

http://support.microsoft.com/kb/260575

That requires stopping the Kerberos Key Distribution Center (KDC) service, so that each domain controller obtains Kerberos tickets from its replication partner instead of issuing them to itself against the stale machine account password. On each domain controller, including the PDC, you'll have to disable the service, stop it, and reboot. After they come back up, you'll run the command below on each server (/server names a healthy replication partner, /userd a domain administrator account, and /passwordd:* makes netdom prompt for the password instead of taking it on the command line):

netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*

After that you need to reboot each domain controller.

Things were good for me after this point, well, I thought they were until I realized I still wasn't able to replicate or apply group policies.  It may look like everything is fine, but it isn't.  You'll notice that you can now UNC into each server, but don't let that fool you.  
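Before going further, it is worth confirming that the DC really is in the quarantined state these symptoms suggest rather than guessing from the UNC behaviour. The following PowerShell is an added example and not part of the original article; it assumes it is run in an elevated session locally on the reverted DC with repadmin.exe available, and it checks the indicators Microsoft documents for USN rollback (KB 875495): event 2095 in the Directory Service log, the DSA Not Writable registry value set to 4 under the NTDS Parameters key, a paused Netlogon service, and inbound replication failures as reported by repadmin.

```powershell
# Added example, not from the original article.
# Run locally, elevated, on the domain controller that was reverted to the snapshot.

function Test-UsnRollbackIndicators {
    [CmdletBinding()]
    param()

    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # 1. NTDS logs event 2095 when a partner remembers a higher USN for this DC's
    #    invocation ID than the DC itself now has, i.e. the snapshot revert.
    $rollbackEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                          -MaxEvents 5 -ErrorAction SilentlyContinue)

    # 2. On detection NTDS writes 'DSA Not Writable' = 4 and stops replicating in both directions.
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'DSA Not Writable'

    # 3. Netlogon is paused so the DC stops advertising itself; that is what breaks
    #    name-based UNC access and Group Policy while IP access still works.
    $netlogonStatus = (Get-Service -Name Netlogon).Status

    # 4. repadmin lists each inbound partner whose last attempt failed. In a USN
    #    rollback the partners answer with 8456/8457 (source/destination rejecting replication).
    $replOutput = & repadmin.exe /showrepl /errorsonly 2>&1
    $failedLines = @($replOutput | Where-Object { $_ -match 'failed, result|Last error' })

    [pscustomobject]@{
        Event2095Count = $rollbackEvents.Count
        DsaNotWritable = $dsaNotWritable
        NetlogonStatus = $netlogonStatus
        ReplFailures   = $failedLines.Count
        LikelyRollback = ($rollbackEvents.Count -gt 0) -or
                         ($dsaNotWritable -eq 4) -or
                         ($netlogonStatus -eq 'Paused')
    }
}

Test-UsnRollbackIndicators | Format-List
```

If LikelyRollback comes back true, the machine account password reset alone will not fix it: the DC has deliberately quarantined itself, and the demote/clean/re-promote steps that follow are the supported way out.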

The next thing I did was run this command (you can do this on any DC):

netdom query fsmo

That command shows which roles the problem domain controller holds; these are the roles you will have to transfer to another domain controller. To transfer the roles, open Active Directory Users and Computers, right-click the domain, go to Operations Masters, and transfer the roles to the appropriate domain controller.

If it doesn't let you, you'll have to use the ntdsutil command to transfer and/or seize the roles. The article below can help you out in that field. It's easy.

http://support.microsoft.com/kb/255504

Once the roles have been transferred, you'll need to forcibly demote the DC using the command:

dcpromo /forceRemoval

You'll have to force it because, since the DC can't replicate, a normal demotion will error out.

After you remove AD, the next thing to do is to go to another domain controller, open Active Directory Users and Computers, click the Domain Controllers OU, and delete the DC you just demoted. In Windows Server 2008 metadata cleanup is automated: when a DC has been demoted by force, deleting its computer object from the Domain Controllers OU is all it takes to trigger the cleanup. You can read more about it below:

http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx

That's all you have to do to clean up the metadata on Windows Server 2008 R2. On earlier versions you'll have to use the ntdsutil command, which is also covered in the article above.

Lastly, you'll need to promote the DC back, which is the easiest part. All of the DNS, DHCP and WINS settings you had in place will come back. Yay!
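The five steps above, collected into PowerShell functions as an added example; this is not the author's script, and the reboots between steps are left to the operator. Each function says which machine it runs on. The names are assumptions to replace with your own: DC01 is the reverted DC, DC02 its healthy replication partner and the new role holder, contoso.local the domain and Default-First-Site-Name the site. Steps 3 and 5 call dcpromo as the article does (Windows Server 2008 R2); on Windows Server 2012 and later the equivalents are Uninstall-ADDSDomainController -ForceRemoval and Install-ADDSDomainController.

```powershell
# Added example, not from the original article. All names below are placeholders.
Import-Module ActiveDirectory

$BadDc  = 'DC01'           # the DC that was reverted to the snapshot
$GoodDc = 'DC02'           # healthy replication partner / new FSMO holder
$Domain = 'contoso.local'

# --- Step 1a: run on EVERY domain controller, including the PDC, then reboot ---
function Disable-KdcForPasswordReset {
    # With the KDC stopped the DC gets its Kerberos tickets from a partner instead of
    # issuing them to itself against the stale machine account password.
    Set-Service -Name Kdc -StartupType Disabled
    Stop-Service -Name Kdc
    Write-Host "KDC disabled on $env:COMPUTERNAME - reboot now."
}

# --- Step 1b: after the reboot, on each DC, reset the password against a partner ---
function Reset-DcMachineAccountPassword {
    param([string]$Partner, [string]$AdminAccount)
    # /passwordd:* makes netdom prompt, so the password never lands in console history.
    & netdom.exe resetpwd /server:$Partner /userd:"$Domain\$AdminAccount" /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    Set-Service -Name Kdc -StartupType Automatic    # re-enable before the second reboot
    Write-Host "Machine account password reset on $env:COMPUTERNAME - reboot again."
}

# --- Step 2: run on any DC. Find which roles the bad DC holds and move them ---
function Get-FsmoRoleHolders {
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRolesFromBadDc {
    $holders = Get-FsmoRoleHolders
    # Role holders are returned as FQDNs, so match on the host name prefix.
    $roles = @($holders.PSObject.Properties |
               Where-Object { $_.Value -like "$BadDc.*" } |
               ForEach-Object { $_.Name })
    if ($roles.Count -eq 0) { Write-Host "$BadDc holds no FSMO roles."; return }
    # -Force seizes when a clean transfer is impossible because replication is broken;
    # this is the ntdsutil 'seize' fallback the article refers to.
    Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc -OperationMasterRole $roles -Force -Confirm:$false
    Get-FsmoRoleHolders
}

# --- Step 3: run on the bad DC. Forced, because a normal demotion needs replication ---
function Invoke-ForcedDemotion {
    & dcpromo.exe /forceremoval
}

# --- Step 4: run on a healthy DC. Remove the stale server object and computer account ---
function Remove-StaleDcMetadata {
    param([string]$Site = 'Default-First-Site-Name')
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $serverDn = "CN=$BadDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
    # Same operation ADUC performs automatically on 2008 R2 when you delete the DC.
    & ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit
    # The computer object in the Domain Controllers OU has child objects, hence -Recursive.
    Get-ADComputer -Identity $BadDc -ErrorAction SilentlyContinue |
        Remove-ADObject -Recursive -Confirm:$false
}

# --- Step 5: run on the demoted machine to promote it back as an additional DC ---
function Invoke-Promotion {
    & dcpromo.exe    # interactive: choose 'additional domain controller for an existing domain'
}
```

Run Get-FsmoRoleHolders once more on a healthy DC after step 2 and again after step 5; every role should name a DC that is replicating normally before the old machine is promoted back.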


One last thing: you may want to recreate the policies you had in place, because although I only had to relink them to the domain, they were giving me problems, so I went ahead and recreated them and was good to go.

That's it.  The moral of the story is DO NOT TAKE SNAPSHOTS WITH HYPER-V!


Hope this article helps someone.
Author: cshepfam

1 Comment
Expert Comment by: Trefenwyd

Bookmarking this for future reference. Thanks for writing!
