Hyper-v Snapshots in a Multi-Domain Controller Environment

Coolie Sheppard, Systems Engineer
Hopefully if you are reading this article you have NOT attempted to use an old Hyper-V snapshot on a Domain Controller.  If you have, you're probably beyond frustrated as you have searched Google relentlessly only to find out that doing a snapshot on a Domain Controller is NOT recommended.

Relax, things get better.

I just recently restored my Primary Domain Controller (PDC) back to its original state after making the same mistake.  Hopefully this article will help you solve your issues.

First things first.  Let's discuss all the errors you're probably getting.  After I reverted back to my older snapshot, all hell broke loose.  I wasn't able to replicate to the other domain controllers, group policy was failing, I couldn't UNC (\\Servername) to other domain controllers but could reach them only by IP address, and things only got worse.

Sound familiar?  Good.  You're in the right place.  Let's move past all this reading because I'm sure you just want to figure out how to resolve this issue.  These are the steps you're going to have to take.

1. Use Netdom.exe to Reset Machine Account Passwords
2. Transfer Roles to other Domain Controllers in the Domain
3. Demote Domain Controller
4. Remove Metadata
5. Promote Domain Controller


Okay, seems like a lot, but it's not that bad.  Let's delve into the specifics.

The first thing I did was follow the article below on how to reset the machine account password on all the domain controllers.

http://support.microsoft.com/kb/260575

That requires stopping the Kerberos Key Distribution Center service.  You'll have to disable it, stop it, and reboot each domain controller, including the PDC.  After they come back up, you'll run this command on each server:

netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*

After that you need to reboot each domain controller.

Things were good for me after this point, well, I thought they were until I realized I still wasn't able to replicate or apply group policies.  It may look like everything is fine, but it isn't.  You'll notice that you can now UNC into each server, but don't let that fool you.  

The next thing I did was run this command (you can do this on any DC):

netdom query fsmo

That command shows you which FSMO roles the problem domain controller holds, because those are the roles you will have to transfer to another domain controller.  To transfer the roles you can go to Active Directory Users and Computers, right click on the Domain, go to Operations Master, and transfer the roles over to the appropriate Domain Controller.

If it doesn't allow you, then you will have to use the ntdsutil command to transfer and/or seize the roles.  The article below can help you out in that field.  It's easy.

http://support.microsoft.com/kb/255504

Once the roles have been transferred, you'll need to forcibly demote the DC using the command:

dcpromo /forceRemoval

You'll have to force it because, since you can't replicate, the regular demotion will error out.

After you remove AD, the next thing to do is to go to another Domain Controller, go to Active Directory Users and Computers, click on the Domain Controllers OU, and delete the DC you just demoted.  In Windows 2008, cleaning metadata is automated.  However, if you demote your DC by force, all you have to do is go to the Domain Controller OU and delete the DC.  You can read more information on it below:

http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx

That's all you have to do in cleaning the metadata for Windows 2008 R2.  With earlier versions, you'll have to use the ntdsutil command which is also included in the article above.

Lastly, you'll need to promote the DC back which is the easiest part.  All of your DNS, DHCP, WINS settings you had in place will come back.  Yay!
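The checks around steps 2 through 5 above, as an added PowerShell example.  This is not the author's script; it assumes Windows Server 2008 R2 or later with the ActiveDirectory module (RSAT) and repadmin.exe available, and the names BADDC (the DC reverted from the snapshot) and GOODDC (a healthy replication partner) are constructed placeholders.  Run it from the healthy DC, not from the reverted one; step 1 (the KDC stop and netdom resetpwd on each DC) stays a manual, per-server task as the article describes.

```powershell
# Added example for the article's steps 2 to 5; not the author's own script.
# Assumes Windows Server 2008 R2 or later with the ActiveDirectory module (RSAT) and
# repadmin.exe. BADDC (the DC reverted from the snapshot) and GOODDC (a healthy
# replication partner) are constructed placeholder names; change them before running.
Import-Module ActiveDirectory

$BadDc  = 'BADDC'
$GoodDc = 'GOODDC'

# Step 2: list the FSMO roles a given DC holds. Same information as "netdom query fsmo",
# but returned as role names that Move-ADDirectoryServerOperationMasterRole accepts.
function Get-FsmoRolesHeldBy {
    param([string]$DcName)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $holders = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    # Holders come back as FQDNs (e.g. baddc.corp.example); compare on the host label only.
    $holders.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $DcName } |
        ForEach-Object { $_.Key }
}

# Move every role the bad DC holds to the healthy one. -Seize maps to the cmdlet's -Force,
# which is the "seize" path the article's KB 255504 reference covers when a clean transfer
# is refused because the bad DC cannot replicate.
function Move-FsmoRolesTo {
    param([string]$FromDc, [string]$ToDc, [switch]$Seize)
    $held = @(Get-FsmoRolesHeldBy -DcName $FromDc)
    if ($held.Count -eq 0) {
        Write-Host "$FromDc holds no FSMO roles; nothing to move."
        return
    }
    Write-Host "Moving $($held -join ', ') from $FromDc to $ToDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $ToDc -OperationMasterRole $held `
        -Force:$Seize -Confirm:$false
}

# Gate for step 3: only run "dcpromo /forceremoval" on the bad DC once it holds no roles.
function Test-FsmoClearOf {
    param([string]$DcName)
    return (@(Get-FsmoRolesHeldBy -DcName $DcName).Count -eq 0)
}

# Step 4 check: after the forced demotion and the ADUC delete the article describes, the
# bad DC's server object should be gone from the Sites container as seen by the healthy DC.
function Test-DcMetadataRemoved {
    param([string]$DcName, [string]$QueryDc)
    $configNc = (Get-ADRootDSE -Server $QueryDc).configurationNamingContext
    $obj = Get-ADObject -Server $QueryDc -SearchBase $configNc `
        -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    return ($null -eq $obj)
}

# Step 5 check: after re-promotion, repadmin should report no inbound replication errors
# for the rebuilt DC. Matching on "failed" is a heuristic on repadmin's text output.
function Test-ReplicationHealthy {
    param([string]$DcName)
    $out = & repadmin.exe /showrepl $DcName /errorsonly 2>&1 | Out-String
    return ($out -notmatch 'failed')
}

Move-FsmoRolesTo -FromDc $BadDc -ToDc $GoodDc        # add -Seize if the transfer is refused
if (Test-FsmoClearOf -DcName $BadDc) {
    Write-Host "OK: $BadDc holds no FSMO roles; safe to run dcpromo /forceremoval on it."
}
```

After the forced removal and the ADUC delete, call Test-DcMetadataRemoved -DcName $BadDc -QueryDc $GoodDc to confirm the server object is really gone before re-promoting, and Test-ReplicationHealthy -DcName $BadDc once the new promotion has finished.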


One last thing: you may want to recreate the group policies you had in place.  In my case I only had to relink them to the domain, but they were giving me problems, so I went ahead and recreated them and was good to go.

That's it.  The moral of the story is DO NOT TAKE SNAPSHOTS OF DOMAIN CONTROLLERS WITH HYPER-V!


Hope this article helps someone.

Comments (1)

Bookmarking this for future reference. Thanks for writing!
