Solved

Recovering Active Directory

Posted on 2003-10-27
346 Views
Last Modified: 2010-04-14
I just recovered my main Windows 2000 domain controller into a test environment to test my disaster recovery procedures. I have two domain controllers in my live environment, but this server holds all of the FSMO roles. I used Arcserve 9.0 to recover the server onto a new box and restore the Active Directory with an authoritative restore. The problem I am encountering now is that I keep getting an event ID 16650. I've searched the web and found instructions to add Authenticated Users and another group to the local security policy, but that does not seem to correct the problem. Although I am recovering in a test environment, I'd like to ensure that in the event of a real disaster I would be able to restore both of my domain controllers and have them sync up and continue to provide authentication to the domain. Any advice would be greatly appreciated.
Question by:rudejoe
11 Comments
 
LVL 1

Accepted Solution

by:
Littlefry earned 125 total points
ID: 9630583
Well, try this. When you take the system down that has all the FSMO roles it would be a good idea to seize the roles to the other domain box. Then reload the box you took down and do the authoritative restore. The error might be that one of the roles has not come back correctly after the restore. The infrastructure master cannot be on the same server as the global catalog.
LVL 2

Expert Comment

by:lazerstl
ID: 9631242
The problem is most likely due to the RID master not initializing properly. Since you are in a test environment you can seize the role. NOTE: Once you do this do not allow this machine back on your production network until it has been blown away and re-built.

 Infrastructure Master and all other roles CAN be on the same box. Think about it... If it was not allowed you couldn't build your first/only DC, you'd have nowhere else for the role to reside until you built the second DC.
LVL 1

Expert Comment

by:Littlefry
ID: 9631341
Well, it's not like it can't be set up that way, but it may not work properly if they are on the same box, since the infrastructure master looks at the global catalog if it doesn't have what it is looking for. If you only have one box that's kinda stupid for redundancy purposes. Two boxes would be great for redundancy and quicker logon times for users. It is possible to seize the roles in a test environment. Each role is still given out no matter the environment.

Author Comment

by:rudejoe
ID: 9633773
Thanks for the advice.  I've included the exact error message in this message:

Event ID: 16650

The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.

There are no other related messages in the event log. My one concern with seizing the roles is that I have another domain controller on the network which houses some key files and applications which would also need to be restored in the event of a total disaster. If I were to seize the roles, I would not be able to restore this machine in its entirety. I would be forced to do a partial restore and then I would have to re-install the applications.

Are there any other things I should be looking for or any other steps I should take before seizing the roles?

Thanks for all the great advice!
LVL 2

Expert Comment

by:lazerstl
ID: 9633881
In your test, does the other DC hold any of the FSMO roles? Is it up and running? Can you dcpromo it down, get the first box up and running with AD ( by seizing the roles if necessary), then dcpromo the box back up? What other apps are involved? E2K, SQL?

Author Comment

by:rudejoe
ID: 9634165
In my test environment, I've only restored this one server, but this server holds all of the roles in the production environment.  I don't have another spare box to restore the other DC for testing purposes, but I want to ensure that in the event of a total disaster I would be able to restore both servers.  As for other apps involved,  I am not running E2K or SQL on any of the DCs, but I do have ADP software installed, Pervasive SQL 2000, and Synergy installed.  None of these programs utilize AD.  Do you think this error I am getting could be the result of the way that I restored the machine?

I initially installed this machine as a standalone Win2K box with the same name as the production server. I then installed Arcserve 9.0. I restored the drives and the active state, then I restarted the machine in Active Directory recovery mode and restored the active state once again in authoritative mode.

Thanks.


 

Expert Comment

by:langsfordc
ID: 10741277
I am having the same problem, any luck with this?

Author Comment

by:rudejoe
ID: 10741918
I haven't found any work around yet.  If there is an existing Domain Controller already on the network it seems to synch up and resolve the problem.

Expert Comment

by:langsfordc
ID: 10741958
Trouble is I am testing for our disaster recovery site and at the moment there will only be one DC there. Try this fix I found; I haven't tested it yet, but it sounds promising and is consistent with the problem we are both having, i.e. one DC in a lab environment.

During our testing of recovering the AD from a total disaster, we too had this similar issue. We contacted a Microsoft PSS person and he provided us with the following answer. This is a direct quote from the response. We executed the steps and the RID initialized with no problem.

In addition, we did do other Metadata Cleanup steps such as removing DCs we were not going to bring online and removing the DCs from AD Sites and Services.  

Hope this helps...

"Restoring a DC invalidates its RID pool. After SRP1 there is a requirement for a restored RID master to sync with another DC in its own domain before bringing the RID master role online. It can be any DC in the entire domain.

This scenario usually will only happen in a lab, as usually there will be another DC in a production domain available. If the only DC in the domain is restored there will be no replica links, so the RID Master will come online.

To fix the issue you can do one of 2 things.

1. Restore a second DC for the RID master to sync with.

2. Delete all of the replica links with repadmin. The syntax is:

repadmin /delete CN=Schema,CN=Configuration,DC=domainname,DC=com <restored server name> <guid-based-dns-name of replica partner> /localonly

The easiest way to get the guid-based dns name is to use repadmin /showreps /v  first, where it will be displayed.

You have to delete the links for all naming contexts."
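
The repadmin clean-up quoted above, scripted as an added example (this is not code from the thread or from Microsoft PSS): it reads the verbose replication report for the restored DC, collects every inbound partner under every naming context, and issues the matching repadmin /delete ... /localonly for each one, so the "all naming contexts" requirement is met without typing each DN and GUID-based name by hand. Assumptions: repadmin.exe is on the PATH (Windows 2000/2003 Support Tools; built in from Windows Server 2008), the script runs as a domain admin on the restored DC inside the isolated lab network, and the parameter name $RestoredDc and the sample name DC1 are hypothetical. /showreps and /v are the Windows 2000 spellings used in the thread; newer repadmin builds also accept /showrepl and /verbose.

```powershell
<#
  Added example, not code from the thread or from Microsoft PSS.
  Deletes every inbound replica link on a restored, lone lab DC with
  "repadmin /delete <NC> <restored DC> <guid-based DNS name> /localonly",
  once per naming context, as the quoted PSS steps describe.
  Assumptions (hypothetical): repadmin.exe is on the PATH, you are a domain
  admin on the restored DC inside the isolated lab, $RestoredDc is that DC.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$RestoredDc,     # e.g. 'DC1' (hypothetical name)
    [switch]$WhatIf          # print the repadmin /delete commands, run nothing
)

# Verbose output lists each naming context at column 0 and, indented under it,
# every inbound partner with its GUID-based DNS name on an "Address:" line:
#   DC=contoso,DC=com
#       Default-First-Site-Name\DC2 via RPC
#           DSA object GUID: 6f1a...
#           Address: 6f1a...._msdcs.contoso.com
$output = & repadmin /showreps $RestoredDc /v 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /showreps failed (exit $LASTEXITCODE): $($output -join ' ')"
}

$links     = @()
$currentNc = $null
foreach ($line in $output) {
    $text = [string]$line
    # Stop at the outbound / KCC sections; only inbound links get deleted.
    if ($text -match '^====' -and $text -notmatch 'INBOUND') { break }
    # A naming-context header is a DN starting at column 0.
    if ($text -match '^(CN=|DC=)\S') {
        $currentNc = $text.Trim()
        continue
    }
    # Inbound partner's GUID-based DNS name (shown only in verbose mode).
    if ($currentNc -and $text -match '^\s+Address:\s+(\S+\._msdcs\.\S+)') {
        $links += [pscustomobject]@{ NamingContext = $currentNc; Source = $Matches[1] }
    }
}

if ($links.Count -eq 0) {
    Write-Host "No inbound replica links on $RestoredDc; nothing to delete."
    return
}

foreach ($link in $links) {
    # Each DN travels as a single argument, so repadmin sees the naming context whole.
    $repArgs = @('/delete', $link.NamingContext, $RestoredDc, $link.Source, '/localonly')
    if ($WhatIf) {
        Write-Host "WhatIf: repadmin $($repArgs -join ' ')"
        continue
    }
    & repadmin @repArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin /delete failed for '$($link.NamingContext)' from $($link.Source) (exit $LASTEXITCODE)"
    }
}

# Verify: with no partners left, the RID master has nothing to wait for.
# Event ID 16650 says the allocator retries on its own, so check the System
# log (or reboot the DC) and confirm the event stops recurring.
& repadmin /showreps $RestoredDc
```

Run it with -WhatIf first and read the printed commands against the /showreps output before letting it delete anything. Like seizing roles, this is lab-only surgery: the DC it runs on has had its view of the forest rewritten, and, as lazerstl notes above, it should be rebuilt before it ever touches the production network again.
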

Expert Comment

by:langsfordc
ID: 10742034
What I have already done, but need to wait and test tomorrow after a backup runs, is transferred the RID master to another DC in the live environment, and after I restore the server in the test environment I should be able to seize the RID master role. Not sure if it will work but it's worth a shot.

I have tried the fix above but I keep getting a message saying 'the naming context specified for this replication operation is invalid'. Maybe I am typing it in wrong, but I can't seem to get it to work.