Recovering Active Directory

Posted on 2003-10-27
Last Modified: 2010-04-14
I just recovered my main Windows 2000 domain controller into a test environment to test my disaster recovery procedures. I have two domain controllers in my live environment, but this server holds all of the FSMO roles. I used Arcserve 9.0 to recover the server onto a new box and restore the Active Directory with an authoritative restore. The problem I am encountering now is that I keep getting an event ID 16650. I've searched the web and found instructions to add Authenticated Users and another group to the local security policy, but that does not seem to correct the problem. Although I am recovering in a test environment, I'd like to ensure that in the event of a real disaster, I would be able to restore both of my domain controllers and have them sync up and continue to provide authentication to the domain. Any advice would be greatly appreciated.
Question by:rudejoe

Accepted Solution

Littlefry earned 125 total points
ID: 9630583
Well, try this. When you take the system down that has all the FSMO roles it would be a good idea to seize the roles to the other domain box. Then reload the box you took down and do the authoritative restore. The error might be that one of the roles has not come back correctly after the restore. The infrastructure master cannot be on the same server as the global catalog.

Expert Comment

ID: 9631242
The problem is most likely due to the RID master not initializing properly. Since you are in a test environment you can seize the role. NOTE: Once you do this do not allow this machine back on your production network until it has been blown away and re-built.

Infrastructure Master and all other roles CAN be on the same box. Think about it... If it was not allowed you couldn't build your first/only DC, you'd have nowhere else for the role to reside until you built the second DC.

Expert Comment

ID: 9631341
Well, it's not like it can't be set up that way, but it may not work properly if they are on the same box, since infrastructure looks at the global catalog if it doesn't have what it is looking for. If you only have one box that's kinda stupid for redundancy purposes. Two boxes would be great for redundancy and quicker logon times for users. It is possible to seize the roles in a test environment. Each role is still given out no matter the environment.

Author Comment

ID: 9633773
Thanks for the advice. I've included the exact error message in this message:

Event ID: 16650

The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.

There are no other related messages in the event log. My one concern with seizing the roles is that I have another domain controller on the network which houses some key files and applications which would also need to be restored in the event of a total disaster. If I were to seize the roles, I would not be able to restore this machine in its entirety. I would be forced to do a partial restore and then I would have to re-install the applications.

Are there any other things I should be looking for or any other steps I should take before seizing the roles?

Thanks for all the great advice!

Expert Comment

ID: 9633881
In your test, does the other DC hold any of the FSMO roles? Is it up and running? Can you dcpromo it down, get the first box up and running with AD ( by seizing the roles if necessary), then dcpromo the box back up? What other apps are involved? E2K, SQL?

Author Comment

ID: 9634165
In my test environment, I've only restored this one server, but this server holds all of the roles in the production environment. I don't have another spare box to restore the other DC for testing purposes, but I want to ensure that in the event of a total disaster I would be able to restore both servers. As for other apps involved, I am not running E2K or SQL on any of the DCs, but I do have ADP software installed, Pervasive SQL 2000, and Synergy installed. None of these programs utilize AD. Do you think this error I am getting could be the result of the way that I restored the machine?

I initially installed this machine as a standalone Win2K box with the same name as the production server. I then installed Arcserve 9.0. I restored the drives and the active state, then I restarted the machine in Active Directory recovery mode and restored the active state once again in authoritative mode.

Expert Comment

ID: 10741277
I am having the same problem, any luck with this?

Author Comment

ID: 10741918
I haven't found any workaround yet. If there is an existing Domain Controller already on the network it seems to sync up and resolve the problem.

Expert Comment

ID: 10741958
Trouble is I am testing for our disaster recovery site and at the moment there will only be one DC there. Try this fix I found; I haven't tested it yet but it sounds promising, and is consistent with the problem we are both having, i.e. one DC in a lab environment.

During our testing of recovering the AD from a total disaster, we too had this similar issue. We contacted a Microsoft PSS person and he provided us with the following answer. This is a direct quote from the response. We executed the steps and the RID initialized with no problem.

In addition, we did do other Metadata Cleanup steps such as removing DCs we were not going to bring online and removing the DCs from AD Sites and Services.

Hope this helps...

"Restoring a DC invalidates its RID pool. After SRP1 there is a requirement for a restored RID master to sync with another DC in its own domain before bringing the RID master role on line. It can be any DC in the entire domain.

This scenario usually will only happen in a LAB, as usually there will be another DC in a production domain available. If the only DC in the domain is restored there will be no replica links so the RID Master will come on line.

To fix the issue you can do one of 2 things.

1. Restore a second DC for the RID master to sync with.

2. Delete all of the replica links with repadmin. The syntax is:

repadmin /delete CN=Schema,CN=Configuration,DC=domainname,DC=com <restored server name> <guid-based-dns-name of replica partner> /localonly

The easiest way to get the GUID-based DNS name is to use repadmin /showreps /v first, where it will be displayed.

You have to delete the links for all naming contexts."
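
The quoted PSS procedure has to be repeated for every naming context and every inbound partner, and each command needs the partner's GUID-based DNS name copied out of repadmin /showreps /v by hand. The script below is an added example (not part of the original post, the PSS response, or any Microsoft tool): it parses the INBOUND NEIGHBORS section of /showreps /v output, collects each (naming context, partner address) pair, and prints the repadmin /delete ... /localonly command from the quote for each one. The sample output, server name DC1, domain example.com and all GUIDs are constructed; the assumption that the partner's GUID-based name appears on an "Address:" line under each naming-context heading should be checked against real output before the generated commands are run. Building the commands from the naming-context DNs exactly as repadmin prints them avoids mistyping a context, and the check at the end flags any of the three Windows 2000 naming contexts (domain, Configuration, Schema) for which no link was found.

```python
import re
from typing import List, Tuple

# Constructed sample of `repadmin /showreps /v` output. Layout (an "Address:"
# line under each naming-context heading) is an assumption about the verbose
# format; server names, domain and GUIDs are made up for the example.
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-1111-1111-1111-111111111111
DSA invocationID: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ======================================

DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Address: 33333333-3333-3333-3333-333333333333._msdcs.example.com
        DSA invocationID: 44444444-4444-4444-4444-444444444444
        Last attempt @ 2003-10-27 09:00:00 was successful.

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Address: 33333333-3333-3333-3333-333333333333._msdcs.example.com
        Last attempt @ 2003-10-27 09:00:00 was successful.

CN=Schema,CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Address: 33333333-3333-3333-3333-333333333333._msdcs.example.com
        Last attempt @ 2003-10-27 09:00:00 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Address: 33333333-3333-3333-3333-333333333333._msdcs.example.com
"""

# A naming-context heading is an unindented line beginning with DC= or CN=.
NC_LINE = re.compile(r"^(?:DC|CN)=", re.IGNORECASE)
# The partner's GUID-based DNS name (<guid>._msdcs.<forest>) on the Address: line.
ADDRESS_LINE = re.compile(r"^\s+Address:\s+(\S+)$")


def parse_inbound_neighbors(showreps_text: str) -> List[Tuple[str, str]]:
    """Return (naming_context, guid_based_dns_name) for each inbound replica link.

    Only the INBOUND NEIGHBORS section is read; the outbound section lists the
    same partners but is not what repadmin /delete /localonly operates on.
    """
    links: List[Tuple[str, str]] = []
    in_inbound = False
    current_nc = None
    for raw in showreps_text.splitlines():
        line = raw.rstrip()
        if line.startswith("===="):
            in_inbound = line.upper().startswith("==== INBOUND NEIGHBORS")
            current_nc = None
            continue
        if not in_inbound or not line:
            continue
        if not line[0].isspace() and NC_LINE.match(line):
            current_nc = line          # keep the DN exactly as repadmin printed it
            continue
        match = ADDRESS_LINE.match(line)
        if match and current_nc:
            pair = (current_nc, match.group(1))
            if pair not in links:      # a partner may be listed more than once
                links.append(pair)
    return links


def build_delete_commands(links: List[Tuple[str, str]], restored_server: str) -> List[str]:
    """Render the repadmin /delete command from the PSS quote, one per link.

    /localonly removes the link on the restored DC only; nothing is sent to the
    (possibly no longer existing) partner.
    """
    return [f"repadmin /delete {nc} {restored_server} {partner} /localonly"
            for nc, partner in links]


def expected_contexts(domain_dn: str) -> List[str]:
    """The three naming contexts every Windows 2000 DC holds for its domain."""
    config = f"CN=Configuration,{domain_dn}"
    return [domain_dn, config, f"CN=Schema,{config}"]


def missing_contexts(links: List[Tuple[str, str]], contexts: List[str]) -> List[str]:
    """Contexts from `contexts` with no inbound link found: the quote says all
    naming contexts must be cleaned, so a missing one deserves a second look."""
    seen = {nc for nc, _ in links}
    return [nc for nc in contexts if nc not in seen]


if __name__ == "__main__":
    found = parse_inbound_neighbors(SAMPLE_SHOWREPS)
    for command in build_delete_commands(found, "DC1"):
        print(command)
    for nc in missing_contexts(found, expected_contexts("DC=example,DC=com")):
        print(f"WARNING: no inbound link recorded for {nc}")
```

On a real lab DC, capture the output with `repadmin /showreps /v > showreps.txt`, feed the file to `parse_inbound_neighbors`, and review the printed commands before running any of them; the script deliberately only prints them.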

Expert Comment

ID: 10742034
What I have already done, but need to wait and test tomorrow after a backup runs, is transferred the RID master to another DC in the live environment; after I restore the server in the test environment I should be able to seize the RID master role. Not sure if it will work but it's worth a shot.

I have tried the fix above but I keep getting a message saying 'the naming context specified for this replication operation is invalid'. Maybe I am typing it in wrong, but I can't seem to get it to work.
