Help! Lost the AD Forest Root!

Posted on 2003-11-18
Last Modified: 2008-02-26
I'm an MCSA who's been thrown in completely at the deep end with the mother of all disaster recovery challenges. Two days to resurrect a forest root domain controller that hosts a number of subdomains.

Sounds easy? Well, it was the only DC in its domain and we don't have ANY backup apart from the GHOST image created after running DCPROMO for the first time.

I work at a college, and recently set up a lab of W2K servers.

We were broken into recently, and a bunch of machines and drives were nicked from the office adjoining the lab; unfortunately this included the forest root - a machine called INSTRUCTOR which was the first DC in the Room.College domain.

Even more unfortunately, in the resulting nicking spree, the backups were nicked as well as a couple of student machines. Fortunately they were disturbed before the whole room got cleared out.

(I'm not joking.)

The remaining PCs in this room were set up as seperate DCs, each in its own subdomain. For example,


The students on these machines all logged in as Administrator in their own domains, OR Instructor in the domain Room.College.

Here's the tricky bit. There's no backup of the Forest Root, at least not since the day it was first built. The class has evolved around building the AD over the past month or so.

As luck would have it, I created GHOST images of the server prior to handing it over to the tutor so I have been able to build up a spare machine as a replacement.

However, the only existing backup of INSTRUCTOR is (quite understandably) unaware of any of its child domains, far less any of the objects in them.

I've left it disconnected from the LAN while I figure out how to proceed. One of the remaining student machines is also a Global Catalog for the domain, but won't synch with the other DCs until DNS is up and running (which means powering up INSTRUCTOR).

If I jack INSTRUCTOR back into the network, what's likely to happen? If I boot into DS Restore Mode and tell it to do a non-authoritative restore, will the other servers re-integrate with the AD?

Question by:tstaddon
  • 3
  • 2

Author Comment

ID: 9772407
Should add at this point that we are talking a number of students who have paid for a 12 week course, all of whom have customised their own AD as they see fit.

Aside from the AD, there's no loss of data. The server wasn't used for generic File & Print services, all it did was authentication, DNS, and proive the teacher with a machine that was connected to an electronic whiteboard.

Expert Comment

by:nader alkahtani
ID: 9772714

Expert Comment

by:nader alkahtani
ID: 9773000
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.


Author Comment

ID: 9777407
Thanks for the links.

I checked the troubleshooting flowchart for this state of affairs, and no suggestion is available for this instance because the DC in question was the only server in that domain, it held all the FSMO roles prior to the theft, and was therefore the ONLY machine that had any idea of the structure of the Active Directory.

The backup only restores the server to the point it was at BEFORE the child domains were created.

This is a rough description of the directory structure as it now stands:

Room.College                 |  Student1Dom.Room.College    Student2Dom.Room.College     Student3Dom.Room.College
DC: Instructor                 |  DC: Student1DC                     DC: Student2DC                      DC: Student2DC
Member Servers: none    |  Member Servers: None           Member Servers: None            Member Servers: None
DNS                               |  Global Catalog (created
Infrastructure Master       |  after Instructor went down)
Schema Master               |  
Global Catalog
PDC Emulator
RID Master
** Doesn't know about the Child Domains **

The students can log in locally to the DCs, but I will need them to access Instructor at some point because they are learning about AD and need access to the root domain, to join existing standalone 2K servers to the AD.


Author Comment

ID: 9881002
Sorry, lads, but I figured this one out on my own. I exported lists of AED objects on each server, used DCPROMO /FORCEREMOVAL to kill off the directory, then restored the instructor server, and then DCPROMO'd the other DCs.

Using the object lists, I had the network up and running again after a couple of hours.

Accepted Solution

PashaMod earned 0 total points
ID: 9900343
Question closed and points refunded

CS Moderator

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Active Directory Replication 10 1,145
Disk size support for operating systems 12 536
Terminal 2000 connection RDP 5 140
How to install Windows 2000 network drivers 4 126
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question