Help! Lost the AD Forest Root!

I'm an MCSA who's been thrown in completely at the deep end with the mother of all disaster recovery challenges. Two days to resurrect a forest root domain controller that hosts a number of subdomains.

Sounds easy? Well, it was the only DC in its domain and we don't have ANY backup apart from the GHOST image created after running DCPROMO for the first time.

I work at a college, and recently set up a lab of W2K servers.

We were broken into recently, and a bunch of machines and drives were nicked from the office adjoining the lab; unfortunately this included the forest root - a machine called INSTRUCTOR which was the first DC in the Room.College domain.

Even more unfortunately, in the resulting nicking spree, the backups were nicked as well as a couple of student machines. Fortunately they were disturbed before the whole room got cleared out.

(I'm not joking.)

The remaining PCs in this room were set up as seperate DCs, each in its own subdomain. For example,


The students on these machines all logged in as Administrator in their own domains, OR Instructor in the domain Room.College.

Here's the tricky bit. There's no backup of the Forest Root, at least not since the day it was first built. The class has evolved around building the AD over the past month or so.

As luck would have it, I created GHOST images of the server prior to handing it over to the tutor so I have been able to build up a spare machine as a replacement.

However, the only existing backup of INSTRUCTOR is (quite understandably) unaware of any of its child domains, far less any of the objects in them.

I've left it disconnected from the LAN while I figure out how to proceed. One of the remaining student machines is also a Global Catalog for the domain, but won't synch with the other DCs until DNS is up and running (which means powering up INSTRUCTOR).

If I jack INSTRUCTOR back into the network, what's likely to happen? If I boot into DS Restore Mode and tell it to do a non-authoritative restore, will the other servers re-integrate with the AD?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tstaddonAuthor Commented:
Should add at this point that we are talking a number of students who have paid for a 12 week course, all of whom have customised their own AD as they see fit.

Aside from the AD, there's no loss of data. The server wasn't used for generic File & Print services, all it did was authentication, DNS, and proive the teacher with a machine that was connected to an electronic whiteboard.
nader alkahtaniConsultantCommented:
nader alkahtaniConsultantCommented:
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

tstaddonAuthor Commented:
Thanks for the links.

I checked the troubleshooting flowchart for this state of affairs, and no suggestion is available for this instance because the DC in question was the only server in that domain, it held all the FSMO roles prior to the theft, and was therefore the ONLY machine that had any idea of the structure of the Active Directory.

The backup only restores the server to the point it was at BEFORE the child domains were created.

This is a rough description of the directory structure as it now stands:

Room.College                 |  Student1Dom.Room.College    Student2Dom.Room.College     Student3Dom.Room.College
DC: Instructor                 |  DC: Student1DC                     DC: Student2DC                      DC: Student2DC
Member Servers: none    |  Member Servers: None           Member Servers: None            Member Servers: None
DNS                               |  Global Catalog (created
Infrastructure Master       |  after Instructor went down)
Schema Master               |  
Global Catalog
PDC Emulator
RID Master
** Doesn't know about the Child Domains **

The students can log in locally to the DCs, but I will need them to access Instructor at some point because they are learning about AD and need access to the root domain, to join existing standalone 2K servers to the AD.

tstaddonAuthor Commented:
Sorry, lads, but I figured this one out on my own. I exported lists of AED objects on each server, used DCPROMO /FORCEREMOVAL to kill off the directory, then restored the instructor server, and then DCPROMO'd the other DCs.

Using the object lists, I had the network up and running again after a couple of hours.
Question closed and points refunded

CS Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.