Restoring a Domain Controller

AGenMIS
I have a DC that is also a DNS and DHCP server. There are other DCs in our domain at every site that perform the same functions. If one of the DCs gets corrupted but is still bootable, to restore the system state and C drive I boot the server into Directory Service Restore Mode and then log in. But doesn't booting into Directory Service Restore Mode disable the NIC? If so, how can I restore the server if the NIC is disabled? We have a separate backup server which uses Backup Exec 12.5.

Thanks

Commented:
Yes, it does disable the NIC. You need to find out which one of the DCs holds the FSMO roles in order to answer this question with certainty. Since you have BE 12.5, why not install the remote agent on the DCs to back them up? If you need to do a restore, take a look at this:

1. Boot to Directory Resource Mode
2. Log on as administrator
3. Change the backup exec remote agent service to system account
4. From the backup server, get the last known good backup and restore the system state, C: and D: drive
5. Let the other domain controllers replicate to the restore DC so the restore DC can get the updated information.

Again, make sure you know which roles the servers have before doing any backups/restores.


Author

Commented:
We do have the Backup Exec agent on all of our DCs, but if the NIC is disabled, how is the agent going to communicate with our Backup Exec server? Let's say this is a DC that does not hold the FSMO roles.

Thanks
Awarded 2009
Top Expert 2010

Commented:
If you have other DCs you may not need to do an authoritative restore.

You could do dcpromo /forceremoval on the failed DC, use one of the other DCs to seize the FSMO roles, then do a cleanup and then repromote your failed DC.

Author

Commented:
That is one good option, but let's just say I would like to restore from Backup Exec.

Thanks
Awarded 2009
Top Expert 2010

Commented:
Guide to seizing FSMO roles: http://support.microsoft.com/kb/255504

You would normally only do an authoritative restore if you have a corrupt Active Directory.
Awarded 2009
Top Expert 2010
Commented:
How to clean up a failed DC: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
The problem with restoring from a backup, and the reason you wouldn't do it unless AD was corrupt, is that an authoritative restore says "I am all the latest changes"; therefore any AD changes since the backup would be wiped out.

Author

Commented:
Basically, restoring it in DSRM will do nothing since the NIC is disabled, so it cannot communicate with our backup server. If we boot the server up without it being in DSRM and restore it that way, it will not restore the sysvol and Active Directory database information since we are not in DSRM, correct? So the best way to restore a corrupt DC that does not hold the FSMO roles is to rebuild from scratch or demote it. Since our DCs are also DNS and DHCP servers, it would probably be best just to rebuild from scratch. Did I say all that right?

Thanks
Awarded 2009
Top Expert 2010

Commented:
You don't need to completely rebuild; follow the steps in my previous posts for forcefully removing AD from the failed DC (obviously, if it's not working at all then a rebuild might be in order).

If you can boot but AD is corrupt on only this DC, then forceremoval, ADSI Edit cleanup, seize the roles, then dcpromo back to a domain controller.
Awarded 2009
Top Expert 2010

Commented:
This is probably a quicker method than completely rebuilding, as you will need to seize the roles and do a cleanup even if you did a full rebuild.

Author

Commented:
If the roles aren't on the failed DC then I will not have to seize or transfer, correct?
Awarded 2009
Top Expert 2010

Commented:
Correct.

Author

Commented:
Thanks for your help. One last thing. Was I correct when I said if we boot the DC up NOT in DSRM and restored the system state and C drive from our backup server, the sysvol directory and the active directory database will not be restored because we did not boot up in DSRM?
Awarded 2009
Top Expert 2010

Commented:
These folders are replicated from other domain controllers, so they are easily recoverable without a restore. So, to answer your question, I am not sure, because I have never had to do it.

Author

Commented:
Using Ntdsutil to clean up the failed DC, do you open up a command prompt on the failed DC and type those commands in, or do you open up a command prompt on a running DC and type those commands in?
Awarded 2009
Top Expert 2010

Commented:
It needs to be on a running DC; basically you are removing any trace of the old DC from the live Active Directory.
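
The role check the thread keeps returning to (know which DC holds the FSMO roles before removing a failed one), as an added example that is not part of the original thread or any poster's code. It parses the text printed by `netdom query fsmo` on a running DC; the server names, the domain `example.local` and the sample output are constructed placeholders.

```powershell
# Added example; DC names and the sample text below are constructed placeholders.
function Get-FsmoHolders {
    param([string[]]$NetdomLines)
    $holders = @{}
    foreach ($line in $NetdomLines) {
        # Role and holder are separated by a run of spaces; the trailing
        # "The command completed successfully." line has no such gap.
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            $holders[$Matches['role']] = $Matches['holder']
        }
    }
    $holders
}

function Get-RolesHeldBy {
    param([hashtable]$Holders, [string]$Server)
    # Compare on the short host name so DC03 matches DC03.example.local.
    $short = $Server.Split('.')[0]
    $Holders.GetEnumerator() |
        Where-Object { $_.Value.Split('.')[0] -ieq $short } |
        ForEach-Object { $_.Key } | Sort-Object
}

# Constructed sample in the layout printed by `netdom query fsmo`.
# On a running DC, use instead:  $lines = netdom query fsmo
$lines = @'
Schema master               DC01.example.local
Domain naming master        DC01.example.local
PDC                         DC02.example.local
RID pool manager            DC02.example.local
Infrastructure master       DC03.example.local
The command completed successfully.
'@ -split "`r?`n"

$failedDc = 'DC03'   # hypothetical name of the corrupted DC
$roles = @(Get-RolesHeldBy -Holders (Get-FsmoHolders $lines) -Server $failedDc)

if ($roles.Count -gt 0) {
    "Seize on a healthy DC before metadata cleanup: $($roles -join ', ')"
} else {
    "$failedDc holds no FSMO roles; no seize or transfer needed before cleanup."
}
```

With the constructed sample, the failed DC holds the Infrastructure master role, so that role would be seized on a healthy DC before the cleanup is run there.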
