Solved

Disaster: Domain Controller Failed, best way to restore?

Posted on 2010-01-13
Last Modified: 2012-05-08
Hi,
Just now my Active Directory domain controller crashed, cannot be recovered.
I am running 1 forest with 5 domains.  All domain controllers are Windows 2008 native.

A domain controller in one of my domains crashed and I would like to know what would be the best way to proceed.
I would also like to know what would be the best way to back up and restore a failed domain controller.

In the domain in question I have 2 domain controllers. DC1 is the GC and DNS.
DC2 failed and has some of the fsmo roles, not sure which.

What I would do is reload the machine, give it a different name and dc promo it into the domain.
Then forcibly remove the failed DC from the domain.
Is this the best way?
Our DCs were backed up using an imaging method. The latest backup I have is 1 week old. I don't feel comfortable restoring it.

Thanks for all your help guys.
0
Question by:eugene20022002
11 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 435 total points
ID: 26302805
OK, as you have got another DC in the domain it's not all bad.

First, if the second DC is not a GC, DHCP server then add these roles and point all clients to it for DNS.

Next, find and if necessary seize any FSMO roles that the failed machine had - see http://www.petri.co.il/seizing_fsmo_roles.htm

Then do a cleanup to remove all traces of the failed DC - http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Install another machine and promote it to be a DC. AD will copy to it by default, and as it's 2008, it will also become another GC by default.

You can then transfer any FSMO roles and install additional services as you wish.
0
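
One way to answer the "not sure which" roles question before seizing anything, as an added example that is not part of the original thread: read the `fSMORoleOwner` attribute of the five well-known objects from the surviving DC. `DC2` is the failed DC's name as used in the question; the script only reports and changes nothing.

```powershell
# Added example, not from the thread. Run on the surviving DC of the affected domain.
# 'DC2' is the failed DC's name as used in the question; replace with the real host name.
param([string]$FailedDc = 'DC2')

$root     = [ADSI]'LDAP://RootDSE'
$domainNc = $root.Properties['defaultNamingContext'].Value
$configNc = $root.Properties['configurationNamingContext'].Value
$schemaNc = $root.Properties['schemaNamingContext'].Value

# Each FSMO role is recorded in the fSMORoleOwner attribute of a well-known object.
$roles = @(
    @{ Role = 'Schema master';         Dn = $schemaNc },
    @{ Role = 'Domain naming master';  Dn = "CN=Partitions,$configNc" },
    @{ Role = 'PDC emulator';          Dn = $domainNc },
    @{ Role = 'RID master';            Dn = "CN=RID Manager`$,CN=System,$domainNc" },
    @{ Role = 'Infrastructure master'; Dn = "CN=Infrastructure,$domainNc" }
)

$report = foreach ($r in $roles) {
    $obj   = [ADSI]("LDAP://" + $r.Dn)
    $owner = [string]$obj.Properties['fSMORoleOwner'].Value
    # The value is the DN of the holder's NTDS Settings object:
    #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    if ($owner -match '^CN=NTDS Settings[^,]*,CN=([^,]+),') { $server = $Matches[1] }
    else { $server = '(unresolved)' }
    New-Object PSObject -Property @{
        Role       = $r.Role
        Holder     = $server
        OnFailedDc = ($server -ieq $FailedDc)
    }
}

$report | Select-Object Role, Holder, OnFailedDc | Format-Table -AutoSize

# Roles still recorded against the failed DC are the ones that need seizing.
$toSeize = @($report | Where-Object { $_.OnFailedDc } | ForEach-Object { $_.Role })
"Roles held by ${FailedDc}: " + ($toSeize -join ', ')
```

The schema and domain naming roles are forest-wide, so in a five-domain forest they may be reported on a DC in another domain.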
 
LVL 70

Expert Comment

by:KCTS
ID: 26302815
Sorry ... as the remaining DC has DNS and is a GC then you don't need to add these (but it's a good idea to have DNS on multiple DCs)
0
 
LVL 7

Author Comment

by:eugene20022002
ID: 26302898
Thanks KCTS. With regards to best practise backup and restore of domain controllers, what do you recommend?
0

 
LVL 70

Expert Comment

by:KCTS
ID: 26302925
It's always best to have at least 2 DCs per domain, then if one fails you can replicate an up to date copy of AD directly from the remaining DC - least hassle.

It's as well to do a system state backup (which includes AD) on a regular basis as well, that way if you delete anything and then find you want it back, you can do an authoritative restore and get the deleted stuff back.
0
 
LVL 7

Author Comment

by:eugene20022002
ID: 26303109
Thanks. When I'm planning my disaster recovery and plan for total disaster, say both DCs fail, what would you recommend in that case?
I just want to avoid this from happening again.

- Regarding the imaging, do you think we should stop backing using an image backup for backup?

- Just to summarise, if I have everything right: you're saying basically I should do it the way I originally would have and that's the best way? That is, set up new machine, with different name, add to domain, dc promo, transfer roles, and delete failed DC as per your link?
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 435 total points
ID: 26303176
An image backup is useful as a last resort - if both DCs fail for example.

Bear in mind that if you restore from an image then AD will be overwritten by the newer version of AD on the remaining DCs (if any), which is why a system state backup is essential for recovering deleted stuff.

Any backup must not be older than the AD tombstone period if you are going to use them successfully - depending on your system this is between 60 and 180 days by default - so not an issue if you back up on a regular basis.
0
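
The backup-age rule in the comment above, as an added example that is not part of the original thread: read the forest's `tombstoneLifetime` from the configuration partition and compare it with the age of a backup. The default backup date (seven days ago) mirrors the week-old image mentioned in the question and is an assumption; pass the real date instead.

```powershell
# Added example, not from the thread. Run on any reachable DC in the forest.
# $BackupDate defaults to 7 days ago (the week-old image from the question); adjust as needed.
param([datetime]$BackupDate = (Get-Date).AddDays(-7))

$root     = [ADSI]'LDAP://RootDSE'
$configNc = $root.Properties['configurationNamingContext'].Value

# tombstoneLifetime (in days) is stored on the Directory Service object.
$dirSvc = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl    = $dirSvc.Properties['tombstoneLifetime'].Value

# When the attribute is not set, AD applies the 60-day default.
$explicit = ($null -ne $tsl)
if (-not $explicit) { $tsl = 60 }

$ageDays   = [int][math]::Floor(((Get-Date) - $BackupDate).TotalDays)
$remaining = [int]$tsl - $ageDays

$result = New-Object PSObject -Property @{
    TombstoneLifetimeDays = [int]$tsl
    ExplicitlySet         = $explicit
    BackupAgeDays         = $ageDays
    DaysUntilUnusable     = $remaining
    BackupUsable          = ($remaining -gt 0)
}
$result | Select-Object TombstoneLifetimeDays, ExplicitlySet, BackupAgeDays,
                        DaysUntilUnusable, BackupUsable | Format-List

if (-not $result.BackupUsable) {
    Write-Warning "Backup is older than the tombstone lifetime; do not restore a DC from it."
}
```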
 
LVL 7

Author Comment

by:eugene20022002
ID: 26303277
Cool. Do you have any reference articles I can have a look up regarding the imaging?
0
 
LVL 7

Author Comment

by:eugene20022002
ID: 26304025
I've decided to give it another name.
Is it ok to keep the same IP address?
0
 
LVL 7

Author Comment

by:eugene20022002
ID: 26308452
Hi KCTS
Ok, I'm almost sure about the solution, awesome links, I just need to know now in what order to do everything and what will be the simplest and what method has the least risk.
Please correct me if I don't have the order right but this is how I'm planning to do it.
  1. Seize the roles the failed DC had to another DC
  2. Delete failed DC from AD as per http://www.petri.co.il/delete_failed_dcs_from_ad.htm
    Only do the meta data cleanup
  3. Reinstall machine with same OS, same updates etc
  4. Give machine same hostname and IP address
  5. join to domain
  6. DC promo and let it complete replication
  7. transfer the roles back?? Not sure about this.
Another thing I'm not sure about is that I only have 2 DCs in faulting domain, the one still up is a Global Catalog. I know it's not a good idea to transfer the Infrastructure Master role to it. Should I do it anyway and then when the failing DC is back up then just transfer it back?
Thanks again.
Wish I could allocate more points to this but I maxed out all my points :-(
0
 
LVL 7

Author Comment

by:eugene20022002
ID: 26311923
I've done it and everything is working fine. Thanks.
0
 
LVL 7

Author Closing Comment

by:eugene20022002
ID: 31676611
I don't agree fully with regards to the imaging. You pointed me in the right direction and for that I'm awarding the points, even though all my questions weren't answered to my satisfaction
0

Question has a verified solution.
