I recently recovered a Windows 2003 SP1 domain controller, which is the only DC within the domain, using NTBACKUP from a system state backup (dated 22nd Dec 09 and restored 19th Feb 2010). It was the only backup that was available. The restore went fine with no errors, and AD looked fine. I took it back to site on 21st Feb to test, ready for the Monday, and found clients could not log on: "domain unavailable" or "computer account not found" errors. The accounts exist in AD etc., DHCP is fine, clients receive IP addresses etc., but there is event ID 5722 logged in eventvwr for any clients that have attempted to log on to the domain:
"Description: The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$.
The following error occurred:
Access is denied."
Now the quick fix is to re-add clients to the domain and all is well again, but there are hundreds of computers to re-add.
Question 1) Is there a way to fix this en masse without running around?
Question 2) I have read the following article - http://support.microsoft.com/kb/216393/en-us
- The time between the system state backup and the first client attempting contact would be 65 days after the system state was restored. The article mentions that every 30 days the secure channel passwords are synced, but if problems occur you get the 5722 ID. The secure channel is broken from the tests, but what I don't understand is this 30 days: I have had clients not contact the DC for more than 30 days and still operate fine. Can anyone give a good explanation for this?
Question 3) You apparently cannot restore DC system state data that is older than the tombstone lifetime; in Windows 2003 SP1 this is 180 days. Just for future reference, does this apply in a single domain controller network config, or does it just apply in multi-partner replication scenarios?
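
An added example (not part of the original post): Python that builds the list of affected machines from event 5722 descriptions in the format quoted above, so the computers that need re-adding can be enumerated from the DC's log instead of waiting for users to report failures. The tab-separated export layout, the computer names and the function name `affected_computers` are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample: event 5722 records exported as "timestamp<TAB>description".
# The layout and every computer/account name here are made up for the example.
SAMPLE_EXPORT = """\
2010-02-21 09:02:11\tThe session setup from the computer WS-014 failed to authenticate. The name of the account referenced in the security database is WS-014$. The following error occurred: Access is denied.
2010-02-21 09:02:40\tThe session setup from the computer WS-027 failed to authenticate. The name of the account referenced in the security database is WS-027$. The following error occurred: Access is denied.
2010-02-21 09:05:03\tThe session setup from the computer WS-014 failed to authenticate. The name of the account referenced in the security database is WS-014$. The following error occurred: Access is denied.
2010-02-21 09:07:55\tThe session setup from the computer LAB-PC3 failed to authenticate. The name of the account referenced in the security database is LABPC3$. The following error occurred: Access is denied.
2010-02-21 09:08:10\tThe browser has forced an election on network.
"""

# Matches the 5722 description text quoted in the post.
EVENT_5722 = re.compile(
    r"session setup from the computer (?P<computer>\S+) failed to authenticate\.\s+"
    r"The name of the account referenced in the security database is (?P<account>\S+?)\.\s+"
    r"The following error occurred:\s*(?P<error>.+?)\s*$"
)

def affected_computers(export_text):
    """Return {COMPUTER: {account, error, count, first, last, name_mismatch}}."""
    seen = {}
    for line in export_text.splitlines():
        stamp, _, description = line.partition("\t")
        m = EVENT_5722.search(description)
        if not m:
            continue  # some other event, or a malformed line
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        computer = m["computer"].upper()
        rec = seen.setdefault(computer, {
            "account": m["account"], "error": m["error"],
            "count": 0, "first": when, "last": when,
            # Sanity check: account named in the event should be COMPUTER$.
            "name_mismatch": m["account"].rstrip("$").upper() != computer,
        })
        rec["count"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
    return seen

if __name__ == "__main__":
    for name, rec in sorted(affected_computers(SAMPLE_EXPORT).items()):
        flag = "  <-- account name differs, check by hand" if rec["name_mismatch"] else ""
        print(f"{name:10} {rec['account']:10} x{rec['count']} last {rec['last']}{flag}")
```
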