Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

2092 8456 and other Active directory errors probaby caused by DC virtual machiine import from backup

Posted on 2010-11-18
7
Medium Priority
?
623 Views
Last Modified: 2012-05-10
Where to start.

3 DC's
DC1 = Server 2008R2 as a virtual machine
DC2 = Server 2008R2 as a virtual machine
DC3 = Server 2003 physical machine, and looking to retire soon

Wanted to move the vm's to a new host.  Restored from backups taken through the VM interface (xencenter).  You can guess the rest (now I know too).  Stuck in a USN rollback issue.

Getting trust issues with machines trying to log in, etc.

How to get out of it?  Without killing the domain and starting over? Can give you dcdiags of each server.

Thanks for looking!
 1qpcserver-diag.pdf 2qpcserver-diag.pdf qpcserver1-diag.pdf
0
Comment
Question by:dustypenguin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 27

Accepted Solution

by:
KenMcF earned 1400 total points
ID: 34166162
Follow the steps in this article. Under
Recovering from a USN rollback


http://support.microsoft.com/kb/875495
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 600 total points
ID: 34166335
So in short you have to

demote the DC force removal
metadata cleanup that old DC
Seize FSMO roles (if applicable)
then you can add back to the domain and promote it again

Ken's link is a good one and another good blog entry is here:  http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx

Thanks
Mike

0
 

Author Comment

by:dustypenguin
ID: 34166707
I've actually skimmed through the MS-875495 article earlier during some research ... will read that through with more vigour.

The other one I will study as well.

Have either of you gone through the process?  What are the potential things I should look out for?  

Other things.  

1 - Will DC1 automatically start replication when DC2 comes back?
2 - Do I need to demote DC2 and DC3?  Or if I demote DC2 and re-promote, should replication start working between those two at least?
3 - If I have dhcp still running on DC3 will there be any issues stopping that and setting up and starting it on DC1 before demoting DC3
4 - Most importantly, what will happen to my users accessing resources they can still get to.  If I have work-arounds in place for now, is this something I should wait until the weekend to do?  If the system goes all the way down during the week, I'm a very unpopular guy!
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34166742
I have done both the USN and force demote. If you have working DCs I would go with Mike's solution and just demote the servers and run through the steps
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34166850
Yes I have gone through the process.

If the demotion is not clean you may have to run dcpromo /forceremoval
and then run through metadatacleanup on the fialed DCs


Once they are re-promoted replication should work as long as you followed the steps.
0
 

Author Comment

by:dustypenguin
ID: 34180118
Pretty much worked.  I demoted both DC2 and DC3 and kept DC1 ... will add DC2 back later.  Since the user and machine database was not in agreement, there were a few users that had to be recreated, and a couple of workstations that needed to be unjoined and rejoined to the domain.
 
Other hints for those going through this:
1 - I was able to transfer all roles before demotion, so did not have to seize them later.

2 - dcpromo failed on both servers I wanted to demote.  Needed to use dcpromo /forceremoval .  This recommended ONLY if dcpromo does not work.

3 - Since I did a force removal, did do metadata cleanup for both demoted servers from DC1.  

4 - Need to go through DNS with a fine tooth comb and delete all records of the old servers if there are any.

5 - Had DHCP configured but off until demotion of server that had been handling that, and then turned DHCP on the left over DC.
 
6 - Global Catalogue had not replicated, or I had not set up global catalog on the server I kept, so needed to go to Active Directory Sites and Services > Sites > Default First Site Name > Servers > name of your server > NTDS Settings.  Right click on that > Select Properties > select General tab > check Global Catalog.  You may get a warning about if you really want to add global catalog to an infrastucture master, but from what I can read, in a single domain forest that is not a problem.  After a few minutes, DC! became a global catalog, and could process new user and machine requests.

7 - Make sure that you have an entry in DNS > Forward Lookup Zones > -msdcs.domain name > GC for the global catalog.  When you configure the server to be a global catalog, it should do that after about 5 to 10 minutes ... mine did.

8 - Restarted all the workstations to make sure they could log in to their primary user, and they had access to resources.

9 - Breathed a sigh of relief that it was not as bad as I had feared, and gave a prayer of thanks that things went relatively well.

Hope this may help someone.
0
 

Author Comment

by:dustypenguin
ID: 34180133
10 - One other thing I did have to do was turn replication on on the existing server (as recommended by dcdiag ) after all was said and done.  This will be crucial as I add the second DC back into the mix.

Thanks Guys, appreciate it.
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question