2092, 8456 and other Active Directory errors probably caused by DC virtual machine import from backup

Posted on 2010-11-18
Last Modified: 2012-05-10
Where to start.

3 DC's
DC1 = Server 2008R2 as a virtual machine
DC2 = Server 2008R2 as a virtual machine
DC3 = Server 2003 physical machine, and looking to retire soon

Wanted to move the VMs to a new host.  Restored from backups taken through the VM interface (XenCenter).  You can guess the rest (now I know too).  Stuck in a USN rollback issue.

Getting trust issues with machines trying to log in, etc.

How to get out of it?  Without killing the domain and starting over? Can give you dcdiags of each server.

Thanks for looking!
Attachments: 1qpcserver-diag.pdf, 2qpcserver-diag.pdf, qpcserver1-diag.pdf
Question by:dustypenguin
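Before touching any DC it helps to confirm that the symptoms really are a USN rollback. The following is an added example (not from the question or the answers) of the checks an administrator would run locally on the restored DC in an elevated PowerShell on Server 2008 R2; it reads the standard rollback indicators: the `Dsa Not Writable` registry value that the DC sets to 4 when it detects the rollback, the Directory Service events 2095 and 2103 (rollback detected / unsupported restore) and 2092 (FSMO holder cannot replicate), and the `repadmin /options` output, where replication error 8456 from the title shows up as the disabled-replication flags.

```powershell
# Added example, not part of the original thread. Assumes Server 2008 R2,
# run elevated on the DC suspected of USN rollback.

function Test-UsnRollback {
    $result = @{}

    # A DC that detects a rollback sets this value to 4 and disables
    # inbound and outbound replication; a missing value means "not flagged".
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $result.DsaNotWritable  = $ntds.'Dsa Not Writable'
    $result.RollbackFlagSet = ($result.DsaNotWritable -eq 4)

    # 2095: remote DC already acknowledged USNs we are presenting again (rollback).
    # 2103: database restored with an unsupported procedure (e.g. VM snapshot/backup).
    # 2092: this DC holds an FSMO role but cannot replicate with its partners.
    $result.Events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2092 } `
                        -MaxEvents 20 -ErrorAction SilentlyContinue |
                     Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

    # repadmin /options lists DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL when
    # the DC has switched replication off; partners then report error 8456.
    $options = & repadmin.exe /options $env:COMPUTERNAME
    $result.ReplOptions        = ($options -join ' ')
    $result.ReplicationStopped = [bool]($options | Select-String 'DISABLE_(INBOUND|OUTBOUND)_REPL')

    New-Object PSObject -Property $result
}

$check = Test-UsnRollback
$check | Format-List
if ($check.RollbackFlagSet -or $check.ReplicationStopped) {
    Write-Warning "USN rollback indicators present on $env:COMPUTERNAME; follow KB 875495 rather than re-enabling replication."
}
```

If `RollbackFlagSet` is true or the replication-disabled flags are present, the DC has deliberately isolated itself; the fix is the demote, metadata cleanup and re-promote procedure the answers below describe, not simply clearing the flags, because that would push stale USNs back into the domain.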
LVL 27

Accepted Solution

KenMcF earned 350 total points
ID: 34166162
Follow the steps in this article. Under
Recovering from a USN rollback
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 150 total points
ID: 34166335
So in short you have to

demote the DC force removal
metadata cleanup that old DC
Seize FSMO roles (if applicable)
then you can add back to the domain and promote it again

Ken's link is a good one and another good blog entry is here:



Author Comment

ID: 34166707
I've actually skimmed through the MS-875495 article earlier during some research ... will read that through with more vigour.

The other one I will study as well.

Have either of you gone through the process?  What are the potential things I should look out for?  

Other things.  

1 - Will DC1 automatically start replication when DC2 comes back?
2 - Do I need to demote DC2 and DC3?  Or if I demote DC2 and re-promote, should replication start working between those two at least?
3 - If I have DHCP still running on DC3, will there be any issues stopping that and setting up and starting it on DC1 before demoting DC3?
4 - Most importantly, what will happen to my users accessing resources they can still get to.  If I have work-arounds in place for now, is this something I should wait until the weekend to do?  If the system goes all the way down during the week, I'm a very unpopular guy!

LVL 59

Expert Comment

by:Darius Ghassem
ID: 34166742
I have done both the USN and force demote. If you have working DCs I would go with Mike's solution and just demote the servers and run through the steps
LVL 27

Expert Comment

ID: 34166850
Yes I have gone through the process.

If the demotion is not clean you may have to run dcpromo /forceremoval
and then run through metadata cleanup on the failed DCs.

Once they are re-promoted replication should work as long as you followed the steps.

Author Comment

ID: 34180118
Pretty much worked.  I demoted both DC2 and DC3 and kept DC1 ... will add DC2 back later.  Since the user and machine database was not in agreement, there were a few users that had to be recreated, and a couple of workstations that needed to be unjoined and rejoined to the domain.
Other hints for those going through this:
1 - I was able to transfer all roles before demotion, so did not have to seize them later.

2 - dcpromo failed on both servers I wanted to demote.  Needed to use dcpromo /forceremoval.  This is recommended ONLY if dcpromo does not work.

3 - Since I did a force removal, did do metadata cleanup for both demoted servers from DC1.  

4 - Need to go through DNS with a fine tooth comb and delete all records of the old servers if there are any.

5 - Had DHCP configured but off until demotion of server that had been handling that, and then turned DHCP on the left over DC.
6 - Global Catalogue had not replicated, or I had not set up global catalog on the server I kept, so needed to go to Active Directory Sites and Services > Sites > Default First Site Name > Servers > name of your server > NTDS Settings.  Right click on that > Select Properties > select General tab > check Global Catalog.  You may get a warning about whether you really want to add global catalog to an infrastructure master, but from what I can read, in a single domain forest that is not a problem.  After a few minutes, DC1 became a global catalog, and could process new user and machine requests.

7 - Make sure that you have an entry in DNS > Forward Lookup Zones > _msdcs.domain name > gc for the global catalog.  When you configure the server to be a global catalog, it should do that after about 5 to 10 minutes ... mine did.

8 - Restarted all the workstations to make sure they could log in to their primary user, and they had access to resources.

9 - Breathed a sigh of relief that it was not as bad as I had feared, and gave a prayer of thanks that things went relatively well.

Hope this may help someone.

Author Comment

ID: 34180133
10 - One other thing I did have to do was turn replication back on for the existing server (as recommended by dcdiag) after all was said and done.  This will be crucial as I add the second DC back into the mix.

Thanks Guys, appreciate it.
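The hints in the two author comments above, together with Mike Kline's and KenMcF's steps, amount to one recovery checklist. The following is an added example (not the thread's own commands, and not a Microsoft script) that runs that checklist from the DC being kept, as an administrator on Server 2008 R2 with the ActiveDirectory module. The names `DC1`, `DC2`, the site `Default-First-Site-Name` and `DC=example,DC=com` are placeholders; the demotion itself (`dcpromo`, or `dcpromo /forceremoval` when that fails, as in the thread) is run interactively on the DC being removed and is only noted here. It goes slightly beyond the thread by verifying each step with `Get-ADDomain`, `Get-ADForest`, `dnscmd` and `dcdiag`.

```powershell
# Added example, not part of the original thread. Placeholder names below.
Import-Module ActiveDirectory

$KeptDc    = 'DC1'                       # the DC that stays (hypothetical name)
$DemotedDc = 'DC2'                       # a DC that was force-removed (hypothetical)
$Site      = 'Default-First-Site-Name'
$ConfigNC  = 'CN=Configuration,DC=example,DC=com'
$Domain    = 'example.com'

# 1. Transfer all five FSMO roles to the kept DC BEFORE demoting the others.
#    Add -Force only to seize roles whose holder is already gone (irreversible).
Move-ADDirectoryServerOperationMasterRole -Identity $KeptDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster | Format-List

# 2. On each DC being removed (not here):  dcpromo   -- and if that fails,
#    dcpromo /forceremoval, as the thread describes.

# 3. After a forced removal the server object is left behind; remove it
#    (metadata cleanup) from the kept DC using ntdsutil's one-line form.
$serverDn = "CN=$DemotedDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
& ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit

# 4. Go through DNS for leftover records of the demoted DC in both the domain
#    zone and _msdcs; anything matching here is a stale record to delete.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    & dnscmd.exe $KeptDc /zoneprint $zone | Select-String -Pattern $DemotedDc |
        ForEach-Object { "stale record in ${zone}: $_" }
}

# 5. Make the kept DC a global catalog (same as ticking "Global Catalog" on
#    NTDS Settings in Sites and Services: bit 1 of the options attribute).
$ntdsDn = "CN=NTDS Settings,CN=$KeptDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
Set-ADObject -Identity $ntdsDn -Replace @{ options = 1 }
(Get-ADDomainController -Identity $KeptDc).IsGlobalCatalog   # True once promoted

# 6. The GC SRV record should appear under _msdcs after a few minutes.
& nslookup.exe -type=SRV "_ldap._tcp.gc._msdcs.$Domain" $KeptDc

# 7. Thread hint 10: the surviving DC still has replication switched off
#    from the rollback detection; turn it back on before adding a new DC.
& repadmin.exe /options $KeptDc -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL

# 8. Verify: no stale partners, roles consistent, replication test passes.
& repadmin.exe /showrepl $KeptDc
& dcdiag.exe /s:$KeptDc /test:Replications /test:FsmoCheck /test:KnowsOfRoleHolders
```

Run the steps one at a time and read each verification before moving on; in particular, re-enabling replication (step 7) is safe only once every DC that was restored from the VM backup has been demoted and its metadata cleaned, otherwise the stale USNs the rollback protection was guarding against would be replicated again.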
