smschulz (United States of America) asked:

Hyper V Domain Controller Problem

Server 1 > 2003R2 - Domain Controller (FSMO roles)
Server 2 > 2008R2 - SQL and Hyper-V Host (member of 2003 domain)
VM1 > 2003R2 Domain Controller

Server 1 crashed.
VM1 was turned off because it was only used as a part of the NT-to-Active Directory migration.
VM1 is now turned on.
Server 2 > cannot log on to domain (account trust error) ~ I can log on locally.
Same problem for desktops.
I saw a MS KB and on the desktops ~ fixed by logging on to the local machine, unjoining the domain and rejoining the domain.
Server 1 will most likely not be replaced.

What will happen if Server 2 is unjoined and rejoined to the domain?
Note: this is the Hyper-V host and VM1 resides as a guest.

ASKER CERTIFIED SOLUTION
arnold (United States of America): solution text only available to members.
smschulz (ASKER):

So at minimum ~ all I need to do is seize the roles to the VM1 DC?
Then refresh the Host or unjoin/rejoin the Domain.
Then the same for any desktops.


When was the last time VM1 DC was running? Are there any other DCs other than Server 1 and VM1? It is a bad idea to run VM1 as the only DC, and it is a really really bad idea to run VM1 on Server 2 when Server 2 is joined to the domain which is managed by VM1 which is hosted on Server 2, such that there will never be a domain controller available for Server 2 because the domain controller can't boot until Server 2 has booted. See the problem?

Best bet is to resurrect Server 1, at least until you can get AD to replicate. Otherwise you will lose all sorts of AD changes such as account creation/deletion, password changes of both machines and users, and I imagine that it would be really bad for Exchange.
When was the last time VM1 DC was running?
It was down for 60~90 days
Are there any other DCs other than Server 1 and VM1?
No
It is a bad idea to run VM1 as the only DC, and it is a really really bad idea to run VM1 on Server 2 when Server 2 is joined to the domain which is managed by VM1 which is hosted on Server 2, such that there will never be a domain controller available for Server 2 because the domain controller can't boot until Server 2 has booted. See the problem?
I know but the original plan was to have the VM DC and another machine DC.
It just didn't happen for a variety of reasons.
Now the objective is to get back up ASAP then deal with the rebuilt Machine DC.
Minimize time down is the main thing now.
If you bring back up VM1 you are going to lose all AD changes since it was last running, 60-90 days. You will need to rejoin every machine to the domain. I would consider it a LAST resort. Better to work on repairing/restoring Server 1.

Do you have Exchange?
It is also not recommended to run any services other than Hyper-V on a host.

Especially SQL - if it's light use it can be a VM, if you have RAID 10 with a minimum of 4 disks.

DCs run very well as VMs and don't take up many resources.

No Exchange.
Not concerned about the AD changes as there is not much.
RAID 10 4 disks - yes
The VM will be just until a new machine can be built or as another DC.
Only SQL on the machine otherwise.
If you do not have system state backups from the physical DC with more current data, you have little choice but to use netdom to rejoin the domain to the old VM DC after seizing the FSMO roles. ntdsutil: http://support.microsoft.com/kb/255504
Also make sure that the GC is checked for the VM DC (Sites and Services, NTDS):
http://technet.microsoft.com/en-us/library/cc758330%28WS.10%29.aspx


Presumably the SQL service account was not altered during the duration.

Make sure when you have the physical server restored that you do not repeat this issue by shutting down the VM DC.
Note to all:
Seized the roles, cleaned up Metadata, unjoined the domain from local logon, rejoined the domain.
Removed old DC.
Everything is fine and working.
This will allow me some time to get the physical DC fixed/built.
It will come back online as new DC with different name.
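The steps the asker lists (seize the FSMO roles, clean up the old DC's metadata, confirm the surviving DC is a GC, rejoin the machines) can each be verified rather than assumed. The following PowerShell script is an added example written for this page, not code from the thread or from Experts Exchange. It assumes the surviving VM DC is named VM1, the crashed physical DC was SERVER1, and that you run it on a domain member (for instance Server 2, logged on locally) with a domain-admin credential. It reads the role owners and NTDS Settings objects straight over LDAP with System.DirectoryServices, so it needs no AD PowerShell module and works against a 2003 R2 DC; Test-ComputerSecureChannel needs PowerShell 2.0, which Server 2008 R2 ships with.

```powershell
# Added example: check the AD recovery described in the thread.
# Assumed names: surviving DC 'VM1', crashed DC 'SERVER1'.

function New-LdapEntry {
    param([string]$Path, [System.Management.Automation.PSCredential]$Cred)
    # Bind with explicit credentials: a machine with a broken secure channel
    # cannot bind to the domain with its own context.
    if ($Cred) {
        $pw = $Cred.GetNetworkCredential().Password
        return New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path, $Cred.UserName, $pw
    }
    return New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path
}

function Get-ServerNameFromNtdsDn {
    param([string]$Dn)
    # fSMORoleOwner values and nTDSDSA DNs look like
    #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    # so the server name is the second RDN.
    $parts = $Dn -split ','
    if ($parts.Count -lt 2) { return $Dn }
    return ($parts[1] -replace '^CN=', '')
}

function Get-DcInventory {
    param([string]$Dc, [string]$ConfigNc, [System.Management.Automation.PSCredential]$Cred)
    # Every DC has an nTDSDSA ("NTDS Settings") object under CN=Sites; bit 0x1 of its
    # 'options' attribute is the Global Catalog checkbox seen in Sites and Services.
    $base = New-LdapEntry -Path "LDAP://$Dc/CN=Sites,$ConfigNc" -Cred $Cred
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $base, '(objectClass=nTDSDSA)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('options')
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        $opts = 0
        if ($r.Properties['options'].Count -gt 0) { $opts = [int]$r.Properties['options'][0] }
        New-Object PSObject -Property @{
            Server          = Get-ServerNameFromNtdsDn -Dn $dn
            IsGlobalCatalog = (($opts -band 1) -ne 0)
        }
    }
}

function Test-AdRecovery {
    param(
        [string]$SurvivingDc = 'VM1',      # assumption: the VM DC that took over
        [string]$DeadDc      = 'SERVER1',  # assumption: the crashed physical DC
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$RepairSecureChannel
    )
    $findings = @()
    $root     = New-LdapEntry -Path "LDAP://$SurvivingDc/RootDSE" -Cred $Credential
    $domainNc = [string]$root.Properties['defaultNamingContext'].Value
    $configNc = [string]$root.Properties['configurationNamingContext'].Value
    $schemaNc = [string]$root.Properties['schemaNamingContext'].Value

    # 1. FSMO roles: each role is the fSMORoleOwner attribute of a well-known object.
    $roleObjects = @{
        'PDC Emulator'          = $domainNc
        'RID Master'            = 'CN=RID Manager$,CN=System,' + $domainNc
        'Infrastructure Master' = 'CN=Infrastructure,' + $domainNc
        'Schema Master'         = $schemaNc
        'Domain Naming Master'  = 'CN=Partitions,' + $configNc
    }
    foreach ($role in $roleObjects.Keys) {
        $obj      = New-LdapEntry -Path "LDAP://$SurvivingDc/$($roleObjects[$role])" -Cred $Credential
        $holderDn = [string]$obj.Properties['fSMORoleOwner'].Value
        $holder   = Get-ServerNameFromNtdsDn -Dn $holderDn
        $status   = 'OK'
        if ($holderDn -match '0ADEL')  { $status = 'STALE: owner object is deleted; seize the role' }
        elseif ($holder -ieq $DeadDc)  { $status = "STALE: still on $DeadDc; seize the role" }
        $findings += New-Object PSObject -Property @{ Check = "FSMO $role"; Value = $holder; Status = $status }
    }

    # 2. Metadata cleanup and GC: the dead DC must be gone, the survivor must be a GC.
    $dcs = @(Get-DcInventory -Dc $SurvivingDc -ConfigNc $configNc -Cred $Credential)
    foreach ($d in $dcs) {
        $status = 'OK'
        if ($d.Server -ieq $DeadDc) { $status = 'STALE: run ntdsutil metadata cleanup' }
        elseif ($d.Server -ieq $SurvivingDc -and -not $d.IsGlobalCatalog) { $status = 'Not a GC: enable it in Sites and Services' }
        $findings += New-Object PSObject -Property @{ Check = "DC $($d.Server)"; Value = "GC=$($d.IsGlobalCatalog)"; Status = $status }
    }

    # 3. Secure channel of the machine running this script (the "trust relationship" error).
    try {
        $ok = Test-ComputerSecureChannel -ErrorAction Stop
        if (-not $ok -and $RepairSecureChannel) {
            # -Repair rebuilds this machine's secure channel with a DC using the given
            # credential, the outcome the thread reaches by unjoining and rejoining.
            $ok = Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction Stop
        }
        $scStatus = if ($ok) { 'OK' } else { 'BROKEN: rejoin, or rerun with -RepairSecureChannel' }
    } catch {
        $scStatus = "ERROR: $($_.Exception.Message)"
    }
    $findings += New-Object PSObject -Property @{ Check = 'Secure channel'; Value = $env:COMPUTERNAME; Status = $scStatus }
    return $findings
}

# Usage (on Server 2 or any domain member, logged on locally):
#   $cred = Get-Credential   # a domain admin of the VM1 domain
#   Test-AdRecovery -SurvivingDc VM1 -DeadDc SERVER1 -Credential $cred | Format-Table Check, Value, Status -AutoSize
```

Run it once before touching anything to see which roles still point at the dead DC, and again after the seize and metadata cleanup; every row should then read OK. Rerunning with -RepairSecureChannel on each affected machine is an alternative to the unjoin/rejoin the thread used for the account trust error, and it leaves the computer object and its group memberships in place.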