Sid_F


Order to restore domain controllers in

I want to find out the order I need to restore domain controllers in a multi domain controller environment for DR. I understand the restore of one DC, but when there are multiple I have run into USN rollback issues. The DCs are a mix of 2003 and 2008. I have a test environment that I am restoring them to using VMware.
When I restore the first DC, if it has all the FSMO roles, in theory when I restore the other DCs I need to perform some sort of authoritative sync of AD?
I would like to get specifics on this as opposed to standard TechNet articles.
Sandeep

Sid_F

ASKER

Yes, I saw those articles. My main problem is regarding DR. When I restore the first DC that holds all the FSMO roles using an image based software to different hardware, the DC does not allow clients to join the domain. I run dcdiag and get
Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

ASKER

We do not have RODC in the environment
What are you using to back up the DCs? If you're using the native Windows Server Backup tool or another AD-aware backup tool, you shouldn't be getting USN rollbacks. You mentioned "image based software," though. I'm concerned that it may not be AD-aware and will cause USN rollbacks no matter what order you follow.

ASKER

OK, just confirmed the image based software is AD-aware. It's called StorageCraft. Two DCs: one running 2003 with Exchange, one with 2008R2 (acts as fileserver but also holds all FSMO roles).

I'm trying to find the best way of doing this. I'm thinking: restore 2003 first, seize all FSMO roles (as this will help keep Exchange intact), delete 2008R2 from DNS and replication partner, run a meta cleanup.
Restore the 2008R2 server, run dcpromo to remove it from domain roles, select that it is the last DC. Rejoin it as a member server, promote to DC and transfer all FSMO roles back.
ASKER CERTIFIED SOLUTION
DrDave242

ASKER

Thanks for the help. Yes, it's ShadowProtect 5. I totally agree it does seem like a lot of work, but I have yet to find one single article on successfully restoring multiple domain controllers in a DR situation with this software.
Can I confirm the normal restore process in a DR setup if I have one 2003 Exchange DC and one 2008R2 DC holding all the FSMO roles? I presume restore, then boot to DSRM and restore the system state. I presume I will run into an issue when the 2003 Exchange DC is restored, as both servers will think they have the most up to date NTDS files. Thanks

ASKER

If I go back to basics on this, supposing I am not restoring through image based but I am using the standard tape drive Windows backup. I have two servers, 2003 and 2008R2. The 2008R2 has all the FSMO roles.
How do I get back to the two DCs being in sync? I presume as they are not image based I need to build the two OS from scratch, but then what?
Sorry, I was put on a project at work last week that took up a lot of my time, and I forgot some of the other stuff I had going on!

Disaster recovery of DCs using NTBackup/Windows Server Backup is fairly simple as long as you've got a good full backup that includes the system state. Simply follow the normal restore procedure for the 2008 R2 DC first, since it's got the FSMO roles: boot to the OS media, select Repair your computer, select System Image Recovery, locate the backup, and restore it.

Once you've verified that the 2008 R2 DC is up and running normally, you'll restore the 2003 DC. To do that, you'll have to reinstall the OS first, then use NTBackup to restore the system state and any important files, as shown in this article. This is assuming that DC has an important app on it like Exchange - if it's only a DC and nothing else, you have the option of performing a metadata cleanup on the 2008 R2 DC to remove the 2003 DC from AD, then rebuilding the 2003 DC from scratch instead of restoring it.

When using the native tools for backups and restores, you don't have to worry about USN rollbacks; AD will work out the different versions of the database on the two DCs and will replicate the most recent changes to the other DC, so everything will be back in sync.
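
A post-restore check for the restore order described in the answer above, as an added example that is not part of the original thread: it looks on each restored DC for the markers Active Directory leaves when it detects a USN rollback (Directory Service events 2095 and 2103, and the "Dsa Not Writable" registry value), then lists replication links that report failures. Assumptions: the host names are hypothetical placeholders, the script runs from a machine that has repadmin and PowerShell 2.0 or later, and the Remote Registry service on each DC is reachable.

```powershell
# Added example; host names below are hypothetical placeholders.
$DomainControllers = 'DC-2008R2', 'DC-2003'

function Test-UsnRollback {
    param([string]$ComputerName)

    # Events 2095 (NTDS Replication) and 2103 (NTDS General) are logged when
    # AD detects a USN rollback or an unsupported database restore.
    # Get-EventLog reads the classic log, so it also works against a 2003 DC.
    $events = @(Get-EventLog -LogName 'Directory Service' -ComputerName $ComputerName `
                    -Newest 5000 -ErrorAction SilentlyContinue |
                Where-Object { 2095, 2103 -contains $_.EventID })

    # A DC that has quarantined itself carries "Dsa Not Writable" under the
    # NTDS Parameters key; the value is absent on a healthy DC.
    $notWritable = $null
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    if ($key) {
        $notWritable = $key.GetValue('Dsa Not Writable')
        $key.Close()
    }
    $hklm.Close()

    New-Object PSObject -Property @{
        ComputerName   = $ComputerName
        RollbackEvents = $events.Count
        DsaNotWritable = $notWritable
        Suspect        = ($events.Count -gt 0) -or ($null -ne $notWritable)
    }
}

# Run after each DC is restored, before bringing the next one online.
$DomainControllers | ForEach-Object { Test-UsnRollback -ComputerName $_ } |
    Format-Table ComputerName, RollbackEvents, DsaNotWritable, Suspect -AutoSize

# Replication links reporting failures, taken from repadmin's CSV output.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status'
```

A DC reported as Suspect should be kept out of service until the cause is understood; an empty result from the repadmin query means no link is currently reporting failures.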

ASKER

Got it resolved thanks