Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Restoring 2008 R2 Domain Controller in DR scenario

Posted on 2013-10-24
10
Medium Priority
?
470 Views
Last Modified: 2013-11-29
Here is the scenario. My building was hit by meteorite.
All I have is a desktop PC, OS disk and full DC backup.
I need to restore my DC to a different hardware.

I would like to get a WORKING solution someone actually TRIED.

My original Domain consisted 4 domain controllers. 3 x 2003 R2 and 1 x 2008 R2 (FSMO).
I'm restoring that 2008 R2.

I know that there are hundreds of posts everywhere on the internet. And that’s the problem. After searching for a long time, I couldn’t find anything useful.

So please, don’t just google for 'restore domain controller to different hardware' and copy paste the result (or actual solution). I know how to use google.

I'm only interested in first hand experience. Otherwise, shush ! :)
0
Comment
Question by:tp-it-team
  • 3
  • 2
  • 2
  • +3
10 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39597109
There is a KB that talks about restoring to different hardware but I'm not going to post that since you have probably seen it.   It is not fun and I won't blow smoke I haven't done it in years.  Having said that I've never tried to restore a DC backup on server grade hardware onto a PC.

Your best bet for the scenario you mentioned is to plan ahead and have a DC offsite at a different location.  This is even getting easier these days with cloud based solutions like Azure and others becoming even more mature.  If the building is taken out in that scenario then you have that offsite "COOP" site and a working DC.  You would have to cleanout the old DCs but it is not that bad.

You could also virtualize a DC and then have that data to restore bring back up in a true DR building gone scenario.

Thanks

Mike
0
 
LVL 1

Author Comment

by:tp-it-team
ID: 39597128
So, what approach did you take ? Did you install clean DC and did a restore ? was it authoritative or non-authoritative ?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39597156
If you have a system state backup and all of your DC's are gone, do the following...

- Install the OS on your new hardware
- Install your backup agent on the newly created server
- Restore your System State backup to the new server
- Open cmd (elevated)
- Use NTDSUtil and do any meta data cleanup
http://www.msserverpro.com/metadata-cleanup-using-ntdsutil-in-windows-server-2008-r2/ 
- Open DNS Manager
- Expand your internal domain zone and open the _msdcs and make sure that your SRV records for the 2003 DC's are not present. If they are delete them
- Open Sites and Services and and make sure that you remove any 2003 DC's that are still there
- Check to ensure that all sysvol/netlogon shares have the correct data
- Check replication/DNS functionality (DCDiag /v)
Once the above has been completed you can start to introduce new DC's into the environment.

Non-Authoritative and Authoratative resotres come into play when you have multiple DC's in your environment and you want to restore individual objects back into Active Directory, which is no longer required if you have 2008 R2 Recycle Bin feature.

Since you only have 1 DC to restore and there are no other DC's in the mix there is no need for this.

Another note you need to preform the steps above regarding metadata and DNS due to the system state you restore. It has all of the entires from the old 2003 DC's that no longer exist.

Will.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39597194
Since you asked what we did was follow the steps in the Microsoft KB  here   http://support.microsoft.com/kb/263532?

Looking back in our situation it was a single DC that died and now with experience behind me I would have just done a metadata cleanup and built a new box so our scenario was different.

You also have to make sure your backups/tapes are offsite in your scenario.

Thanks

Mike
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 39597247
My opinion on it is that you should have an available DC in another site, one that won’t get hit by the meteor

I think Azure is the way to go for businesses with single sites you can get a low spec machine for a monthly charge, you can get site to site VPN links and all sorts of cool stuff.

Basically get a DC in the private cloud, this will be covered by Microsoft DR's multi replication over multiple sites etc.

You could also have a very small Office 365 environement too thay way you have comms during DR and all your staff can keep working to a degree while you rebuild, and of course being the cloud all your staffs homes become their DR Site and of course Lync/Office.
0
 
LVL 1

Author Comment

by:tp-it-team
ID: 39597584
I want to know how to do it just for piece of mind. I know its problematic, I know that Microsoft made it such and incredible, magical experience. Not so long ago there were no clouds and other fancy options. I find it hard to believe that its not possible unless someone very knowledgeable will tell me so. And then the question would be, why Microsoft, why oh [beeep] WHY !
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 39597941
In that case you need to read this

http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery%28v=ws.10%29.aspx

Microsoft offer a service where by you can plan, document and test this process for your specific environment...but it does not come cheap.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1500 total points
ID: 39598029
Officially system state backup is not supported on different hardware it is to be used on the same system or similar but seen scenario where it doesn't work on similar system also due to driver version difference.

However you are multiple DC as other suggested if one DC goes down and cannot be brought back you can perform metadata cleanup of DC and reinstall OS and promote the server back as DC.If you still want to test the same you need to take systemstate backup of the existing DC and restore the same on new DC and test.Please ensure that you perfrom the same in test env.

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

If the FSMO role holder cannot be bring back or taking long time you can seize the role on other DC.
 
There's some info on FSMOs and what would happen if any specific FSMO is down for any length of time, permanently or termporarily.
 
Active Directory FSMO Roles Explained and What Happens When They Fail and Why you may not be able to keep a DC up once roles were seized.
http://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx


 Hope this helps
0
 
LVL 1

Author Comment

by:tp-it-team
ID: 39600643
So many years and Microsoft couldn't separate DC backup from hardware drivers. Its just so annoying...
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question