RobMes
asked on
Recovering from USN Rollback When reverting to a VM snapshot of DC
I made a mistake and reverted to a snapshot of my Primary Domain Controller while trouble shooting a problem. The back up Domain Controller took over primary role while I rebooted the server and when the revert was finished there was a conflict and I had USN rollback issues. My primary DC that I reverted recovered the Active Directory and stopped netlogon so nobody could logon to the server. The secondary lost connection with the primary and no longer had a populated active directory. I took down the secondary DC thinking it was causing conflict but that moment had passed. This happened yesterday during down time so I restored my primary domain controller from my netapp snapshot to a time when it was the primary and had no conflict. I power it up while leaving the secondary offline.
Things seem to be operational on the primary now but the secondary is shutdown thinking it has the primary role. How can I bring this back online and take the secondary position again? If I power up as is will it recognize the primary and take its place or do I have to do an unauthoritative restore and force it to talk to the primary? Last couple of options is to restore the secondary DC with the same time stamp from netapp or demote/rebuild the secondary server, strip the meta data from the primary and rejoin?
whats the best/easiest/less risk thing to do? other options?
Thanks,
Rob
Things seem to be operational on the primary now but the secondary is shutdown thinking it has the primary role. How can I bring this back online and take the secondary position again? If I power up as is will it recognize the primary and take its place or do I have to do an unauthoritative restore and force it to talk to the primary? Last couple of options is to restore the secondary DC with the same time stamp from netapp or demote/rebuild the secondary server, strip the meta data from the primary and rejoin?
whats the best/easiest/less risk thing to do? other options?
Thanks,
Rob
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You follow the Microsoft articles, which will delete the failed DC.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I ended up falling back on a Netapp restore point for the Primary DC/TS for when it actually had the primary role. That brought it back online. Then I rolled back the secondary DC from the same Netapp restore point when it actually had the secondary role. I started in AD restore mode so the to talked and since there was nothing to actually fix I rebooted and all was good. Not always the best solution but this happened on a weekend and there was no data loss by rolling back to a couple hours earlier.
Thanks for the help.
Thanks for the help.
Just an FYI. Vsphere 5.1 is VmGeneraware aware which can help protect USN role backs with AD DC's.
https://communities.vmware.com/message/2165678
https://communities.vmware.com/message/2165678
ASKER
I'm running Vsphere 5.1 and VMware does have this to help sort out its VM snapshots but I don't think that in it self would do anything about USN Rollback. When I reverted the snapshot originally, the VM's started with no issue and I think that feature could have some part in that. Only in Server 2012 has Microsoft provided the ability to give an ID to the VM layer to help DC's replicate. Basically it may exist but unless your running Server 2012 you still have to be very careful about restoring any DC no matter if it's a VM or not.
Good info but just for anyone else reading I wanted to point out you need Server 2012. Don't rely on it with anything earlier. Hell not sure if you should rely on it at all! This stuff scares the crap out of me. lol
Good info but just for anyone else reading I wanted to point out you need Server 2012. Don't rely on it with anything earlier. Hell not sure if you should rely on it at all! This stuff scares the crap out of me. lol
You are correct RobMEs, I forgot to mention this is a new feature in Windows 2012..
ASKER
I have a follow up question. We are in the process of moving from a physical to virtual environment to handle growth. We started with the terminal server also being domain controller. I then migrated that to a vm and built the secondary dc with the intention of rebuilding the terminal server in vm running 2008 instead of 2003 we are running now. Everything is moving to 2008. I read that 2003 does not demote nicely so what steps what you recommend to avoid this usn problem during this upgrade. I was thinking rebuild sec dc and dcpromo it and demote the primary dc which is the 2003 ts but I don't think that's possible because ts needs ad to work. Thoughts?
Thanks again,
Rob