?
Solved

Recovering from USN Rollback When reverting to a VM snapshot of DC

Posted on 2013-10-27
8
Medium Priority
?
1,012 Views
Last Modified: 2013-10-30
I made a mistake and reverted to a snapshot of my Primary Domain Controller while trouble shooting a problem. The back up Domain Controller took over primary role while I rebooted the server and when the revert was finished there was a conflict and I had USN rollback issues. My primary DC that I reverted recovered the Active Directory and stopped netlogon so nobody could logon to the server. The secondary lost connection with the primary and no longer had a populated active directory. I took down the secondary DC thinking it was causing conflict but that moment had passed. This happened yesterday during down time so I restored my primary domain controller from my netapp snapshot to a time when it was the primary and had no conflict. I power it up while leaving the secondary offline.

Things seem to be operational on the primary now but the secondary is shutdown thinking it has the primary role. How can I bring this back online and take the secondary position again? If I power up as is will it recognize the primary and take its place or do I have to do an unauthoritative restore and force it to talk to the primary? Last couple of options is to restore the secondary DC with the same time stamp from netapp or demote/rebuild the secondary server, strip the meta data from the primary and rejoin?

whats the best/easiest/less risk thing to do? other options?

Thanks,
Rob
0
Comment
Question by:RobMes
  • 3
  • 3
  • 2
8 Comments
 
LVL 124

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 750 total points
ID: 39604196
I would forget about the secondary, and Transfer Roles from the Secondary to the Primary.

or, what is commonly known as SIEZE the Roles. Then destroy the secondary server, rebuild and re-install from new, and then Promote to a Domain Controller.

See Microsofts Aerticles on how to complete this operation.

How to view and transfer FSMO roles in the graphical user interface

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
0
 

Author Comment

by:RobMes
ID: 39604224
How do I get rid of the reference to the secondary dc in the primary? Does Sieze the role do that?

I  have a follow up question. We are in the process of moving from a physical to virtual environment to handle growth. We started with the terminal server also being domain controller. I then migrated that to a vm and built the secondary dc with the intention of rebuilding the terminal server in vm running 2008 instead of 2003 we are running now. Everything is moving to 2008. I read that 2003 does not demote nicely so what steps what you recommend to avoid this usn problem during this upgrade. I was thinking rebuild sec dc and dcpromo it and demote the primary dc which is the 2003 ts but I don't think that's possible because ts needs ad to work. Thoughts?

Thanks again,
Rob
0
 
LVL 124
ID: 39604451
You follow the Microsoft articles, which will delete the failed DC.
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
LVL 20

Assisted Solution

by:compdigit44
compdigit44 earned 750 total points
ID: 39610288
Here is the Microsoft article you need to follow in order to remove reference to an old DC in AD...

http://support.microsoft.com/kb/216498

Good Luck
0
 

Author Closing Comment

by:RobMes
ID: 39610605
I ended up falling back on a Netapp restore point for the Primary DC/TS for when it actually had the primary role. That brought it back online. Then I rolled back the secondary DC from the same Netapp restore point when it actually had the secondary role. I started in AD restore mode so the to talked and since there was nothing to actually fix I rebooted and all was good. Not always the best solution but this happened on a weekend and there was no data loss by rolling back to a couple hours earlier.

Thanks for the help.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39611268
Just an FYI. Vsphere 5.1 is VmGeneraware aware which can help protect USN role backs with AD DC's.

https://communities.vmware.com/message/2165678
0
 

Author Comment

by:RobMes
ID: 39611417
I'm running Vsphere 5.1 and VMware does have this to help sort out its VM snapshots but I don't think that in it self would do anything about USN Rollback. When I reverted the snapshot originally, the VM's started with no issue and I think that feature could have some part in that. Only in Server 2012 has Microsoft provided the ability to give an ID to the VM layer to help DC's replicate. Basically it may exist but unless your running Server 2012 you still have to be very careful about restoring any DC no matter if it's a VM or not.

Good info but just for anyone else reading I wanted to point out you need Server 2012. Don't rely on it with anything earlier. Hell not sure if you should rely on it at all! This stuff scares the crap out of me. lol
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39611721
You are correct RobMEs, I forgot to mention this is a new feature in Windows 2012..
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When converting a physical machine to a virtual machine using VMware vCenter Converter Standalone or vCenter Converter Enterprise, if an adapter type is not selected during the initial customization the resulting virtual machine may contain an IDE d…
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
Teach the user how to use configure the vCenter Server storage filters Open vSphere Web Client:  Navigate to vCenter Server Advanced Settings: Add the four vCenter Server storage filters: Review the advanced settings: Modify the values of the four v…
Teach the user how to use create log bundles for vCenter Server or ESXi hosts Open vSphere Web Client: Generate vCenter Server and ESXi host log bundle:  Open vCenter Server Appliance Web Management interface and generate log bundle: Open vCenter Se…
Suggested Courses

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question