[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Recovering from USN Rollback When reverting to a VM snapshot of DC

Posted on 2013-10-27
Medium Priority
Last Modified: 2013-10-30
I made a mistake and reverted to a snapshot of my Primary Domain Controller while trouble shooting a problem. The back up Domain Controller took over primary role while I rebooted the server and when the revert was finished there was a conflict and I had USN rollback issues. My primary DC that I reverted recovered the Active Directory and stopped netlogon so nobody could logon to the server. The secondary lost connection with the primary and no longer had a populated active directory. I took down the secondary DC thinking it was causing conflict but that moment had passed. This happened yesterday during down time so I restored my primary domain controller from my netapp snapshot to a time when it was the primary and had no conflict. I power it up while leaving the secondary offline.

Things seem to be operational on the primary now but the secondary is shutdown thinking it has the primary role. How can I bring this back online and take the secondary position again? If I power up as is will it recognize the primary and take its place or do I have to do an unauthoritative restore and force it to talk to the primary? Last couple of options is to restore the secondary DC with the same time stamp from netapp or demote/rebuild the secondary server, strip the meta data from the primary and rejoin?

whats the best/easiest/less risk thing to do? other options?

Question by:RobMes
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
LVL 123

Accepted Solution

Andrew Hancock (VMware vExpert / EE MVE^2) earned 750 total points
ID: 39604196
I would forget about the secondary, and Transfer Roles from the Secondary to the Primary.

or, what is commonly known as SIEZE the Roles. Then destroy the secondary server, rebuild and re-install from new, and then Promote to a Domain Controller.

See Microsofts Aerticles on how to complete this operation.

How to view and transfer FSMO roles in the graphical user interface

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain

Author Comment

ID: 39604224
How do I get rid of the reference to the secondary dc in the primary? Does Sieze the role do that?

I  have a follow up question. We are in the process of moving from a physical to virtual environment to handle growth. We started with the terminal server also being domain controller. I then migrated that to a vm and built the secondary dc with the intention of rebuilding the terminal server in vm running 2008 instead of 2003 we are running now. Everything is moving to 2008. I read that 2003 does not demote nicely so what steps what you recommend to avoid this usn problem during this upgrade. I was thinking rebuild sec dc and dcpromo it and demote the primary dc which is the 2003 ts but I don't think that's possible because ts needs ad to work. Thoughts?

Thanks again,
LVL 123
ID: 39604451
You follow the Microsoft articles, which will delete the failed DC.
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

LVL 20

Assisted Solution

compdigit44 earned 750 total points
ID: 39610288
Here is the Microsoft article you need to follow in order to remove reference to an old DC in AD...


Good Luck

Author Closing Comment

ID: 39610605
I ended up falling back on a Netapp restore point for the Primary DC/TS for when it actually had the primary role. That brought it back online. Then I rolled back the secondary DC from the same Netapp restore point when it actually had the secondary role. I started in AD restore mode so the to talked and since there was nothing to actually fix I rebooted and all was good. Not always the best solution but this happened on a weekend and there was no data loss by rolling back to a couple hours earlier.

Thanks for the help.
LVL 20

Expert Comment

ID: 39611268
Just an FYI. Vsphere 5.1 is VmGeneraware aware which can help protect USN role backs with AD DC's.


Author Comment

ID: 39611417
I'm running Vsphere 5.1 and VMware does have this to help sort out its VM snapshots but I don't think that in it self would do anything about USN Rollback. When I reverted the snapshot originally, the VM's started with no issue and I think that feature could have some part in that. Only in Server 2012 has Microsoft provided the ability to give an ID to the VM layer to help DC's replicate. Basically it may exist but unless your running Server 2012 you still have to be very careful about restoring any DC no matter if it's a VM or not.

Good info but just for anyone else reading I wanted to point out you need Server 2012. Don't rely on it with anything earlier. Hell not sure if you should rely on it at all! This stuff scares the crap out of me. lol
LVL 20

Expert Comment

ID: 39611721
You are correct RobMEs, I forgot to mention this is a new feature in Windows 2012..

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Teach the user how to install and configure the vCenter Orchestrator virtual appliance Open vSphere Web Client: Deploy vCenter Orchestrator virtual appliance OVA file: Verify vCenter Orchestrator virtual appliance boots successfully: Connect to the …
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question