Solved

Recovering from USN Rollback When reverting to a VM snapshot of DC

Posted on 2013-10-27
Last Modified: 2013-10-30
I made a mistake and reverted to a snapshot of my Primary Domain Controller while troubleshooting a problem. The backup Domain Controller took over the primary role while I rebooted the server, and when the revert was finished there was a conflict and I had USN rollback issues. My primary DC that I reverted recovered the Active Directory and stopped Netlogon so nobody could log on to the server. The secondary lost connection with the primary and no longer had a populated Active Directory. I took down the secondary DC thinking it was causing the conflict, but that moment had passed. This happened yesterday during downtime, so I restored my primary domain controller from my NetApp snapshot to a time when it was the primary and had no conflict. I powered it up while leaving the secondary offline.

Things seem to be operational on the primary now, but the secondary is shut down thinking it has the primary role. How can I bring this back online and have it take the secondary position again? If I power it up as is, will it recognize the primary and take its place, or do I have to do a non-authoritative restore and force it to talk to the primary? The last couple of options are to restore the secondary DC with the same timestamp from NetApp, or demote/rebuild the secondary server, strip the metadata from the primary and rejoin?

What's the best/easiest/least-risk thing to do? Other options?

Thanks,
Rob
Question by:RobMes
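The symptoms Rob describes (Netlogon stopped, the DC no longer replicating) are the ones a DC shows after it detects a USN rollback. This is an added example, not something from the thread: a PowerShell triage script that checks the markers Microsoft documents for that condition on the DC itself: the "DSA Not Writable" registry value, event ID 2095 in the Directory Service log, the Netlogon service state, and the replication view from repadmin. It assumes an elevated PowerShell session on a Windows Server 2008 or later DC (Get-WinEvent is not available on Server 2003).

```powershell
# Added example (not from the thread): quick triage of a DC suspected of USN rollback.
# Run in an elevated PowerShell on the DC itself (assumed: Server 2008+ for Get-WinEvent).

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Is the directory flagged non-writable? NTDS sets 'DSA Not Writable' to 4 when it
#    detects a rollback, and refuses inbound and outbound replication from then on.
$dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Not Writable' `
                   -ErrorAction SilentlyContinue).'DSA Not Writable'
if ($dsaNotWritable -eq 4) {
    Write-Warning "USN rollback detected: 'DSA Not Writable' = 4. Replication is disabled on this DC."
} else {
    Write-Host "'DSA Not Writable' is not set to 4 (current value: $dsaNotWritable)."
}

# 2. The telltale event: ID 2095 in the Directory Service log (a partner has already seen
#    a higher USN from this DC's invocation ID than the DC is now presenting).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
          -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    foreach ($e in $events) {
        Write-Warning ("{0}  Event 2095: {1}" -f $e.TimeCreated, $e.Message.Split("`n")[0])
    }
} else {
    Write-Host 'No event 2095 found in the Directory Service log.'
}

# 3. Netlogon: a DC in rollback pauses Netlogon so it stops advertising itself,
#    which is why logons start failing.
$netlogon = Get-Service -Name Netlogon
Write-Host "Netlogon service status: $($netlogon.Status)"

# 4. Replication status as this DC sees it (repadmin ships with the AD DS role).
repadmin /showrepl
```

If the first check fires, the DC has already quarantined itself; the supported ways out are the ones discussed below (a restore from a proper backup, or demoting and rebuilding the DC), not simply deleting the registry value.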
8 Comments
 
LVL 118

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 250 total points
ID: 39604196
I would forget about the secondary, and transfer the roles from the secondary to the primary,

or, what is commonly known as SEIZE the roles. Then destroy the secondary server, rebuild and re-install from new, and then promote it to a Domain Controller.

See Microsoft's articles on how to complete this operation.

How to view and transfer FSMO roles in the graphical user interface

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
 

Author Comment

by:RobMes
ID: 39604224
How do I get rid of the reference to the secondary DC in the primary? Does seizing the role do that?

I have a follow-up question. We are in the process of moving from a physical to a virtual environment to handle growth. We started with the terminal server also being the domain controller. I then migrated that to a VM and built the secondary DC with the intention of rebuilding the terminal server as a VM running 2008 instead of the 2003 we are running now. Everything is moving to 2008. I read that 2003 does not demote nicely, so what steps would you recommend to avoid this USN problem during this upgrade? I was thinking rebuild the secondary DC and dcpromo it, and demote the primary DC, which is the 2003 TS, but I don't think that's possible because TS needs AD to work. Thoughts?

Thanks again,
Rob
 
LVL 118
ID: 39604451
You follow the Microsoft articles, which will delete the failed DC.
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 250 total points
ID: 39610288
Here is the Microsoft article you need to follow in order to remove the reference to an old DC in AD...

http://support.microsoft.com/kb/216498

Good Luck
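The two answers above are one procedure: seize the FSMO roles onto the surviving DC, then clean the dead DC's metadata out of the directory (KB216498), then rebuild it. The following is an added example of that procedure, not code from either answer or from Microsoft's articles. It wraps ntdsutil from PowerShell, run elevated on the surviving DC. All names are assumptions: DC1 is the surviving (primary) DC, DC2 is the DC being written off, the domain is contoso.local and the site is Default-First-Site-Name; substitute your own.

```powershell
# Added example, not part of the thread. Assumed names: DC1 = surviving DC, DC2 = dead DC,
# domain contoso.local, site Default-First-Site-Name. Run elevated on DC1.
# "seize" is for a DC that will never come back; use "transfer" while both are online.

$survivingDc = 'DC1'
$deadDcDn    = 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local'

# 1. Record who holds the five roles before changing anything (netdom is built in on
#    Server 2008+; on 2003 it comes with the Support Tools).
netdom query fsmo

# 2. Seize all five roles onto DC1. ntdsutil tries a graceful transfer first and only
#    forces ownership if the current holder does not answer; it asks for confirmation
#    on each seizure. Note the version difference: Server 2008+ ntdsutil says
#    "seize naming master", Server 2003 says "seize domain naming master".
$seizeCmds = @(
    'roles',
    'connections',
    "connect to server $survivingDc",
    'quit',
    'seize schema master',
    'seize naming master',
    'seize PDC',
    'seize RID master',
    'seize infrastructure master',
    'quit',
    'quit'
)
# An array passed to a native command is expanded into separate arguments; PowerShell
# quotes the multi-word ones, which is exactly how ntdsutil expects scripted input.
& ntdsutil $seizeCmds

# 3. Metadata cleanup: remove DC2's NTDS Settings and server object from the configuration
#    partition. Since Server 2003 SP1 "remove selected server" accepts the full DN, so the
#    interactive "select operation target" walk from the KB article is not needed.
$cleanupCmds = @(
    'metadata cleanup',
    "remove selected server $deadDcDn",
    'quit',
    'quit'
)
& ntdsutil $cleanupCmds

# 4. Verify: roles now sit on DC1 and no replication link still points at DC2.
netdom query fsmo
repadmin /replsummary

# Left for hand cleanup, per KB216498: DC2's DNS records (its A record and the SRV
# records under _msdcs and _sites) and its computer account if it still exists.
```

Seizing the roles and cleaning up the metadata are what let the rebuilt DC2 be promoted again under the same name without the old, dead NTDS Settings object confusing the KCC; the seizure by itself does not remove anything, which answers Rob's follow-up question above.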

Author Closing Comment

by:RobMes
ID: 39610605
I ended up falling back on a NetApp restore point for the Primary DC/TS from when it actually had the primary role. That brought it back online. Then I rolled back the secondary DC from the same NetApp restore point, when it actually had the secondary role. I started in AD restore mode so the two talked, and since there was nothing to actually fix I rebooted and all was good. Not always the best solution, but this happened on a weekend and there was no data loss by rolling back to a couple of hours earlier.

Thanks for the help.
 
LVL 19

Expert Comment

by:compdigit44
ID: 39611268
Just an FYI. vSphere 5.1 is VM-GenerationID aware, which can help protect against USN rollbacks with AD DCs.

https://communities.vmware.com/message/2165678
 

Author Comment

by:RobMes
ID: 39611417
I'm running vSphere 5.1, and VMware does have this to help sort out its VM snapshots, but I don't think that in itself would do anything about USN rollback. When I reverted the snapshot originally, the VMs started with no issue, and I think that feature could have had some part in that. Only in Server 2012 has Microsoft provided the ability to give an ID to the VM layer to help DCs replicate. Basically it may exist, but unless you're running Server 2012 you still have to be very careful about restoring any DC, no matter if it's a VM or not.

Good info, but just for anyone else reading I wanted to point out you need Server 2012. Don't rely on it with anything earlier. Hell, not sure if you should rely on it at all! This stuff scares the crap out of me. lol
 
LVL 19

Expert Comment

by:compdigit44
ID: 39611721
You are correct RobMes, I forgot to mention this is a new feature in Windows Server 2012.
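Rob's caveat can be verified rather than taken on faith. A Windows Server 2012 or later DC that actually received a VM-GenerationID from the hypervisor records it on its own computer object, in the msDS-GenerationId attribute, and logs Directory Service event 2170 when it notices the value change (which is what happens on a snapshot revert). The following is an added example, not from the thread; it assumes the Active Directory PowerShell module (RSAT) and a DC name of DC1. On Server 2003 or 2008 the attribute simply never appears, whatever vSphere exposes.

```powershell
# Added example, not from the thread. Assumes the AD PowerShell module and a DC named DC1.
Import-Module ActiveDirectory

$dc = 'DC1'   # assumed name

# A virtualization-safe DC stores the last generation ID it consumed on its computer object.
# No value means either the hypervisor exposed no VM-GenerationID or the DC is too old
# (pre-2012) to read it; in both cases a snapshot revert behaves like a bad restore.
$genId = (Get-ADComputer -Identity $dc -Properties 'msDS-GenerationId').'msDS-GenerationId'
if ($genId) {
    Write-Host ("{0} holds a VM-GenerationID ({1} bytes): a snapshot revert will reset its " +
                "invocation ID and discard the RID pool instead of causing USN rollback." -f $dc, $genId.Length)
} else {
    Write-Warning "$dc has no msDS-GenerationId: treat snapshot reverts exactly like a restore of a physical DC."
}

# Event 2170 is written when the DC detects that the generation ID changed since it last ran.
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Even on 2012, the protection only covers reverts the hypervisor reports through VM-GenerationID; a storage-level restore such as the NetApp rollback used here is invisible to it, which is one reason Rob's "be careful regardless" advice stands.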