Solved

AD restore of operations masters (FSMO) role

Posted on 2013-11-02
904 Views
Last Modified: 2013-11-15
Hello,
I am trying to figure out whether, in case of failure of one of our Domain Controllers which holds all FSMO roles, it is possible to restore it.
As per the MS article,
Restoring the RID Master can result in Active Directory data corruption, so it is not recommended.
Restoring the Schema Master can result in orphaned objects, so it is not recommended.

So in case we need to restore RID and Schema Master, what is the best practice? Is it possible to restore this server?

Windows servers are 2003 R2. Domain functional level is also 2003 R2.
0
Question by:dedri
9 Comments
 
LVL 6

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 125 total points
ID: 39618610
You should be able to restore a domain controller regardless of the FSMO roles it is running.  The main rule is that you should not restore a DC that was holding a FSMO role -- if you have seized the role.  


To restore an operations master role holder, you must perform one of the following procedures:

• Restore the failed operations master from backup.
• Seize the role to another domain controller within the environment. Seize the operations master role only if you do not intend to restore the original role holder from backup.

Tom
0
 
LVL 5

Expert Comment

by:alicain
ID: 39618621
Hi,

As you say, when the RID master has been seized, it must not be returned to service.  Although this is different to the scenario of: the DC holding the RID master fails, no roles are transferred/seized and the DC is non-authoritatively restored from backup.

I cannot think what the information you've read about the schema master is referring to.  It is only used during the process of updating the schema.  I cannot see how doing a non-authoritative restore of the schema master would result in orphaned objects, unless it was done in an unsupported way i.e. rollback of a VM image, but that's a different story...

Also, it is worth considering that in the event of a failure, it may be less pain to transfer/seize the roles, metadata cleanup then rebuild the DC rather than restore from backup, depending on the nature of the failure.

Documenting the possible failure scenarios and your recovery plan in each case will help.  Given you have multiple DCs, consider spreading them around.

Regards,
Alastair.
0
 

Author Comment

by:dedri
ID: 39618726
Here is the article from the Microsoft site which I am reading:
http://technet.microsoft.com/en-us/library/cc526503.aspx
0
 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 39618739
Interesting article -- I wish they had a published date on it.  Assuming that your DCs are only being DCs (and DNS), I like the article's recommendation of starting fresh.  It sounds like a little bit of conflicting information.  The bullet list that I provided was from Microsoft's site and that talks about restoring from backup.

Tom
0
 
LVL 5

Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39618765
The recommendation regarding the Schema Master and Domain Naming Master is to not bring them back online if they have been seized.  But I think that is erring on the side of caution.  The other guidance to "rebuild the DC and let replicate" is probably the safest and easiest solution and the way I would go in the vast majority of cases.

Remember that you can live without the Schema and Domain Naming master being online - until you need to extend the schema or add a domain.  The PDCe needs to be online ASAP after a failure and the RID sooner rather than later.  So separating those roles between the DCs gives more options when responding to a failure.

This is the article that I refer back to for these situations:
     Responding to operations master failures
     http://technet.microsoft.com/en-us/library/cc737648(v=ws.10).aspx

Also, the Forest Recovery whitepaper gives excellent guidance:
     http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=ws.10).aspx

Regards,
Alastair.
0
 

Author Comment

by:dedri
ID: 39619732
Yes, I know that the best practice is to seize the roles and reinstall the server, but in my situation this is not only a domain controller; the server also holds the Certificate Authority, Terminal Server licenses, home folders, etc., and in case of failure I was wondering if restore is possible, and if this restore will not do any bad things to my Active Directory.
0
 
LVL 5

Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39619747
Do you have enough Domain Controllers to be able to distribute the roles away from this DC, so that they are held on DCs that are disposable?


The following is from: http://technet.microsoft.com/en-us/library/cc780487(v=ws.10).aspx
It describes a scenario where the roles are seized after a failure and then the original DC is successfully recovered resulting in two DCs being online and holding the roles:
"...the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role that was seized, the severity of duplicate operations master roles varies from no visible effect to potential corruption of the AD DS database. Seize the operations master role to a domain controller that has the most recent updates from the current role holder to minimize the impact of the role seizure."

Restoring the Schema Master won't necessarily lead to orphaned objects, but depending on circumstances, e.g. occurring in the middle of a schema update, it may.  Due to the catastrophic impact of the worst case, the advice has to be to avoid the possibility of being in that situation.

Hope that helps...
Alastair.
0
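An added example, not posted by anyone in this thread, for checking the duplicate-role-holder condition quoted above after a DC comes back from backup: it asks every DC in the current domain for its own replica of the fSMORoleOwner attribute behind each role and flags any role the DCs disagree about (it also shows how the roles are spread across DCs, which is the distribution question raised earlier). It assumes a domain-joined Windows host with PowerShell and uses only System.DirectoryServices from .NET, so no ActiveDirectory module is required.

```powershell
# Read each DC's own copy of the fSMORoleOwner attributes and report disagreements.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
$configDn = [string]$rootDse.Properties['configurationNamingContext'].Value
$schemaDn = [string]$rootDse.Properties['schemaNamingContext'].Value
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Objects whose fSMORoleOwner attribute records the holder of each role.
$roleObjects = @{
    'PDC Emulator'         = $domainDn
    'RID Master'           = "CN=RID Manager`$,CN=System,$domainDn"
    'Infrastructure Master'= "CN=Infrastructure,$domainDn"
    'Schema Master'        = $schemaDn
    'Domain Naming Master' = "CN=Partitions,$configDn"
}

# views[role][dcName] = NTDS Settings DN that this DC believes holds the role.
$views = @{}
foreach ($dc in $domain.DomainControllers) {
    foreach ($role in $roleObjects.Keys) {
        $path = "LDAP://$($dc.Name)/$($roleObjects[$role])"
        try {
            # Binding to a specific DC returns that DC's replica, not a referral.
            $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
            $owner = [string]$entry.Properties['fSMORoleOwner'].Value
        } catch {
            $owner = "UNREACHABLE: $($_.Exception.Message)"
        }
        if (-not $views.ContainsKey($role)) { $views[$role] = @{} }
        $views[$role][$dc.Name] = $owner
    }
}

# A role is consistent only when every reachable DC names the same holder.
foreach ($role in $views.Keys) {
    $distinct = @($views[$role].Values | Sort-Object -Unique)
    $status = if ($distinct.Count -gt 1) { 'CONFLICT - two DCs disagree' } else { 'consistent' }
    Write-Output "$role : $status"
    foreach ($dcName in $views[$role].Keys) {
        Write-Output ("    {0,-24} says holder is {1}" -f $dcName, $views[$role][$dcName])
    }
}
```

A CONFLICT line right after a restore is expected until replication converges; one that persists means the restored DC and the DC that seized the role both believe they own it, which is the situation the quoted article warns about.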
 

Author Comment

by:dedri
ID: 39621274
10x alicain,
you clarified the Schema Master for me.
So, just to summarize, in case of failure I can restore the server from backup; the prerequisite is that the roles shouldn't be seized.
0
 
LVL 5

Accepted Solution

by:alicain
alicain earned 375 total points
ID: 39621359
Yes, that is possible, but to avoid potential issues, it is not recommended.

The best solution is to position the roles so that you do not put yourself in a situation that may result in having to take action that is not recommended...

Regards,
Alastair.
0
