Solved

AD restore of operations masters (FSMO) role

Posted on 2013-11-02
895 Views
Last Modified: 2013-11-15
Hello,
I am trying to figure out whether, in case of failure of one of our Domain Controllers, which holds all FSMO roles, it is possible to restore it.
As per the MS article,
Restoring the RID Master can result in Active Directory data corruption, so it is not recommended.
Restoring the Schema Master can result in orphaned objects, so it is not recommended.

So in case we need to restore the RID and Schema Master, what is the best practice? Is it possible to restore this server?

Windows servers are 2003R2. Domain functional level is also 2003R2.
Question by:dedri
9 Comments
 
LVL 6

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 125 total points
ID: 39618610
You should be able to restore a domain controller regardless of the FSMO roles it is running. The main rule is that you should not restore a DC that was holding an FSMO role if you have seized the role.


To restore an operations master role holder, you must perform one of the following procedures:

• Restore the failed operations master from backup.
• Seize the role to another domain controller within the environment. Seize the operations master role only if you do not intend to restore the original role holder from backup.

Tom
 
LVL 5

Expert Comment

by:alicain
ID: 39618621
Hi,

As you say, when the RID master has been seized, it must not be returned to service. Although this is different to the scenario of: the DC holding the RID master fails, no roles are transferred/seized, and the DC is non-authoritatively restored from backup.

I cannot think what the information you've read about the schema master is referring to.  It is only used during the process of updating the schema.  I cannot see how doing a non-authoritative restore of the schema master would result in orphaned objects, unless it was done in an unsupported way i.e. rollback of a VM image, but that's a different story...

Also, it is worth considering that in the event of a failure, it may be less pain to transfer/seize the roles, do a metadata cleanup, then rebuild the DC rather than restore from backup, depending on the nature of the failure.

Documenting the possible failure scenarios and your recovery plan in each case will help.  Given you have multiple DCs, consider spreading them around.

Regards,
Alastair.
 

Author Comment

by:dedri
ID: 39618726
Here is the article from the Microsoft site which I am reading:
http://technet.microsoft.com/en-us/library/cc526503.aspx

 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 39618739
Interesting article -- I wish they had a published date on it. Assuming that your DCs are only being DCs (and DNS), I like the article's recommendation of starting fresh. It sounds like a little bit of conflicting information. The bullet list that I provided was from Microsoft's site, and that talks about restoring from backup.

Tom
 
LVL 5

Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39618765
The recommendation regarding the Schema Master and Domain Naming Master is to not bring them back online if they have been seized. But I think that is erring on the side of caution. The other guidance to "rebuild the DC and let it replicate" is probably the safest and easiest solution and the way I would go in the vast majority of cases.

Remember that you can live without the Schema and Domain Naming master being online - until you need to extend the schema or add a domain.  The PDCe needs to be online ASAP after a failure and the RID sooner rather than later.  So separating those roles between the DCs gives more options when responding to a failure.

This is the article that I refer back to for these situations:
     Responding to operations master failures
     http://technet.microsoft.com/en-us/library/cc737648(v=ws.10).aspx

Also, the Forest Recovery whitepaper gives excellent guidance:
     http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=ws.10).aspx

Regards,
Alastair.
 

Author Comment

by:dedri
ID: 39619732
Yes, I know that the best practice is to seize the roles and reinstall the server, but in my situation this is not only the domain controller: the server also holds the Certificate Authority, Terminal Server licenses, home folders, etc., and in case of failure I was wondering if a restore is possible, and if this restore will not do anything bad to my Active Directory.
 
LVL 5

Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39619747
Do you have enough Domain Controllers to be able to distribute the roles away from this DC, so that they are held on DCs that are disposable?


The following is from: http://technet.microsoft.com/en-us/library/cc780487(v=ws.10).aspx
It describes a scenario where the roles are seized after a failure and then the original DC is successfully recovered resulting in two DCs being online and holding the roles:
"...the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role that was seized, the severity of duplicate operations master roles varies from no visible effect to potential corruption of the AD DS database. Seize the operations master role to a domain controller that has the most recent updates from the current role holder to minimize the impact of the role seizure."

Restoring the Schema Master won't necessarily lead to orphaned objects, but depending on circumstances, such as the failure occurring in the middle of a schema update, it may. Due to the catastrophic impact of the worst case, the advice has to be to avoid the possibility of being in that situation.

Hope that helps...
Alastair.
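The failure mode quoted above (a role is seized, then the original holder is restored and two DCs believe they own the same role) and the earlier advice to spread the roles across DCs both come down to one question: what does each DC's own copy of the database say about who holds each role? The script below is an added example, not code from the thread or from Microsoft. It asks every DC for its view of the five fSMORoleOwner attributes, reports any role whose owner the DCs disagree on, and warns when all five roles sit on one DC (the situation the question describes). It assumes a domain-joined Windows machine, PowerShell 2.0 or later, read access to AD (the default for authenticated users) and LDAP reachability to every DC; it uses only ADSI and System.DirectoryServices, so no RSAT module is required. Function names are the author's own.

```powershell
# Added example (not from the thread): compare every DC's view of the FSMO
# role owners. A disagreement is the symptom of a seized role whose original
# holder came back online; a single owner for all five roles is the single
# point of failure the question asks about.
# Assumptions: domain-joined machine, PowerShell 2.0+, LDAP reachability to
# each DC, read access to AD. Uses ADSI and System.DirectoryServices only.

$FsmoRoles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'

function Get-NtdsServerName {
    # fSMORoleOwner is the DN of an NTDS Settings object:
    # CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...
    # so the DC name is the second RDN.
    param([string]$NtdsSettingsDn)
    if ([string]::IsNullOrEmpty($NtdsSettingsDn)) { return '<none>' }
    $rdns = $NtdsSettingsDn -split '(?<!\\),'
    if ($rdns.Count -lt 2) { return $NtdsSettingsDn }
    return ($rdns[1] -replace '^CN=', '')
}

function Get-FsmoViewFromDc {
    # Role -> owner DC name, as recorded in this particular DC's database.
    param([string]$DcName)
    $rootDse  = [ADSI]"LDAP://$DcName/RootDSE"
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # The object that carries fSMORoleOwner for each role.
    $roleObjects = @{
        'SchemaMaster'         = $schemaNc
        'DomainNamingMaster'   = "CN=Partitions,$configNc"
        'RIDMaster'            = "CN=RID Manager`$,$domainNc"
        'PDCEmulator'          = $domainNc
        'InfrastructureMaster' = "CN=Infrastructure,$domainNc"
    }

    $view = @{}
    foreach ($role in $FsmoRoles) {
        $obj = [ADSI]"LDAP://$DcName/$($roleObjects[$role])"
        $view[$role] = Get-NtdsServerName ([string]$obj.fSMORoleOwner)
    }
    return $view
}

function Test-FsmoConsistency {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $views  = @{}
    foreach ($dc in $domain.FindAllDomainControllers()) {
        try   { $views[$dc.Name] = Get-FsmoViewFromDc -DcName $dc.Name }
        catch { Write-Warning ("Could not query {0}: {1}" -f $dc.Name, $_.Exception.Message) }
    }
    if ($views.Count -eq 0) { throw 'No domain controller could be queried.' }

    $results = @()
    foreach ($role in $FsmoRoles) {
        # Distinct owners reported for this role across all reachable DCs.
        $owners = @($views.Keys | ForEach-Object { $views[$_][$role] } | Sort-Object -Unique)
        $status = if ($owners.Count -gt 1) { 'CONFLICT: DCs disagree on the owner' } else { 'consistent' }
        $results += New-Object PSObject -Property @{
            Role   = $role
            Owners = ($owners -join ', ')
            Status = $status
        }
    }

    # Single point of failure check: every role on the same DC.
    $allOwners = @($results | ForEach-Object { $_.Owners } | Sort-Object -Unique)
    if ($allOwners.Count -eq 1) {
        Write-Warning ("All five roles are on {0}; spreading them across DCs avoids having to seize roles after a single failure." -f $allOwners[0])
    }
    return $results
}

Test-FsmoConsistency | Format-Table Role, Owners, Status -AutoSize
```

A CONFLICT row is the signal to act before the duplicate role holder does any harm: take the restored machine off the network, decide which DC keeps the role, and clean up the other one rather than leaving both online. Running this after any DC restore, and periodically as a health check, catches the scenario the quoted article warns about.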
 

Author Comment

by:dedri
ID: 39621274
10x alicain,
you clarified the Schema Master for me.
So, just to summarize: in case of failure I can restore the server from backup; the prerequisite is that the roles shouldn't be seized.
 
LVL 5

Accepted Solution

by:alicain
alicain earned 375 total points
ID: 39621359
Yes, that is possible, but to avoid potential issues, it is not recommended.

The best solution is to position the roles so that you do not put yourself in a situation that may result in having to take action that is not recommended...

Regards,
Alastair.