AD restore of operations masters (FSMO) role

Hello,
I am trying to figure out whether, in case of failure of one of our Domain Controllers which holds all FSMO roles, it is possible to restore it.
As per the MS article,
Restoring the RID Master can result in Active Directory data corruption, so it is not recommended.
Restoring the Schema Master can result in orphaned objects, so it is not recommended.

So in case we need to restore RID and Schema Master, what is the best practice? Is it possible to restore this server?

Windows servers are 2003 R2. Domain functional level is also 2003 R2.
Asked by: dedri

4 Solutions
 
ButlerTechnology commented:
You should be able to restore a domain controller regardless of the FSMO roles it is running.  The main rule is that you should not restore a DC that was holding a FSMO role -- if you have seized the role.  


To restore an operations master role holder, you must perform one of the following procedures:

• Restore the failed operations master from backup.
• Seize the role to another domain controller within the environment. Seize the operations master role only if you do not intend to restore the original role holder from backup.

Tom

alicain commented:
Hi,

As you say, when the RID master has been seized, it must not be returned to service.  Although this is different to the scenario of: the DC holding the RID master fails, no roles are transferred/seized, and the DC is non-authoritatively restored from backup.

I cannot think what the information you've read about the schema master is referring to.  It is only used during the process of updating the schema.  I cannot see how doing a non-authoritative restore of the schema master would result in orphaned objects, unless it was done in an unsupported way i.e. rollback of a VM image, but that's a different story...

Also, it is worth considering that in the event of a failure, it may be less pain to transfer/seize the roles, metadata cleanup then rebuild the DC rather than restore from backup, depending on the nature of the failure.

Documenting the possible failure scenarios and your recovery plan in each case will help.  Given you have multiple DCs, consider spreading them around.

Regards,
Alastair.

dedri (Author) commented:
Here is the article from the Microsoft site which I am reading:
http://technet.microsoft.com/en-us/library/cc526503.aspx
ButlerTechnology commented:
Interesting article -- I wish they had a published date on it.  Assuming that your DCs are only being DCs (and DNS), I like the article's recommendation of starting fresh.  It sounds like a little bit of conflicting information.  The bullet list that I provided was from Microsoft's site and that talks about restoring from backup.

Tom

alicain commented:
The recommendation regarding the Schema Master and Domain Naming Master is to not bring them back online if they have been seized.  But I think that is erring on the side of caution.  The other guidance to "rebuild the DC and let it replicate" is probably the safest and easiest solution and the way I would go in the vast majority of cases.

Remember that you can live without the Schema and Domain Naming master being online - until you need to extend the schema or add a domain.  The PDCe needs to be online ASAP after a failure and the RID sooner rather than later.  So separating those roles between the DCs gives more options when responding to a failure.

This is the article that I refer back to for these situations :
     Responding to operations master failures
     http://technet.microsoft.com/en-us/library/cc737648(v=ws.10).aspx

Also, the Forest Recovery whitepaper gives excellent guidance :
     http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=ws.10).aspx

Regards,
Alastair.

dedri (Author) commented:
Yes, I know that the best practice is to seize the roles and reinstall the server, but in my situation this is not only a domain controller: the server also holds the Certificate Authority, Terminal Server licenses, home folders, etc., and in case of failure I was wondering if a restore is possible, and if this restore would not do any bad things to my Active Directory.

alicain commented:
Do you have enough Domain Controllers to be able to distribute the roles away from this DC, so that they are held on DCs that are disposable?


The following is from : http://technet.microsoft.com/en-us/library/cc780487(v=ws.10).aspx
It describes a scenario where the roles are seized after a failure and then the original DC is successfully recovered resulting in two DCs being online and holding the roles:
"...the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role that was seized, the severity of duplicate operations master roles varies from no visible effect to potential corruption of the AD DS database. Seize the operations master role to a domain controller that has the most recent updates from the current role holder to minimize the impact of the role seizure."

Restoring the Schema Master won't necessarily lead to orphaned objects, but depending on circumstances (occurring in the middle of a schema update), it may.  Due to the catastrophic impact of the worst case, the advice has to be to avoid the possibility of being in that situation.

Hope that helps...
Alastair.
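A pre-flight check for the situation quoted above, added here as an example (it is not from the thread or from Microsoft): ask each DC for its own view of the five role owners over plain LDAP, so a seized role whose original holder is about to come back online shows up as a disagreement before it does any harm. It assumes you run it as a domain user with LDAP access to every DC; the `fSMORoleOwner` attribute and the container paths are standard Active Directory, and no AD PowerShell module is required, so it works against 2003 R2 DCs.

```powershell
# Added example, not from the thread: ask every DC for its OWN view of the five
# FSMO owners over plain LDAP (works against Windows Server 2003 DCs, no AD
# PowerShell module needed). A role the DCs disagree about is the "two role
# holders" situation described in the quoted article.
param([string[]]$DomainControllers = @())

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = "$($rootDse.defaultNamingContext)"
$configNC = "$($rootDse.configurationNamingContext)"
$schemaNC = "$($rootDse.schemaNamingContext)"

# Each role is recorded as the fSMORoleOwner attribute of a well-known object.
$roleObjects = @{
    'PDCEmulator'          = $domainNC
    'RIDMaster'            = "CN=RID Manager`$,CN=System,$domainNC"
    'InfrastructureMaster' = "CN=Infrastructure,$domainNC"
    'SchemaMaster'         = $schemaNC
    'DomainNamingMaster'   = "CN=Partitions,$configNC"
}

if ($DomainControllers.Count -eq 0) {
    # No list given: find every NTDS Settings object under CN=Sites; its parent
    # is the server object, which carries the DC's dNSHostName.
    $searcher = New-Object DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Sites,$configNC", '(objectClass=nTDSDSA)')
    $DomainControllers = @($searcher.FindAll() | ForEach-Object {
        "$($_.GetDirectoryEntry().Parent.dNSHostName)" })
}

$views = foreach ($dc in $DomainControllers) {
    foreach ($role in $roleObjects.Keys) {
        try {
            # Bind to the role object on THIS DC so we read its local replica.
            $obj    = [ADSI]"LDAP://$dc/$($roleObjects[$role])"
            # fSMORoleOwner is an NTDS Settings DN; its parent is the holder's server object.
            $owner  = ([ADSI]"LDAP://$dc/$($obj.fSMORoleOwner)").Parent
            $holder = "$($owner.dNSHostName)"
        } catch { $holder = 'UNREACHABLE' }
        New-Object PSObject -Property @{ QueriedDC = $dc; Role = $role; Holder = $holder }
    }
}

# Report: one consistent owner per role is healthy; more than one means a
# seized role's former holder is back (or about to be) and must not be trusted.
$views | Group-Object Role | ForEach-Object {
    $holders = @($_.Group | Select-Object -ExpandProperty Holder | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        Write-Warning "$($_.Name): DCs disagree on the owner: $($holders -join ', ')"
    } else {
        "$($_.Name): $($holders[0]) (all queried DCs agree)"
    }
}
```

Run it once before reconnecting a restored DC to the network and once after; a role that flips from "all agree" to "disagree" is the restored box still believing it owns a seized role.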
 
dedri (Author) commented:
10x alicain,
you clarified the Schema Master for me.
So, just to summarize, in case of failure I can restore the server from backup; the prerequisite is that the roles shouldn't have been seized.

alicain commented:
Yes, that is possible, but to avoid potential issues, it is not recommended.

The best solution is to position the roles so that you do not put yourself in a situation that may result in having to take action that is not recommended...

Regards,
Alastair.