Solved

AD restore of operations masters(FSMO) role

Posted on 2013-11-02
Last Modified: 2013-11-15
Hello,
I am trying to figure out if in case of failure of one of our Domain Controller which holds all FSMO roles is it possible to restore it.
As per the MS article,
Restoring the RID Master can result in Active Directory data corruption, so it is not recommended.
Restoring the Schema Master can result in orphaned objects, so it is not recommended.

So in case we need to restore RID and Schema Master, what is the best practice? Is it possible to restore this server?

Windows servers are 2003R2. domain functional level is also 2003R2.
Question by:dedri
9 Comments

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 125 total points
ID: 39618610
You should be able to restore a domain controller regardless of the FSMO roles it is running.  The main rule is that you should not restore a DC that was holding a FSMO role -- if you have seized the role.  


To restore an operations master role holder, you must perform one of the following procedures:

•Restore the failed operations master from backup.
•Seize the role to another domain controller within the environment. Seize the operations master role only if you do not intend to restore the original role holder from backup

Tom
Expert Comment

by:alicain
ID: 39618621
Hi,

As you say, when the RID master has been seized, it must not be returned to service.  Although this is different to the scenario of : the DC holding the RID master fails, no roles are transferred/seized and the DC is non-authoritatively restored from backup.

I cannot think what the information you've read about the schema master is referring to.  It is only used during the process of updating the schema.  I cannot see how doing a non-authoritative restore of the schema master would result in orphaned objects, unless it was done in an unsupported way i.e. rollback of a VM image, but that's a different story...

Also, it is worth considering that in the event of a failure, it may be less pain to transfer/seize the roles, metadata cleanup then rebuild the DC rather than restore from backup, depending on the nature of the failure.

Documenting the possible failure scenarios and your recovery plan in each case will help.  Given you have multiple DCs, consider spreading them around.

Regards,
Alastair.
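The "transfer/seize the roles, metadata cleanup, then rebuild the DC" path that Alastair describes, as an added example that is not part of the thread and not Microsoft's own text. It drives ntdsutil from PowerShell so it works on Windows Server 2003 (SP1 or later for the one-line "remove selected server" form). The names DC1 (dead role holder), DC2 (surviving DC), the site name and the domain corp.example are assumptions; substitute your own, and seize only the roles the dead DC actually held.

```powershell
# Added example, not from the thread. Assumed: dead DC = DC1, survivor = DC2,
# domain corp.example, default site name. Run on DC2 as Domain Admin
# (Schema Admin / Enterprise Admin are also required for the two forest roles).
$survivorDc = 'DC2'
$deadDcDN   = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example'

# Each array element is one command at the ntdsutil prompt; "q" backs out of a menu.
function Invoke-Ntdsutil([string[]]$Commands) {
    & ntdsutil.exe @Commands 2>&1
}

# 1. Seize the roles DC1 held. ntdsutil tries a graceful transfer first and only
#    seizes if DC1 cannot be reached; each seize pops a yes/no confirmation.
#    A seize is one-way: after this, DC1 must never return as a DC, and a
#    restore from backup of DC1 is off the table.
$seize = @(
    'roles', 'connections', "connect to server $survivorDc", 'q',
    'seize PDC', 'seize RID master', 'seize infrastructure master',
    'seize schema master', 'seize domain naming master',
    'q', 'q'
)
Invoke-Ntdsutil $seize

# 2. Metadata cleanup: delete DC1's NTDS Settings and server objects so the
#    surviving DCs stop trying to replicate with it. Afterwards also remove the
#    DC1 computer account, its DNS SRV/A records and any FRS/SYSVOL references.
$cleanup = @(
    'metadata cleanup', "remove selected server $deadDcDN", 'q', 'q'
)
Invoke-Ntdsutil $cleanup

# 3. Verify over plain LDAP (no AD PowerShell module needed on 2003) that the
#    survivor now owns the RID role; fsmoRoleOwner is the holder's NTDS Settings DN.
$rootDse = [ADSI]'LDAP://RootDSE'
$domNC   = $rootDse.defaultNamingContext.Value
$rid     = [ADSI]"LDAP://CN=RID Manager$,CN=System,$domNC"
"RID master is now held by: $($rid.fsmoRoleOwner.Value)"
```

After step 2 the old DC1 is rebuilt as a fresh server and re-promoted; the rebuilt machine gets new RID pools and a new NTDS Settings object, which is why this path sidesteps the RID and Schema Master restore warnings entirely.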
Author Comment

by:dedri
ID: 39618726
here is the article from the microsoft site which I am reading:
http://technet.microsoft.com/en-us/library/cc526503.aspx
Expert Comment

by:ButlerTechnology
ID: 39618739
Interesting article -- I wish they had a published date on it.  Assuming that your DCs are only being DCs (and DNS), I like the article's recommendation of starting fresh.  It sounds like a little bit of conflicting information.  The bullet list that I provided was from Microsoft's site and that talks about restoring from backup.

Tom
Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39618765
The recommendations regarding the Schema Master and Domain Naming Master are to not bring them back online if they have been seized.  But I think that is erring on the side of caution.  The other guidance to "rebuild the DC and let it replicate" is probably the safest and easiest solution and the way I would go in the vast majority of cases.

Remember that you can live without the Schema and Domain Naming master being online - until you need to extend the schema or add a domain.  The PDCe needs to be online ASAP after a failure and the RID sooner rather than later.  So separating those roles between the DCs gives more options when responding to a failure.

This is the article that I refer back to for these situations :
     Responding to operations master failures
     http://technet.microsoft.com/en-us/library/cc737648(v=ws.10).aspx

Also, the Forest Recovery whitepaper gives excellent guidance :
     http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=ws.10).aspx

Regards,
Alastair.
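Alastair's point about separating the roles (PDCe and RID must come back fast, Schema and Domain Naming can wait) turned into a script, as an added example that is not part of the thread. It lists where the five roles sit and moves PDCe and RID off the DC that carries the forest roles, so the forest-role holder becomes a DC you can afford to rebuild. It assumes the ActiveDirectory PowerShell module on the management host and that the DCs expose ADWS (on Windows 2003 that means the Active Directory Management Gateway Service; without it, do the same move with ntdsutil "transfer PDC" / "transfer RID master"). Any DC other than the forest-role holder is taken as the target; pick one deliberately in a real domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# ADWS (or the AD Management Gateway Service on 2003 DCs) are available.
Import-Module ActiveDirectory

# Where the five roles currently sit, from the forest's and domain's point of view.
function Get-FsmoLayout {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoLayout
"Before:"; $before | Format-List

# The DC holding the forest roles is the one we want to make disposable.
$forestHolder = $before.SchemaMaster

# Any other writable DC in this domain can take PDCe and RID (assumption: the
# first one returned is acceptable; choose explicitly in production).
$target = Get-ADDomainController -Filter "HostName -ne '$forestHolder'" |
          Select-Object -First 1
if (-not $target) { throw "Only one DC found; add a second DC before spreading roles." }

if ($before.PDCEmulator -eq $forestHolder -or $before.RIDMaster -eq $forestHolder) {
    # Graceful transfer: both source and target are online, so the RID pool
    # state and PDC time role hand over cleanly. Do NOT add -Force here:
    # -Force is a seize, after which the old holder must stay offline forever.
    Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName `
        -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
}

# Re-read so the result reflects what replicated, not what we intended.
"After:"; Get-FsmoLayout | Format-List
```

With PDCe and RID on a second DC, losing the Schema/Domain Naming holder only blocks schema extensions and adding domains until it is rebuilt, which is exactly the situation the thread says you can live with.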
Author Comment

by:dedri
ID: 39619732
Yes, I know that the best practice is to seize the roles and reinstall the server, but in my situation this is not only the domain controller; the server also holds the Certificate Authority, Terminal Server licenses, home folders, etc., and in case of failure I was wondering if a restore is possible, and if this restore will not do any bad things to my Active Directory.
Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39619747
Do you have enough Domain Controllers to be able to distribute the roles away from this DC, so that they are held on DCs that are disposable?


The following is from : http://technet.microsoft.com/en-us/library/cc780487(v=ws.10).aspx
It describes a scenario where the roles are seized after a failure and then the original DC is successfully recovered resulting in two DCs being online and holding the roles:
"...the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role that was seized, the severity of duplicate operations master roles varies from no visible effect to potential corruption of the AD DS database. Seize the operations master role to a domain controller that has the most recent updates from the current role holder to minimize the impact of the role seizure."

Restoring the Schema Master won't necessarily lead to orphaned objects, but depending on circumstances, e.g. if it occurs in the middle of a schema update, it may.  Due to the catastrophic impact of the worst case, the advice has to be to avoid the possibility of being in that situation.

Hope that helps...
Alastair.
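The failure the quoted Microsoft text warns about (a role seized to DC2, then the old holder DC1 comes back from backup and still believes it owns the role) is visible in the directory itself: each DC stores its own copy of the fsmoRoleOwner attribute on the five role-bearing objects, and a restored DC carries a stale value until replication overwrites it (or, if the restore went wrong, indefinitely). Here is a check that asks every DC individually and flags disagreement, as an added example that is not part of the thread. It uses plain LDAP through [ADSI] so it runs against Windows 2003 DCs without ADWS; it assumes a domain-joined host and read access to the configuration partition.

```powershell
# Added example, not from the thread. Reads each DC's OWN view of the five
# fsmoRoleOwner attributes over LDAP and reports any role with two holders.
# Assumed: domain-joined host, domain user rights; no AD module required.
$root  = [ADSI]'LDAP://RootDSE'
$domNC = $root.defaultNamingContext.Value         # e.g. DC=corp,DC=example
$cfgNC = $root.configurationNamingContext.Value
$schNC = $root.schemaNamingContext.Value

# Object whose fsmoRoleOwner attribute names the holder of each role.
$roleContainers = @{
    'PDCEmulator'          = $domNC
    'RIDMaster'            = "CN=RID Manager$,CN=System,$domNC"
    'InfrastructureMaster' = "CN=Infrastructure,$domNC"
    'SchemaMaster'         = $schNC
    'DomainNamingMaster'   = "CN=Partitions,$cfgNC"
}

# Enumerate DCs from the Sites container (server objects with a dNSHostName).
$sites    = [ADSI]"LDAP://CN=Sites,$cfgNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
                $sites, '(objectClass=server)', [string[]]@('dNSHostName'))
$dcs = $searcher.FindAll() |
       ForEach-Object { $_.Properties['dnshostname'] | Select-Object -First 1 } |
       Where-Object { $_ }

# Ask each DC, not the nearest one, who it thinks owns each role.
# fsmoRoleOwner is the holder's NTDS Settings DN; the parent CN is the server.
$views = foreach ($dc in $dcs) {
    foreach ($role in $roleContainers.Keys) {
        try {
            $obj    = [ADSI]"LDAP://$dc/$($roleContainers[$role])"
            $ntdsDN = $obj.fsmoRoleOwner.Value
            $holder = $ntdsDN -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
        } catch {
            $holder = 'UNREACHABLE'     # offline DC; excluded from the comparison
        }
        [pscustomobject]@{ ReportingDC = $dc; Role = $role; Holder = $holder }
    }
}

# A role is in conflict when reachable DCs name more than one distinct holder.
$conflicts = $views | Group-Object Role | Where-Object {
    $holders = @($_.Group | Where-Object { $_.Holder -ne 'UNREACHABLE' } |
                Select-Object -ExpandProperty Holder -Unique)
    $holders.Count -gt 1
}

$views | Sort-Object Role, ReportingDC | Format-Table -AutoSize
if ($conflicts) {
    Write-Warning ("Duplicate operations master holders for: " +
                   (($conflicts | ForEach-Object { $_.Name }) -join ', '))
    # Keep the restored DC isolated until the stale holder is reconciled;
    # for RID this is the "potential corruption" case in the quoted article.
} else {
    'All reachable DCs agree on every operations master holder.'
}
```

Run this before you let a restored former role holder talk to the rest of the domain, and again a replication cycle later; a `\0ADEL:` fragment in a Holder value means the DC still points at a deleted NTDS Settings object, which is the metadata-cleanup case rather than a duplicate.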
Author Comment

by:dedri
ID: 39621274
Thanks alicain,
you clarified the Schema Master for me.
So, just to summarize, in case of failure I can restore the server from backup; the prerequisite is that the roles shouldn't be seized.
Accepted Solution

by:alicain
alicain earned 375 total points
ID: 39621359
Yes, that is possible, but to avoid potential issues, it is not recommended.

The best solution is to position the roles so that you do not put yourself in a situation that may result in having to take an action that is not recommended...

Regards,
Alastair.