Solved

AD restore of operations masters(FSMO) role

Posted on 2013-11-02
863 Views
Last Modified: 2013-11-15
Hello,
I am trying to figure out whether, in case of failure of one of our Domain Controllers which holds all FSMO roles, it is possible to restore it.
As per the MS article,
Restoring the RID Master can result in Active Directory data corruption, so it is not recommended.
Restoring the Schema Master can result in orphaned objects, so it is not recommended.

So in case we need to restore RID and Schema Master, what is the best practice? Is it possible to restore this server?

Windows servers are 2003 R2. Domain functional level is also 2003 R2.
Question by:dedri
9 Comments
 
LVL 6

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 125 total points
ID: 39618610
You should be able to restore a domain controller regardless of the FSMO roles it is running. The main rule is that you should not restore a DC that was holding an FSMO role if you have seized the role.


To restore an operations master role holder, you must perform one of the following procedures:

• Restore the failed operations master from backup.
• Seize the role to another domain controller within the environment. Seize the operations master role only if you do not intend to restore the original role holder from backup.

Tom
 
LVL 5

Expert Comment

by:alicain
ID: 39618621
Hi,

As you say, when the RID master has been seized, it must not be returned to service. Although this is different to the scenario of: the DC holding the RID master fails, no roles are transferred/seized, and the DC is non-authoritatively restored from backup.

I cannot think what the information you've read about the schema master is referring to.  It is only used during the process of updating the schema.  I cannot see how doing a non-authoritative restore of the schema master would result in orphaned objects, unless it was done in an unsupported way i.e. rollback of a VM image, but that's a different story...

Also, it is worth considering that in the event of a failure, it may be less pain to transfer/seize the roles, do a metadata cleanup, then rebuild the DC rather than restore from backup, depending on the nature of the failure.

Documenting the possible failure scenarios and your recovery plan in each case will help.  Given you have multiple DCs, consider spreading them around.

Regards,
Alastair.
 

Author Comment

by:dedri
ID: 39618726
Here is the article from the Microsoft site which I am reading:
http://technet.microsoft.com/en-us/library/cc526503.aspx
 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 39618739
Interesting article -- I wish they had a published date on it. Assuming that your DCs are only being DCs (and DNS), I like the article's recommendation of starting fresh. It sounds like a little bit of conflicting information. The bullet list that I provided was from Microsoft's site and that talks about restoring from backup.

Tom
 
LVL 5

Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39618765
The recommendation regarding the Schema Master and Domain Naming Master is to not bring them back online if they have been seized. But I think that is erring on the side of caution. The other guidance to "rebuild the DC and let it replicate" is probably the safest and easiest solution and the way I would go in the vast majority of cases.

Remember that you can live without the Schema and Domain Naming master being online - until you need to extend the schema or add a domain.  The PDCe needs to be online ASAP after a failure and the RID sooner rather than later.  So separating those roles between the DCs gives more options when responding to a failure.

This is the article that I refer back to for these situations:
     Responding to operations master failures
     http://technet.microsoft.com/en-us/library/cc737648(v=ws.10).aspx

Also, the Forest Recovery whitepaper gives excellent guidance:
     http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=ws.10).aspx

Regards,
Alastair.
 

Author Comment

by:dedri
ID: 39619732
Yes, I know that the best practice is to seize the roles and reinstall the server, but in my situation this is not only a domain controller: the server also holds the Certificate Authority, Terminal Server licenses, home folders, etc. In case of failure I was wondering if a restore is possible, and if this restore will not do any bad things to my Active Directory.
 
LVL 5

Assisted Solution

by:alicain
alicain earned 375 total points
ID: 39619747
Do you have enough Domain Controllers to be able to distribute the roles away from this DC, so that they are held on DCs that are disposable?


The following is from: http://technet.microsoft.com/en-us/library/cc780487(v=ws.10).aspx
It describes a scenario where the roles are seized after a failure and then the original DC is successfully recovered resulting in two DCs being online and holding the roles:
"...the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role that was seized, the severity of duplicate operations master roles varies from no visible effect to potential corruption of the AD DS database. Seize the operations master role to a domain controller that has the most recent updates from the current role holder to minimize the impact of the role seizure."

Restoring the Schema Master won't necessarily lead to orphaned objects, but depending on circumstances, such as the failure occurring in the middle of a schema update, it may. Due to the catastrophic impact of the worst case, the advice has to be to avoid the possibility of being in that situation.

Hope that helps...
Alastair.
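The two answers above turn on three checks an administrator can script: whether every DC agrees on who holds each role (two DCs claiming the same role after a seizure is the situation the quoted TechNet passage warns about), whether all five roles sit on one DC (the single point of failure Alastair recommends against), and, before restoring a failed role holder from backup, whether any of its roles have since been seized. The following is an added example, not code from this thread or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT) on a management host that can query every DC; on a 2003-era domain without that module, `netdom query fsmo` gives the same per-DC view. The DC names and the list of roles held before the failure are placeholders for your own documented recovery plan.

```powershell
# Added example (not from the thread): audit FSMO ownership as every DC sees it,
# flag roles concentrated on one DC, and decide whether a failed role holder can
# be restored from backup (only when none of its roles were seized elsewhere).
# Assumes the ActiveDirectory module on a management host with read access to all DCs.

Import-Module ActiveDirectory

$FsmoRoles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Get-FsmoViewPerDc {
    # Ask each reachable DC which servers it believes hold the five roles.
    # A healthy forest returns the same answer from every DC.
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object HostName))

    foreach ($dc in $DomainControllers) {
        try {
            $forest = Get-ADForest -Server $dc
            $domain = Get-ADDomain -Server $dc
            [pscustomobject]@{
                QueriedDc            = $dc
                SchemaMaster         = $forest.SchemaMaster
                DomainNamingMaster   = $forest.DomainNamingMaster
                PDCEmulator          = $domain.PDCEmulator
                RIDMaster            = $domain.RIDMaster
                InfrastructureMaster = $domain.InfrastructureMaster
            }
        } catch {
            # A DC that cannot be reached is reported, not silently skipped.
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
        }
    }
}

function Test-FsmoConsistency {
    # One row per role listing every distinct holder the DCs reported.
    # Conflict = $true is the "two DCs performing the same role" case.
    param([object[]]$Views)

    foreach ($role in $FsmoRoles) {
        $holders = @($Views | ForEach-Object { $_.$role } | Where-Object { $_ } | Sort-Object -Unique)
        [pscustomobject]@{
            Role     = $role
            Holders  = ($holders -join ', ')
            Conflict = ($holders.Count -gt 1)
        }
    }
}

function Test-FsmoConcentration {
    # $true when every role is reported on the same single DC.
    param([object[]]$Consistency)
    $distinct = @($Consistency | ForEach-Object Holders | Where-Object { $_ } | Sort-Object -Unique)
    return ($distinct.Count -eq 1)
}

function Test-FsmoRestoreSafety {
    # $FailedDc: the DC you want to restore from backup (offline, so not queried).
    # $RolesHeldBeforeFailure: the roles it held, taken from your recovery documentation.
    # A role the live DCs now attribute to another server has been seized; restoring
    # the old holder would bring a second owner of that role online.
    param(
        [Parameter(Mandatory)][string]$FailedDc,
        [Parameter(Mandatory)][string[]]$RolesHeldBeforeFailure,
        [object[]]$Consistency = (Test-FsmoConsistency -Views (Get-FsmoViewPerDc))
    )
    $seized = @(foreach ($role in $RolesHeldBeforeFailure) {
        $row = $Consistency | Where-Object Role -eq $role
        if ($row -and $row.Holders -and (($row.Holders -split ', ') -notcontains $FailedDc)) { $role }
    })
    [pscustomobject]@{
        FailedDc      = $FailedDc
        SeizedRoles   = $seized
        SafeToRestore = ($seized.Count -eq 0)
    }
}

# Usage (placeholder names):
#   $views = Get-FsmoViewPerDc
#   $state = Test-FsmoConsistency -Views $views
#   $state | Format-Table
#   if (Test-FsmoConcentration -Consistency $state) { Write-Warning 'All FSMO roles are on one DC' }
#   Test-FsmoRestoreSafety -FailedDc 'dc1.example.local' -RolesHeldBeforeFailure 'RIDMaster','PDCEmulator' -Consistency $state
```

Run the consistency check from the remaining DCs before deciding between restore and rebuild: if `SafeToRestore` is `$false`, at least one role was seized and the failed server should be rebuilt and allowed to replicate rather than restored, which is the outcome both answers arrive at.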
 

Author Comment

by:dedri
ID: 39621274
Thanks alicain,
you clarified the Schema Master for me.
So, just to summarize, in case of failure I can restore the server from backup; the prerequisite is that the roles shouldn't be seized.
 
LVL 5

Accepted Solution

by:alicain
alicain earned 375 total points
ID: 39621359
Yes, that is possible, but to avoid potential issues, it is not recommended.

The best solution is to position the roles so that you do not put yourself in a situation that may result in having to take action that is not recommended...

Regards,
Alastair.