Solved

DC failure  Windows Server 2008 R2

Posted on 2013-12-24
15
450 Views
Last Modified: 2013-12-27
Both machines mentioned are VMs (xenserver)

I have a dc server that has failed. (Raid failure and corrupted VM)  It was also a DNS server and had DFRS namespace function.

There is a second server that has all the roles and is a global catalog.

I do have a vm image (3-4 days old) of the failed server.  
1 - Would there be any benefit to boot the image and run dcpromo to remove it from the domain?  Or would there be AD contamination?
2 - I can live without the DFRS for a few days
3 - If I do not do dcpromo on the image, how do I make sure that the server is removed from the domain?
4 - What about DNS?

Thanks
0
Comment
Question by:dustypenguin
  • 8
  • 3
  • 3
  • +1
15 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 39737865
Consider what you would do if these machines were physical.  Adsiedit would be required to remove the failed server.  So you could go that route.  But if the VM's images are only 3/4 days old could you not replace the failed drives and restore the images?

Consider what would happen if the failed DC were simply accidently turned off for the weekend.  On the next working day, when restarted it would replicate with the live DC's in the domain, updating and exchanging information until they were in sync.  I don't believe restoring a 3/4 day old image will cause any harm.

In the case of DNS, it seems to me you will want to have a DNS server on your network.  You say this one was "a dns server".  If there are no others, you can add the role to any other server in the domain either permanently or temp.
0
 

Author Comment

by:dustypenguin
ID: 39737870
Can I indeed, just use the Active Directory Users and Computers snap in and remove the failed server from the Domain Controllers list?
0
 

Author Comment

by:dustypenguin
ID: 39737876
Thanks for the reply fl_flyfishing, yes there is another DNS server on the network.

Having lived through a domain crash, I am hesitant to just restore and go if there is a chance that it would inject bad data into the AD.  Especially in light of wanting the next couple of days off!
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 39737898
No ADUC will not clean up the other DC's.  ADSIedit is required.  You should be able to find the steps in the MS KB.  As far as the other DC's are concerned, this DC has simply been turned off.  ADUC is for removing AFTER the DC has been DCPromo'd out of the AD.
0
 

Author Comment

by:dustypenguin
ID: 39737915
I am restoring the image ... we'll give that a go and monitor the event viewer.  I would have done that earlier (last night), except for my bad experience about 5 years ago.  Ugly ugly ugly.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39737936
The appropriate way to cleanup AD is below...
- Use ntdsutil (perform a metadata cleanup) to remove the broken server
- DO NOT bring up the old imaged server that was from 3-4 days ago
*as soon as you bring this server back up in the environment it is going to start replicating and authenticating users. The USN will be out of sync due to this failure.
- Once you have remove cleaned up the server using ntdsutil, you will need to go into ADUC delete the computer account
- Open Sites and Services and remove the computer object from there
- Open DNS Manager and under _msdcs folder (SRV records) you will need to remove all of the records that were associated with your DC that you are removing (kereros/ldap/gc/etc)
- You will also want to change your DNS server settings on your DHCP client scopes so that they no longer point to this DNS server

Once you have completely removed all of the objects from your environment you can bring up a new server and promote this server as a domain controller and it will replicate it's data from healthy DC.

Below is a link on how to use NTDSUTIL to remove cleanup metadata and also removing the object from AD. http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Will.
0
 

Author Comment

by:dustypenguin
ID: 39737950
Thanks for the reply, Will.  I think I agree with you.

Here is the part I do not understand.  I did not have to seize any roles, since the roles already resided on the other DC.

What is my next step directly after that?

Your link says "Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services"  I am not sure I have done that part ("forced removal") yet ....
0
 

Author Comment

by:dustypenguin
ID: 39737959
Will

In the text of the link it says "Expand the domain of the domain controller that was forcibly removed ... "

That's the part I am unsure of.  Do I have to do an action to forcibly remove the DC or is the failure itself the removal?

Thanks
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39737993
If the FSMO role holder is dead you need to seize the role and perform metadata cleanup. Not your issue.

If you have a BDC (backup DC) that has failed you still need to perform the metadata cleanup and remove this DC from Active Directory and Sites and Services. As stated as well you need to update your DHCP scopes DNS server settings. SRV records are also required.

Basically all you need to do from NTDSUTIL is do metadata cleanup and then proceed with the removal of computer objects for that account.

Will.
0
 

Author Comment

by:dustypenguin
ID: 39738004
Ok, good.

From what I see from the link provided, I can do both things from Active Directory Users and Computers, and I do not need to use NTDSUTIL, as metadata will be cleaned up as well through the GUI.  

("When you use Remote Server Administration Tools (RSAT) or the Active Directory Users and Computers console (Dsa.msc) that is included with Windows Server 2008 or Windows Server 2008 R2 to delete a domain controller computer account from the Domain Controllers organizational unit (OU), the cleanup of server metadata is performed automatically. Previously, you had to perform a separate metadata cleanup procedure.")

Would you agree with that assessment?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39738021
This is correct. I prefer to do it from NTDSUTIL (personal preference). However if you choose to do it from the GUI it would be a good idea to ensure that it is removed by using ntdsutil which can verify this.

You still need to cleanup sites and services and most importantly is SRV records in DNS.

Will.
0
 

Author Comment

by:dustypenguin
ID: 39738027
Ok, thanks ...
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39741366
Restoring a VM image of a failed domain controller is not a support recovery option by Microsoft or VM. Both companies recommend not doing that.

You are on the right track about removing the old DC. You don't need to have it running to delete it.

It is a failed DC so you can safely just delete the computer account for the DC from ADUC.
Using the GUI is the preferred method on AD2008.

Once you've deleted the computer account you should then format the drive and re-install Windows and then add the Directory Services.
0
 

Author Closing Comment

by:dustypenguin
ID: 39741867
This article ( https://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx?Redirected=true ) was also very helpful in understanding why this was the right answer.

While fl_flyfishing's answer was correct for a physical machine that had died, the issue with a VM is that between the time of the VM backup, and the time the machine had died, there may have been (and likely were) USN updates that would have made the VM backup out of sync with the rest of the DCs on the network.  Since the failed machine had accepted some new USNs since the backup, it can not just get back to the level of the other machines since they would see a conflict there in trying to resubmit USNs that had already been accepted.

Thanks for each of your participation.
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 39742252
Lesson Learned.  Thanks everyone.
0

Join & Write a Comment

I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router. Problem: I had an issue especially with mobile devices that refused to use DNS information supplied via…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now