devon-lad
asked on
Domain controllers accidentally deleted in AD
Customer has 5 sites with Win 2003 domain controllers at 4 branches and Windows 2008 R2 at the other.
Replication between these sites works fine.
We are replacing all 5 branch servers with Win2012 domain controllers.
One of the new servers was taken to the nearest branch, added to the domain and promoted to a domain controller. After AD replication was complete it was brought back to our office.
A VPN connection to all sites was set up from our office (using the same method the branches use to communicate).
Our office and subnet were added to AD sites and services.
Event logs showed new domain controller was replicating correctly with other sites.
Added the remaining 4 servers to the domain and promoted to domain controllers.
At this point I realised, for various reasons, that we hadn't chosen the best names for the new servers.
So I used netdom to rename them all as follows:
netdom computername oldname.domain.local /add:newname.domain.local
netdom computername oldname.domain.local /makeprimary:newname.domain.local
Then after a reboot
netdom computername newname.domain.local /remove:oldname.domain.local
All worked fine.
A few days later (new servers still in our office) - I logged into one of the original DCs and whilst tidying up some user accounts noticed that two machine accounts were showing under the Computer OU for two of the new domain controllers - using the first incorrect names that they'd been given.
I very stupidly thought these were orphan objects left after all the new servers were renamed and deleted them both.
I then noticed in the FRS logs that replication hadn't been taking place due to low system disk space. So sorted that out and got it working again.
Only shortly after this did I realise I'd made a serious mistake - by which time the server where I had deleted the two servers in AD had replicated with all other domain controllers.
As a result we now have a situation where two of the new domain controllers no longer have accounts in AD and we're unable to login to either of them.
Obviously, as they're not in production yet, we could just start from scratch, but a lot of work has already been done on them setting up other software. Unfortunately the backup process hasn't been set up on any of them yet.
Is there any way to recover from this situation?
Here is what I would try first before an authoritative restore. Log in, LOCALLY, to the servers having problems and unjoin them from the domain. I know they aren't there in the domain but do this so that the servers also think they aren't on the domain. Reboot, then rejoin them to the domain.
Obviously this all hinges on the fact that you have at least one working domain controller.
Post back the results if that doesn't work.
ASKER
Dirk - I had considered this, however, taking into consideration time to drive to the nearest branch etc., this solution would be comparable to rebuilding the 2 DCs from an inconvenience point of view.
Brad - This was my first idea, however, I am unable to login to either problematic machine using the local admin account. Am I right in thinking this feature is disabled on DCs?
ASKER
BTW - I thought of restoring the deleted objects in the same way I would recover a deleted user account (with ldp.exe), but presumed this wouldn't work for DCs?
Am I right in thinking this feature is disabled on DCs?
You should be able to still log on locally, however, you may need to try something like a local password reset disk. You can burn an ISO that is super small and run it and it will take you through a command line reset of the local admin account then you could get in again.
Try this one: pogostick.net/~pnh/ntpassw
ASKER
I thought by default the local security policy prevents this when a server is promoted to DC?
And as we can't login to the machine we can't change this.
Which operating system is the DC whose AD account was deleted?
If it's 2008 or 2012 then follow http://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/
Note: also run sysdm.cpl at a command prompt. After changing the password, start the server in Active Directory restore mode.
ASKER
The domain admin password has not been forgotten - this article doesn't apply.
It is for the local admin. (I know there is no local admin on a domain controller.)
Unplug the server from the LAN, reset the password and start the machine in DSRM.
ASKER
Dirk - I was missing the point that I could just use DSRM to get logged into the problematic servers - no need to do a directory restore - maybe what Santosh meant.
So did the following on each server:
1. Unplugged network cable
2. Logged in under DSRM
3. Forced demotion and restarted (this also removed from the domain)
4. Removed AD and restarted
5. Plugged in network cable
At this point ran into some problems.
On one server could rejoin domain, re-add AD - but wouldn't promote to DC
On the other could not join domain.
In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.
ASKER
Santosh - sorry messages crossed
At this point ran into some problems.
On one server could rejoin domain, re-add AD - but wouldn't promote to DC
On the other could not join domain.
In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.
Try this, then try re-joining/re-promoting: http://support.microsoft.com/kb/260575
ASKER
FYI - nslookup for domain hosts fails on both servers. Though when logging into the DCs they're using as DNS, works fine.
Hi,
you did a forced demotion of the server, so there is no way for the other records to be deleted from the DC.
1. ADUC - you have already deleted it.
2. DNS - you need to check and delete the NS and other records, if any.
3. Sites & Services
Otherwise you will get the errors.
ASKER
After metadata cleanup, plus removing objects from DNS and site and services - still couldn't join the servers to the domain.
Realised that I'd left the DNS roles installed on both servers - even though they were using one of the other DCs for DNS.
Removed the DNS role and restarted.
Now able to join to the domain again.
Hopefully that will be it - will report back later.
Realised that I'd left the DNS roles installed on both servers - even though they were using one of the other DCs for DNS.
Removed the DNS role and restarted.
Now able to join to the domain again.
Hopefully that will be it - will report back later.
Very first step: you have missed one step in the DC rename operation:
Update the FRS member object
http://technet.microsoft.com/en-us/library/cc785970(v=ws.10).aspx
You said that you have deleted the domain controllers from the Computers OU.
How come they moved from the Domain Controllers OU to the default Computers OU?
How many computer accounts are you able to find in the Domain Controllers OU?
Mahesh.
ASKER
Further to last post - all back up and running.
Mahesh - I was going by this more up to date article
http://technet.microsoft.com/en-us/library/cc816601(v=ws.10).aspx
The articles do not differ much,
but have you followed the other step after the rename activity?
If you forgot that, it can cause FRS replication issues.
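An added verification script, not from this thread or from the Microsoft articles linked in it, covering both the metadata cleanup the asker had to do after the forced demotions and the FRS member object Mahesh mentions: it lists every leftover reference to a given DC name across the computer account, Sites and Services, the SYSVOL FRS member object and DNS, so nothing has to be deleted by guesswork. $OldName and $DnsServer are placeholder parameters; it assumes domain.local is the forest root (so _msdcs is its own zone) and that the RSAT ActiveDirectory and DnsServer modules are installed on the machine running it.

```powershell
# Added check (not from the thread): after a forced demotion or a DC rename, list every
# object that still references a DC name, so the cleanup in KB 260575 can be verified
# before re-joining or re-promoting. $OldName and $DnsServer are operator-supplied placeholders.
param(
    [Parameter(Mandatory)][string]$OldName,              # pre-rename or force-demoted DC name
    [string]$DnsServer = (Get-ADDomainController).HostName # any healthy DC hosting the zone
)
Import-Module ActiveDirectory, DnsServer

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$zone     = $domain.DNSRoot
$fqdn     = "$OldName.$zone"
$findings = @()

# 1. Computer account: a live DC belongs in the Domain Controllers OU, not the Computers container
$acct = Get-ADComputer -LDAPFilter "(name=$OldName)" -ErrorAction SilentlyContinue
if ($acct) { $findings += "Computer account still present: $($acct.DistinguishedName)" }

# 2. Sites and Services: the server object and its NTDS Settings child (left behind by a forced demotion)
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$OldName))"
if ($server) {
    $findings += "Server object still present: $($server.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)" -SearchScope OneLevel
    if ($ntds) { $findings += "NTDS Settings still present (metadata cleanup not done): $($ntds.DistinguishedName)" }
}

# 3. FRS member object under the SYSVOL replica set (the rename step in the cc785970 article)
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$($domain.DistinguishedName)"
$frs = Get-ADObject -SearchBase $frsBase -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$OldName))" -ErrorAction SilentlyContinue
if ($frs) { $findings += "FRS member object still named after old DC: $($frs.DistinguishedName)" }

# 4. DNS: NS delegation and SRV records in _msdcs that still point at the old host name
$ns = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType NS |
      Where-Object { $_.RecordData.NameServer -like "$fqdn*" }
if ($ns) { $findings += "NS record still delegates to $fqdn" }
$srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$zone" -RRType SRV |
       Where-Object { $_.RecordData.DomainName -like "$fqdn*" }
if ($srv) { $findings += "$(@($srv).Count) SRV record(s) in _msdcs.$zone still point at $fqdn" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else          { "No leftover references to $OldName found." }
```

Run it against a healthy DC once for each name a problem server has carried (the original name and the renamed one); an empty result is what you want to see before rejoining.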
After the authoritative restore of the two objects replication will take care of the rest.
DirkMare