Solved

Domain controllers accidentally deleted in AD

Posted on 2014-03-24
Last Modified: 2014-03-31
Customer has 5 sites with Win 2003 domain controllers at 4 branches and Windows 2008 R2 at the other.

Replication between these sites works fine.

We are replacing all 5 branch servers with Win2012 domain controllers.

One of the new servers was taken to the nearest branch, added to the domain and promoted to a domain controller.  After AD replication was complete it was brought back to our office.

VPN connection to all sites was setup from our office (using same method as branches use to communicate).

Our office and subnet were added to AD sites and services.

Event logs showed new domain controller was replicating correctly with other sites.

Added the remaining 4 servers to the domain and promoted to domain controllers.

At this point I realised, for various reasons, that we hadn't chosen the best names for the new servers.

So I used netdom to rename them all as follows:

netdom computername oldname.domain.local /add:newname.domain.local

netdom computername oldname.domain.local /makeprimary:newname.domain.local

Then after a reboot

netdom computername newname.domain.local /remove:oldname.domain.local

All worked fine.

A few days later (new servers still in our office) - I logged into one of the original DCs and whilst tidying up some user accounts noticed that two machine accounts were showing under the Computer OU for two of the new domain controllers - using the first incorrect names that they'd been given.

I very stupidly thought these were orphan objects left after all the new servers were renamed and deleted them both.

I then noticed in the FRS logs that replication hadn't been taking place due to low system disk space.  So sorted that out and got it working again.

Only shortly after this did I realise I'd made a serious mistake - by which time the server where I had deleted the two servers in AD had replicated with all other domain controllers.

As a result we now have a situation where two of the new domain controllers no longer have accounts in AD and we're unable to log in to either of them.

Obviously as they're not in production yet we could just start from scratch, but there's already been a lot of work done on them setting up other software.  Unfortunately the backup process hasn't been setup on any of them yet.

Is there any way to recover from this situation?
0
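The deletion described in the question (two computer objects removed from the Computers container that turned out to belong to domain controllers) is exactly what a pre-flight check should refuse. The PowerShell below is an added example, not code from the original post or from any of the commenters. It assumes the ActiveDirectory module (RSAT) on a Windows 2008 R2/2012 machine; the computer name NEWDC01 in the usage lines is hypothetical.

```powershell
# Added example (not from the original post): refuse to delete a computer
# object that still looks like a domain controller. Assumes the ActiveDirectory
# module (RSAT) on a 2008 R2/2012 machine; NEWDC01 is a hypothetical name.
Import-Module ActiveDirectory

function Test-IsDomainController {
    param([Parameter(Mandatory)][string]$ComputerName)

    $SERVER_TRUST_ACCOUNT = 0x2000    # userAccountControl bit set on DC accounts
    $configDn = (Get-ADRootDSE).configurationNamingContext

    # 1. The account itself, wherever it lives (Domain Controllers OU or not).
    $account   = Get-ADComputer -Identity $ComputerName -Properties userAccountControl
    $trustFlag = ($account.userAccountControl -band $SERVER_TRUST_ACCOUNT) -ne 0
    $inDcOu    = $account.DistinguishedName -like "*,OU=Domain Controllers,*"

    # 2. A server object of that name under Sites that still has an NTDS Settings child.
    $server  = Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter "(&(objectClass=server)(name=$ComputerName))"
    $hasNtds = $false
    if ($server) {
        $hasNtds = [bool](Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel -LDAPFilter "(objectClass=nTDSDSA)")
    }

    # 3. Whether the directory itself lists it as a DC.
    $listed = [bool](Get-ADDomainController -Filter "Name -eq '$ComputerName'")

    [pscustomobject]@{
        Name                  = $ComputerName
        DistinguishedName     = $account.DistinguishedName
        ServerTrustFlag       = $trustFlag
        InDomainControllersOu = $inDcOu
        HasNtdsSettings       = $hasNtds
        ListedAsDc            = $listed
        IsDomainController    = ($trustFlag -or $inDcOu -or $hasNtds -or $listed)
    }
}

function Remove-ComputerAccountSafely {
    param([Parameter(Mandatory)][string]$ComputerName)

    $check = Test-IsDomainController -ComputerName $ComputerName
    if ($check.IsDomainController) {
        throw "Refusing to delete '$ComputerName': it still looks like a domain controller.`n$($check | Out-String)"
    }
    # Keep the confirmation prompt; a stale workstation account is the only thing this should ever remove.
    Remove-ADComputer -Identity $ComputerName -Confirm
}

# Usage (hypothetical name):
# Test-IsDomainController -ComputerName NEWDC01
# Remove-ComputerAccountSafely -ComputerName NEWDC01
```

Any one of the four signals is enough to block the deletion; an account that trips none of them is a candidate for removal, and even then the -Confirm prompt stays on. If the object really is stale, the result also tells you which of the DC-related objects (server object, NTDS Settings) still need cleaning up.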
Question by:devon-lad

20 Comments

LVL 16

Expert Comment

by:Dirk Mare
You should be able to do a authoritative restore of the two objects you deleted using the backups from the original Server 2003 (current/old DC)

After the authoritative restore of the two objects replication will take care of the rest.

DirkMare
LVL 17

Expert Comment

by:Brad Bouchard
Here is what I would try first before an authoritative restore.  Log in, LOCALLY, to the servers having problems and unjoin them from the domain.  I know they aren't there in the domain but do this so that the servers also think they aren't on the domain.  Reboot, then rejoin them to the domain.

Obviously this all hinges on the fact that you have at least one working domain controller.

Post back the results if that doesn't work.
LVL 1

Author Comment

by:devon-lad
Dirk - I had considered this, however, taking into consideration time to drive to the nearest branch etc., this solution would be comparable to rebuilding the 2 DCs from an inconvenience point of view.

Brad - This was my first idea, however, I am unable to log in to either problematic machine using the local admin account.  Am I right in thinking this feature is disabled on DCs?
LVL 1

Author Comment

by:devon-lad
BTW - I thought of restoring the deleted objects in a same way I would recover a deleted user account (with ldp.exe) - but presumed this wouldn't work for DCs?
LVL 17

Expert Comment

by:Brad Bouchard
Am I right in thinking this feature is disabled on DCs?

You should be able to still log on locally, however, you may need to try something like a local password reset disk.  You can burn an ISO that is super small and run it and it will take you through a command line reset of the local admin account then you could get in again.

Try this one:  pogostick.net/~pnh/ntpasswd/
LVL 1

Author Comment

by:devon-lad
I thought by default the local security policy prevents this when a server is promoted to DC?

And as we can't log in to the machine we can't change this.
LVL 13

Expert Comment

by:Santosh Gupta
Which operating system is the server whose AD account was deleted?

If it's 2008 or 2012, follow http://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/

Note: also run sysdm.cpl at a command prompt. After changing the password, start the server in Active Directory restore mode.
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 200 total points
Correct, the local account is disabled.  The only active local account is the Active Directory Restore Mode Admin Account, which is only available through restore mode.

Because its a DC your options are somewhat limited.

DirkMare
LVL 1

Author Comment

by:devon-lad
The domain admin password has not been forgotten - this article doesn't apply.
LVL 13

Expert Comment

by:Santosh Gupta
It is for the local admin (I know there is no local admin on a domain controller).

Unplug the server from the LAN, reset the password, and start the machine in DSRM.
LVL 1

Author Comment

by:devon-lad
Dirk - I was missing the point that I could just use DSRM to get logged into the problematic servers - no need to do a directory restore - maybe what Santosh meant.

So did the following on each server:

1. Unplugged network cable
2. Logged in under DSRM
3. Forced demotion and restarted (this also removed from the domain)
4. Removed AD and restarted
5. Plugged in network cable

At this point ran into some problems.

On one server could rejoin domain, re-add AD - but wouldn't promote to DC

On the other could not join domain.

In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.
LVL 1

Author Comment

by:devon-lad
Santosh - sorry messages crossed
LVL 17

Expert Comment

by:Brad Bouchard
At this point ran into some problems.

On one server could rejoin domain, re-add AD - but wouldn't promote to DC

On the other could not join domain.

In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.


Try this, then try re-joining/re-promoting:  http://support.microsoft.com/kb/260575
LVL 13

Accepted Solution

by:Santosh Gupta
Santosh Gupta earned 300 total points
Hi,

@devon-lad, yes, I meant DSRM; I thought you had also forgotten that password.


1. Again remove the server from the domain.
2. Run the metadata cleanup on a domain controller.
Note: make sure no entry remains in ADUC, DNS, and Sites & Services before proceeding to join the domain.
3. Then join the server to the domain.
LVL 1

Author Comment

by:devon-lad
FYI - nslookup for domain hosts fails on both servers, though when logging into the DCs they're using as DNS, it works fine.
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

3. Forced demotion and restarted (this also removed from the domain)

You force-demoted the server, so the other records did not get deleted from the DC.

1. ADUC - you already deleted it.
2. DNS - you need to check and delete the NS and other records, if any.
3. Sites & Services

Otherwise you will get the errors.
0
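The accepted solution and the checklist in the comment just above (ADUC, DNS, Sites & Services) describe what a force-demoted DC leaves behind and why a rejoin fails while any of it remains. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes it is run as a Domain Admin on a surviving DC with the ActiveDirectory module; the DNS part uses the DnsServer module, which only exists on Windows 2012 and later, so point -DnsServer at the 2012 DC if the surviving DNS servers are 2003/2008 R2 (on those, `dnscmd /enumrecords` shows the same data). NEWDC01 and domain.local are hypothetical names.

```powershell
# Added example (not from the thread): list, and optionally clean up, what a
# force-demoted DC leaves behind. Assumptions: Domain Admin on a surviving DC
# with the ActiveDirectory module; DNS checks need the DnsServer module
# (Windows 2012+). NEWDC01 and domain.local are hypothetical.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-StaleDcResidue {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][string]$DomainDnsName,   # e.g. domain.local
        [string]$DnsServer = 'localhost'                  # a 2012+ DNS server
    )
    $root     = Get-ADRootDSE
    $domainDn = $root.defaultNamingContext
    $configDn = $root.configurationNamingContext
    $found    = New-Object System.Collections.Generic.List[object]

    function Add-Hit([string]$Kind, [string]$Where) {
        $found.Add([pscustomobject]@{ Kind = $Kind; Where = $Where })
    }

    # 1. Computer account anywhere in the domain (what ADUC shows).
    Get-ADObject -SearchBase $domainDn -LDAPFilter "(&(objectClass=computer)(name=$DcName))" |
        ForEach-Object { Add-Hit 'ComputerAccount' $_.DistinguishedName }

    # 2. Server object (and its NTDS Settings child) under Sites & Services.
    Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter "(&(objectClass=server)(name=$DcName))" |
        ForEach-Object { Add-Hit 'SiteServer' $_.DistinguishedName }

    # 3. FRS member object for SYSVOL (this domain still replicates SYSVOL with FRS).
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
    try {
        Get-ADObject -SearchBase $frsBase -LDAPFilter "(&(objectClass=nTFRSMember)(name=$DcName))" -ErrorAction Stop |
            ForEach-Object { Add-Hit 'FrsMember' $_.DistinguishedName }
    } catch { }

    # 4. DNS: NS, SRV, CNAME and A records that still name the old DC,
    #    in both the domain zone and _msdcs.
    foreach ($zone in @($DomainDnsName, "_msdcs.$DomainDnsName")) {
        $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            $d = $r.RecordData
            $hit = switch ($r.RecordType) {
                'NS'    { $d.NameServer    -like "$DcName.*" }
                'SRV'   { $d.DomainName    -like "$DcName.*" }
                'CNAME' { $d.HostNameAlias -like "$DcName.*" }
                'A'     { $r.HostName -eq $DcName }
                default { $false }
            }
            if ($hit) { Add-Hit "Dns:$($r.RecordType)" "$($r.HostName).$zone" }
        }
    }
    return $found
}

function Invoke-DcMetadataCleanup {
    param([Parameter(Mandatory)][string]$DcName)
    $configDn = (Get-ADRootDSE).configurationNamingContext
    $server = Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter "(&(objectClass=server)(name=$DcName))"
    if (-not $server) { Write-Warning "No server object named $DcName under Sites; nothing to clean."; return }
    # "remove selected server" (Windows 2003 SP1 and later) removes the NTDS
    # Settings object together with the FRS member object and computer account.
    # DNS records are NOT touched: re-run Get-StaleDcResidue afterwards and
    # delete the leftover DNS entries by hand.
    & ntdsutil.exe "metadata cleanup" "remove selected server $($server.DistinguishedName)" quit quit
}

# Usage (hypothetical names):
# Get-StaleDcResidue -DcName NEWDC01 -DomainDnsName domain.local | Format-Table -AutoSize
# Invoke-DcMetadataCleanup -DcName NEWDC01
```

Run the audit before and after the cleanup: the rejoin attempt should only be made once it returns nothing. Note that it searches the whole domain for the computer account rather than only the Domain Controllers OU, since, as this thread shows, the object is not always where you expect it.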
 
LVL 1

Author Comment

by:devon-lad
After metadata cleanup, plus removing objects from DNS and site and services - still couldn't join the servers to the domain.

Realised that I'd left the DNS roles installed on both servers - even though they were using one of the other DCs for DNS.

Removed the DNS role and restarted.

Now able to join to the domain again.

Hopefully that will be it - will report back later.
LVL 35

Expert Comment

by:Mahesh
Very first step: you have missed one step in the DC rename operation:
Update the FRS member object
http://technet.microsoft.com/en-us/library/cc785970(v=ws.10).aspx

You said that you have deleted the domain controllers from the Computers OU.
How come they moved from the Domain Controllers OU to the default Computers OU?

How many computer accounts are you able to find in the Domain Controllers OU?

Mahesh.
LVL 1

Author Comment

by:devon-lad
Further to last post - all back up and running.

Mahesh - I was going by this more up to date article
http://technet.microsoft.com/en-us/library/cc816601(v=ws.10).aspx
LVL 35

Expert Comment

by:Mahesh
The articles do not differ much,
but have you followed the other step after the rename activity?
If you forgot that, it can cause FRS replication issues.
0
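The netdom rename in the question and the FRS member step Mahesh raises both come down to the same thing: objects elsewhere in the directory hold a DN that points back at the DC's computer account, and a rename that does not carry them along leaves dangling references. The PowerShell below is an added example, not code from the thread or from the TechNet article, that audits those back-references after a rename. It assumes the ActiveDirectory module on any DC once replication has settled; it only reports, it does not modify anything.

```powershell
# Added example (not from the thread or the TechNet article): after a DC
# rename, verify that the FRS member object (frsComputerReference) and the
# site server object (serverReference) still resolve to the DC's computer
# account. Assumes the ActiveDirectory module on any DC after replication.
Import-Module ActiveDirectory

# Look up a DN, returning $null instead of throwing when it does not exist.
function Resolve-AdDn {
    param([string]$Dn)
    if (-not $Dn) { return $null }
    try { Get-ADObject -Identity $Dn -ErrorAction Stop } catch { $null }
}

function Get-DcReferenceMismatch {
    $root     = Get-ADRootDSE
    $domainDn = $root.defaultNamingContext
    $configDn = $root.configurationNamingContext
    $problems = New-Object System.Collections.Generic.List[object]

    # Every computer account currently in the Domain Controllers OU, by name.
    $dcNames = @{}
    Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,$domainDn" |
        ForEach-Object { $dcNames[$_.Name] = $_.DistinguishedName }

    # 1. FRS member objects under SYSVOL: frsComputerReference must resolve to a
    #    computer object whose name matches the member object's own name.
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
    $members = @()
    try {
        $members = @(Get-ADObject -SearchBase $frsBase -LDAPFilter "(objectClass=nTFRSMember)" -Properties frsComputerReference -ErrorAction Stop)
    } catch { }
    foreach ($m in $members) {
        $target = Resolve-AdDn $m.frsComputerReference
        if (-not $target) {
            $problems.Add([pscustomobject]@{ Object = $m.DistinguishedName; Issue = "frsComputerReference '$($m.frsComputerReference)' does not resolve" })
        } elseif ($target.Name -ne $m.Name) {
            $problems.Add([pscustomobject]@{ Object = $m.DistinguishedName; Issue = "member name '$($m.Name)' differs from computer '$($target.Name)'" })
        }
    }

    # 2. Server objects under Sites (normally one per DC): serverReference must
    #    resolve, and the server's name must still exist in the DC OU.
    $servers = Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter "(objectClass=server)" -Properties serverReference
    foreach ($s in $servers) {
        $target = Resolve-AdDn $s.serverReference
        if (-not $target) {
            $problems.Add([pscustomobject]@{ Object = $s.DistinguishedName; Issue = "serverReference '$($s.serverReference)' does not resolve" })
        } elseif (-not $dcNames.ContainsKey($s.Name)) {
            $problems.Add([pscustomobject]@{ Object = $s.DistinguishedName; Issue = "no computer named '$($s.Name)' in the Domain Controllers OU" })
        }
    }
    return $problems
}

# Usage: run on any DC; empty output means every back-reference is consistent.
# Get-DcReferenceMismatch | Format-Table -AutoSize
```

Run it once before the rename to establish a clean baseline and again after the final `netdom computername ... /remove` and reboot. A member object whose frsComputerReference no longer resolves is the condition the linked article's "update the FRS member object" step exists to fix; fixing it is a deliberate ADSI Edit change, which is why this script only reports.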
