devon-lad


Domain controllers accidentally deleted in AD

Customer has 5 sites with Win 2003 domain controllers at 4 branches and Windows 2008 R2 at the other.

Replication between these sites works fine.

We are replacing all 5 branch servers with Win2012 domain controllers.

One of the new servers was taken to the nearest branch, added to the domain and promoted to a domain controller.  After AD replication was complete it was brought back to our office.

VPN connection to all sites was setup from our office (using same method as branches use to communicate).

Our office and subnet were added to AD sites and services.

Event logs showed new domain controller was replicating correctly with other sites.

Added the remaining 4 servers to the domain and promoted to domain controllers.

At this point I realised, for various reasons, that we hadn't chosen the best names for the new servers.

So I used netdom to rename them all as follows:

netdom computername oldname.domain.local /add:newname.domain.local

netdom computername oldname.domain.local /makeprimary:newname.domain.local

Then after a reboot

netdom computername newname.domain.local /remove:oldname.domain.local

All worked fine.

A few days later (new servers still in our office) - I logged into one of the original DCs and whilst tidying up some user accounts noticed that two machine accounts were showing under the Computer OU for two of the new domain controllers - using the first incorrect names that they'd been given.

I very stupidly thought these were orphan objects left after all the new servers were renamed and deleted them both.

I then noticed in the FRS logs that replication hadn't been taking place due to low system disk space.  So sorted that out and got it working again.

Only shortly after this did I realise I'd made a serious mistake - by which time the server where I had deleted the two servers in AD had replicated with all other domain controllers.

As a result we now have a situation where two of the new domain controllers no longer have accounts in AD and we're unable to login to either of them.

Obviously as they're not in production yet we could just start from scratch, but there's already been a lot of work done on them setting up other software.  Unfortunately the backup process hasn't been setup on any of them yet.

Is there any way to recover from this situation?
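As an added illustration, not part of the original question or any of the answers: a PowerShell check that tells you whether a computer object is really a domain controller before it is deleted, regardless of which container it currently shows up in. It assumes the RSAT ActiveDirectory module and read access to the domain; OLDNAME1 and OLDNAME2 are placeholder names.

```powershell
# Added example, not from the thread. Before deleting a computer object that looks
# like a leftover, check whether it is really a domain controller. A DC's computer
# object has the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl, primaryGroupID
# 516 (Domain Controllers), and a server object under CN=Sites that points back at it
# via serverReference. Assumes the ActiveDirectory module (RSAT) and read access.
Import-Module ActiveDirectory

function Test-IsDomainController {
    param([Parameter(Mandatory)][string]$ComputerName)

    $comp = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
        -Properties userAccountControl, primaryGroupID
    if (-not $comp) { throw "No computer object named '$ComputerName' was found." }

    $SERVER_TRUST_ACCOUNT = 0x2000
    $uacFlag = ($comp.userAccountControl -band $SERVER_TRUST_ACCOUNT) -ne 0
    $dcGroup = ($comp.primaryGroupID -eq 516)

    # The server object lives in the configuration partition, independent of which
    # OU the computer object is in, so this still works if the object was moved.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=server)(serverReference=$($comp.DistinguishedName)))"
    $hasNtds = $false
    if ($server) {
        $hasNtds = [bool](Get-ADObject -SearchBase $server.DistinguishedName `
            -SearchScope OneLevel -LDAPFilter "(objectClass=nTDSDSA)")
    }

    [pscustomobject]@{
        Name                  = $comp.Name
        DistinguishedName     = $comp.DistinguishedName
        InDomainControllersOU = $comp.DistinguishedName -like '*,OU=Domain Controllers,DC=*'
        ServerTrustAccount    = $uacFlag
        PrimaryGroupIsDCs     = $dcGroup
        HasNtdsSettings       = $hasNtds
        IsDomainController    = ($uacFlag -or $dcGroup -or $hasNtds)
    }
}

# Placeholder names: the two objects that appeared under the Computers container
'OLDNAME1', 'OLDNAME2' | ForEach-Object { Test-IsDomainController -ComputerName $_ }
```

If any of the three indicators is true for an object sitting outside the Domain Controllers OU, treat it as a DC that needs investigating rather than as an orphan.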
Dirk Mare

You should be able to do an authoritative restore of the two objects you deleted using the backups from the original Server 2003 (current/old DC).

After the authoritative restore of the two objects replication will take care of the rest.

DirkMare
Brad Bouchard

Here is what I would try first before an authoritative restore.  Log in, LOCALLY, to the servers having problems and unjoin them from the domain.  I know they aren't there in the domain but do this so that the servers also think they aren't on the domain.  Reboot, then rejoin them to the domain.

Obviously this all hinges on the fact that you have at least one working domain controller.

Post back the results if that doesn't work.
devon-lad (asker)

Dirk - I had considered this, however, taking into consideration time to drive to the nearest branch etc., this solution would be comparable to rebuilding the 2 DCs from an inconvenience point of view.

Brad - This was my first idea, however, I am unable to login to either problematic machine using the local admin account.  Am I right in thinking this feature is disabled on DCs?
BTW - I thought of restoring the deleted objects in a same way I would recover a deleted user account (with ldp.exe) - but presumed this wouldn't work for DCs?
Am I right in thinking this feature is disabled on DCs?

You should still be able to log on locally; however, you may need to try something like a local password reset disk.  You can burn an ISO that is super small, run it, and it will take you through a command-line reset of the local admin account; then you could get in again.

Try this one:  pogostick.net/~pnh/ntpasswd/
I thought by default the local security policy prevents this when a server is promoted to a DC?

And as we can't login to the machine we can't change this.
Which operating system is on the servers whose AD accounts were deleted?

If it's 2008 or 2012, then follow http://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/

Note: also run sysdm.cpl at the command prompt. After changing the password, start the server in Active Directory restore mode.
The domain admin password has not been forgotten - this article doesn't apply.
It is for the local admin. (I know there is no local admin on a domain controller.)

Unplug the server from the LAN, reset the password and start the machine in DSRM.
Dirk - I was missing the point that I could just use DSRM to get logged into the problematic servers - no need to do a directory restore - maybe what Santosh meant.

So did the following on each server:

1. Unplugged network cable
2. Logged in under DSRM
3. Forced demotion and restarted (this also removed from the domain)
4. Removed AD and restarted
5. Plugged in network cable

At this point ran into some problems.

On one server I could rejoin the domain and re-add AD, but it wouldn't promote to DC.

On the other I could not join the domain.

In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.
Santosh - sorry, messages crossed.
Try this, then try re-joining/re-promoting:  http://support.microsoft.com/kb/260575
FYI - nslookup for domain hosts fails on both servers.  Though when logging into the DCs they're using as DNS, it works fine.
Hi,

3. Forced demotion and restarted (this also removed from the domain)

You force-demoted the server, so there is no way the other records were deleted from the DC.

1. ADUC - you have already deleted it.
2. DNS - you need to check and delete the NS and other records, if any.
3. Sites & Services

Otherwise you will get the errors.
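As an added example, not from this thread or any of its posters: a read-only PowerShell audit of what a forcibly demoted DC can leave behind, covering the three items listed above plus the FRS member object, so each one can be removed deliberately after the metadata cleanup. It assumes the RSAT ActiveDirectory and DnsServer modules; OLDDC1 and DC03 are placeholder names for the demoted DC and a healthy DC acting as DNS server.

```powershell
# Added example, not from the thread. Read-only audit of the objects a forcibly
# demoted DC can leave behind (Sites and Services, FRS member object, computer
# account, DNS records), so each one can be cleaned up deliberately.
# Assumes the ActiveDirectory and DnsServer modules (RSAT); $DnsServer is a healthy DC.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-StaleDcReferences {
    param(
        [Parameter(Mandatory)][string]$DcName,      # short host name of the demoted DC
        [Parameter(Mandatory)][string]$DnsServer    # healthy DC hosting the AD zone
    )
    $root     = Get-ADRootDSE
    $domainNC = $root.defaultNamingContext
    $configNC = $root.configurationNamingContext
    $zone     = (Get-ADDomain).DNSRoot
    $fqdn     = "$DcName.$zone"

    # Sites and Services: server object; its NTDS Settings child goes with it
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    # FRS member object for SYSVOL replication (the object the rename step also touches)
    $frs = Get-ADObject -SearchBase "CN=File Replication Service,CN=System,$domainNC" `
        -SearchScope Subtree -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))"
    # Computer account (already gone in this thread, but check anyway)
    $computer = Get-ADObject -SearchBase $domainNC -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=computer)(cn=$DcName))"
    # DNS: NS records naming the host, and SRV records still pointing at it.
    # If _msdcs.<domain> is a separate delegated zone, repeat the SRV check there.
    $ns  = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType NS |
           Where-Object { $_.RecordData.NameServer -like "$fqdn*" }
    $srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv |
           Where-Object { $_.RecordData.DomainName -like "$fqdn*" }

    [pscustomobject]@{
        ServerObject   = $server.DistinguishedName
        FrsMember      = $frs.DistinguishedName
        ComputerObject = $computer.DistinguishedName
        NsRecords      = @($ns).Count
        SrvRecords     = @($srv).Count
    }
}

# Placeholder names for the demoted DC and a healthy DC acting as DNS server
Get-StaleDcReferences -DcName 'OLDDC1' -DnsServer 'DC03'
```

Any non-empty DN or non-zero record count in the output is a reference that still has to be cleaned up before the server can rejoin and be promoted again.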
After metadata cleanup, plus removing objects from DNS and site and services - still couldn't join the servers to the domain.

Realised that I'd left the DNS roles installed on both servers - even though they were using one of the other DCs for DNS.

Removed the DNS role and restarted.

Now able to join to the domain again.

Hopefully that will be it - will report back later.
Very first step: you have missed one step in the DC rename operation.
Update the FRS member object:
http://technet.microsoft.com/en-us/library/cc785970(v=ws.10).aspx

You said that you have deleted domain controllers from the Computers OU.
How come they moved from the Domain Controllers OU to the default Computers OU?

How many computer accounts are you able to find in the Domain Controllers OU?

Mahesh.
Further to last post - all back up and running.

Mahesh - I was going by this more up to date article
http://technet.microsoft.com/en-us/library/cc816601(v=ws.10).aspx
The articles do not differ much,
but have you followed the other step after the rename activity?
If you forgot that, it can cause FRS replication issues.