Solved

Domain controllers accidentally deleted in AD

Posted on 2014-03-24
Last Modified: 2014-03-31
Customer has 5 sites with Win 2003 domain controllers at 4 branches and Windows 2008 R2 at the other.

Replication between these sites works fine.

We are replacing all 5 branch servers with Win2012 domain controllers.

One of the new servers was taken to the nearest branch, added to the domain and promoted to a domain controller.  After AD replication was complete it was brought back to our office.

VPN connection to all sites was setup from our office (using same method as branches use to communicate).

Our office and subnet were added to AD sites and services.

Event logs showed new domain controller was replicating correctly with other sites.

Added the remaining 4 servers to the domain and promoted to domain controllers.

At this point I realised, for various reasons, that we hadn't chosen the best names for the new servers.

So I used netdom to rename them all as follows:

netdom computername oldname.domain.local /add:newname.domain.local

netdom computername oldname.domain.local /makeprimary:newname.domain.local

Then after a reboot

netdom computername newname.domain.local /remove:oldname.domain.local

All worked fine.

A few days later (new servers still in our office) - I logged into one of the original DCs and whilst tidying up some user accounts noticed that two machine accounts were showing under the Computer OU for two of the new domain controllers - using the first incorrect names that they'd been given.

I very stupidly thought these were orphan objects left after all the new servers were renamed and deleted them both.

I then noticed in the FRS logs that replication hadn't been taking place due to low system disk space.  So sorted that out and got it working again.

Only shortly after this did I realise I'd made a serious mistake - by which time the server where I had deleted the two servers in AD had replicated with all other domain controllers.

As a result we now have a situation where two of the new domain controllers no longer have accounts in AD and we're unable to login to either of them.

Obviously as they're not in production yet we could just start from scratch, but there's already been a lot of work done on them setting up other software.  Unfortunately the backup process hasn't been setup on any of them yet.

Is there any way to recover from this situation?
Question by:devon-lad
20 Comments
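The mistake described in the question is deleting two computer objects from the Computers OU on the assumption that they were orphans, when they were in fact the accounts of two domain controllers. The following PowerShell is an added example, not something from the thread or from any of the posters, and it shows the checks an administrator can run against a computer object before deleting it. It assumes the ActiveDirectory module (Server 2008 R2 or later) and read access to the domain; the names OLDNAME1 and OLDNAME2 are placeholders for the objects in question.

```powershell
# Added example: inspect a computer object for domain-controller markers BEFORE
# deleting it as an "orphan". A DC account keeps these markers even when it has
# been moved out of the Domain Controllers OU. Read-only; nothing is changed.
Import-Module ActiveDirectory

function Test-ComputerObjectIsDC {
    param([Parameter(Mandatory)][string]$Name)   # sAMAccountName without the trailing $

    $c = Get-ADComputer -Identity $Name -Properties primaryGroupID, userAccountControl,
            dNSHostName, servicePrincipalName, operatingSystem, whenChanged

    # 0x2000 = SERVER_TRUST_ACCOUNT in userAccountControl; set on DC accounts only.
    $serverTrust = ($c.userAccountControl -band 0x2000) -ne 0
    # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
    $dcGroup     = $c.primaryGroupID -in 516, 521
    # DCs register the GC SPN and the DRS replication SPN (GUID prefix); member servers do not.
    $dcSpn       = @($c.servicePrincipalName | Where-Object {
                        $_ -like 'GC/*' -or $_ -like 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/*'
                    }).Count -gt 0
    # Is there a matching server/NTDS Settings object in Sites and Services?
    $inSites     = $null -ne (Get-ADDomainController -Filter "Name -eq '$($c.Name)'" -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Name           = $c.Name
        DN             = $c.DistinguishedName
        ServerTrustUAC = $serverTrust
        DcPrimaryGroup = $dcGroup
        DcSPNs         = $dcSpn
        ListedAsDC     = $inSites
        LooksLikeDC    = $serverTrust -or $dcGroup -or $dcSpn -or $inSites
    }
}

# Usage: check the suspected orphans first and refuse to delete anything flagged.
'OLDNAME1', 'OLDNAME2' | ForEach-Object {
    $r = Test-ComputerObjectIsDC -Name $_
    if ($r.LooksLikeDC) {
        Write-Warning "$($r.Name) carries DC markers; do not delete it without a proper demotion or metadata cleanup."
    }
    $r
}
```

Any one of the four markers is enough to stop and investigate; an object that has all four false is a plain member server account and can be treated as a candidate orphan.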
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39950460
You should be able to do an authoritative restore of the two objects you deleted using the backups from the original Server 2003 (current/old DC).

After the authoritative restore of the two objects, replication will take care of the rest.

DirkMare
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39950490
Here is what I would try first before an authoritative restore.  Log in, LOCALLY, to the servers having problems and unjoin them from the domain.  I know they aren't there in the domain but do this so that the servers also think they aren't on the domain.  Reboot, then rejoin them to the domain.

Obviously this all hinges on the fact that you have at least one working domain controller.

Post back the results if that doesn't work.
 
LVL 1

Author Comment

by:devon-lad
ID: 39950557
Dirk - I had considered this, however, taking into consideration time to drive to the nearest branch etc., this solution would be comparable to rebuilding the 2 DCs from an inconvenience point of view.

Brad - This was my first idea, however, I am unable to login to either problematic machine using the local admin account.  Am I right in thinking this feature is disabled on DCs?
 
LVL 1

Author Comment

by:devon-lad
ID: 39950587
BTW - I thought of restoring the deleted objects in the same way I would recover a deleted user account (with ldp.exe) - but presumed this wouldn't work for DCs?
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39950592
Am I right in thinking this feature is disabled on DCs?

You should be able to still log on locally, however, you may need to try something like a local password reset disk.  You can burn an ISO that is super small and run it and it will take you through a command line reset of the local admin account then you could get in again.

Try this one:  pogostick.net/~pnh/ntpasswd/
 
LVL 1

Author Comment

by:devon-lad
ID: 39950683
I thought by default the local security policy prevents this when a server is promoted to DC?

And as we can't login to the machine we can't change this.
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39950718
For which operating system was the AD account deleted?

If it's 2008 or 2012 then follow http://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/

Note: also run sysdm.cpl at a command prompt. After changing the password, start the server in Active Directory restore mode.
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 200 total points
ID: 39950725
Correct, the local account is disabled.  The only active local account is the Active Directory Restore Mode Admin Account, which is only available through restore mode.

Because it's a DC your options are somewhat limited.

DirkMare
 
LVL 1

Author Comment

by:devon-lad
ID: 39950739
The domain admin password has not been forgotten - this article doesn't apply.
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39951036
It is for the local admin. (I know there is no local admin on a domain controller.)

Unplug the server from the LAN, reset the password and start the machine in DSRM.
 
LVL 1

Author Comment

by:devon-lad
ID: 39951054
Dirk - I was missing the point that I could just use DSRM to get logged into the problematic servers - no need to do a directory restore - maybe what Santosh meant.

So did the following on each server:

1. Unplugged network cable
2. Logged in under DSRM
3. Forced demotion and restarted (this also removed from the domain)
4. Removed AD and restarted
5. Plugged in network cable

At this point ran into some problems.

On one server I could rejoin the domain and re-add AD - but it wouldn't promote to a DC.

On the other I could not join the domain.

In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.
 
LVL 1

Author Comment

by:devon-lad
ID: 39951055
Santosh - sorry messages crossed
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39951062
At this point ran into some problems.

On one server I could rejoin the domain and re-add AD - but it wouldn't promote to a DC.

On the other I could not join the domain.

In both cases it reported that a domain controller couldn't be contacted - both servers have the addresses of two functioning domain controllers set as DNS.


Try this, then try re-joining/re-promoting:  http://support.microsoft.com/kb/260575
 
LVL 13

Accepted Solution

by:Santosh Gupta
Santosh Gupta earned 300 total points
ID: 39951074
Hi,

@devon-lad, yes, I meant DSRM; I thought you had also forgotten that password.


1. Again remove the server from the domain.
2. Run the metadata cleanup on a domain controller.
Note: make sure no entry remains in ADUC, DNS and Sites & Services before proceeding to join the domain.
3. Then join the server to the domain.
 
LVL 1

Author Comment

by:devon-lad
ID: 39951082
FYI - nslookup for domain hosts fails on both servers.  Though when logging into the DCs they're using for DNS, it works fine.
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39951151
Hi,

3. Forced demotion and restarted (this also removed from the domain)

You did a forced demotion of the server, so there was no way for it to delete the other records from the DC.

1. ADUC - you already deleted it.
2. DNS - you need to check and delete the NS and other records, if any.
3. Sites & Services.

Otherwise you will get the errors.
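The two answers above list the three places where a force-demoted DC leaves residue: its computer object (ADUC), DNS, and Sites & Services. The following PowerShell is an added example, not code from the thread or from any poster, that sweeps those three places for a given DC name and reports what is still there, so the "domain controller couldn't be contacted" errors on rejoin can be traced to a leftover record. It is read-only. It assumes the ActiveDirectory and DnsServer modules (Server 2012 or later), that $DnsServer is a surviving DC hosting the AD-integrated zones, and that the zone layout is the usual domain zone plus a separate _msdcs zone; NEWDC1, domain.local and DC03 are placeholders.

```powershell
# Added example: read-only sweep for references to a removed DC that a metadata
# cleanup may have left behind, in the three places named in the answer.
Import-Module ActiveDirectory
Import-Module DnsServer

function Find-StaleDCReferences {
    param(
        [Parameter(Mandatory)][string]$DcName,      # short host name of the removed DC
        [Parameter(Mandatory)][string]$DomainFqdn,  # e.g. domain.local (placeholder)
        [Parameter(Mandatory)][string]$DnsServer    # a surviving DC to query for DNS
    )
    $findings = @()
    $fqdn  = "$DcName.$DomainFqdn"
    $cfgNC = (Get-ADRootDSE).configurationNamingContext

    # 1. ADUC: any computer object still carrying the name, in any OU.
    Get-ADComputer -LDAPFilter "(cn=$DcName)" -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Where = 'AD computer object'; Object = $_.DistinguishedName }
    }

    # 2. Sites and Services: the server object and its NTDS Settings child.
    Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$DcName))" | ForEach-Object {
        $findings += [pscustomobject]@{ Where = 'Sites: server object'; Object = $_.DistinguishedName }
        Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)' |
            ForEach-Object {
                $findings += [pscustomobject]@{ Where = 'Sites: NTDS Settings'; Object = $_.DistinguishedName }
            }
    }

    # 3. DNS: NS records naming the old DC, SRV/CNAME records pointing at it, and its A record,
    #    in both the domain zone and the _msdcs zone.
    foreach ($zone in @($DomainFqdn, "_msdcs.$DomainFqdn")) {
        $records = Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            $target = switch ($r.RecordType) {
                'NS'    { $r.RecordData.NameServer }
                'SRV'   { $r.RecordData.DomainName }
                'CNAME' { $r.RecordData.HostNameAlias }
                default { $null }
            }
            if ($target -and $target.TrimEnd('.') -ieq $fqdn) {
                $findings += [pscustomobject]@{ Where = "DNS $zone $($r.RecordType)"; Object = "$($r.HostName) -> $target" }
            }
            if ($r.RecordType -eq 'A' -and $r.HostName -ieq $DcName) {
                $findings += [pscustomobject]@{ Where = "DNS $zone A"; Object = "$($r.HostName) $($r.RecordData.IPv4Address)" }
            }
        }
    }
    $findings
}

# Usage: run from a surviving DC (or a box with RSAT) before trying to rejoin the server.
$stale = Find-StaleDCReferences -DcName 'NEWDC1' -DomainFqdn 'domain.local' -DnsServer 'DC03'
if ($stale) { $stale | Format-Table -AutoSize } else { 'No leftover references found.' }
```

Anything the sweep reports should be removed through the normal tools (ntdsutil metadata cleanup, the DNS console, Sites and Services) and the sweep re-run until it comes back empty; a stale NS or _msdcs SRV record is exactly what makes a rejoining server try to contact a DC that no longer exists.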
 
LVL 1

Author Comment

by:devon-lad
ID: 39951188
After metadata cleanup, plus removing objects from DNS and site and services - still couldn't join the servers to the domain.

Realised that I'd left the DNS roles installed on both servers - even though they were using one of the other DCs for DNS.

Removed the DNS role and restarted.

Now able to join to the domain again.

Hopefully that will be it - will report back later.
 
LVL 36

Expert Comment

by:Mahesh
ID: 39951350
Very first step: you have missed one step in the DC rename operation:
Update the FRS member object
http://technet.microsoft.com/en-us/library/cc785970(v=ws.10).aspx

You said that you have deleted the domain controllers from the Computers OU.
How come they moved from the Domain Controllers OU to the default Computers OU?

How many computer accounts are you able to find in the Domain Controllers OU?

Mahesh.
 
LVL 1

Author Comment

by:devon-lad
ID: 39951588
Further to last post - all back up and running.

Mahesh - I was going by this more up to date article
http://technet.microsoft.com/en-us/library/cc816601(v=ws.10).aspx
 
LVL 36

Expert Comment

by:Mahesh
ID: 39951651
The articles do not differ much, but have you followed the additional step after the rename activity?
If you forgot that, it can cause FRS replication issues.
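Mahesh's point in the two comments above is that the DC rename procedure has a follow-up step, updating the FRS member object for SYSVOL, and that skipping it leads to FRS replication problems. The following PowerShell is an added example, not code from the thread or from any poster, that checks whether each FRS member object under the SYSVOL replica set still lines up with a current DC computer account, and reports the mismatch a missed update would leave behind. It only reports and changes nothing. It assumes the ActiveDirectory module, that SYSVOL is still FRS-replicated (as in this 2003-era domain; a DFSR-migrated SYSVOL does not use these objects), and that the member objects live in the standard CN=Domain System Volume (SYSVOL share) container with the fRSComputerReference attribute pointing at the computer object.

```powershell
# Added example: after a DC rename, verify that the FRS member objects for SYSVOL
# still match the (renamed) computer accounts. Read-only.
Import-Module ActiveDirectory

function Test-FrsMemberObjects {
    $domainNC  = (Get-ADRootDSE).defaultNamingContext
    # Standard location of the SYSVOL replica set's member objects (assumed, see lead-in).
    $sysvolSet = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC"

    # Current DCs keyed by the DN of their computer object.
    $dcs = @{}
    Get-ADDomainController -Filter * | ForEach-Object { $dcs[$_.ComputerObjectDN] = $_.Name }

    Get-ADObject -SearchBase $sysvolSet -SearchScope OneLevel -LDAPFilter '(objectClass=nTFRSMember)' -Properties fRSComputerReference |
    ForEach-Object {
        $ref   = $_.fRSComputerReference
        $state = if (-not $ref) {
                     'no fRSComputerReference set'
                 } elseif (-not $dcs.ContainsKey($ref)) {
                     'references a computer object that is not a current DC (old name or removed DC?)'
                 } elseif ($dcs[$ref] -ne $_.Name) {
                     "member object is still named '$($_.Name)' but the computer is '$($dcs[$ref])' (rename not applied to FRS)"
                 } else {
                     'OK'
                 }
        [pscustomobject]@{ MemberObject = $_.Name; ComputerReference = $ref; State = $state }
    }
}

# Usage: run after every DC rename; every row should read OK.
Test-FrsMemberObjects | Format-Table -AutoSize
```

A row that is not OK is the condition Mahesh describes: the renamed DC is still known to FRS under its old name, so SYSVOL replication for that member fails until the member object is brought in line with the computer account as the linked TechNet article describes.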