asked on
How to prepare other DCs when doing an Active Directory Authoritative Restore
I have 2 Domain Controllers. I recently used Windows System Backup to restore the system state on the PDC, restoring the Active Directory. I checked the authoritative checkbox. Up came a messagebox that said:
The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?
I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.
How do you:
1) Stop the replication engine on an Active Directory domain controller
2) Configure it for non-authoritative recovery
Thanks
The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?
I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.
How do you:
1) Stop the replication engine on an Active Directory domain controller
2) Configure it for non-authoritative recovery
Thanks
Active Directory* recovery* domain controller
Last Comment
MikeBroderick
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I should point out that the DCs are Windows 2012 R2, in case it makes a difference. I should also say that I don't work with AD/DC very often, though I have had 2 DCs since Windows 2000/2003 SBS.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
Thanks for the info DrDave, I will read over it this weekend.
I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please not that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
Thanks for the info DrDave, I will read over it this weekend.
I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please not that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.That is the correct procedure. However...
Neither systems show SYSVOL or NETLOGON.This may indicate a problem that won't be resolved with this procedure. Check the SYSVOL directory on the DC that you're restoring system state on. Is there anything in there? If not, this procedure won't accomplish much in terms of getting SYSVOL working again.
ASKER
I'm sorry, I should answer your questions:
• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, Global catalog cant connect to active directory. Administrative tools AD Sites and Services says cant contact AD.
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, Global catalog cant connect to active directory. Administrative tools AD Sites and Services says cant contact AD.
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON
have you restored snapshots or restored system state
ASKER
I have not restored the system state yet. I put it back into the problem state.
Sorry I am unable to understand what you are trying to do
What problem you are facing with AD and Do you have problem in production environment or you are talking about test environment and what problem you are trying to reproduce?
What problem you are facing with AD and Do you have problem in production environment or you are talking about test environment and what problem you are trying to reproduce?
ASKER
Thank you all for your help. Each response gave me new info to process. I will add that setting the burflags to B4 worked this time. In previous attempts it didn't. Again, thanks.
Then do authoritative restore on PDC the way you are doing by selecting checkbox
After that on other DC set Burgflag registry to D2 and start file replication service
By following above steps, you are telling other DCs that pickup sysvol data from restored Dc
If you don't follow steps mentioned above, other DC will be able to replicate its sysvol data to restored DC and basically the purpose of restoring sysvol authoritatively gets defeated
U have not faced issues as of now, because you have only two DCs and sysvol must be healthy on both servers
Finally as asked by steve already, rightly, why you are restoring AD from backup when you have two DCs
you should use ntdsutil authoritative restore after initial restoration of system state backup only if you have accidently deleted any AD objects and you wanted to recover those from backups
OR
may be your DC os got corrupted, then instead of formatting entire OS and building new DC (most of the times that is wise option), you could simply restore system state backup non authoritatively so tat latest AD updates will get fetched on restored DC from other healthy up to date DC
Otherwise there is no need to restore AD from backup when you have multiple DCs unless your AD got badly corrupted and nobody is able to logon to AD. This is very rare case and that process is called as forest recovery