WellingtonIS

asked on

Lost my domain can't get it back

HELP!  I lost my domain after I decommissioned my 2008 R2 server.  I lost all the roles and I can't even access AD.  When I try to use metadata cleanup I get the following:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ntdsutil:metadata cleanup
The filename, directory name, or volume label syntax is incorrect.

C:\Windows\system32>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server kkdc02.local
Binding to kkdc02.local ...
DsBindWithSpnExW error 0x5(Access is denied.)
server connections: set creds kk.local administrator kkcp@$
server connections: connect to server kkdc02.local
Binding to kkdc02.local as kk.local\administrator...
DsBindWithSpnExW error 0x5(Access is denied.)
server connections:

When I try to seize the roles I get:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: kkdc02
Error parsing Input - Invalid Syntax.
server connections: kkdc02.local
Error parsing Input - Invalid Syntax.
server connections: connect to kkdc02.local
Error parsing Input - Invalid Syntax.
server connections: connect to server kkdc02.local
Binding to kkdc02.local ...
DsBindWithSpnExW error 0x5(Access is denied.)
server connections:
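Two things go wrong in the transcripts above: `ntdsutil:metadata cleanup` is typed at the cmd prompt, but ntdsutil is its own interactive tool, and inside its `server connections` menu the bare hostname is not a command (the verb is `connect to server <host>`). Even with that fixed, the bind still fails with 0x5, so the bind target itself needs checking before retrying. The following is an added example for this thread, not the asker's or the answerers' commands: it checks whether kkdc02 is actually advertising as a DC, then seizes the five FSMO roles and removes the demoted DC's metadata, passing each ntdsutil menu command as a quoted argument. The host names kkdc02.local, KKDC and the domain kk.local are taken from the thread; the site name Default-First-Site-Name is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the surviving DC (kkdc02)
# as a Domain Admin. Assumed: site name Default-First-Site-Name; host/domain names are from the thread.

# --- 1. Is this box still a functioning DC? ntdsutil binds to the NTDS service over RPC, so a stopped
#        NTDS/Netlogon, or a DC that never finished initial SYSVOL replication, answers "Access is denied"
#        no matter which credentials you pass with "set creds".
Get-Service NTDS, Netlogon, kdc, DNS | Format-Table Name, Status -AutoSize
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady   # 1 = advertising
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue                                 # missing = not advertising
dcdiag /test:Advertising /test:Services

# --- 2. Who does the directory think holds the FSMO roles? If nothing was transferred, all five still
#        point at the demoted KKDC.
netdom query fsmo

# --- 3. Seize all five roles onto kkdc02. ntdsutil accepts its menu commands as quoted arguments, so the
#        whole interactive walk becomes one line; each seize still pops a confirmation dialog.
ntdsutil "roles" "connections" "connect to server kkdc02.local" "quit" `
    "seize schema master" "seize naming master" "seize RID master" `
    "seize PDC" "seize infrastructure master" "quit" "quit"

# Equivalent with the ActiveDirectory module (2012 and later); -Force turns a transfer into a seizure
# when the current holder cannot be contacted.
Move-ADDirectoryServerOperationMasterRole -Identity kkdc02 -Force `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# --- 4. Metadata cleanup: remove the demoted DC's server object (and its NTDS Settings child) from the
#        configuration partition. "remove selected server <DN>" skips the site/domain/server list walk.
ntdsutil "metadata cleanup" `
    "remove selected server CN=KKDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kk,DC=local" `
    "quit" "quit"

# --- 5. Confirm: KKDC should no longer be listed, and every role should show on kkdc02.
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles
repadmin /showrepl
```

Step 1 is the one that matters for this thread: if SysvolReady is 0 and the SYSVOL/NETLOGON shares are absent, the DC is not advertising and steps 3 and 4 will keep failing with 0x5 until that is fixed, which is what the FRS discussion further down is about.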
Senthil Kumar

Do you have a backup?
WellingtonIS (ASKER)
Of what?
Which Server did you decommission?

kkdc02.local: this server seems to be the problem. Does this still exist? If so, can you ping it, remote desktop to it, etc.?

Thanks,

Charles
it_saige
Senthil is most likely referring to a backup of your 2008 Server that was demoted.

Did you check the health of AD before you demoted this DC?
Did you verify that AD was replicating properly before demoting the DC?
Did you transfer any FSMO roles before you demoted this server?
When you demoted this server, did you choose that it was the last DC in the domain?

-saige-
Your best option is to recover from backup at this situation (if you have a backup).
If you are not an AD expert, playing with it will make your situation worse.
Following the experts' guidelines will help you recover.
I'm truly in a bind.  I can't access AD.  Can't use ntdsutil either, access is denied.  Really in trouble.
Everything checked 100%.  The server I forced to decommission was KKDC.  I rebooted and now I'm stuck.
So I should restore the kkdc server?
-->So I should restore the kkdc server?
Yes. If you have a backup restore backup for now.
OK, I'm totally screwed, no system state backup. Any other ideas?
What about starting over?  I can break down the domain if I have to and just redo it.
Without a backup this is your only recourse.  This, of course, means that you will have to re-join all workstations to the new domain (even if named the same thing as before).  All computers and users will have new SIDs issued, which also means that all user profiles from the old domain will no longer work.  There are methods to migrate user profiles but I do not know if you can migrate a user profile without being able to contact the DC for the domain that the profile is associated with.

-saige-
That's fine.  I'm going to have to force it.  Do you think I'll get it back?
I don't really understand what happened here I'm struggling to see how this got so screwed up.

How many DC's did you have?

What one did you decom?
Your old domain?  No, that is, unfortunately, gone now.

-saige-
I had 2: a 2008 server and a 2012 server.  I demoted by force the 2008 server and now I'm stuck. The admin didn't back up the system state.
So when you log on to the 2012 DC, what does it think its roles are in Server Manager?
Charles, if I were to garner a guess.  A couple of things off the top of my head:

1.  DCPROMO was run selecting the option that this was the last DC in the domain (AD gets wiped out, database destroyed, no replication of anything to any peers).

2.  FRS was still being used (as opposed to DFSR) and was in a corrupted state, which meant that no new DCs added to the domain could ever complete the DCPROMO process (there should be log entries on the other DCs to this effect).

-saige-
Well, I can't even demote the server I have...  Can this be done via the command line?
1.  DCPROMO was run selecting the option that this was the last DC in the domain (AD gets wiped out, database destroyed, no replication of anything to any peers).

Yeah, I think you're probably right....

Gotta admit I've seen a lot of scenarios as a contractor but never that one, so not sure what state it leaves itself in.. I'm guessing it destroys the metadata...
OK, but how can I demote what I have?
Now that being said, you could try to do an Authoritative Restore of FRS on your 2012 DC.  If that can complete (and it at least has the initial copy of the AD DB) then it should come back online and allow for you to do some cleanup.  You may lose some objects that were not replicated from the 2008 server.

-saige-
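The accepted solution is not visible on this page, so the following is an added example of the standard procedure behind the suggestion above, not a copy of what was actually posted: the authoritative FRS restore (the BurFlags D4 procedure from Microsoft KB 290762) run on the surviving 2012 DC. The reason it is relevant to "Access is denied" is that a DC whose SYSVOL never completed its initial FRS sync does not advertise (SysvolReady stays 0, no SYSVOL/NETLOGON shares), so LDAP/RPC binds to it fail even with valid credentials. Only the service name, registry paths and event ID are real; the 5-minute wait is an assumption.

```powershell
# Added example, not the thread's accepted solution. Run elevated on the only remaining DC.
# Precondition: SYSVOL is still replicated by FRS, not DFSR. If dfsrmig reports the eliminated
# state, this procedure does not apply (DFSR uses msDFSR-Options on the authoritative member instead).
dfsrmig /getglobalstate

$burKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$nlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Before: record the state so you can tell whether the restore changed anything.
Get-ItemProperty $nlKey -Name SysvolReady
Get-WinEvent -FilterHashtable @{LogName='File Replication Service'} -MaxEvents 5 |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize

# 1. Stop FRS. BurFlags is only read at service start, which is why a restart is part of the procedure.
Stop-Service NtFrs -Force

# 2. D4 = authoritative: this replica becomes the source copy of SYSVOL for every other FRS member.
#    D2 (non-authoritative) would make it pull from a peer, which is useless when the only peer is gone.
Set-ItemProperty -Path $burKey -Name BurFlags -Value 0xD4 -Type DWord

# 3. Start FRS and wait for event 13516: "FRS is no longer preventing the computer from becoming a
#    domain controller". Give up after ~5 minutes (assumed timeout) rather than looping forever.
$started = Get-Date
Start-Service NtFrs
$ev = $null
for ($i = 0; $i -lt 20 -and -not $ev; $i++) {
    Start-Sleep -Seconds 15
    $ev = Get-WinEvent -FilterHashtable @{LogName='File Replication Service'; Id=13516; StartTime=$started} `
                       -ErrorAction SilentlyContinue
}
if (-not $ev) { Write-Warning 'Event 13516 not seen; check the File Replication Service log for 13508/13565.' }

# 4. Verify the DC now advertises: SysvolReady=1, shares present, dcdiag advertising test passes.
Get-ItemProperty $nlKey -Name SysvolReady
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
dcdiag /test:Advertising

# 5. Netlogon only re-evaluates SysvolReady on restart, so bounce it (or reboot, as the thread advises).
Restart-Service Netlogon
```

After this the `ntdsutil` binds that were failing with 0x5 should succeed, because the DC is once again advertising and accepting AD-authenticated connections.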
OK, how?
ASKER CERTIFIED SOLUTION
it_saige
in the process. Should I log in to the domain?
Log in any way you can to the remaining DC to complete this process.  And reboot once completed.

P.S. - A DC that has completed the DCPROMO process should *only* allow AD authenticated access.

-saige-
OMG that worked!!!  Do I need to do anything else?
Just verify that all of your objects still exist.  If you added anything (users, computers, etc) to AD since this DC was added to the domain, those things will most likely need to be readded.

-saige-
You're the best!  I can't believe it's all back... THANK YOU SO MUCH!!!
Matter of fact it would be best to check everything.  DNS, DHCP, WINS (if used).  Make sure that the FSMO roles are homed to the new DC.  Make sure that your DC (once it has the PDCe FSMO role) is configured properly to manage the AD Time Synchronization process.

-saige-
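The checklist in the last comment (FSMO roles homed on the new DC, DNS/DHCP/WINS, time sync on the PDCe) as one script, added here as an example rather than anything posted in the thread. The domain kk.local and the DC name kkdc02 come from the thread; the NTP peers are an assumption, substitute your own.

```powershell
# Added example, not from the thread. Run elevated on the recovered DC with the ActiveDirectory,
# DnsServer and DhcpServer modules available. Assumed: NTP peer list below.
$domain = 'kk.local'
$dc     = 'kkdc02'

# FSMO roles: all five should be homed on the surviving DC after the seizure.
$roles = [ordered]@{
    SchemaMaster         = (Get-ADForest).SchemaMaster
    DomainNamingMaster   = (Get-ADForest).DomainNamingMaster
    PDCEmulator          = (Get-ADDomain).PDCEmulator
    RIDMaster            = (Get-ADDomain).RIDMaster
    InfrastructureMaster = (Get-ADDomain).InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object {
    $ok = $_.Value -like "$dc.*"
    '{0,-22} {1,-25} {2}' -f $_.Key, $_.Value, $(if ($ok) { 'OK' } else { 'NOT ON THIS DC' })
}

# Stale references to the demoted DC: it should not appear as a DC, a server object, or an SRV target.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase (Get-ADRootDSE).configurationNamingContext |
    Select-Object Name, DistinguishedName
Get-DnsServerResourceRecord -ZoneName $domain -RRType Srv |
    Where-Object { $_.RecordData.DomainName -notlike "$dc.*" } |
    Select-Object HostName, @{n='Target'; e={ $_.RecordData.DomainName }}   # any row is a lingering record

# Services clients depend on. WINS is optional, hence SilentlyContinue.
Get-Service DNS, DHCPServer, WINS -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize
Get-DhcpServerInDC   # the recovered DC must still be listed as authorized, or its scopes stop leasing

# Replication and general health: no partners yet is expected, errors are not.
repadmin /showrepl
dcdiag /q

# Time: the PDCe is the top of the domain time hierarchy. With the old PDCe gone it must sync from an
# external source, otherwise every member keeps time against a free-running clock.
w32tm /query /source
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /nowait
w32tm /query /status
```

A second, independent check worth doing before declaring the domain healthy is to log a workstation on with a domain account and run `gpupdate /force`, which exercises DNS SRV lookup, Kerberos, and the SYSVOL share in one go.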