Trouble with Active Directory after VM image restore

I have 6 Active Directory servers (Windows 2003 SP3) in 3 different locations (2 servers each site).
They are VMs on VMware 5.0.
On Friday 4/1 the VMs' storage crashed and I had to restore the images of Server-AD1 and Server-AD2.
But now both servers do not work: there are several errors in the AD service (ID1308) and the Replication service (ID13508).
I tried to resolve it with the repadmin /removelingeringobjects command, but without any result.
Could you help me?
Asked by Fabio Rosiglioni

Jeff Morlen, Network Engineer, commented:
I don't know if this helps... but...

Since AD is distributed, I would promote some other AD server to the master of all the FSMO roles.
I would rebuild the crashed controllers from scratch (might be a good time to upgrade).
I would re-add them as domain controllers and then restore any data that is needed.

I think that this may be easier than trying to recover... especially since you have working controllers already.

Just a suggestion.
Bill Herde, Owner, commented:
Agree with Jeff.  Choose a working copy and seize FSMO roles (if needed).  Rebuild broken servers and rejoin/promote, or disconnect network cables and force them out of domain to be rejoined later.  Note that metadata cleanup will be needed for any DC that is unceremoniously removed.
Also agree that if you are still running 2K3 servers, it's time to spend a little money.  There are so many things you are going to like in the new versions.
Carl Webster, Citrix Technology Professional - Fellow, commented:
Another agreement for Jeff and Bill. I would not have restored a DC, ever. I would have deleted them from the Domain Controllers OU and then done metadata cleanup and then cleaned up DNS and Sites and Services. Then I would have brought up two new DCs. At that point, you could have reused the original names and IP addresses if that was required.

Fabio Rosiglioni, Author, commented:
Yes, I agree about updating the servers to a newer release; it is planned for next May.
About Server-AD2: I already ran the dcpromo /forceremoval command, but I wasn't able to remove it from Sites and Services and I didn't clean up metadata using ntdsutil.
So when I ran dcpromo again, Active Directory was mounted on Server-AD2 but it doesn't replicate with the other DCs (Server-AD3, 4, 5, 6).
In Sites and Services there isn't any automatic join with any other server. I tried to do one manually, but it doesn't work.

Other question: Server-AD1 is the PDC. How can I move FSMO to another server if it doesn't communicate?
Jeff Morlen, Network Engineer, commented:
You can set the DNS on your semi-functional DC to point to another DC's DNS to try to kick start the process.  This has worked for me in the past.

I would also run DCDIAG on the system to make sure that things are functioning as you expect before you attempt a DC promo.

I don't know if NETDIAG is in Windows Server 2003 or not.  But, if you have it, I'd run that too.
Bill Herde, Owner, commented:
Choose a working DC, and use NTDSUTIL to seize FSMO roles.  Google has lots of random strangers to tell you how.  Once that is done, run metadata cleanup to remove the failed servers. Again, Google is your friend. Then bring up your repaired servers which are NOT joined to the domain yet, and ensure they are able to ping the FSMO role holder.  Set DNS on the repaired server to use the FSMO role holder only.  Now you should be able to rejoin the server to the domain, and dcpromo back into a DC role.  Get the second repaired server, rinse and repeat.  When it is all done you will be able to transfer FSMO to whichever server you desire in normal fashion.
Jeff Morlen, Network Engineer, commented:
Bill outlined the 1-2-3 of getting this done... flex your Google-Fu and find the steps there.
This really isn't a big issue (or shouldn't be) unless you have stored data on your DCs.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
Rule of thumb for DCs:

1.  Do not restore from snapshot
2.  Do not restore DC unless there is a requirement.  It is easier to build a new DC and remove the crashed/unavailable DCs
3.  If your FSMO owner was the affected server then seize FSMO roles on another DC
4.  As long as one DC is still running, you should not have to restore a DC
5.  If you need to restore then ensure you are backing up using a supported application (i.e. Windows Backup, Veeam, NetBackup, etc. and not snapshot)
Carl Webster, Citrix Technology Professional - Fellow, commented:
As long as one writable DC is still running...
Bill Herde, Owner, commented:
If you have data on your DCs, and they still run, and you don't have a backup to restore just the files, that would be a good application for a big USB drive!
Fabio Rosiglioni, Author, commented:
I have issued the command "seize domain naming master" but I receive an error message "Error ldap_modify_sW 0x34 <52 (Not available) ...... Unable to contact the current FSMO owner"
How should I proceed?
Fabio Rosiglioni, Author, commented:
It is all ok!
Fabio Rosiglioni, Author, commented:
The plan is as follows:
1 - seize FSMO roles to Server-AD3 (site n.2)
2 - demote, force out of domain Server-AD1 (PDC) and Server-AD2 (both site n.1)
3 - On Server-AD3 (new PDC) I do a metadata cleanup for AD1 and AD2
3 - rejoin AD1 and AD2 to the domain

1 - Successfully completed
but I discovered another problem. The information is not replicated to Server-AD5 and Server-AD6 (site n.3). Only Server-AD4 (site 2) is updated.
In Sites and Services there are no direct connections between Server-AD3 and the site 3 servers (AD5, AD6).
I tried to create them but they do not work.
Bill Herde, Owner, commented:
Are you giving it time to replicate?  Intersite replication interval is 15 minutes minimum. Even if you run repadmin and tell it to replicate now, it still will lag. It will just make sure that all connections sync on the next cycle (repadmin /syncall).  AD3 should not have a problem creating connections once it knows the roles.  Also, this should not prevent you from completing the repairs on AD1 and AD2, which it is not clear if you have done that yet.  Your planning also does not list dcpromo AD1 and AD2 back to DC.
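
A replication check that fits the questions raised in this thread, as an added example that is not part of any participant's post: it reads `repadmin /showrepl * /csv` output and lists inbound links that have failures or an old last success. The sample rows are constructed, and the column names, timestamp format and one-hour default threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample (not from the thread) in the assumed column layout of
# `repadmin /showrepl * /csv`; server names follow the thread, values are made up.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site2,SERVER-AD4,"DC=example,DC=local",Site2,SERVER-AD3,RPC,0,0,2016-04-04 09:05:10,0
showrepl_INFO,Site3,SERVER-AD5,"DC=example,DC=local",Site1,SERVER-AD1,RPC,212,2016-04-04 09:01:44,2016-04-01 07:30:02,1722
showrepl_INFO,Site3,SERVER-AD6,"DC=example,DC=local",Site3,SERVER-AD5,RPC,0,0,2016-04-04 06:00:00,0
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the CSV output


def stale_links(csv_text, now, max_age=timedelta(hours=1)):
    """Return (destination, source, reason) for each inbound link needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            # Any other row tag means repadmin could not read that DC's links.
            findings.append(("unknown", "unknown", "non-INFO row from repadmin"))
            continue
        dest, src = row["Destination DSA"], row["Source DSA"]
        failures = int(row["Number of Failures"] or 0)
        if failures > 0:
            status = row["Last Failure Status"]
            findings.append((dest, src, f"{failures} consecutive failures, status {status}"))
            continue
        try:
            last_ok = datetime.strptime(row["Last Success Time"], TIME_FMT)
        except ValueError:
            findings.append((dest, src, "no successful replication recorded"))
            continue
        age = now - last_ok
        if age > max_age:
            findings.append((dest, src, f"last success {age} ago"))
    return findings


if __name__ == "__main__":
    for finding in stale_links(SAMPLE_CSV, now=datetime(2016, 4, 4, 9, 30, 0)):
        print(" <- ".join(finding[:2]), "|", finding[2])
```

A link that still lists a removed DC as its source, as in the second sample row, is the kind of leftover that metadata cleanup is meant to clear.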