Unable to recover Active Directory

Active Directory was corrupted by bad VM memory. I do not have full admin access, only vSphere access. DNS does not have the Domain or Forest DNS Zones. Unable to manually build. SYSVOL and NETLOGON unfixable. Finally, after a week of having fun, I did a bare metal image of DC1 (FSMO). I am able to build from scratch (after demoting to member server) the same two servers back up and they are running fine. Good replication, net share is good. However, I do not want to use DSRM and recover the corrupted SYSVOL and NETLOGON. I have a full GPO backup, but I don't know how to back up only the Active Directory. I am working this weekend to get this fixed. I have already tried restoring just NTDS and the log, verifying it is good and dropping it in the correct folders. I verified/fixed the permissions. Active Directory does not see the NTDS. HELP!

Asked by Robert Hatcher (System Admin and Network Engineer)
Mahesh (Architect) commented:
"I have already tried restoring just NTDS and the log, verifying it is good and dropping it in the correct folders."

This is an unsupported method; it does not restore the default file system permissions needed for AD to work properly.

Do you have an AD system state backup to restore from?

It will restore the entire Active Directory along with the SYSVOL contents.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
You didn't really answer the question, sir. While waiting for a response, and due to lack of time, I went ahead and already tried just NTDS also. NTDSUTIL recover and semantic database analysis said the NTDS was good. I brought back the system and the Active Directory management sees nothing. I verified the NTDS was in the correct location. So now I am just doing an overall authoritative restore.
Mahesh (Architect) commented:
What antivirus do you have installed on the DC?

Disable it completely and check if your DC is able to find Active Directory.

I faced this issue once due to McAfee antivirus.
Mahesh (Architect) commented:
And how many DCs do you have?
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Sorry I missed your chat proposal...
Mahesh (Architect) commented:
No, it was clicked by mistake.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Oh, you're back... a total of two DCs, 4 member servers under one domain (all virtual), 3000 users and 340 client computers (1 per site) across the nation.
Mahesh (Architect) commented:
So none of the DCs is working?

How did you attempt the restore?

What is the current status of AD?
Robert Hatcher (System Admin and Network Engineer, Author) commented:
I have some waiting to do. A total of 300000 files in the restore and then the replication after that. Fingers crossed...
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Both DCs are working fine right now. After the authoritative restore we shall see. Are you reading anything I have already stated, sir?
Mahesh (Architect) commented:
I already read that.

Your problem is that even after restoring AD and repairing the .dit file with esentutl, AD still cannot load?

That is why I asked about AV earlier.

Did you follow the article below?
https://www.dell.com/support/article/in/en/indhs1/sln289101/windows-server-active-directory-database-repair-after-domain-controller-failure?lang=en

Further, I don't know how you restored AD on both DCs?
Robert Hatcher (System Admin and Network Engineer, Author) commented:
After the backup I took both systems down to workgroup level (doing a metadata cleanup as part of the process). I then cleanly brought up one to a new forest (same forest actually). Verified everything and configured the DNS for the other potential DC. I then brought up the other system and the two are communicating perfectly as two DCs/GCs with no custom AD or GPO yet. As I write this I have about 5 minutes left before the authoritative restore is finished. This is my last ditch attempt. If this doesn't work I have to manually build all of AD.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
I am doing all of this because I don't want to tell 3000 users to reset their passwords if I do the import CSV process on a new system.
Mahesh (Architect) commented:
Did you restore both servers from backup?

Or did you restore one with backup and promote another one from scratch?
Mahesh (Architect) commented:
Sorry, but I am not able to understand what exactly you have as backup and how you restored both servers?
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Nope. Just the one (FSMO). Because it is an authoritative restore it will overwrite DC2. System just rebooted... It didn't crash. Yay. Will be right back.
Mahesh (Architect) commented:
How did you restore AD authoritatively?

You need to restore it authoritatively manually with Ntdsutil.

After that the 2nd DC must be promoted fresh.

All you need to do is:
restore one server from backup (normal restore)
seize FSMO
clean up metadata for the other DC
build a new server from scratch and promote it to DC

I am running out of time.
All the best.
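The four steps Mahesh lists, written out as the commands an administrator would actually run. This is an added example, not code from the thread or from Experts Exchange; the names DC1 (surviving DC), DC2 (failed DC), the domain corp.example.local, the site name and the backup version are placeholders, and the DSRM password reset from later in the thread is included as the preparatory step because DSRM logon uses the local administrator account.

```powershell
# Added example, not from the thread. Placeholders: DC1 (surviving DC, restored from
# backup), DC2 (failed DC to be removed and rebuilt), corp.example.local, the AD site
# name and the backup version id. Run as a member of Domain Admins / Enterprise Admins.
$Domain   = 'corp.example.local'
$Survivor = 'DC1'
$DeadDC   = 'DC2'
$Site     = 'Default-First-Site-Name'

# Step 0: know the DSRM password before rebooting into DSRM. DSRM logs on with the local
# .\Administrator account, not domain\administrator, so a forgotten DSRM password shows up
# as "no logon servers available". Run on DC1 while AD is online:
#   ntdsutil "set dsrm password" "reset password on server null" quit quit

# Step 1: normal (non-authoritative) system state restore of DC1 with Windows Server
# Backup, run while booted into DSRM. -authsysvol marks this DC's SYSVOL authoritative,
# which is only wanted when no other DC holds a good SYSVOL copy (the case here, since
# DC2 is being rebuilt). Reboot normally afterwards and let AD finish restore processing.
#   wbadmin get versions
#   wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -authsysvol -quiet

# Step 2: seize the FSMO roles onto DC1. -Force seizes instead of transferring, so use it
# only when the previous holder (DC2) is gone for good.
Import-Module ActiveDirectory
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Step 3: metadata cleanup for DC2. On Server 2008 and later "remove selected server"
# removes the NTDS Settings object and cleans up the related computer and FRS/DFSR member
# objects in one pass; ntdsutil still asks for interactive confirmation.
$dnParts  = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$serverDn = "CN=$DeadDC,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$dnParts"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# DNS host records for DC2 can linger; remove them and let the rebuilt DC2 re-register.
Get-DnsServerResourceRecord -ComputerName $Survivor -ZoneName $Domain -Name $DeadDC -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ComputerName $Survivor -ZoneName $Domain -Force

# Step 4: build DC2 from scratch and promote it, replicating from DC1. Run on the new DC2:
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#   Install-ADDSDomainController -DomainName $Domain -SiteName $Site -InstallDns `
#       -ReplicationSourceDC "$Survivor.$Domain" -Credential (Get-Credential "$Domain\Administrator") `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# Verify: no replication failures and all five roles held by DC1.
repadmin /replsummary
dcdiag /test:replications /test:fsmocheck
```

Steps 0, 1 and 4 are left as comments because they run in DSRM or on the other machine; steps 2 and 3 run as written on the surviving DC once it is back online. The order matters: seizing roles and cleaning metadata before DC2 is promoted avoids the rebuilt DC2 inheriting stale references to its old NTDS Settings object.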
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Replication per DFS Management is working. That's a first in a while. Domain and Forest DNS Zones still good. Another first...
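A post-restore check for the items Robert reports here (DFSR replication of SYSVOL, the DomainDnsZones and ForestDnsZones partitions, the SYSVOL and NETLOGON shares, FSMO holders and AD replication), as an added PowerShell function that is not from the thread. It assumes the ActiveDirectory and DnsServer modules and repadmin are installed on the machine it runs from; DC1 in the usage line is a placeholder.

```powershell
# Added example, not from the thread: one function that reports the health signals a DC
# should show after a restore. $DC defaults to the local machine; 'DC1' below is assumed.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-DCHealth {
    param([string]$DC = $env:COMPUTERNAME)
    $r = [ordered]@{}

    # All five FSMO roles must be held by a DC that still exists.
    $dom  = Get-ADDomain
    $for  = Get-ADForest
    $live = (Get-ADDomainController -Filter *).HostName
    $holders = @($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster,
                 $for.SchemaMaster, $for.DomainNamingMaster)
    $r.FsmoHolders   = $holders | Sort-Object -Unique
    $r.FsmoOnLiveDCs = -not ($holders | Where-Object { $_ -notin $live })

    # The two DNS application partitions that were missing in the corrupted forest.
    $parts = $for.ApplicationPartitions
    $r.DomainDnsZones = [bool]($parts | Where-Object { $_ -like 'DC=DomainDnsZones,*' })
    $r.ForestDnsZones = [bool]($parts | Where-Object { $_ -like 'DC=ForestDnsZones,*' })

    # SYSVOL and NETLOGON shares: without them clients cannot read GPOs or logon scripts.
    $shares = (Get-SmbShare -CimSession $DC -ErrorAction SilentlyContinue).Name
    $r.SysvolShared   = 'SYSVOL'   -in $shares
    $r.NetlogonShared = 'NETLOGON' -in $shares

    # Clients find DCs through this SRV record; a DC that is not registered is invisible.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($dom.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
    $r.SrvRecordCount = @($srv | Where-Object { $_.Type -eq 'SRV' }).Count

    # SYSVOL replication state from DFSR: 0 uninitialized, 1 initialized, 2 initial sync,
    # 3 auto recovery, 4 normal, 5 in error. Empty when SYSVOL is still on FRS.
    $dfsr = Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderInfo `
                -ComputerName $DC -ErrorAction SilentlyContinue |
            Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
    $r.SysvolDfsrState = if ($dfsr) { $dfsr.State } else { 'unknown (DFSR not in use or not running)' }

    # AD replication: any inbound link with failures is a problem to chase with /showrepl.
    $links = repadmin /showrepl $DC /csv | ConvertFrom-Csv
    $r.ReplicationFailures = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 }).Count

    [pscustomobject]$r
}

# Usage:
# Test-DCHealth -DC 'DC1' | Format-List
```

The function reports rather than judges, so it can be run against each DC in turn and the output compared; a healthy pair shows every FSMO holder in the live DC list, both DNS partitions present, both shares present, a DFSR state of 4 and zero replication failures.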
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Doing a non-authoritative restore caused it to crash every time. If what I did doesn't work out I'll try your thoughts tomorrow.
Mahesh (Architect) commented:
There's no trial for AD.
It's a proven systematic method.
The way you tried won't help much and it's non-supported.
And frankly speaking, I did not understand what approach you are trying; it's never clear from your comments.
Jose Gabriel Ortega Castro (EE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT) commented:
I've tried to catch up as well.
And I think that you should describe what you want to do and then describe the steps that you're doing so we can actually understand what you're doing.

Something like:
  • I have backups from a week ago.
  • I did the install on a new fresh server and restored the system state on that computer.

Remember, we don't know what your infrastructure is, and I know that you feel a bit frustrated and you're running out of time, but the better you define the systematic steps that you're taking, the better we're going to be able to help you, Robert.

So a:
Description of the issue

Steps that you've taken

The goal that you want to achieve

So we can actually proceed with a solution.

That template works perfectly :)

Finally, your 1st comment is that Mahesh is not answering your question, but you are not answering his questions either. So to be able to have communication you should be able to answer Mahesh's questions clearly, because those answers/steps represent the logical way to solve AD issues and to know what resources we have to help you with your problem.

I mean, I know we have "Wizard" ranks lol but that's just a label :) we can't actually do magic.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
I am quite sure I answered his questions, yet he came right back and asked what I had just answered. I did get a little frustrated at the time. Sorry if I misinterpreted this. I am now back at work (on Sunday) trying again.

I built this from 2003 and migrated to 2012 and then 2012 R2. No issues. I was detailed away from this for about a year while another person took over. I came back and found the domain running as a single server for a long time. He is gone (left no notes). Unable to connect DC2. I slowly have been correcting permissions and straightening up ADSIEdit, DNS and GPO. I did a bare metal

I have taken both servers back to workgroup level. I metadata cleaned the one server (DC1) that was the FSMO.
I intend to bring back up DC1 as a clean system. I haven't had any issues doing this.
Mahesh advised to use ntdsutil to restore. I have used recover and the semantic database analyzer and it shows no problems. I do not know how to restore an image through ntdsutil.

Overall I wish to get this back up to some point where the users can use it.
Scott Silva (Network Administrator) commented:
If you had one AD server working and one died, it would have been much easier to just build another server from scratch, and then join, install the AD role and promote... Once you have the two servers synced, you can just cleanse the bad server from AD manually. Taking an old server down to a member server and bringing it back might just leave broken garbage around that might have tanked it in the first place...
Robert Hatcher (System Admin and Network Engineer, Author) commented:
In general I agree, except the software people that built the original Windows XP clients hard coded the domain info.
I have 3000 users, 300+ sites. 68 of them are 2012 R2 based and the rest are STILL Windows XP.
Mahesh (Architect) commented:
"I have taken both servers back to workgroup level. I metadata cleaned the one server (DC1) that was the FSMO.
I intend to bring back up DC1 as a clean system. I haven't had any issues doing this."

Sorry to say, but this is beyond my understanding.
How did you take the servers to workgroup?
Then what happens with AD?
If you already took both servers to workgroup, what else is left for metadata cleanup? And what is left for authoritative restore?
After that, how did you reinstate AD? Did you restore both servers from backup?
OR
You have created a brand new AD with the same forest name / domain name and replaced the new ntds.dit file with the old Active Directory one?
Whatever steps you took are not coming up sequentially in writing, hence I am unable to get where you are now.
On what basis could I answer your queries?

I really don't know why you need to take both servers into a workgroup?
Here you broke the entire standard procedure?

There is a huge gap between what you wrote, what you have and what you actually did.
Either my AD knowledge is very poor or your AD knowledge is extraordinary, so that you don't want to follow the standard procedure and you can restore AD with advanced techniques which are beyond my understanding.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
To quote you, sir:
"You have created brand new ad with same forest name / domain name and replaced new ntds.dit file with old active directory?" At present I am working with only one server. AV is disabled. I am not trying anything unusual since your initial responses. I am really attempting to do it the proper way.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
To continue. From workgroup I just finished building to a single server domain. I then rebooted and went into DSRM mode, BUT now I get "There are currently no logon servers available to service the logon request". This is the first I have ever seen this. Now what?
Robert Hatcher (System Admin and Network Engineer, Author) commented:
Logged back in under the domain and used ntdsutil to reset the password. And yes... I am not using the domain\administrator account under DSRM. Now I can get into DSRM.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
I looked through numerous backups and picked one from 2 weeks ago. It is presently restoring. I am wiped and leaving for home. We'll see tomorrow what happened. Thank you for your patience.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
I located via Google a document stating "How to Restore Active Directory to a different server". This fixed it. Thank you.
Jose Gabriel Ortega Castro (EE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT) commented:
That's nice Robert, I'm glad you found the solution.
Robert Hatcher (System Admin and Network Engineer, Author) commented:
In hindsight I believe going down to workgroup makes the server being restored appear to be a different computer (SID or GUID). Thank you very much, all of you, and I'll try to be more clear next time. Hopefully there won't be a next time :-)