| Author | Messages | |
seag33k
Posts:46
 | | 07/02/2009 4:56 PM |
| I am reading an AD book and have some questions regarding the restore process of a domain controller. They list two options.
Restore from replication:
1. Remove the failed DC from Active Directory
2. Rebuild the OS
3. Promote the new server after enough time has passed for the removal of the old DC.
4. Configure the FSMO and GC roles as necessary
Restore from backup:
1. Rebuild the OS
2. Restore from backup the system state
3. Reboot and allow replication to occur
They say that option 1 can take longer to complete due to replication. Option 2 is quicker because replication only since the last backup needs to occur. The downside of option 2 is that you'll need similar hardware and server settings to limit setup problems. If you don't have similar enough hardware, is it best to go with option 1? What other tips or steps have people found to be the most effective in situations like this?
Thanks, Eric
| | | |
| CKaiser
Posts:23
 | | 07/02/2009 5:15 PM |
| Personally, I prefer the remove and rebuild from scratch method. Less chance of restore problems...
I also don't necessarily agree that restore from backup is quicker, either. Often times, issues with backup software/cataloging/reading media can wipe out any time savings from a restore.
Plus, I prefer that my DCs are relatively pristine rather than have a restore on them.
If you're already building the OS, a DCPromo doesn't take that much more time unless you have slow WAN links and a big AD.
I've used both methods and have not found a new DC build to take much longer than a restore. My policy these days is only restore if it's the only DC (like a SBS or single-DC small business). Otherwise I just spool up another DC and DCPromo it.
Caveat: always test your backups, especially system state...
*********************** Charlie Kaiser charliek@golden-eagle.org Kingman, AZ ***********************
| | | |
| bdesmond
Posts:716
 | | 07/02/2009 5:25 PM |
| You could always do #1 with IFM too if that's convenient which would speed up replication time.
Can you give some idea of the environment you're thinking of? Recommendations here vary quite a bit based on that.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
| | | |
| seag33k
Posts:46
 | | 07/02/2009 5:29 PM |
| What is the best method for testing system state data? Are you referring to having a lab setup?
Thanks for the great info!
Eric
| | | |
| pbbergs
Posts:133
 | | 07/02/2009 5:39 PM |
| You are missing a step in the restore from replication scenario.
The old server and its metadata are still within AD and that has to be cleaned up. If you do a restore then this isn't an issue. In the times I have lost a dc, I have always opted to clean and build from scratch. As far as rep speed, unless you have a slow link I wouldn't worry about this too much.
I have a short blog on metadata cleanup at: http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx
Thanks
Paul
| | | |
| seag33k
Posts:46
 | | 07/02/2009 5:41 PM |
| That is a very good point. Our environment is very small. We have a single forest with one root domain. We have 2 domain controllers with the FSMO roles held on one server. Both DC's are configured as GC's. The server hardware is different for the DC's (HP and Dell).
Thanks, Eric
| | | |
| CKaiser
Posts:23
 | | 07/02/2009 6:06 PM |
| Yep. VMware and isolated network segments are your friend... Although I do test Exchange and file restores to production machines, but to "different locations" so as not to overwrite data.
*********************** Charlie Kaiser charliek@golden-eagle.org Kingman, AZ ***********************
| | | |
| irishbug
Posts:53
 | | 07/02/2009 6:28 PM |
| I think step 1 is seize any FSMO roles that might have been on the dead DC.
Steve Kelly
GoogleVoice 973.512.4284
Rita Rudner <http://www.brainyquote.com/quotes/authors/r/rita_rudner.html> - "I was a vegetarian until I started leaning toward the sunlight."
| | | |
| pbbergs
Posts:133
 | | 07/02/2009 7:03 PM |
| Well, I'm not sure if you meant delete the account or clean up AD. I took it to mean delete the account and that isn't good enough, you have to clean all references per the link I previously provided.
Thanks
Paul
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric Sent: Thursday, July 02, 2009 11:44 AM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Restoring a Domain Controller
Paul,
Step 1 says to Remove the failed DC from Active Directory. I guess that is a short description for the number of steps to manually remove the DC from AD. Is that what you are referring to?
Thanks for the link!
Eric
| | | |
| seag33k
Posts:46
 | | 07/02/2009 7:09 PM |
| Good point, but wouldn't you need an active DC to seize the FSMO roles to, so that step would be near the end of the process?
Eric
| | | |
| pbbergs
Posts:133
 | | 07/02/2009 7:23 PM |
| As long as you have more than 1 dc seizing is a good first step, especially if you lost your PDCe. Yes you would need an active dc, but the initial statement mentioned 2 dc's. If there is only 1 dc then restoration is the only option.
Thanks
Paul
| | | |
| seag33k
Posts:46
 | | 07/02/2009 8:06 PM |
| So actually seizing the FSMO roles to the second DC makes sense and then restoring or building a new DC to ensure I have 2 DC's seems like the smarter path in this situation.
Thanks, Eric
| | | |
| pbbergs
Posts:133
 | | 07/02/2009 8:10 PM |
| Don't seize if you are going to restore
Thanks
Paul
pbergson@allete.com (e-mail)
pbbergs@msn.com (IM)
| | | |
| deji
Posts:242
 | | 07/02/2009 8:21 PM |
| Well, technically, he can't do anything but seize since the other DC is dead and there is only one DC. But, yeah, generally, you seize when you know for certain that the dead DC will not be coming back in its previous incarnation - meaning that you are going to completely rebuild it.
In OP's small environment, I think the process will be like this:
DC dead, one DC alive (whew! close shave!)
Turn off dead DC
On live DC, seize ALL roles previously held by dead DC
Ensure that live DC is a GC
On live DC, do metadata cleanup to remove dead DC
In DNS, clean up ALL references to dead DCs (go through ALL the hives to be sure)
In Sites and Services, remove dead DC
Check ADUC and remove dead DC
Rebuild dead DC
Promote dead DC
Pop a champagne and pour a libation for the AD gods who gave you the wisdom to have at least a second DC.
In your situation, I would not mess with a restore at all.
Sincerely,
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
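Added example, not part of the thread: a read-only PowerShell check that the cleanup steps listed in the post above (roles seized, live DC is a GC, metadata, Sites and Services, ADUC and DNS references removed) actually took effect, meant to be run before the replacement is promoted. It assumes the ActiveDirectory and DnsServer PowerShell modules, which the thread does not mention, that the surviving DC also hosts the DNS zones, and the hypothetical names DC01 (dead) and DC02 (live).

```powershell
# Added example: read-only verification, makes no changes to AD or DNS.
# Assumed names (not from the thread): dead DC "DC01", surviving DC "DC02".
param(
    [string]$DeadDC = 'DC01',   # hypothetical short name of the failed DC
    [string]$LiveDC = 'DC02'    # hypothetical short name of the surviving DC
)
Import-Module ActiveDirectory, DnsServer

$findings = New-Object System.Collections.Generic.List[string]
$domain   = Get-ADDomain   -Server $LiveDC
$forest   = Get-ADForest   -Server $LiveDC
$rootDse  = Get-ADRootDSE  -Server $LiveDC
$deadFqdn = "$DeadDC.$($domain.DNSRoot)"

# 1. FSMO roles: all five must resolve, and none may point at the dead DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if (-not $role.Value) {
        $findings.Add("FSMO role $($role.Key) has no resolvable owner")
    } elseif ($role.Value -like "$DeadDC.*") {
        $findings.Add("FSMO role $($role.Key) is still held by $($role.Value)")
    }
}

# 2. The surviving DC must be a global catalog.
if (-not (Get-ADDomainController -Identity $LiveDC -Server $LiveDC).IsGlobalCatalog) {
    $findings.Add("$LiveDC is not a global catalog")
}

# 3. Metadata / Sites and Services: no server object left for the dead DC
#    anywhere under CN=Sites in the Configuration partition.
$sitesDn = "CN=Sites,$($rootDse.configurationNamingContext)"
Get-ADObject -Server $LiveDC -SearchBase $sitesDn `
             -LDAPFilter "(&(objectClass=server)(cn=$DeadDC))" |
    ForEach-Object { $findings.Add("Stale server object: $($_.DistinguishedName)") }

# 4. ADUC: no computer account left for the dead DC.
Get-ADComputer -Server $LiveDC -Filter "Name -eq '$DeadDC'" |
    ForEach-Object { $findings.Add("Stale computer account: $($_.DistinguishedName)") }

# 5. DNS: no SRV/CNAME/NS record targeting the dead DC and no host record
#    named after it, in either the _msdcs zone or the domain zone.
foreach ($zone in @("_msdcs.$($forest.RootDomain)", $domain.DNSRoot)) {
    $records = Get-DnsServerResourceRecord -ComputerName $LiveDC -ZoneName $zone `
                                           -ErrorAction SilentlyContinue
    if (-not $records) {
        $findings.Add("DNS: could not read zone $zone on $LiveDC")
        continue
    }
    foreach ($rr in $records) {
        $target = switch ($rr.RecordType) {
            'SRV'   { $rr.RecordData.DomainName }
            'CNAME' { $rr.RecordData.HostNameAlias }
            'NS'    { $rr.RecordData.NameServer }
            default { $null }
        }
        $namedAfterDead = $rr.HostName -eq $DeadDC
        $pointsAtDead   = $target -and ($target.TrimEnd('.') -eq $deadFqdn)
        if ($namedAfterDead -or $pointsAtDead) {
            $findings.Add("DNS: $zone has $($rr.RecordType) record '$($rr.HostName)' referencing $DeadDC")
        }
    }
}

if ($findings.Count -eq 0) {
    "No remaining references to $DeadDC found."
} else {
    $findings
}
```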
| | | |
| pbbergs
Posts:133
 | | 07/02/2009 8:49 PM |
| It is considered two dc's until he does a metadata cleanup, so he needs to understand to not seize if he plans on doing a restore.
Thanks
Paul pbergson@allete.com (e-mail) pbbergs@msn.com (IM)
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji Sent: Thursday, July 02, 2009 2:20 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Restoring a Domain Controller
Well, technically, he can't do anything but seize since the other DC is dead and there is only one DC. But, yeah, generally, you seize when you know for certain that the dead DC will not be coming back in its previous incarnation - meaning that you are going to completely rebuild it.
In OP's small environment, I think the process will be like this:
DC dead, one DC alive (whew! clsoe shave!) Turn off dead DC On live DC, seize ALL roles previously held by dead DC Ensure that live DC is a GC On live DC, do metadata cleanup to remove dead DC In DNS, clean up ALL references to dead DCs (go through ALL the hives to be sure) In Sites and Services, remove dead DC Check ADUC and remove dead DC Rebuild dead DC Promote dead DC Pop a champagne and pour a libation for the AD gods who gave you the wisdom to have at least a second DC.
In your situation, I would not mess with a restore at all.
Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ www.akomolafe.name<http://www.akomolafe.name/> - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Paul Bergson (ALLETE) [pbergson@allete.com] Sent: Thursday, July 02, 2009 12:08 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Restoring a Domain Controller
Don't seize if you are going to restore
Thanks
Paul pbergson@allete.com<mailto:pbergson@allete.com> (e-mail) pbbergs@msn.com<mailto:pbbergs@msn.com> (IM)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric Sent: Thursday, July 02, 2009 2:06 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Restoring a Domain Controller
So actually seizing the FSMO roles to the second DC makes sense and then restoring or building a new DC to ensure I have 2 DC's seems like the smarter path in this situation.
Thanks, Eric On Thu, Jul 2, 2009 at 11:23 AM, Paul Bergson (ALLETE) <pbergson@allete.com<mailto:pbergson@allete.com>> wrote:
As long as you have more than 1 dc seizing is a good first step, especially if you lost your PDCe. Yes you would need an active dc, but the initial statement mentioned 2 dc's. If there is only 1 dc than restoration is the only option.
Thanks
Paul
From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Eric Sent: Thursday, July 02, 2009 1:07 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: Re: [ActiveDir] Restoring a Domain Controller
Good point, but wouldn't you need an active DC to seize the FSMO roles to, so that step would be near the end of the process?
Eric
On Thu, Jul 2, 2009 at 10:26 AM, Steve K <irish.bug@gmail.com<mailto:irish.bug@gmail.com>> wrote:
I think step 1 is seize any FSMO roles that might have been on the dead DC. Steve Kelly GoogleVoice 973.512.4284
Rita Rudner<http://www.brainyquote.com/quotes/authors/r/rita_rudner.html> - "I was a vegetarian until I started leaning toward the sunlight."
On Thu, Jul 2, 2009 at 1:03 PM, Charlie Kaiser <charliek@golden-eagle.org> wrote:
Yep. VMware and isolated network segments are your friend... Although I do test exchange and file restores to production machines, but to "different locations" so as not to overwrite data.
*********************** Charlie Kaiser charliek@golden-eagle.org Kingman, AZ ***********************
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
> Sent: Thursday, July 02, 2009 9:28 AM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Restoring a Domain Controller
>
> What is the best method for testing system state data? Are you referring to having a lab setup?
>
> Thanks for the great info!
>
> Eric
| | | |
| gabriel/tfi
Posts:367
 | | 07/02/2009 10:58 PM |
| Remember to clean-up metadata of the failed DC http://support.microsoft.com/kb/216498.
I always prefer to rebuild a DC (with a new server name) with DCPromo rather than from the system state backup.
Not sure I understand why the new DC has to be promoted "after enough time has passed for the removal of the old DC".
Gabriele.
| | | |
| SaucyWrong
Posts:37
 | | 07/03/2009 3:41 PM |
| If you rebuild with a new name, then you don't have to wait for replication of the metadata cleanup to occur--only if you plan to rebuild with the same server name. We do this all the time in our forest. When a DC goes down, we seize roles (if applicable) metadata cleanup, then rebuild with a fresh server name and immediately promote (using IFM if network conditions warrant--we have a lot of field offices with wimpy frame relay connections, and not all of them have redundant DCs).
Thanks,
Matt
| | | |
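A read-only check for the conditions discussed in this thread (FSMO roles still recorded on the dead DC, metadata not yet cleaned up or not yet replicated), added here as an example and not posted by any list member. It assumes the ActiveDirectory PowerShell module rather than the ntdsutil steps in the KB article; `DC01` (a surviving DC) and `DC02` (the failed DC) are placeholder names.

```powershell
# Added example: reports what the directory still records about a failed DC.
# It changes nothing. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FailedDcResidue {
    param(
        [Parameter(Mandatory)][string]$FailedDc,  # short name of the dead DC (placeholder)
        [Parameter(Mandatory)][string]$Server     # surviving DC to query
    )
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server

    # FSMO owners as this DC sees them; a role still pointing at the dead DC
    # has to be seized, unless the DC is going to be restored from backup.
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    $heldRoles = @($roles.GetEnumerator() |
        Where-Object { $_.Value -like "$FailedDc.*" } |
        ForEach-Object { $_.Key })

    # Leftover metadata: the server object under CN=Sites (configuration
    # partition) and the computer account (domain partition).
    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $serverObjects = @(Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))")
    $computer = @(Get-ADComputer -Server $Server -LDAPFilter "(cn=$FailedDc)")

    [pscustomobject]@{
        QueriedDc       = $Server
        RolesStillHeld  = $heldRoles
        ServerObjects   = $serverObjects.DistinguishedName
        ComputerAccount = $computer.DistinguishedName
        NameReusable    = (-not $heldRoles -and -not $serverObjects -and -not $computer)
    }
}

# Ask every surviving DC: the old name is only clear once the cleanup has
# replicated everywhere, which is the wait the same-name rebuild implies.
Get-ADDomainController -Filter * -Server 'DC01' |
    Where-Object { $_.Name -ne 'DC02' } |
    ForEach-Object { Get-FailedDcResidue -FailedDc 'DC02' -Server $_.HostName }
```

A DC that still returns `NameReusable = False` after the others report `True` has not yet received the cleanup through replication.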
| gabriel/tfi
Posts:367
 | | 07/03/2009 6:24 PM |
| Good point, now I also understand "Remove the failed DC from Active Directory" was intended as "clean DC metadata in AD" in the OP.
Personally I would never consider rebuilding a new DC with the same name as a failed DC whose metadata were manually cleaned up.
Gabriele.
| | | |
|
|