Re: AD Configuration and Disaster Recovery



TMAN,

I will jump in here for a moment...Ryan, I hope you do not mind.

When using ntdsutil you must be very careful. You can do many many good
things with this nice utility. However, you can also destroy (well, or come
really close) your environment. Not trying to scare you, just want you to
be aware of the power of this tool.

Now, as Ryan mentioned, you can transfer or seize FSMO Roles (among many
other things) with this utility. You could use ntdsutil to transfer any
FSMO Roles from one existing Domain Controller to another existing Domain
Controller if you did not want to use any of the GUI Tools (ADUC, ADDT,
ADSM). In the case of a Domain Controller popping out ungracefully you
would have to use ntdsutil to seize the FSMO Role(s) that this now dead DC
held. To do this you would have to sit down at a DC that still exists....to
do this I would suggest that you use the MSKB Article that Ryan provided.

Without getting too deep into the explanation Active Directory knows that
the roles exist and which Domain Controller holds each role. When one
Domain Controller ungracefully dies you did not have the chance to transfer
the FSMO Roles from that DC to another so Active Directory thinks that the
now dead DC still holds those FSMO Roles. In order to correct this you use
ntdsutil to seize the FSMO Roles to another DC. Kinda sorta think of this
as a transfer after the fact! But, once you seize a role using ntdsutil
because a DC died ungracefully you can never bring that dead DC back into
production....

Additionally, since we are talking about a DC that died an ungraceful death,
you would use ntdsutil to remove this Domain Controller from Active
Directory. This is called a metadata cleanup. Again, you would have to sit
down at an existing DC and bind to that DC and then remove the dead DC. The
mistake that a lot of people make when doing this is that they want to first
bind to the dead DC. Then, when they attempt to remove that dead DC they
receive an error. If you have such a situation then you need to also know
that there is a little bit of manual work to do (remove the server object in
ADSS, for example).

As Ryan also suggested, it is a Best Practice to have multiple Domain
Controllers. This typically negates the need to rebuild your environment
from backup (not a fun task at all!!!!). When you have multiple Domain
Controllers and one dies all you *typically* need to do is load up the OS on
a server and then run dcpromo to add an additional Domain Controller to an
existing domain. Normal Active Directory replication will take care of the
rest for you. Well, you may have a few manual things to do (like change
DHCP, if necessary...).

--
Cary W. Shultz
Roanoke, VA 24012
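The seize-after-the-fact step Cary describes above, as an added example that is not part of the thread or of any Microsoft documentation. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later; on 2003 the equivalent is the `roles` menu of ntdsutil from the KB article Ryan linked). The names DC01 (the dead role holder) and DC02 (the surviving DC) are placeholders, and the reachability check before seizing is the caveat from the post: a DC that still answers should have its roles transferred, not seized, because a DC that has had roles seized from it can never return to production.

```powershell
# Added example (not from the thread): seize the FSMO roles recorded on a DC
# that died ungracefully and verify the result. Run this on a surviving DC.
# Assumed names: DC01 is the dead role holder, DC02 is the surviving DC.
Import-Module ActiveDirectory

$DeadDc      = 'DC01'   # assumed: the DC that is gone for good
$SurvivingDc = 'DC02'   # assumed: the DC that will take over the roles

function Get-FsmoHolders {
    # Forest-wide roles are reported by Get-ADForest, domain roles by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 1. Record which DC Active Directory currently believes holds each role.
$before = Get-FsmoHolders
$before | Format-List

# 2. Pick out the roles that still point at the dead DC. Holders are reported
#    as FQDNs, so compare on the host-name label only.
$rolesToSeize = $before.PSObject.Properties |
    Where-Object { ($_.Value -split '\.')[0] -ieq $DeadDc } |
    Select-Object -ExpandProperty Name

if (-not $rolesToSeize) {
    Write-Host "No FSMO role is recorded on $DeadDc; nothing to seize."
    return
}

# 3. Seizing is only for a DC that will never come back. If the old holder
#    still answers, transfer the roles gracefully instead.
if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet) {
    throw "$DeadDc still answers on the network. Transfer the roles instead of seizing them."
}

# 4. Seize. The cmdlet first attempts a normal transfer and, because -Force is
#    given, seizes the role when the transfer fails (the holder is unreachable).
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDc `
    -OperationMasterRole $rolesToSeize -Force -Confirm:$false

# 5. Verify that every seized role is now recorded on the surviving DC.
$after = Get-FsmoHolders
foreach ($role in $rolesToSeize) {
    $holder = ($after.$role -split '\.')[0]
    if ($holder -ine $SurvivingDc) {
        throw "Role $role is still recorded on $($after.$role)"
    }
    Write-Host "$role is now held by $SurvivingDc"
}
```

The before/after listing is worth keeping with the change record: after a seizure the old holder's NTDS Settings object is still in the directory until metadata cleanup is done, so the role listing is the quickest way to confirm that no role still points at a server that no longer exists.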

"tman" <naves.tom@xxxxxxxxx> wrote in message
news:1181498207.349360.201610@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jun 10, 8:52 am, Ryan Hanisco
<RyanHani...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hey tman,

I'll answer your questions by letter to make them clearer...

a. If you have more than one Domain controller -- and you should always have at least 2 -- you shouldn't have all of your FSMO roles on the same machine. They are designed to be distributed and you gain nothing by having them on a single box. If you only have a few DCs, I would make them all GCs and DNS servers, but remember if one DC fails you can restore the FSMO roles lost. See the following article for more direction on FSMO placement: http://support.microsoft.com/kb/223346

b. You generally don't have to do restores on your AD if you have more than one DC. Of course if you are using them as file servers or to keep profiles, you might need to file restore those. You would simply seize the FSMO roles to the other machine, remove the other DC in ADU&C and DNS, rebuild it, and promote it to be a DC again. From there you just put the DNS and FSMO roles back. You really only need to worry about restores like that if you lose ALL of your DCs or if you have serious lag between sites and need to recover changes.

c. Again, this shouldn't happen as you'll not want to have them on one box. The most important role from a day to day operation standpoint is the PDCe. All of them can be transferred or forced using NTDSUTIL. This tool is your friend and is much easier than it used to be. You'll only need to do a full restore like that when it really hits the fan. Virus attack, all your DCs are in one place and you have a fire, newbie administrator deletes the users container... something like that.

NTDSUTIL to seize or transfer --http://support.microsoft.com/kb/255504

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
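The "remove the dead DC" step that both Ryan (remove it in ADU&C and DNS, rebuild, promote again) and Cary (metadata cleanup, bound to a surviving DC, plus a little manual work in ADSS) describe, as an added example that is not part of the thread. It drives ntdsutil non-interactively with the same command sequence an administrator would type, binds to the surviving DC rather than the dead one (the mistake Cary warns about), and then lists what is commonly left behind. All names are placeholders: DC01 is dead, DC02 survives, the site is Default-First-Site-Name. The DNS check uses the DnsServer module, which exists on Windows Server 2012 and later; on 2003 that part is done by hand in the DNS console.

```powershell
# Added example (not from the thread): metadata cleanup for a DC that died
# ungracefully, run from a surviving DC, followed by a leftover check.
# Assumed names: DC01 (dead), DC02 (surviving), site Default-First-Site-Name.
Import-Module ActiveDirectory

$DeadDc      = 'DC01'
$SurvivingDc = 'DC02'
$Site        = 'Default-First-Site-Name'
$Domain      = Get-ADDomain

# The dead DC's server object lives in the Configuration partition under
# its site; this is the DN ntdsutil needs for "remove selected server".
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configNc"

# Metadata cleanup is for a DC that will never return. A DC that still
# answers should be demoted with dcpromo instead.
if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet) {
    throw "$DeadDc still responds; demote it with dcpromo rather than cleaning up its metadata."
}

# ntdsutil takes its menu commands as separate arguments. The sequence mirrors
# the interactive session: metadata cleanup -> connections -> bind to the
# SURVIVING DC -> quit the connections menu -> remove the selected server by
# DN (accepted on Windows Server 2003 SP1 and later) -> quit, quit.
& ntdsutil.exe 'metadata cleanup' 'connections' "connect to server $SurvivingDc" 'quit' `
    "remove selected server $serverDn" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }

function Get-DeadDcLeftovers {
    # Returns a list of objects that still refer to the dead DC after cleanup,
    # the "little bit of manual work" Cary mentions. Empty list means clean.
    param([string]$Name, [string]$ServerDn, [string]$ConfigNc, [string]$DomainDn, [string]$ZoneName, [string]$DnsServer)
    $found = @()

    # Server object in Sites and Services (ADSS) that may survive the cleanup.
    $server = Get-ADObject -LDAPFilter "(distinguishedName=$ServerDn)" -SearchBase $ConfigNc -ErrorAction SilentlyContinue
    if ($server) { $found += "Server object still present in ADSS: $ServerDn" }

    # Computer account in the Domain Controllers OU (what ADUC shows).
    $computer = Get-ADComputer -Filter "Name -eq '$Name'" -SearchBase "OU=Domain Controllers,$DomainDn" -ErrorAction SilentlyContinue
    if ($computer) { $found += "Computer account still present in ADUC: $($computer.DistinguishedName)" }

    # Host (A) record in the AD-integrated zone. SRV records under _msdcs that
    # still name the dead DC should be removed in the DNS console as well.
    $a = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A -Name $Name -ErrorAction SilentlyContinue
    if ($a) { $found += "A record still present in zone $ZoneName for $Name" }

    return $found
}

$leftovers = Get-DeadDcLeftovers -Name $DeadDc -ServerDn $serverDn -ConfigNc $configNc `
    -DomainDn $Domain.DistinguishedName -ZoneName $Domain.DNSRoot -DnsServer $SurvivingDc
if ($leftovers.Count -eq 0) {
    Write-Host "Metadata for $DeadDc is clean; the server can be rebuilt and promoted with dcpromo."
} else {
    $leftovers | ForEach-Object { Write-Warning $_ }
}
```

Only once the leftover list is empty is the rebuilt server safe to promote under the same name: a stale server or computer object under the old name is exactly what produces the errors Cary describes when people bind to the wrong DC during cleanup.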



"tman" wrote:
We just did an upgrade from NT4 to 2003 Active Directory on a 350 node
network. It seemed to go rather smoothly. We upgraded a fresh PDC
with Windows 2003 compatible hardware then added two new DCs. We then
demoted the upgrade server and it moved its roles to one of the other
new servers.

We now have two DCs running in interim mode with a couple of NT BDCs
Both of the new DCs are Global Catalog Servers. All the FSMO roles
were moved from the upgrade server to one of the new DCs. Both DCs
are DNS servers. The DNS servers are AD integrated.

I have a hard time understanding the Disaster Recovery information
that I have read so far. I thought one of you could net it out for me.

a. Is my config good for disaster recovery e.g., all the FSMO roles on
one DC?

b. I think I know how to recover if I lose the DC that does not have
the FSMO roles. I could restore the system state and do an
unauthoritative restore, reboot and get everything I need from the
other DC via replication. Is this accurate?

c. What to do if I lose the DC that has all the FSMO roles? Restore
the system state and do an authoritative restore?

Thanks

Thanks a lot for your clear responses to my questions. I understand
it clearly. One other question comes to mind, one that I have never
seen spelled out. In the scenario where, you have two DCs and some
FSMO roles are on one DC and some on the other DC and one of the DCs
fails. Now you will want to seize the roles from the failed DC to the
one that is still up. Where are they seized from? Does each DC have
all roles but they are only active on one DC?

Thanks
