RE: Disaster recovery of a DC
- From: Garry Starck - MCITP <vjsparx@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 3 May 2009 13:10:15 -0700
Hi Skip
-- If the FSMO roles are hosted by the "dead DC", then ascertain which ones. E.g.:
If it hosted the PDCe role, then seize the role to an active DC, as every
time a password is changed a secure channel update occurs from any DC in the
domain straight to the PDC.
-- If the role is RID master, you can leave it off until a DC requires to
renew a near-to-exhaustion RID pool assignment. Basically the RID master
dishes out unique pools of RIDs of 500 at a time. If this pool becomes
exhausted on a non-RID-master DC, then you cannot create new objects until
this RID master is seized or again contactable. (This is to ensure uniqueness
of each object created within a domain.)
-- If the role on the dead DC is the Infrastructure Master, you should
worry unless all your DCs are set as Global Catalog servers, and the
Infrastructure Master maintains a limited set of details (attributes) of
other objects in other domains within a multiple-domain forest. These objects
are called phantoms. You don't need to worry if you are only running 1
domain. Seize will do if you need to.
Those are the FSMO roles per domain. Note that in Win2003 AD upwards, if you
seize any role from a dead DC and the hardware vendors fix the problem, you can
then boot the DC up, unlike in Win2k AD, where you would have to format and
never bring it back as a DC. In 2K3 and up, a DC that hosted a FSMO role that
had been down, "say for a lengthy 2 weeks", first checks AD to ascertain if
another DC is advertising as the role and it will automatically demote itself
before even advertising.
Forest Roles:
Schema Master: Only needs to be up if a change to the schema is required;
you can leave this off for lengthy periods. Also remember Best Practice is to
unplug this server from the network, then do a schema update and check that it
is successful; if so, plug it back in to allow new schema replication. If it is not
updating properly, do not add it back to the network. Rather test-lab and fix
the issue before continuing.
Domain Naming Master: Can be off for lengthy periods until a new domain in
the forest requires creation, which will update details in the configuration
partition (forest-replicated AD partition). No domains can be added to the
forest if this DC is not contactable, not child, grandchild or even separate
domain trees.
SO TO ANSWER YOUR QUESTION: Don't store the system state only on the local
hardware; at least have a script that collates them into a central repository
as well for quicker access. I would restore the DC only if it were in a
remote site whereby the AD and SYSVOL (FRS) need to replicate across the slow
WAN links, unless the site had a second DC. Remember when restoring (I take it
you are still using NTBackup on the older 2K3 DCs), if on the dead DC you
have the SYSVOL on D:, the AD database (NTDS.DIT) on E: and the AD log
files on F:, then you need to ensure the blank reloaded DC has the exact same
drive letters, otherwise on C:\SYSTEMDRIVE will be completed, and ensure the
space available is present.
Also, since you have 2k8 DCs, remember that if only one of them is a
writeable replica DC and the other 3 are Read Only DCs, replication is
broken, as 2003 DCs do not understand RODC fundamentals. A writeable 2k8 replication
partner must be a certain target.
I generally will only ever perform a system state DC restore for a DC that
had any particular/peculiar software running that may be a lovely puzzle
under pressure to make the funnies work. Also, 2008 backup is more robust,
meaning it includes the program files, unlike 2003, and often NICs would not
show the tab to increase the DUPLEX/SPEED settings and until fixed hobbled
along at 10MBPS if on even slightly different HPs, for instance, like
restoring a 2003 server from a HP DL380 G5 down onto a DL380 G3. This was because
some of the drivers were actually conveniently in the non-automatic
system state backups, unlike 2K8.
Please advise if all your DCs are GCs, or if you have any RODCs, and how many
domains in your forest, just for interest.
Last one of your questions: You still run 2K3 DCs, which means SYSVOL is
still in FRS replicated mode; when are you gonna remove the 2003 DCs so you can
switch to DFS replication instead for granular control (compression)? If the
DC is in a remote single-DC location, you can also use the /ADV switch when
DCPROMO'ing the failed DC, which, depending on your SYSVOL size, could be a real
burden. Part of a system state is the SYSVOL; you restore that to a
location, then DCPROMO using data from the restored SYSVOL location.
And sorry for the thesis, Skip.
Relevant Supporting Docs:
http://support.microsoft.com/default.aspx/kb/324801
http://support.microsoft.com/kb/316201/en-us
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA
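As an added example (not part of Garry's reply or the original thread), a PowerShell script that gathers what Garry asks Skip for: which DC holds each FSMO role and whether it currently answers, which DCs are GCs, which are RODCs, and how many domains the forest has. It assumes PowerShell 2.0 on a domain-joined machine and uses only the .NET System.DirectoryServices classes; Test-RoleHolder is a helper name made up here.

```powershell
# Added example, not from Garry or Skip: lists FSMO role holders, GC/RODC status and OS
# version for every domain, and flags role holders that do not answer a ping. Needs only
# System.DirectoryServices (PowerShell 2.0, no AD module); Test-RoleHolder is a made-up helper.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcs    = @($forest.GlobalCatalogs | ForEach-Object { $_.Name.ToLower() })

function Test-RoleHolder([string]$role, [string]$dcName) {
    # A role holder that stays down is the candidate for an ntdsutil seizure (KB 324801).
    $up = Test-Connection -ComputerName $dcName -Count 1 -Quiet -ErrorAction SilentlyContinue
    $state = if ($up) { 'reachable' } else { 'NOT REACHABLE' }
    "{0,-22} {1,-32} {2}" -f $role, $dcName, $state
}

"Forest: $($forest.Name)   Domains: $($forest.Domains.Count)"
Test-RoleHolder 'Schema Master'        $forest.SchemaRoleOwner.Name
Test-RoleHolder 'Domain Naming Master' $forest.NamingRoleOwner.Name

foreach ($domain in $forest.Domains) {
    "`nDomain: $($domain.Name)"
    Test-RoleHolder 'PDC Emulator'          $domain.PdcRoleOwner.Name
    Test-RoleHolder 'RID Master'            $domain.RidRoleOwner.Name
    Test-RoleHolder 'Infrastructure Master' $domain.InfrastructureRoleOwner.Name

    # RODC computer accounts have primaryGroupID 521 (Read-only Domain Controllers);
    # writable DCs have 516 (Domain Controllers).
    $entry    = $domain.GetDirectoryEntry()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(&(objectCategory=computer)(primaryGroupID=521))')
    $rodcs    = @($searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0].ToLower() })

    $dcs = @($domain.DomainControllers)
    foreach ($dc in $dcs) {
        $name = $dc.Name.ToLower()
        $gc   = if ($gcs   -contains $name) { 'GC'   } else { 'no GC'    }
        $type = if ($rodcs -contains $name) { 'RODC' } else { 'writable' }
        "  {0,-32} {1,-6} {2,-9} {3}" -f $name, $gc, $type, $dc.OSVersion
    }

    # Garry's RODC caveat: an RODC can only replicate from a writable Windows 2008 DC.
    $writable2008 = @($dcs | Where-Object { $rodcs -notcontains $_.Name.ToLower() -and $_.OSVersion -match '2008' })
    if ($rodcs.Count -gt 0 -and $writable2008.Count -eq 0) {
        "  WARNING: RODCs present but no writable Windows 2008 DC to replicate from"
    }
    # The Infrastructure Master should not be a GC unless every DC in the domain is a GC.
    $im = $domain.InfrastructureRoleOwner.Name.ToLower()
    if (($gcs -contains $im) -and @($dcs | Where-Object { $gcs -notcontains $_.Name.ToLower() }).Count -gt 0) {
        "  WARNING: Infrastructure Master $im is a GC while other DCs are not (phantom updates stop)"
    }
}
```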
"skip" wrote:
Hello.
Here's the scenario.
I have 4 DCs, two of which are running Windows 2008, the other two are
running Windows 2003. I do a system state backup on every DC, but on the
Windows 2008 DCs I store the system state backup locally on a second drive
on the server (E:\). I use the wbadmin tool to create the system state
backups for the 2008 DCs.
Example:
wbadmin enable backup -addtarget:{00000081-0000-0000-0000-000000000000} -allcritical -schedule:06:00
Now if one of the Windows 2008 DCs experiences a total hardware failure or
the OS gets corrupted (C:), what are the steps for restoring the DC back into
the forest as a domain controller?
Would I reinstall the OS, then do the system state restore, then promote to a
DC? Kind of confused on the steps.