SAME EXAMPLE AGAIN

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time, all the GCs in the other domains
MIGHT have newer data of CHILD1.BLABLA.LOCAL than the DCs in
CHILD1.BLABLA.LOCAL. So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL
should rebuild their data for CHILD1.BLABLA.LOCAL.

For each GC in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute:
REPADMIN /UNHOST <FQDN GC that needs to rebuild CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

"FQDN" means "Fully Qualified Domain Name".
<FQDN GC that needs to rebuild CHILD1.BLABLA.LOCAL> means all the DNS
HOSTNAMES of the GCs in the other domains that currently host a read-only
naming context of CHILD1.BLABLA.LOCAL.

Say that BLABLA.LOCAL has three DCs that also are GCs (GC01, GC02, GC03).
Say that CHILD1.BLABLA.LOCAL has three DCs that also are GCs (GC04, GC05, GC06).
Say that CHILD2.BLABLA.LOCAL has three DCs that also are GCs (GC07, GC08, GC09).

Taking the example mentioned above into account, the following commands
should be executed:
REPADMIN /UNHOST GC01.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC02.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC03.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL

REPADMIN /UNHOST GC07.CHILD2.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC08.CHILD2.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL
REPADMIN /UNHOST GC09.CHILD2.BLABLA.LOCAL DC=CHILD1,DC=BLABLA,DC=LOCAL

This should only be needed if you are certain that objects were added to the
domain CHILD1.BLABLA.LOCAL or objects were changed.

Remember: procedures like this should always be available, tested and
proven. Besides this, the persons responsible for executing this procedure
should know how to perform such a procedure. If you're not experienced with
this, the possibility exists that something goes wrong and things are made
even worse. So be careful with what you are doing, and again: TEST, TEST,
TEST!!!

Regards,

Jorge
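The procedure above, as an added PowerShell example that is not code from Jorge's post or from the list: it enumerates every GC outside the restored domain, issues REPADMIN /UNHOST against all of them together, and then checks each GC's Directory Service log for the 1658/1660/1264 events described later in the thread. It assumes the ActiveDirectory PowerShell module, a repadmin.exe that supports /unhost (the W2K3 support tools version or later), Enterprise Admin rights and remote event log access; the domain names follow the thread's example. Without -Execute it only prints the plan.

```powershell
<#
  Added example, not code from the thread. Rebuilds the read-only copy of a
  restored domain's naming context on every GC in the *other* domains of the
  forest with "repadmin /unhost <GC FQDN> <NC DN>", then looks for the
  Directory Service events the thread lists (1658 removing NC, 1660 NC
  removed, 1264 replication link added). Assumptions: ActiveDirectory module
  present, repadmin.exe on the path, Enterprise Admin rights, remote event
  log access to each GC.
#>
param(
    [string]$RestoredDomain = 'child1.blabla.local',   # domain whose DCs were restored from backup
    [switch]$Execute                                    # omit for a dry run that only prints the plan
)

Import-Module ActiveDirectory -ErrorAction Stop

$ncDn   = (Get-ADDomain -Identity $RestoredDomain).DistinguishedName   # e.g. DC=child1,DC=blabla,DC=local
$forest = Get-ADForest

# Only GCs in the other domains hold a read-only replica of $ncDn. The
# restored domain's own DCs are authoritative for it and are never touched.
$targets = foreach ($dom in ($forest.Domains | Where-Object { $_ -ne $RestoredDomain })) {
    Get-ADDomainController -Server $dom -Filter { IsGlobalCatalog -eq $true } |
        Select-Object -ExpandProperty HostName
}

if (-not $targets) { throw "No global catalogs found outside $RestoredDomain" }

Write-Host "Naming context to rebuild: $ncDn"
Write-Host "Commands that will be run:"
$targets | ForEach-Object { Write-Host "  repadmin /unhost $_ $ncDn" }

if (-not $Execute) { Write-Host 'Dry run only; re-run with -Execute.'; return }

$start = Get-Date

# Launch all unhost operations together, so no GC rebuilds its copy from a
# peer GC that still holds the stale (newer-than-restored) data.
$jobs = foreach ($gc in $targets) {
    Start-Job -Name $gc -ArgumentList $gc, $ncDn -ScriptBlock {
        param($gc, $nc)
        & repadmin /unhost $gc $nc 2>&1 | Out-String
    }
}
$jobs | Wait-Job | ForEach-Object {
    Write-Host "---- $($_.Name) ----"
    Receive-Job $_
}

# Verification: each GC should log 1658, then 1660, and later 1264 in its
# Directory Service log. 1264 can lag behind the first two, so report what
# has been seen so far rather than failing on its absence.
foreach ($gc in $targets) {
    $events = Get-WinEvent -ComputerName $gc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1658, 1660, 1264; StartTime = $start
    }
    $seen = ($events | Select-Object -ExpandProperty Id | Sort-Object -Unique) -join ','
    Write-Host ("{0}: events seen so far [{1}]" -f $gc, $seen)
}
```

Run it once without -Execute and compare the printed command list against the GC inventory by hand before running it for real; the dry run is the cheapest way to catch a GC that was promoted after the last inventory, and a GC left out is exactly the stale source the thread warns about.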


-----Original Message-----
From: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]'
Sent: 2/5/2004 6:10 PM
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

So then the command would be

Repadmin /unhost <child1.blabla.local> dc=child1,dc=blabla,dc=local

On each DC/GC in the forest?

-----Original Message-----
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent:   Thursday, February 05, 2004 11:59 AM
To:     [EMAIL PROTECTED]
Subject:        RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

Hi,

NO
With the command you mention below you are telling the DC1.DOMAIN.LOCAL DC
to remove its own domain naming context, and you don't want that! It also
won't happen, because it will try and then generate an error (at least
that's my experience when I tried it in a test environment, as I'm always
curious).

EXAMPLE:
Forest/Domain structure:

Forest root domain: BLABLA.LOCAL
Child domain 1 of forest root domain: CHILD1.BLABLA.LOCAL
Child domain 2 of forest root domain: CHILD2.BLABLA.LOCAL

Let's say all DCs in CHILD1.BLABLA.LOCAL are restored from backup. Because
CHILD1.BLABLA.LOCAL went back in time, all the GCs in the other domains
MIGHT have newer data of CHILD1.BLABLA.LOCAL than the DCs in
CHILD1.BLABLA.LOCAL. So all GCs in CHILD2.BLABLA.LOCAL and BLABLA.LOCAL
should rebuild their data for CHILD1.BLABLA.LOCAL.

On each GC in CHILD1.BLABLA.LOCAL and BLABLA.LOCAL (locally or remotely)
execute:
REPADMIN /UNHOST <FQDN GC that needs to rebuild CHILD1.BLABLA.LOCAL> DC=CHILD1,DC=BLABLA,DC=LOCAL

Regards,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:47
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

REPADMIN /UNHOST <FQDN TARGET GC> <DN NC>

So the command for a Windows 2000 SP3 GC with the computer name of DC1
would be

REPADMIN /UNHOST dc1.domain.local dn=domain, dn=local



-----Original Message-----
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent:   Thursday, February 05, 2004 11:25 AM
To:     [EMAIL PROTECTED]
Subject:        RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

The repadmin is executed remotely from a WXP or W2K3 station.

The DC/GC must be W2K SP3 or higher, or W2K3.

On the DC you'll see (in the DS log) event id 1658 (removing NC) and later
on event id 1660 (NC removed) and later on event id 1264 (replication link
added to rebuild the NC).

Be sure to execute this against all GCs at once, otherwise a GC that is
rebuilding the NC might then get the data from a GC that still has the old
data.

Regards,
Jorge 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, February 05, 2004 17:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

So running the repadmin tool on each DC that is a GC will rebuild the
naming context?

-----Original Message-----
From:   Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent:   Thursday, February 05, 2004 10:31 AM
To:     [EMAIL PROTECTED]
Subject:        RE: [ActiveDir] Restore a failed DC that was the only DC for a domain

Steps are:

* Restore the DC marking the data set as primary
* Increment the RID pool in AD by 100000 (see to it that the DC/RID Master
has not allocated a RID pool to itself ---> error event ids 16651 or 16651
are OK). If you see event id 16648 before raising the RID pool, create 501
objects in the domain and delete them afterwards. (In the event viewer
event id 16648 should appear within 30 minutes or something after
incrementing the RID POOL in AD.)
* Now the interesting part: if you have DCs in other domains that are also
GC, demote these GC servers; after all GCs are demoted, promote them back
to GC. One other solution is to rebuild the child domain naming context on
all GCs that are in other domains (I prefer the latter solution). (A few
days ago I posted something concerning the GC contents when all DCs within
a domain were restored from backup. Because all DCs are restored the domain
went back in time while the GCs in the other domains contain current data.
As the GCs with the newer data will never update the authoritative DCs, the
GC data concerning the child domain naming context has to be rebuilt!!!)
The tool to use for the latter solution is REPADMIN /UNHOST <FQDN TARGET GC>
<DN NC> (w2k3 support tools)
* If you are using cross-domain memberships check those to see if
everything is OK
* Finally check event viewer for errors and warnings and take appropriate
measures
* Don't forget to test/check trusts, computer account memberships and user
accounts. Recreate accounts that were created after the backup that was
used for the restore of the DC
* Check ACLs on files and folders (SUBINACL) to remove unknown accounts

These are a few steps you can use. Be sure to test these in a test
environment!!!

See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/support/adrecov.asp

Regards,
Jorge
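The second step of the list above (raise the RID pool by 100000 after the restore), as an added PowerShell example that is not Jorge's code or Microsoft's: it reads rIDAvailablePool from the RID Manager$ object, shows what the change will do, and only writes with -Execute. It assumes the ActiveDirectory module, Domain Admin rights in the restored domain, and the documented layout of rIDAvailablePool (low 32 bits = next RID to hand out, high 32 bits = highest RID the domain may use); the domain name is the thread's example.

```powershell
<#
  Added example, not code from the thread. Raises the domain's RID pool by
  100000 after restoring the only DC of a domain, so that RIDs handed out
  between the backup and the crash cannot be issued a second time.
  rIDAvailablePool on "CN=RID Manager$,CN=System,<domain DN>" is a 64-bit
  value: high 32 bits = highest RID the domain may ever allocate, low 32 bits
  = next RID to hand out. Adding 100000 to the whole value therefore moves
  only the low half. Assumptions: ActiveDirectory module, Domain Admin
  rights, and the restored DC holds the RID master role.
#>
param(
    [string]$Domain    = 'child1.blabla.local',   # restored domain from the thread's example
    [int64] $Increment = 100000,                  # the value the thread recommends
    [switch]$Execute                               # omit for a dry run
)

Import-Module ActiveDirectory -ErrorAction Stop

$dom       = Get-ADDomain -Identity $Domain
$ridMaster = $dom.RIDMaster
$ridMgrDn  = "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)"

# Always read and write on the RID master itself; it owns this attribute.
$ridMgr = Get-ADObject -Identity $ridMgrDn -Server $ridMaster -Properties rIDAvailablePool
$pool   = [int64]$ridMgr.rIDAvailablePool

$ceiling = [int64][math]::Floor($pool / 4294967296)   # high 32 bits
$nextRid = $pool -band 0xFFFFFFFF                      # low 32 bits

if (($nextRid + $Increment) -ge $ceiling) {
    throw "Raising the pool by $Increment would pass the RID ceiling ($ceiling)"
}

$newPool = $pool + $Increment
Write-Host ("RID master           : {0}" -f $ridMaster)
Write-Host ("rIDAvailablePool     : {0} (next RID {1}, ceiling {2})" -f $pool, $nextRid, $ceiling)
Write-Host ("new rIDAvailablePool : {0} (next RID {1})" -f $newPool, ($nextRid + $Increment))

if (-not $Execute) { Write-Host 'Dry run only; re-run with -Execute.'; return }

Set-ADObject -Identity $ridMgrDn -Server $ridMaster -Replace @{ rIDAvailablePool = $newPool }

# Read back and confirm the write took effect before moving on to the next step.
$check = (Get-ADObject -Identity $ridMgrDn -Server $ridMaster -Properties rIDAvailablePool).rIDAvailablePool
if ([int64]$check -ne $newPool) { throw 'rIDAvailablePool did not change as expected' }
Write-Host 'Done. Watch the DS log on the RID master for event id 16648 (new pool allocated), which the thread says should appear within about 30 minutes.'
```

The dry-run output is worth keeping with the recovery record: the old and new "next RID" values tell you afterwards exactly which RID range was skipped, which is what you need if a SID later turns up that nobody can account for.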

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 04, 2004 17:20
To: ActiveDir (E-mail)
Subject: [ActiveDir] Restore a failed DC that was the only DC for a domain

What are the steps to restore a DC that was the only DC for a child
domain?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.