The promotion of the rebuilt DC will have a new NTDS Settings object, which has its own GUID and CNAME record. It's that CNAME record that existing DC's will use when trying to contact the new DC. This assumes, of course, AD replication is working and the existing DC's now know of the new DC. The old CNAME record should not be referenced by the existing DC's anymore, except in the case that the old DC's NTDS Settings object was left (and the new DC's created side-by-side to it). I've seen this a couple times, but it's a separate issue.
I'm not saying to *not* delete a DC's metadata when decommissioning/rebuilding it, but in this specific example the old GUID record should not cause immediate harm.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
> Sent: Friday, July 01, 2005 10:11
> To: [email protected]
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
> That is correct for a new Domain Controller. However, if a
> Domain Controller is re-promoted before the old CNAME records
> are cleaned up, there may be other Domain Controllers in the
> Domain that still have the OLD CNAME record with the old GUID
> and if there are different GUIDs for the same host name,
> replication problems can happen.
>
> This is why they recommend running a metadata cleanup and
> removing any old records before promoting the DC again. It is
> also recommended that you remove the old FRS entries using ADSI Edit.
>
> Mike Tetrault
> OFT
> 40 North Pearl St. Albany, NY
> (518) 402-9300
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, July 01, 2005 10:16 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
> That really still shouldn't be an issue unless I am missing
> something here.
> Please bear with me.
>
> The mapping in DNS isn't hostname to GUID, it is GUID to
> hostname. When a DC wants to replicate with this new DC, it
> will use the new GUID and that shouldn't exist in DNS until
> the repromoed DC registers it.
>
> Prior to registration the GUID would be unresolvable and no
> replication would be allowed[1]. I used to use that for
> stopping DC's from pulling replication from a specific DC -
> usually when the troublesome DC was on the end of a
> misbehaving WAN connection and I was experiencing rough RPC
> and excessive timeouts.
>
> Once registered, the GUID would be found and translated to a
> hostname which can in turn be resolved to an IP. This would
> in turn allow for the replication to work again.
>
> joe
>
> [1] At least pre-K3 SP1, I haven't checked it since but I
> know there are supposed to be changes.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
> Sent: Friday, July 01, 2005 9:58 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
> It will be a problem if the other Domain Controllers have
> different CNAME records in root/_msdcs for the new Domain
> Controller.
>
> Mike Tetrault
> OFT
> 40 North Pearl St. Albany, NY
> (518) 402-9300
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, July 01, 2005 9:44 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
> > If the server is promoted again the GUID will be different and will
> > cause File Replication problems among other things.
>
> It really shouldn't be an issue.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
> Sent: Friday, July 01, 2005 9:02 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
> As long as you still have a Domain Controller with a "good"
> copy of the Active Directory Database, I would just demote it
> and then run dcpromo to promote it again. Make sure you check
> that the CNAME and SRV records in DNS are removed after the
> demotion. If the server is promoted again the GUID will be
> different and will cause File Replication problems among
> other things. I would also recommend running ntdsutil to
> perform a MetaData cleanup of the server object you are
> demoting before you promote it again.
> Microsoft has a procedure for doing this on the website if
> you are not familiar with it.
>
> Mike Tetrault
> OFT
> 40 North Pearl St. Albany, NY
> (518) 402-9300
>
> --------------------------------------------------------
> This e-mail, including any attachments, may be confidential,
> privileged or otherwise legally protected. It is intended
> only for the addressee.
> If you received this e-mail in error or from someone who was
> not authorized to send it to you, do not disseminate, copy or
> otherwise use this e-mail or its attachments. Please notify
> the sender immediately by reply e-mail and delete the e-mail
> from your system.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, June 30, 2005 12:17 PM
> To: [email protected]
> Subject: [ActiveDir] Corrupted NTDS.dit
>
> Hi,
> I have a corrupt NTDS.dit file with no backup, although
> the Windows 2003 DC starts up fine and partially replicates to my other 4
> DC's. Can someone tell me the best steps to restore this
> file. This particular DC is also the FSMO holder. I was
> considering transferring the role temporarily, demoting and
> then promoting this DC and having DCPROMO rewrite the NTDS.dit.
> Is this suicide?
> Thanks in advance
>
> Kevin Atnip
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
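
The thread turns on which GUID CNAME records in the `_msdcs` zone still match an NTDS Settings object after a DC is re-promoted. The following is an added example, not part of the original messages: a small audit that compares the two, assuming both have already been exported (the input shapes, host names and GUIDs are constructed for illustration).

```python
import uuid
from collections import defaultdict

# Constructed sample data: GUIDs and host names are made up for illustration.
DC1 = "11111111-1111-4111-8111-111111111111"
DC2 = "22222222-2222-4222-8222-222222222222"
DC3_OLD = "3333aaaa-3333-4333-8333-333333333333"  # NTDS Settings GUID before the rebuild
DC3_NEW = "3333bbbb-3333-4333-8333-333333333333"  # NTDS Settings GUID after re-promotion
DC4 = "44444444-4444-4444-8444-444444444444"      # promoted, CNAME not registered yet

# objectGUID of each NTDS Settings object -> DNS host name of its server
SAMPLE_NTDS = {DC1: "dc1.example.test", DC2: "dc2.example.test",
               DC3_NEW: "dc3.example.test", DC4: "dc4.example.test"}
# (owner label, CNAME target) pairs exported from the _msdcs zone
SAMPLE_CNAMES = [(DC1, "dc1.example.test."), (DC2.upper(), "DC2.example.test."),
                 (DC3_OLD, "dc3.example.test."), (DC3_NEW, "dc3.example.test."),
                 ("not-a-guid", "dc1.example.test.")]

def _host(name):
    return name.rstrip(".").lower()

def audit_dsa_cnames(ntds_settings, cname_records):
    """Compare GUID CNAMEs in _msdcs with the NTDS Settings objects in AD."""
    live = {uuid.UUID(g): _host(h) for g, h in ntds_settings.items()}
    registered = {}
    for label, target in cname_records:
        try:
            registered[uuid.UUID(label)] = _host(target)
        except ValueError:
            continue  # label is not a GUID, so not a DSA record
    by_host = defaultdict(list)
    for guid, host in registered.items():
        by_host[host].append(str(guid))
    return {
        # CNAME left behind by an NTDS Settings object that no longer exists
        "stale": sorted(str(g) for g in registered if g not in live),
        # DSA GUID with no CNAME: partners cannot resolve it to a host name
        "missing": sorted(str(g) for g in live if g not in registered),
        # CNAME exists but points at a different host than the server object
        "mismatch": sorted(str(g) for g in live
                           if g in registered and registered[g] != live[g]),
        # one host name reachable under several GUIDs (old and new side by side)
        "shared_host": {h: sorted(gs) for h, gs in by_host.items() if len(gs) > 1},
    }

if __name__ == "__main__":
    for kind, items in audit_dsa_cnames(SAMPLE_NTDS, SAMPLE_CNAMES).items():
        print(kind, items)
```

On the sample data the rebuilt dc3 shows up under both `stale` and `shared_host`, which is the leftover-record case discussed in the thread, while dc4 shows up under `missing`.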
