In multiple years of doing DR drills at an off-site location, I've
never had a "restore AD to alternate hardware" process go anywhere
near as smoothly as I'd like.  (For anyone who remembers joe's "AD
Gripes" thread, that was one of my big ones.)  I've almost always
needed to resort to a repair install or an in-place upgrade.

A few things that I've had to do to make things work in various situations:

* Rip out TCP/IP & Winsock and re-install them.  (4 pages of reg hacks
in 2000, like 3 netsh commands in 2K3.)

* Remove all video drivers and NICs before the final reboot to allow
Plug&Pl(r)ay to pick them back up again correctly.

* Save the boot.ini, ntldr, ntoskrnl.exe and a few other files from
the new hardware -before- restoring, then copy them back on -after-
the restore.  (<repetitive whine> I just want to restore the DIT and
the log files, for cripes' sake, why can't I just DO that?!?!?!? </
repetitive whine>)

Once you get it back up, make sure that you metadata cleanup, clean up
lingering replication objects and then seize all 5 FSMOs.  And at the
end of the day, once I have the "restored" box to the point that it's
(mostly) working, I'll manually dcpromo a second box up so that it can
come up "naturally" without any lingering dead bodies hiding in the
depths of the restored OS.

- Laura

On 10/5/05, Carerros, Charles <[EMAIL PROTECTED]> wrote:
> My DR plan in reality is:
>
>     If I lose a building that hosts my DCs, I build new DCs and sync off DCs
> at remote locations (I'm lucky to have DCs placed throughout the US and
> Canada so I should always have a working DC somewhere to grab the AD
> databases and then I seize some FSMO roles) and then do a metadata cleanup
> on the boxes that are sitting under tons of rubble or in the middle of a
> river, etc.
>
>     If someone deletes the AD, then I do an authoritative restore using the
> same hardware that the DC is stored on.
>
> The problem I'm facing right now is that we are going to do a DR test at
> SunGard and they don't use the same hardware and even though I told
> everyone we don't do a full restore on a DC unless we have the hardware that
> the DC was installed upon they still want me to restore a DC from tape. Oh,
> and we won't have connectivity to any of our offices.
>
> I told them it might not be possible but I would do what I can to get it to
> work.  (I have a backup plan which is a VMWare copy of one of my production
> DCs but it is only in the test phase).
>
> In reality I should never have a need for this but for my test DR site I
> think I will.  And I was just wondering if anyone could give me some extra
> pointers that might help me along.
>
> Charlie
>
> ________________________________
> From: van Donk, Fred [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 05, 2005 12:34 PM
> To: [email protected]
> Subject: RE: [ActiveDir] AD Restore Problem
>
>
> Charlie,
>
> A few years ago I worked with PSS on this on Windows 2000. The end result
> was it will not work due to the fact it is different hardware.
> Biggest problems were SCSI controllers and Video Drivers; we worked on it for
> a solid week straight.
>
> The real question is why do you want to move? Why would you not create a DC
> on the new box and demote the old box? Just make sure you have a DC
> somewhere in your network the hurricane will not take it out. :-)
>
> Fred
>
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Carerros, Charles
> Sent: Wednesday, October 05, 2005 9:05 AM
> To: '[email protected]'
> Subject: [ActiveDir] AD Restore Problem
>
>
> I'm having a problem restoring my AD to different hardware.  I know there
> are some issues but I hear that people have been able to follow some MS docs
> and get it done but I can't seem to pull it off.
>
> I'm working with an HP server to Dell hardware and in the next week I will be
> going from HP to Compaq at our DR test site and I kinda need to get this
> working.
>
> I have included my documentation on how to do this DR restore below and they
> are the steps that I went through and when I got to the end I still get the
> blue screen and reboot.  Can someone tell me where I'm going wrong?
>
> We are running W2K3 fully patched with the exception of SP1.  DCs are all
> GCs, DNS and WINS servers.
>
> Thanks,
>
> Charlie
>
>
>
> Active Directory Disaster Recovery
>
> Company Name
>
> April 18, 2005, Revision 4
>
>
>
>
>
> The ability to recover from a catastrophic disaster is one of the goals of
> the Network Team.  With Active Directory quickly becoming the core
> technology for items such as e-mail, Citrix and local workstation security,
> it is imperative that in the case of a disaster a quick recovery can be had.
>  This process will outline the non-authoritative active directory restore
> process. [The authoritative process is used to restore a portion of the
> Active Directory while leaving parts intact.]
>
>
>
> Resources:
>
> To conduct a successful restore you must have the correct toolset.  In
> conducting restores the following items must be had.  It is also important
> to note that all of this must be accessible without access to network data
> storage.  In the case of a disaster, there will not be a network data
> storage to access.
>
>
>
> * Tested backup
>
> * Software that was used to take the backup
>
> * Server installation CDs (to include hardware drivers)
>
> * Documentation on how the server was installed
>
> * Hardware to test the server on (if different hardware, you must have
> drivers)
>
> * Workstation hardware
>
> * Separate VLAN that is not connected to production
>
> * Restore plan
>
> * All passwords, recovery and administrative
>
>
>
> If any of these items are not present then a restore will not be able to be
> undertaken with success.
>
>
>
> The current backup strategy of the PRIMARYDC and SECONDARYDC is:
>
>
>
>             Daily backup using NTBackup to BACKUPSERVER\d$\NetAdmin\AD
> Backup
>
>             This backup captures the system state and SYSVOL and Net Logon
> folders
>
>             The server name is used as the backup file
>
>             This is then backed up with the process that backs up
> BACKUPSERVER
>
>             No automated alert is currently configured to monitor this
> backup process
>
>
>
> Process:
>
>
> Review the resources to ensure that all are present.  Once all of the items
> are gathered then the process may move forward.
>
>
> Install Windows 2003 server on the server hardware using the documentation
> that outlines the procedure that was taken during the creation of the
> initial box.  Be sure that you use disk space equal to or larger than the
> original server and the drive letters MUST be the same or the databases will
> not be properly restored.  If you do not use the appropriate volume sizes
> the restore may fail with a blue screen.
>
>
> Patch the server up to the same level of patching that the original server
> had.  If the original server did not have Windows 2003 SP1, then DO NOT
> apply that patch until after the restoration process is complete.  The dll
> and security changes that occur during OS patching can change the system
> state setup and therefore render your backup useless.
>
>
> Ensure that you install DNS and WINS servers.  (If you do not install DNS
> and WINS they may not restore correctly and DNS and WINS will then need to
> be restored manually).
>
>
> Start the computer in Directory Services Restore Mode.
>
>
>
> Restart the computer
> After the BIOS information is displayed, press F8.
> Use the Down Arrow to select "Directory Services Restore Mode (Windows
> Server 2003 domain controllers only)"
> Use the Up and Down Arrows to select the Windows Server 2003 operating
> system, and then press ENTER.
> Log on with your administrative account and password.
>
>
> Start the Windows Server 2003 backup utility:
> Click Start
> Point to "All Programs" => "Accessories" => "System Tools" then click
> "Backup".
>
>
> This procedure provides steps for restoring from backup in Wizard Mode. By
> default, the Always Start in Wizard Mode check box is selected in the Backup
> or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
> appears, click Wizard Mode to open the Backup or Restore Wizard.
>
>
> On the "Welcome to the Backup or Restore Wizard" page, click Next.
>
>
> Click Restore files and settings, and then click Next.
>
>
> Select the files that you want to restore (you should have them on the local
> server), and then click Next.
>
>
> On the Completing the Backup or Restore Wizard page, click Advanced.
>
>
> In Restore files to, click Original Location, and then click Next.
>
>
> Click Leave existing files (Recommended), and then click Next.
>
>
> In Advanced Restore Options, select the following check boxes, and then
> click Next:
>
>
>
> a.       Restore security settings
>
> b.       Restore junction points, but not the folders and file data they
> reference
>
> c.       Preserve existing volume mount points
>
> d.       For a primary restore of SYSVOL, also select the following check
> box: When restoring replicated data sets, mark the restored data as the
> primary data for all replicas.
>
>
>
> [A primary restore is required only if the domain controller that you are
> restoring is the only domain controller in the domain.  A primary restore is
> required on the first domain controller that is being restored in a domain
> if you are restoring the entire domain or forest.]
>
>
> Click Finish.
>
>
> When the restore process is complete, click Close, and then do one of the
> following:
>
>
>
> Change the BurFlags value to d4. [If the restored domain controller's
> BurFlags value is not changed to d4, sysvol does not share out.]
>
> ·         Click Start, and then Run
>
> ·         In the Open box, type regedit, and then click OK
>
> ·         In the left pane, expand My Computer
>
> ·         Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services,
> NtFrs, Parameters, Backup/Restore, Process at Startup
>
> ·         In the right pane, right-click BurFlags and then click Modify
>
> ·         In the Value data box, type d4 and then click OK
>
>
>
>
>
> If you do not need to authoritatively restore any objects, click Yes to
> restart the computer. The system will restart and replicate any new
> information that is received since the last backup with its replication
> partners.
>
>
>
> If you need to authoritatively restore any objects or if you need to create
> an LDAP Data Interchange Format (LDIF) file to restore back-links on this
> domain controller, click No to remain in Directory Services Restore Mode.
> For information about how to proceed with authoritative restore, see
> Performing an Authoritative Restore of Active Directory Objects.
>
>
> If the server fails to boot properly:
> Boot the computer off the Windows 2003 server CD
> The repair operation begins after you accept the license agreement and after
> the Setup program searches for previous installations of Windows to repair
> When the Setup program finds the damaged installation, press R to repair the
> installation  (DO NOT USE THE RECOVERY CONSOLE)
> Follow the onscreen steps to complete the repair.
> When the repair completes, reboot the server.
>
>
> If the server fails to boot past BIOS:
> Boot the computer off the Windows 2003 server CD.
> Select the appropriate HAL option for your computer hardware.
> After the HAL loads, select "R" for the Recovery Console.
> Logon to the Windows directory that you need to repair by selecting the
> appropriate number (default of 1).
> Logon using the DSRM password.
> At the command prompt type "disable acpi" and hit enter
> Make a note of the registry change.
> Type "exit" and hit "enter" to reboot the machine.
> When the machine boots, follow step 17 to complete the HAL recreation.
>
>
> Install the Windows 2003 Admin Pack.  (You do not need to install this prior
> to this point as the dlls will be overwritten if you are forced to follow
> step 17).
>
>
> If you run ADUC and receive an error connecting to the active directory,
> reboot the server.  During the initial reboot some installation processes have
> not yet completed so the Active Directory does not fully execute.  The
> secondary reboot will correct this issue.
>
> Verification
>
> After a restore is completed verification must be done to ensure that it is
> functioning correctly.  The easiest way to conduct the verification is to
> use a laptop that was on the network before the backup was taken.  Simply
> connect the laptop to the switch that the server is on and attempt to
> authenticate and access resources on the server (a file share could be
> placed on the restored server to ensure that the authentication process is
> working correctly).  The greatest test would be to down the server that is
> being restored and plug in the current machine.  Although this will allow
> the best functional test, if something in the backup went wrong then you
> could possibly corrupt the production server.
>
>
>
> You will want to test the logon scripts and a number of different users (to
> include administrative user accounts, delegated security user accounts and
> service accounts).  Once you are fully satisfied with the restore process,
> this document should be updated and forwarded to the bank for safekeeping.


--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
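
Added example (not part of the original messages): a small cmd script covering the BurFlags step in the quoted recovery document and the post-reboot checks on the SYSVOL/NETLOGON shares and FSMO holders. It assumes Windows Server 2003 with an FRS-replicated SYSVOL and the Support Tools installed (for netdom); the script name and its prep/verify arguments are made up for illustration.

```batch
@echo off
rem Added example, not from the thread. Assumes Windows Server 2003 with an
rem FRS-replicated SYSVOL; run as an administrator on the restored DC.
rem   dcpost.cmd prep    - in DSRM after the NTBackup restore: set BurFlags to D4
rem   dcpost.cmd verify  - after the normal reboot: check shares and FSMO holders
rem (dcpost.cmd and the prep/verify arguments are hypothetical names.)
setlocal
rem The key name really contains a forward slash ("Backup/Restore").
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
set RC=0

if /i "%~1"=="prep"   goto prep
if /i "%~1"=="verify" goto verify
echo usage: %~nx0 prep ^| verify
exit /b 2

:prep
rem 212 decimal = 0xD4; /f overwrites the value without prompting.
reg add "%KEY%" /v BurFlags /t REG_DWORD /d 212 /f || exit /b 1
rem Read the value back so the operator can confirm it before rebooting.
reg query "%KEY%" /v BurFlags
exit /b 0

:verify
rem Show the current BurFlags value for the restore log.
reg query "%KEY%" /v BurFlags

rem "net share <name>" returns a non-zero errorlevel when the share is absent.
for %%S in (SYSVOL NETLOGON) do (
    net share %%S >nul 2>&1
    if errorlevel 1 (
        echo MISSING share: %%S
        set RC=1
    ) else (
        echo OK share: %%S
    )
)

rem netdom.exe ships in the Windows Server 2003 Support Tools (assumed installed).
rem Lists the current holder of each of the 5 FSMO roles.
netdom query fsmo || set RC=1

exit /b %RC%
```

A non-zero exit code from the verify run means a share is missing or the FSMO query failed, so the restored DC should not be treated as working yet.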