Video Screencast Help

Restoring Domain Controller from the Backup archive ?

Created: 25 Mar 2009 • Updated: 21 May 2010 | 2 comments

Hi,

I've got my system backed up using BESRO 8.5.3, it is one of the domain controller on my network. However, I'm still wondering about what might be happening incase one of them is crashed and restored using disk imaging software.

Previously I'm using a 3rd party product to restore my server image and it corrupt the Active directory replication and both DC could not talk to each other perfectly.

is there any best practice to do a domain controller using disk imaging technology ?

any kind of comment would be appreciated.

thanks.

Comments 2 CommentsJump to latest comment

marcogsp's picture

Your post reminded me that I needed to add some info to another post I commented on.

https://www-secure.symantec.com/connect/forums/rec...

You might find the info here useful and also discover why your previous attempt at recovering a domain controller was so troublesome

marcogsp's picture

I’ve gathered some resources that will help you to understand the implications of restoring domain controllers.

Finding FSMO Holders

http://support.microsoft.com/kb/234790

Transfer FSMO roles in Windows Server 2003

http://support.microsoft.com/kb/324801

Using NTSDUTIL to transfer or seize FSMO roles

http://support.microsoft.com/kb/255504

Transfer FSMO roles in Graphical Interface

http://support.microsoft.com/kb/255690/

NTSUTIL Metadata Cleanup (2 links)

http://technet.microsoft.com/en-us/library/cc73637...

http://support.microsoft.com/kb/216498

Definitely set up your test lab off your production network.  The hardware can be workstation class and you only need an inexpensive switch or hub.  You
could even do this in a virtual environment, but make sure it doesn’t have access to your production network.

Restore two DCs to your lab from BESR images using the Restore Anyware option.  If you only have one DC, then build another server in the lab, join it to the lab domain, and promote it to a domain controller.  Once your lab DC’s are operational, capture BESR images of them and store them on an external hard disk or some other convenient medium for your lab.  This will save time in rebuilding your lab, and you will feel free to make mistakes and learn from them. 

Now practice transferring FSMO roles as well as taking FSMO holders off line and seizing the roles.  Remember there are five rolls to work with.  Also practice setting Global Catalog roles, (right click properties on NTDS settings for the server under Active Directory Sites and Services….Sites…Default-First-ite-Name…Servers….)  Also in NTDS settings, right click the Automatically generated connection in the right pane and click on Replicate Now.  Do this for each server and it will force replication of any changes you make to the AD.  As for Global Catalog roles, the server must be able to contact the Schema Master in order for this role to be set.  Without a
GC, authenticating will be troublesome, so that is why it is important to know how to seize the FSMO roles when a role holder is dead.

Once you are comfortable with that, try transferring all the FSMO roles to one DC and then pretend that the other DC has died.  Restore you previous image of
the “dead” DC but power down the good DC before rebooting the recovered DC.  You are now simulating connecting a recovered DC to a non production network in
order to demote it to an ordinary member server.  You should also practice having just the good DC on the lab network and forcibly demoting and removing the
“dead” DC from the domain.  The metadata also needs to be cleaned up.  All this is outlined in the links above.  You can then attach the recovered DC to the
lab network, join it to the domain and then run dcpromo to make it a domain controller again.  Afterward you can transfer FSMO roles again and set  Global
Catalog roles to your liking.