0

Good day,

For a recovery test we restored one (out of 5) domain controller and the needed servers. However, we found out that the domain controller (which holds the PDC-Emulator) was functioning in a failsafe mode. The quick workaround was to delete all other domain controllers from the domain controller OU. After a reboot the DC was working fine.

So the domain controller checks if at least X domain controllers are online before it starts functioning. However, I can't find what the number X should be.

Hope someone here can clear this up.

Kind regards, Mark

  • As well as the advice to set `Repl Perform Initial Synchronizations` to 0 below, if you have a good backup available from a **non** FSMO role-holder, that should be preferred for a domain/forest recovery. Restoring from a non-FSMO DC backup should avoid the need for that reg key. You need to seize the FSMO roles anyway (to prevent another DC "grabbing" them). Also, if you're doing a domain recovery, there should be no other DCs on the network - it's recommended that the first restore is on an isolated network/with no physical cable attached. It's not clear whether that was your case. – LeeM May 18 '21 at 03:10

2 Answers

2

Active Directory Forest Recovery - Perform initial recovery

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-perform-initial-recovery

If the restored domain controller hosts an operations master role, you may need to add the following registry entry to avoid AD DS being unavailable until it has completed replication of a writeable directory partition:

Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters  
Value: Repl Perform Initial Synchronizations  

Create the entry with the data type REG_DWORD and a value of 0. After the forest is recovered completely, you can reset the value of this entry to 1, which requires a domain controller that restarts and holds operations master roles to have successful AD DS inbound and outbound replication with its known replica partners before it advertises itself as domain controller and starts providing services to clients.

Greg Askew
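The registry change quoted in the answer above, written as a PowerShell function that can apply the recovery setting and later restore the default. This is an added example, not part of the original answer or of Microsoft's documentation; the function name `Set-InitialSyncRequirement` and its `-Required` parameter are hypothetical, while the key, value name, data type and data come from the quoted text.

```powershell
# Added example. Function and parameter names are hypothetical;
# the key path, value name, REG_DWORD type and 0/1 data are from the quoted documentation.
function Set-InitialSyncRequirement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $false writes 0 (used during forest recovery);
        # $true writes 1 (reset after the forest is recovered completely)
        [Parameter(Mandatory)]
        [bool]$Required
    )

    $key  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Repl Perform Initial Synchronizations'
    $data = [int]$Required

    # The NTDS Parameters key only exists on a domain controller
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Key '$key' not found; this machine does not look like a domain controller."
    }

    # Capture the previous data (null if the value was never created)
    # so the change can be recorded in the recovery log
    $previous = (Get-ItemProperty -LiteralPath $key).$name

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_DWORD to $data")) {
        # -Force overwrites the value if it already exists
        New-ItemProperty -LiteralPath $key -Name $name `
            -PropertyType DWord -Value $data -Force | Out-Null
    }

    # Re-read from the registry instead of echoing the input
    [pscustomobject]@{
        Value    = $name
        Previous = $previous
        Current  = (Get-ItemProperty -LiteralPath $key).$name
    }
}

# During recovery, on the restored operations master role holder:
#   Set-InitialSyncRequirement -Required $false
# After the forest is recovered completely:
#   Set-InitialSyncRequirement -Required $true
# Preview either change without writing:
#   Set-InitialSyncRequirement -Required $false -WhatIf
```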
0

This should not happen, a single DC should be able to work on its own; there is no concept of "quorum" in Active Directory.

If one or more FSMO roles are missing you can have specific issues, but the DC or DCs should definitely be able to work.

If a single DC was started alone and wasn't able to bring up AD services, this must have been caused by some error; but the issue is definitely not in the number of online DCs.

Massimo