Assuming that at least two domain controllers were present in the domain to start with, what steps need to be taken to make Active Directory healthy after a domain controller crash?
-
How do you define "Crashed"? Did it just BSOD, or is it totally dead? – Mark Henderson Mar 14 '10 at 22:13
-
Totally dead. In my case, both the power supply and motherboard failed. – Nic Mar 15 '10 at 04:09
-
I found this article to be very useful as well. http://funkytechguy.blogspot.co.za/2016/06/how-to-recover-from-domain-controller.html – Jun 01 '16 at 11:26
1 Answer
Step 0: Have at least two domain controllers.
If you only have one domain controller and it fails in such a way that you cannot recover it, then your domain no longer exists; your only option is to create a completely new domain. This is a painful process that involves recreating users, rejoining client computers and servers, and even recreating every security setting you ever used.
If the server is absolutely unrecoverable, such as due to hardware failure that cannot be easily repaired, then here is how to go about purging it from the domain completely. Once the FSMO roles have been seized, it is critical that the old server is never brought back online. Seriously consider wiping the hard drives to ensure that this can never happen.
Determine which servers were holding the FSMO (Flexible Single Master Operations) roles for the domain and forest. Microsoft has a great article on finding FSMO roles.
Any FSMO roles that were held by the crashed server should be seized on a healthy domain controller. Another Microsoft article for this one.
The "Infrastructure" FSMO role is special, and is actually specified for each application partition. If the crashed server held DNS, you will need to verify that the record in each application partition (DomainDnsZones, ForestDnsZones) has been updated. Better explanation here and official fix here.
Perform a metadata cleanup to remove remnants from Active Directory. Deleting extinct server metadata.
Inspect "Active Directory Users & Computers" and "Active Directory Sites & Services" to ensure that all entries for the extinct server have been removed.
Inspect DNS to find any static entries that were related to the extinct server, and either delete them, reassign them, or put a new server at the same address.
If the crashed server was an authorized DHCP server, check to see if it's still listed as an authorized server. If yes, you may need to use ADSI Edit to remove it from the list of DHCP roots.
(Edit 2010-03-14: Added Graeme's comment about step 0)
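The checklist above as a PowerShell session on the surviving domain controller. This is an added example, not code from the original answer; it assumes a single-domain forest with the dead DC named DC2 (former address 10.0.0.2), the surviving DC named DC1, the site Default-First-Site-Name, and the ActiveDirectory, DnsServer and DhcpServer RSAT modules available on DC1 (Windows Server 2012 or later). Run it as an Enterprise Admin, and only once you are sure DC2 is gone for good: `-Force` on the role move is a seizure, not a transfer.

```powershell
# Added example, not code from the original answer. Assumed names:
#   dead DC      = DC2 (former address 10.0.0.2, hardware gone for good)
#   surviving DC = DC1 (where this runs, as an Enterprise Admin)
#   site         = Default-First-Site-Name, single-domain forest
Import-Module ActiveDirectory, DnsServer, DhcpServer

$DeadDc    = 'DC2'
$DeadIp    = '10.0.0.2'
$HealthyDc = 'DC1'
$Site      = 'Default-First-Site-Name'

$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$DomainDn = $Domain.DistinguishedName
$ConfigNc = (Get-ADRootDSE).configurationNamingContext
$DeadFqdn = "$DeadDc.$($Domain.DNSRoot)"

# 1. Which FSMO roles did the dead DC hold? Forest roles live on Get-ADForest,
#    domain roles on Get-ADDomain; each value is the holder's FQDN.
$holders = [ordered]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$rolesToSeize = @($holders.Keys | Where-Object { $holders[$_] -eq $DeadFqdn })

# 2. Seize them on the healthy DC. -Force seizes instead of transferring, so
#    from here on the old holder must never be allowed back on the network.
if ($rolesToSeize.Count) {
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc `
        -OperationMasterRole $rolesToSeize -Force -Confirm:$false
}

# 3. Each application partition (DomainDnsZones, ForestDnsZones) carries its
#    own infrastructure-master pointer: fSMORoleOwner on its Infrastructure
#    object. Seizing the domain role does not touch these, so repoint any
#    that still name the dead DC's NTDS Settings object.
$healthyNtds = (Get-ADDomainController -Identity $HealthyDc).NTDSSettingsObjectDN
foreach ($partition in "DC=DomainDnsZones,$DomainDn", "DC=ForestDnsZones,$DomainDn") {
    $infra = Get-ADObject -Identity "CN=Infrastructure,$partition" -Properties fSMORoleOwner
    if ($infra.fSMORoleOwner -like "*CN=$DeadDc*") {
        Set-ADObject -Identity $infra -Replace @{ fSMORoleOwner = $healthyNtds }
    }
}

# 4. Metadata cleanup: ntdsutil removes the dead DC's server and NTDS Settings
#    objects (current versions also drop the computer account and replication
#    membership). It shows a confirmation dialog before deleting.
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNc"
& ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit

# 5. Sweep the domain and configuration partitions for anything still named
#    after the dead DC (what the answer checks by hand in ADUC and Sites &
#    Services). Review the list before deleting anything from it.
$leftovers = @(Get-ADObject -LDAPFilter "(|(cn=$DeadDc)(dNSHostName=$DeadFqdn))" -SearchBase $DomainDn) +
             @(Get-ADObject -LDAPFilter "(cn=$DeadDc)" -SearchBase $ConfigNc)
$leftovers | Format-Table DistinguishedName, ObjectClass

# 6. DNS: every record on DC1 that still points at the dead host or its old
#    address, across all forward primary zones (domain zone plus the delegated
#    _msdcs zone). A records match on address; NS, SRV and CNAME match on the
#    target name. If a new server will reuse 10.0.0.2, re-add its A record after.
$zones = Get-DnsServerZone -ComputerName $HealthyDc |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $zone.ZoneName |
        Where-Object {
            $rd = $_.RecordData
            ($rd.IPv4Address   -and $rd.IPv4Address.IPAddressToString -eq $DeadIp) -or
            ($rd.NameServer    -and $rd.NameServer    -like "$DeadFqdn*") -or
            ($rd.DomainName    -and $rd.DomainName    -like "$DeadFqdn*") -or
            ($rd.HostNameAlias -and $rd.HostNameAlias -like "$DeadFqdn*")
        } |
        Remove-DnsServerResourceRecord -ComputerName $HealthyDc -ZoneName $zone.ZoneName -Force
}

# 7. DHCP authorization. Get-DhcpServerInDC reads the same dhcpServers
#    attribute on CN=DhcpRoot,CN=NetServices,CN=Services,<config NC> that
#    the answer edits with ADSI Edit; Remove-DhcpServerInDC de-authorizes.
Get-DhcpServerInDC |
    Where-Object { $_.DnsName -eq $DeadFqdn -or "$($_.IPAddress)" -eq $DeadIp } |
    ForEach-Object { Remove-DhcpServerInDC -DnsName $_.DnsName -IPAddress $_.IPAddress }

# 8. Verify: only live DCs remain, roles sit where expected, replication is clean.
Get-ADDomainController -Filter * | Format-Table Name, Site, OperationMasterRoles
repadmin /replsummary
dcdiag /q
```

Steps 3 and 5 are the ones people skip: the per-partition fSMORoleOwner is what breaks DNS application-partition replication after a seizure, and the leftover sweep catches server objects that survive when ntdsutil is interrupted at its confirmation prompt.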
-
I had to find out all of this the hard way, so hopefully this can help somebody else who ends up in my position. – Nic Mar 14 '10 at 16:26
-
Sounds like a crappy weekend, but thanks for sharing the great checklist. – Gomibushi Mar 14 '10 at 16:29
-
I think I might just print out this post and hang it in the server room. Thanks! – Matt Simmons Mar 14 '10 at 16:50
-
+1, this is a great answer. You've covered pretty much everything. I would add a "Step 0" for those who haven't had to deal with this.... "Always have at least 2 DCs". It's scary how many environments are out there with only one. – ThatGraemeGuy Mar 14 '10 at 18:20
-
+1 for the answer, and also an upvote to Graeme's comment - even if it's something that should be taken for granted it should also still be highlighted. – Maximus Minimus Mar 14 '10 at 19:19
-
Graeme, I hope you don't mind that I included your excellent suggestion at the start of my answer. Some people might not read the comments, and you're right that it should be strongly emphasized. – Nic Mar 14 '10 at 19:32
-
The link referenced above for **Microsoft has a great article on finding FSMO roles** is dead. I'm guessing this is the updated link: https://support.microsoft.com/en-us/help/324801/how-to-view-and-transfer-fsmo-roles-in-windows-server-2003 ? – Jeff Mergler Jun 01 '18 at 20:25