
Let me preface this by saying I'm not an AD admin and our AD expert is on vacation (perfect timing), so pardon my ignorance.

I have a primary domain controller ADServer (has the FSMO roles) that was two-way replicated to a secondary domain controller TWDC. The domain/DHCP/DNS got trashed on both servers and the only valid restore point I had was for the secondary controller (about 20 days back). I tried to do a DSRM authoritative restore on the restored server but couldn't connect to domain services on the primary. I have the network up and running on the secondary domain controller; however, the primary seems pretty trashed: the Netlogon service won't start and there are multiple errors in the log:

  • DFS namespace service could not initialize the trusted domain controller
  • The processing of Group Policy failed
  • Active Directory Web Services could not change its advertising state
  • This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it
  • The DFS Replication service encountered an error communicating with partner TWDC for replication group Domain System Volume
  • Active Directory Domain Services was unable to establish a connection with the global catalog
  • This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

DCDIAGs

I'm looking for some guidance as to how to resolve this. My first instinct is to transfer the FSMO roles from ADServer (primary) to TWDC (secondary), demote the primary controller, remove AD services, and re-promote it back to the secondary.

Any advice is greatly appreciated, and sorely needed. Thanks

bumble_bee_tuna
  • I feel your pain, but I would think something like this isn't well suited for SF, but rather MS support or a 3rd party consultant/VAR that can help in this emergency. I just think you won't end up with a simple Q&A but rather a discussion needing screenshots or remote viewing. – TheCleaner Oct 05 '16 at 16:07
  • Why deal with the old, broken server at all? Why not just reimage it, and then add it back as a DC? If you do the cleanup properly, you can add it back with the same name and IP. – HopelessN00b Oct 05 '16 at 16:19
  • @TheCleaner Thanks for the reply. I agree; however, it's not an emergency per se, the network is up and working and I will have 2 days of downtime (Sat/Sun) to resolve it, and I have backups of both servers. I'm just looking for guidelines on what steps people would take given the situation. – bumble_bee_tuna Oct 05 '16 at 16:23
  • @HopelessN00b I would totally do that except the FSMO roles are on the OLD server, so first I would have to attempt to transfer them (don't know if it will work given the current state). – bumble_bee_tuna Oct 05 '16 at 16:24
  • Alright, so, you need to be more clear about the current state of your Active Directory, but the basics are: 1) Get a functional, valid domain controller, if you don't have one already. If necessary, do so by doing a DSRM restore. 2) Transfer or seize FSMO roles to it. 3) Clean up AD by removing references to all broken domain controllers (metadata cleanup). Get rid of the actual broken servers while you're at it. 4) Replace broken DCs with new, working ones. 5) Shift FSMO roles back to where you want them to be, if desired. – HopelessN00b Oct 05 '16 at 16:35
  • @HopelessN00b Thanks for the reply, that is right along the lines of what I was thinking. Can you tell me what information I should put in the question to make it more clear as to the DC state? Also, if I do DSRM on my secondary (healthy DC), should it be authoritative or non-authoritative? – bumble_bee_tuna Oct 05 '16 at 16:40
  • Well, you have two domain controllers - what state is each of them in? One seems to be messed up, and the state of the other one... is both broken and working, based on what you've said. Confusing. In any event, if your second domain controller is working, why would you do a restore on it at all? Why not just nuke the broken one, do a metadata cleanup and replace it? (Whatever you do, though, if you have a working DC, take a proper backup of it before you do anything else.) – HopelessN00b Oct 05 '16 at 16:44
  • @HopelessN00b If you post your above comment (2 up) as an answer I will mark it as such. Thanks. – bumble_bee_tuna Oct 05 '16 at 19:24

1 Answer

I'm not exactly clear on the current state of your Active Directory, but the basics of restoring Active Directory to a good state are:

  1. Get a valid, functional domain controller, if you don't have one already. If necessary, do so by doing a DSRM restore.

  2. Transfer or seize FSMO roles to your functional domain controller.

  3. Clean up Active Directory by removing references to all broken domain controllers. This is commonly referred to as a metadata cleanup, and is done from the good domain controller. Get rid of the actual broken servers while you're at it.

  4. Replace broken domain controller(s) with new, working one(s). It's usually easiest to do this with a clean OS image that you join to the domain and promote to a domain controller.

  5. Shift FSMO roles back to where you want them to be, if desired.

HopelessN00b
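The five steps in the answer above, written out as a PowerShell runbook. This is an added example, not part of HopelessN00b's answer or the original question: it assumes the DC names from the question (TWDC is the healthy DC, ADServer is the broken FSMO holder), a hypothetical domain name corp.example, the default site name, and Windows Server 2012 R2 or later so the ActiveDirectory, ADDSDeployment and DnsServer modules are available. Everything except step 4 runs on TWDC as an Enterprise Admin after a system-state backup of TWDC has been taken.

```powershell
# Added example (not from the original post). Names below come from the question;
# $Domain and $Site are assumptions and must be changed to match the environment.
Import-Module ActiveDirectory

$GoodDc   = 'TWDC'                      # healthy DC (from the question)
$BrokenDc = 'ADServer'                  # trashed DC that still holds the FSMO roles
$Domain   = 'corp.example'              # assumption
$Site     = 'Default-First-Site-Name'   # assumption

# Step 1 - prove the surviving DC is actually healthy before changing anything.
# dcdiag and repadmin are the native checks; a non-zero exit code means stop here
# and fix (or DSRM-restore) TWDC first.
dcdiag /s:$GoodDc /q
if ($LASTEXITCODE -ne 0) { throw "$GoodDc failed dcdiag; do not continue." }
repadmin /showrepl $GoodDc

# Step 2 - ADServer cannot be reached, so a graceful transfer will fail; -Force seizes
# the roles instead. After a seizure the old ADServer must never be put back on the
# network: it still believes it owns the roles and would cause a split-brain AD.
Move-ADDirectoryServerOperationMasterRole -Identity $GoodDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false
netdom query fsmo      # every role should now list $GoodDc

# Step 3 - metadata cleanup. On 2008 R2+ deleting the NTDS Settings object triggers the
# same cleanup that "ntdsutil metadata cleanup" does by hand; the server object, the
# computer account and the stale DNS NS record are removed afterwards.
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$ServerDn = "CN=$BrokenDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
Remove-ADObject -Identity "CN=NTDS Settings,$ServerDn" -Recursive -Confirm:$false
Remove-ADObject -Identity $ServerDn -Recursive -Confirm:$false
Remove-ADObject -Identity (Get-ADComputer -Identity $BrokenDc).DistinguishedName -Recursive -Confirm:$false
Remove-DnsServerResourceRecord -ZoneName $Domain -Name '@' -RRType NS `
    -RecordData "$BrokenDc.$Domain." -Force
# Confirm nothing still references the dead DC.
Get-ADDomainController -Filter * | Select-Object Name, OperationMasterRoles

# Step 4 - on a freshly imaged machine that has been renamed ADServer and joined to the
# domain, promote it as a new DC (and DNS server) replicating from TWDC.
# This block is run on the NEW ADServer, not on TWDC.
<#
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns -SiteName $Site `
    -ReplicationSourceDC "$GoodDc.$Domain" -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force
#>

# Step 5 - optional: once the new DC has replicated cleanly (dcdiag passes on it), move
# the roles back with a normal transfer, i.e. WITHOUT -Force.
dcdiag /s:$BrokenDc /q
if ($LASTEXITCODE -eq 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $BrokenDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
    netdom query fsmo
}
```

The distinction that matters most for safety is in step 2 versus step 5: seizing (-Force) is only for a role holder that is gone for good, and the seized-from server has to stay off the network permanently (wipe it, as the answer suggests, rather than "fixing" it). A normal transfer is used once both DCs are healthy again. Run `repadmin /replsummary` and `dcdiag` on both DCs at the end before declaring the domain recovered.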