He didn't answer, so here's the info anyway!
RESTORING A DOMAIN CONTROLLER THROUGH REINSTALLATION AND SUBSEQUENT
RESTORE FROM BACKUP
Origin/Author : ROBIN MCCLUNEY
Approved by :
Date Approved :
Capgemini UK plc
77-79 Cross Street
Sale
Cheshire
M33 7HG
Phone +44 (0)161 969 3611
Fax +44 (0)161 973 9016
Contents
1. Introduction
2. Restore from backup media
2.1 To restore from backup media
3. Verify Active Directory restore
3.1 To verify Active Directory restore
APPENDICES
Appendix B: Document Control
© Capgemini UK plc 2004
1. Introduction.
If you cannot restart a domain controller in Directory Services Restore
Mode, you can restore it through reinstallation of the operating
system, and subsequently restore Active Directory from backup.
In order for the restore operation to succeed, Windows Server 2003 must
be reinstalled to the same drive letter and with at least the same
amount of physical drive space. After you reinstall Windows Server
2003, perform a non-authoritative restore of the system state and the
system disk.
The domain controller being restored must have a previous backup
taken with the Backup utility.
Task Requirements
The following tool is required to perform the procedures for this task:
Backup.exe
To complete this task, perform the following procedures:
· Install Windows 2003
· Restore from backup media
· Verify Active Directory restore
2. Restore from backup media
To restore the server, use a good backup containing the system state or
the system state and system disk.
To restore from backup, you must log on locally to the domain
controller or Remote Desktop must be enabled on the remote domain
controller so that you can connect remotely. To enable Remote Desktop,
right-click My Computer, click Properties, and then click the Remote
tab.
Administrative credentials
To perform this procedure, you must provide the Administrator password
for Directory Services Restore Mode.
2.1 To restore from backup media
1. Start the computer in Directory Services Restore Mode.
2. To start the Windows Server 2003 backup utility, click Start, point
to All Programs, point to Accessories, point to System Tools, and then
click Backup.
This procedure provides steps for restoring from backup in Wizard Mode.
By default, the Always Start in Wizard Mode check box is selected in
the Backup or Restore Wizard. If the Welcome to the Backup Utility
Advanced Mode page appears, click Wizard Mode to open the Backup or
Restore Wizard.
3. On the Welcome to the Backup or Restore Wizard page, click Next.
4. Click Restore files and settings, and then click Next.
5. Select the files that you want to restore, and then click Next.
6. On the Completing the Backup or Restore Wizard page, click Advanced.
7. In Restore files to, click Original Location, and then click Next.
8. Click Leave existing files (Recommended), and then click Next.
9. In Advanced Restore Options, select the following check boxes, and
then click Next:
· Restore security settings
· Restore junction points, but not the folders and file data they
reference
· Preserve existing volume mount points
10. For a primary restore of SYSVOL, also select the following check
box: When restoring replicated data sets, mark the restored data as the
primary data for all replicas
A primary restore is required only if the domain controller that you
are restoring is the only domain controller in the domain. A primary
restore is required on the first domain controller that is being
restored in a domain if you are restoring the entire domain or forest.
11. Click Finish.
12. When the restore process is complete, click Close, and then do one
of the following:
· If you do not need to authoritatively restore any objects, click Yes
to restart the computer. The system will restart and replicate any new
information that has been received since the last backup with its
replication partners.
· If you need to authoritatively restore any objects or if you need to
create an LDAP Data Interchange Format (LDIF) file to restore
back-links on this domain controller, click No to remain in Directory
Services Restore Mode. For information about how to proceed with
authoritative restore, see Performing an Authoritative Restore of
Active Directory Objects.
3. Verify Active Directory restore
After the restore is completed, use this procedure to restart the
server and perform basic verification.
Administrative Credentials
To perform Active Directory restore verification, you must be a member
of the Domain Admins group.
3.1 To verify Active Directory restore
· After the restore operation completes, restart the computer in
Start Windows Normally mode. Active Directory and Certificate Services
automatically detect that they have been recovered from a backup. They
perform an integrity check and re-index the database.
· After you are able to log on to the system, browse Active
Directory. Verify that all of the User objects and Group objects that
were present in the directory prior to backup are restored. Similarly,
verify that files that were members of a File Replication service (FRS)
replica set and certificates that were issued by the Certificate
Services are present.
APPENDICES
Appendix B: Document Control
Version History
Version Date Comments
0.1 Tuesday, 31 May 2005 First draft prepared by Robin McCluney based
on CGREP_L.DOT (3.1)
RESTORING A DOMAIN CONTROLLER THROUGH REINSTALLATION
Origin/Author : ROBIN MCCLUNEY
Contents
1. Introduction
2. Clean up server metadata
2.1 To clean up server metadata
3. Delete a Server object from a site
3.1 To delete a server object from a site
4. Delete a Computer object from the Domain Controllers OU
4.1 To delete a Computer object from the Domain Controllers
organizational unit (OU)
5. Verify DNS registration and functionality
5.1 To verify DNS registration and functionality
6. Verify communication with other domain controllers
6.1 To verify communication with other domain controllers
7. Verify the availability of the operations masters
7.1 To verify the availability of the operations masters
8. Install Active Directory
8.1 To install Active Directory
1. Introduction
Restoring a domain controller through reinstallation is the same
process as creating a new domain controller. It does not involve
restoring from backup media. This method relies on Active Directory
replication to restore a domain controller to a working state, and it
is valid only if another healthy domain controller exists in the same
domain. This method is normally used on computers that function only as
a domain controller.
Restoring through reinstallation is the only method by which a domain
controller that is not part of the backup set can be restored. In
addition, you might choose to use this method instead of a
nonauthoritative restore because backup media is inaccessible or
because this method is more convenient. Restoring a domain controller
through reinstallation should not be a substitute for regular backup
routines.
This method of restoring a domain controller requires a complete
reinstallation of the operating system. It is recommended that before
you install the operating system, you format the entire system disk,
which will remove all information on the system disk. Ensure that any
important or relevant data is moved or backed up before you perform
these actions.
Bandwidth is the primary consideration for restoring a domain
controller through reinstallation. The bandwidth that is required is
directly proportional to the size of the Active Directory database and
the time in which the domain controller is required to be in a
functioning state. Ideally, the existing functional domain controller
should be located in the same Active Directory site as the replicating
domain controller (the new domain controller) to reduce the impact on
the network and the time that the reinstallation takes to complete.
Before you restore a domain controller through reinstallation, ensure
that hardware failure is not the cause of the problem. If faulty
hardware is not changed, restoring through reinstallation might not
solve the problems with the domain controller.
Task requirements
The following tools are required to perform the procedures for this
task:
· Ntdsutil.exe
· Netdiag.exe
· Dcdiag.exe
· Dcpromo.exe
To complete this task, perform the following procedures:
1. If you plan to give the newly reinstalled domain controller the same
name as the failed computer, use the following procedure to clean up
server metadata to remove the NTDS Settings object of the failed domain
controller: Clean up server metadata.
2. If you plan to give the new domain controller a different name, in
addition to cleaning up server metadata, perform the following
additional procedures:
a. Delete a server object from a site.
b. Delete a computer object from the Domain Controllers OU.
3. Install Windows Server 2003. It is assumed that you will perform a
fresh installation of Windows Server 2003. Prepare for installation of
the operating system by partitioning or reformatting your hard disk
drive, if necessary.
a. Verify DNS registration and functionality.
b. Verify communication with other domain controllers.
c. Verify the availability of the operations masters.
4. Install Active Directory. During the installation process,
replication occurs, which ensures that the domain controller has an
accurate and up-to-date copy of Active Directory. You have the option
to use the same information for this domain controller as the domain
controller that it is replacing: site placement, domain controller
name, and domain membership should remain the same. If you plan to
install the domain controller under a different name, see the document
Installing a domain controller in an existing domain.
5. Verifying Active Directory installation.
2. Clean up server metadata
You perform the metadata cleanup process by using Ntdsutil.exe, a
command-line tool that is automatically installed on all domain
controllers. Metadata cleanup removes data from Active Directory that
identifies a domain controller to the replication system. On a domain
controller that is running Windows Server 2003 with Service Pack 1
(SP1), metadata cleanup also removes File Replication service (FRS)
connections and attempts to transfer or seize any operations master
roles that the retired domain controller holds. These additional
processes are performed automatically. To complete this procedure you
must be a member of the Enterprise administrators group.
2.1 To clean up server metadata
· Open a command prompt. Type the following command, and then press
ENTER: ntdsutil
· At the ntdsutil: prompt, type: metadata cleanup
· Perform metadata cleanup as follows:
o If you are performing metadata cleanup by using the version of
Ntdsutil.exe that is included with Windows Server 2003 SP1, at the
metadata cleanup: prompt, type: remove selected server ServerName
o Or type: remove selected server ServerName1 on ServerName2
Note: ServerName, ServerName1: The distinguished name of the domain
controller whose metadata you want to remove, in the form
cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain
Note: ServerName2: The DNS name of the domain controller to which you
want to connect and from which you want to remove server metadata.
If you are performing metadata cleanup by using the version of
Ntdsutil.exe that is included with Windows Server 2003 with no service
pack, perform metadata cleanup as follows:
1. At the metadata cleanup: prompt, type: connections
2. At the server connections: prompt, type: connect to server Server
3. At the server connections: prompt, type: quit
4. At the metadata cleanup: prompt, type: select operation target
5. At the select operation target: prompt, type: list sites
(A numbered list of sites appears.)
6. At the select operation target: prompt, type: select site SiteNumber
7. At the select operation target: prompt, type: list domains in site
(A numbered list of domains in the selected site appears.)
8. At the select operation target: prompt, type: select domain
DomainNumber
9. At the select operation target: prompt, type: list servers in site
(A numbered list of servers in a domain and site appears.)
10. At the select operation target: prompt, type: select server
ServerNumber
11. At the select operation target: prompt, type: quit
12. At the metadata cleanup: prompt, type: remove selected server
· Server: The DNS name of a domain controller that you want to
connect to.
· SiteNumber: The number associated with the site of the server that
you want to clean up that appears in the list.
· DomainNumber: The number associated with the domain of the server
that you want to clean up that appears in the list.
· ServerNumber: The number associated with the server that you want
to clean up that appears in the list.
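As an added illustration (not part of the original document), this Python helper assembles the distinguished name in the form given in the note above and returns the lines to type for the SP1 variant of the procedure. The names DC01, DC02, example.test and the site name are constructed, and refusing to connect to the server being removed is an added safety check.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dn_escape(value):
    """Escape one attribute value for a distinguished name (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;'
                   or (i == 0 and ch in "# ")
                   or (i == last and ch == " "))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def server_dn(server, site, forest_root):
    """Build cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=..."""
    labels = forest_root.strip(".").split(".")
    if not LABEL.match(server) or not all(LABEL.match(l) for l in labels):
        raise ValueError("server name and forest root must be plain DNS labels")
    if not site.strip():
        raise ValueError("site name is empty")
    dcs = ",".join("dc=" + l for l in labels)
    return "cn=%s,cn=Servers,cn=%s,cn=Sites,cn=Configuration,%s" % (
        server, dn_escape(site), dcs)


def sp1_cleanup_input(failed_server, site, forest_root, connect_to):
    """Lines to type, in order, for the Windows Server 2003 SP1 procedure."""
    # Added check: the connection must go to a healthy domain controller,
    # never to the server whose metadata is being removed.
    if connect_to.split(".")[0].lower() == failed_server.lower():
        raise ValueError("connect to a healthy domain controller, "
                         "not the one being removed")
    dn = server_dn(failed_server, site, forest_root)
    return ["ntdsutil",
            "metadata cleanup",
            "remove selected server %s on %s" % (dn, connect_to)]


if __name__ == "__main__":
    # Constructed sample values.
    for line in sp1_cleanup_input("DC01", "Default-First-Site-Name",
                                  "example.test", "DC02.example.test"):
        print(line)
```

Check the printed distinguished name against the Server object shown in Active Directory Sites and Services before typing the remove command.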
3. Delete a Server object from a site
When no Child objects are visible below the Server object in Active
Directory Sites and Services, you can remove the Server object.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins
group
3.1 To delete a server object from a site
· Open Active Directory Sites and Services.
· Expand the Sites container, and then expand the site from which you
want to delete a Server object.
· If no Child objects appear below the Server object, right-click the
Server object, and then click Delete.
· Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.
· Click Yes to confirm your choice.
4. Delete a Computer object from the Domain Controllers OU.
You can use this procedure to delete the Computer object for a failed
domain controller. If a domain controller fails and you cannot use the
Dcpromo command to remove Active Directory, you must forcefully remove
Active Directory and then clean up server metadata. When you perform
Dcpromo normally, server metadata, the Computer object, and the Server
object for the domain controller are deleted automatically. After you
forcefully remove Active Directory, you must clean up server metadata
for the failed domain controller and then delete the Server object and
Computer object manually.
To perform this procedure, you must be a member of the Domain Admins
group in the domain of the domain controller that you are removing.
4.1 To delete a Computer object from the Domain Controllers
organizational unit (OU)
· Open Active Directory Users and Computers.
· Click the Domain Controllers OU.
· In the details pane, right-click the Computer object that is
associated with the failed domain controller, click Delete, and then
click Yes.
5. Verify DNS registration and functionality
This procedure verifies that DNS is functioning so that other domain
controllers can be located.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins
group in Active Directory.
5.1 To verify DNS registration and functionality
· Open a command prompt
· Type the following command and then press ENTER: netdiag /test:dns
· For a more detailed response from this command, add /v to the end
of the command.
· If DNS is functioning, the last line of the response is DNS
Test.....: Passed. The verbose option lists specific information about
what was tested. This information can help with troubleshooting if the
test fails.
If the test fails, do not attempt any additional steps until you
determine and fix the problem that prevents proper DNS functionality.
6. Verify communication with other domain controllers
This procedure verifies that domain controllers can be located.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users
group in Active Directory.
6.1 To verify communication with other domain controllers
· Open a command prompt.
· Type the following command and then press ENTER:
netdiag /test:dsgetdc
· For a more detailed response from this command, add /v to the end
of the command.
· If domain controllers are successfully located, the last line of
the response is DC discovery test........: Passed. The verbose option
lists the specific domain controllers that are located.
· If the test fails, do not attempt any additional steps until you
determine and fix the problem that prevents communication with other
domain controllers.
7. Verify the availability of the operations masters
This procedure verifies that the operations masters can be located and
that they are online and responding.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users
group in Active Directory.
You can use these tests prior to installing Active Directory as well as
afterward. To perform the test prior to installing Active Directory,
you must use the /s option to indicate the name of a domain controller
to use. You do not need the /s option to perform the test after
installing Active Directory. The test automatically runs on the local
domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this
test after installing Active Directory, omit the /s option. For a more
detailed response from this command, add /v to the end of the command.
7.1 To verify the availability of the operations masters
· Open a command prompt.
· Type the following command to ensure that the operations masters
can be located, and then press ENTER:
dcdiag /s:domaincontroller /test:knowsofroleholders /verbose
· Where domaincontroller is the name of a domain controller in the
domain in which you want to add the new domain controller. The verbose
option provides a detailed list of the operations masters that were
tested. Near the bottom of the screen, a message confirms that the test
succeeded. If you use the verbose option, look carefully at the bottom
part of the displayed output. The test confirmation message appears
immediately after the list of operations masters.
· Type the following command to ensure that the operations masters
are functioning properly and are available on the network, and then
press ENTER:
dcdiag /s:domaincontroller /test:fsmocheck
· Where domaincontroller is the name of a domain controller in the
domain in which you want to add the new domain controller. The verbose
option provides a detailed list of the operations masters that were
tested. Near the bottom of your screen, a message confirms that the
test succeeded.
· If these tests fail, do not attempt any additional steps until you
determine and fix the problem that prevents locating operations masters
and verifying that they are functioning properly.
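The checks in sections 5 to 7 act as a gate before Active Directory is installed. The following Python sketch is an added example, not part of the original document: it lists the four commands and finds the first check that blocks the installation from saved command output. The netdiag patterns follow the result lines quoted in 5.1 and 6.1; the dcdiag "passed test" wording, the name DC02 and all sample output are assumptions constructed for the example.

```python
import re

# (step, command, pattern capturing the verdict), in the order of sections 5-7.
CHECKS = [
    ("dns", "netdiag /test:dns",
     r"DNS test[\s.]*:\s*(\w+)"),
    ("dsgetdc", "netdiag /test:dsgetdc",
     r"DC discovery test[\s.]*:\s*(\w+)"),
    # Assumption: dcdiag reports "<name> passed test <TestName>" or "failed".
    ("knowsofroleholders",
     "dcdiag /s:{dc} /test:knowsofroleholders /verbose",
     r"(passed|failed) test KnowsOfRoleHolders"),
    ("fsmocheck", "dcdiag /s:{dc} /test:fsmocheck",
     r"(passed|failed) test FsmoCheck"),
]


def commands(dc):
    """Commands to run before Active Directory is installed (with /s)."""
    return [cmd.format(dc=dc) for _, cmd, _ in CHECKS]


def first_blocker(outputs):
    """Return None if every check passed, else (step, reason) for the first
    check that did not. outputs maps step name to captured command output."""
    for step, _, pattern in CHECKS:
        verdicts = re.findall(pattern, outputs.get(step, ""), re.IGNORECASE)
        if not verdicts:
            # Missing output counts as a failure: the test did not run.
            return step, "no result line found"
        bad = [v for v in verdicts if v.lower() != "passed"]
        if bad:
            return step, "result was %s" % bad[0]
    return None


# Constructed sample output, one captured text per step.
SAMPLE_OK = {
    "dns": "    DNS test . . . . . . . . . . . . . : Passed\n",
    "dsgetdc": "    DC discovery test. . . . . . . . . : Passed\n",
    "knowsofroleholders":
        "......................... DC02 passed test KnowsOfRoleHolders\n",
    "fsmocheck":
        "......................... example.test passed test FsmoCheck\n",
}

if __name__ == "__main__":
    for cmd in commands("DC02"):
        print(cmd)
    blocker = first_blocker(SAMPLE_OK)
    print("proceed to dcpromo" if blocker is None else "stop: %s (%s)" % blocker)
```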
8. Install Active Directory
Use the Active Directory Installation Wizard to install Active
Directory on a member server in your domain to create an additional
domain controller in an existing domain.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins
group.
8.1 To install Active Directory
1. Click Start, click Run, type dcpromo and then press ENTER.
2. The Active Directory Installation Wizard appears. At the Welcome
screen, click Next.
3. For Domain Controller Type, select Additional domain controller for
an existing domain. Click Next.
4. For Network Credentials, enter the user name, password, and domain
for the user account that has permission to add this new domain
controller to the domain. Click Next.
5. Enter the name of the domain that you want the new domain controller
to host. Click Next.
6. For Database and Log Locations, enter the paths for the locations of
the directory database (Ntds.dit) and the log files. For better
performance, store the database and log files on separate physical disk
drives. Click Next.
7. For Shared System Volume, enter the path where you want to locate
the system volume (SYSVOL). Click Next.
8. Under Directory Services Restore Mode Administrator Password, enter
the password that you want to use when you need to start Directory
Services Restore Mode. Click Next.
9. The Summary screen displays a list of the items you chose. Verify
that the information is correct, and then click Next to proceed with
the installation.
10. The wizard proceeds to install Active Directory. When it finishes,
the wizard displays a summary screen listing the domain and site in
which the new domain controller is a member. Verify that this
information is correct. Click Finish to close the wizard.
11. Click Restart to restart the domain controller.
12. Let the domain controller restart. If any message indicates that
one or more services has failed to start, restart the domain controller
one more time. If the initial replication cycles have not had enough
time to complete during the first restart on a new domain controller,
some services may be unable to start successfully. If the message
appears during additional restarts, examine the event logs in Event
Viewer to determine the cause of the problem.