Deleted the active directory database files

  • Thread starter Thread starter DrLovely
  • Start date Start date
D

DrLovely

1. If I've deleted the active directory database files from the domain
controller and I don't have a backup, can I just reinstall NT server
2000 again in the same boot partition to restore a new database for
the domain controller?

2. In a separate situation:

If I have a Windows 2000 domain controller, and I want to downgrade it
to a regular server, can I just reinstall Windows NT 2000 advanced
server in the same boot partition and choose "server" instead of
domain controller during setup?

Any help is welcome!
 
1. If I've deleted the active directory database files from the domain
controller and I don't have a backup, can I just reinstall NT server 2000
again in the same boot partition to restore a new database for the domain
controller?
Click to expand...

Well, that's a pretty impressive mistake to make!!! You'd have to be in
offline mode, or have purposefully played with the permissions on that file
and then rebooted!!!

Anyway, if you don't have a backup you have to either dcpromo /forceremoval
and then metadata cleanup or format, install and metadata cleanup (not
necessarily in that order ;-).

restore a new database for the domain controller
Click to expand...

No, because you said you don't have a backup?!?!?!

If I have a Windows 2000 domain controller, and I want to downgrade it to
a regular server, can I just reinstall Windows NT 2000 advanced server in
the same boot partition and choose "server" instead of domain controller
during setup?
Click to expand...

No, that's the NT4 way. You simply need to run DCPROMO again and demote the
DC.

Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
and demote it first.
 
Well, that's a pretty impressive mistake to make!!! You'd have to be in
offline mode, or have purposefully played with the permissions on that file
and then rebooted!!!

Anyway, if you don't have a backup you have to either dcpromo /forceremoval
and then metadata cleanup or format, install and metadata cleanup (not
necessarily in that order ;-).
Click to expand...

I understand that "metadata cleanup" involves Ntdsutil.exe, but...

When you give "format, install, and metadata cleanup" as an option, do
you mean "format" the the system partition disk? Or is the format
step part of another nt utility?

One more thing: I'm already doing a naughty thing and running a
development web server on this corrupt DC. When running dcpromo to
demote, it states it will remove all the user accounts, among other
scary things. Do you think the IIS service and it's components will
still attempt to look for an AD account or will they automatically
look for comparable accounts in the SAM? Would dcpromo most likely
cause catastrophe to my well running web server on this DC?

I have backups of the physical files for web, and IIS config, but I'd
really like to have the AD functionality "restored" / "reinstalled"
without hassle.
 
I understand that "metadata cleanup" involves Ntdsutil.exe, but...

When you give "format, install, and metadata cleanup" as an option, do
you mean "format" the the system partition disk? Or is the format
step part of another nt utility?
Click to expand...

If that is what PT meant (and I believe so) then the metadata
cleanup would ONLY be necessary if this were not the last
DC in the domain, OR if it were a domain with OTHER domains
in the forest.

Deleting a DC without telling the other DCs, or deleting a Domain
without telling the DCs of the remaining Domains requires the
metadata cleanup.
One more thing: I'm already doing a naughty thing and running a
development web server on this corrupt DC.
Click to expand...

You need to be very careful running NTDSUtil if you
care about any of this domain or forest. (Truthfully,
When running dcpromo to
demote, it states it will remove all the user accounts, among other
scary things.
Click to expand...

Yes, all of the Domain user accounts if this is the
last DC.

If this is the last DC, you already lost all of the accounts
in that Domain.
Do you think the IIS service and it's components will
still attempt to look for an AD account or will they automatically
look for comparable accounts in the SAM?
Click to expand...

No, it will not. The accounts will be missing/invalid
if they are not where they used to be.

There is NO relationship between a domain account
and a server/workstation account of the same name.
(I.E., they are two different accounts.)

You will need to reconfigure IIS to use a machine account
(once this is a server) or to use a domain account if any
still exist.

Would dcpromo most likely
cause catastrophe to my well running web server on this DC?
Click to expand...

Catastrophic? No.

Fixable trouble? Possibly -- see above.
I have backups of the physical files for web, and IIS config, but I'd
really like to have the AD functionality "restored" / "reinstalled"
without hassle.
Click to expand...

If this is the last DC, then you either have a System State
Backup (to restore the AD) or you have LOST THE ENTIRE
domain forever.

In that case you can just remove the very sick DC and start
the (new) domain over with new users.

And only demote it (DCPromo) if you either have another
DC or you do not need the domain.

Delete last DC, lose domain.
 
On Sat, 16 Apr 2005 19:52:47 -0500, "Herb Martin"

GO TO the very end of this message for my new text...

If that is what PT meant (and I believe so) then the metadata
cleanup would ONLY be necessary if this were not the last
DC in the domain, OR if it were a domain with OTHER domains
in the forest.

Deleting a DC without telling the other DCs, or deleting a Domain
without telling the DCs of the remaining Domains requires the
metadata cleanup.


You need to be very careful running NTDSUtil if you
care about any of this domain or forest. (Truthfully,


Yes, all of the Domain user accounts if this is the
last DC.

If this is the last DC, you already lost all of the accounts
in that Domain.


No, it will not. The accounts will be missing/invalid
if they are not where they used to be.

There is NO relationship between a domain account
and a server/workstation account of the same name.
(I.E., they are two different accounts.)

You will need to reconfigure IIS to use a machine account
(once this is a server) or to use a domain account if any
still exist.



Catastrophic? No.

Fixable trouble? Possibly -- see above.


If this is the last DC, then you either have a System State
Backup (to restore the AD) or you have LOST THE ENTIRE
domain forever.

In that case you can just remove the very sick DC and start
the (new) domain over with new users.


And only demote it (DCPromo) if you either have another
DC or you do not need the domain.

Delete last DC, lose domain.
Click to expand...

Thank you very much for your time. Just one more thing:

1. IF I demote this DC to a member server and do whatever to clean-up,
what account can I use to log in with when it reboots? I'm supposing
it creates a SAM db with a new admin user account and password?

2. Upon getting the server to "member server" status and logging in
locally as admin, what kind of trouble could I have in "reinstalling"
AD? Should it be a breeze?

Any help is appreciated!
 
Thank you very much for your time. Just one more thing:
1. IF I demote this DC to a member server and do whatever to clean-up,
what account can I use to log in with when it reboots? I'm supposing
it creates a SAM db with a new admin user account and password?
Click to expand...

As it becomes a Server (non-DC) it will ask you for the
new Administrator password you wish to use.

The opposite of what it does when DCPromo is used
to make a new DC.
2. Upon getting the server to "member server" status and logging in
locally as admin, what kind of trouble could I have in "reinstalling"
AD? Should it be a breeze?
Click to expand...

Should be as easy as ever.

DNS is the main thing that most people mess up -- it is
actually fairly unusual for someone to screw up the AD
itself (directly.)
 
As it becomes a Server (non-DC) it will ask you for the
new Administrator password you wish to use.

The opposite of what it does when DCPromo is used
to make a new DC.


Should be as easy as ever.

DNS is the main thing that most people mess up -- it is
actually fairly unusual for someone to screw up the AD
itself (directly.)
Click to expand...

If DNS services are totally inaccessible, will AD survive? What
happens if I cannot resolve the host.domainname. with the DNS while
attempting to use the AD system? Will it broadcast or use an
alternative?
 
If DNS services are totally inaccessible, will AD survive?
Click to expand...

Yes, but survive isn't a lot to ask.

If there is only one DC then it will survive indefinitely,
but it will be problematic (at best) to use it.

You will get authentication and replication (with multiple
DCs) problems.

Give it long enough (60 days) and all but one of the
DCs will be worthless (as DCs).
What
happens if I cannot resolve the host.domainname. with the DNS while
attempting to use the AD system? Will it broadcast or use an
alternative?
Click to expand...

No, most things will not use alternatives that are
reliable (or even if they work, performance goes
way down to the point that even logging on becomes
irritating.)
 
Back
Top