Disaster recovery, accidentally deleted computer object for the primary domain controller

Phil

Hi,

Whilst using the 'Active Directory users and Computers' utility on the
PDC to delete some old redundant computer object entries, the computer
object for the PDC itself was accidentally deleted. I verified this by
checking directly in the directory using an LDAP browser, as now all
of the AD management tools report error ("The target principal name is
incorrect."). We have only a single PDC with no other domain
controllers, replicating servers, etc. It is a very simple network
with mostly WinXP clients.

Is there any possibility, tool or procedure that can recreate the
computer object for itself, the PDC? We have a systemstate backup, it
is a few months old but better than nothing, although I am keen to try
any ideas before rebooting this machine in case it comes back up in a
worse state.

Thanks in advance for any suggestions,
Phil
 
Hi Jorge, thanks for this speedy suggestion. Am I right in
understanding this procedure requires a second domain controller? It
describes:

dcdiag /s:localhost /repairmachineaccount

and says:

"If this action is successful, Dcdiag creates a machine account for
the server on another domain controller in the domain, and then
replicates over the change, using the credentials provided (or the
logged on user's credentials). The domain controller can now perform
Directory Service replication."

We only have a single domain controller, the broken one. Would the PDC
let me create a new domain controller whilst it is in this broken
condition do you think?

Thanks,
Phil
 
Hi,

I tried to dcpromo a new domain controller into this domain but
without success. It was pretty optimistic to try, but I did anyway.
During the AD installation when prompted for network credentials I
supply valid accounts on the domain but they are rejected with "Logon
Failure: The target account name is incorrect" (This is a different
error than if I provide knowingly bad credentials: unknown user, or
password is not correct). This is when specifying the NetBIOS name for
the domain. When trying with the AD name for the domain I get a DNS
error "The specified domain either does not exist or could not be
contacted".

Unless there are any other ideas on how to recover this broken PDC
I'll try the old systemstate backup. Though being naturally sceptical
I'm concerned this still might not work, in which case I may need to
consider alternatives such as creating a new domain controller and
migrating users into it, which I would prefer to avoid having been there
once before...

Phil

I will give it a try. This is Windows 2000 Server sp4.

Thanks,
Phil

I have never tried that....
Try it first in a test environment to see what happens...
what is the OS by the way?

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)-->http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)-->http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question -->http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
On Aug 9, 6:07 pm, "Jorge de Almeida Pinto [MVP - DS]"
try: http://support.microsoft.com/kb/257288
 
I tried to proceed with the ntbackup restore of the systemstate, but I
cannot even log into Directory Services Restore Mode. The expected
password is not accepted at login. I have tried the known password,
and then reset the password using setpwd.exe from safe mode, then with
the great bootable CD from http://home.eunet.no/pnordahl/ntpasswd.
Both reported success changing the password but still I can't login.

I can log in as Administrator to safe mode and normal mode without
problems, but I cannot run the ntbackup restore from here.

I thought about using ntbkup to extract the backup contents to disk,
boot linux, mount the NTFS volume and manually restore the backed up
files, but I'm even less skeptical this could work.

Phil
 
I got into Directory Services Restore Mode by using the bootable CD
but setting a *blank* machine Administrator password instead of a real
password (this is mentioned in the docs). And the ntbackup restore
worked. Interestingly the net effect of the restore is that it merged
the old systemstate with my existing systemstate, so whereas I was
expecting to lose machine, user and DNS entries made since the backup,
in fact I still have everything.

Phil
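The thread's root cause was a single, unprotected computer object for the only domain controller, with a months-old system-state backup as the sole fallback. The following PowerShell script is an added example (not from any poster in this thread) showing the preventive checks a modern domain would want: it verifies that each DC's own computer object still resolves, turns on the object's ProtectedFromAccidentalDeletion flag so an ADUC delete prompts for confirmation, reports whether the AD Recycle Bin is enabled, and lists the system-state backups known to Windows Server Backup. It assumes the RSAT ActiveDirectory module on Windows Server 2008 R2 or later, not the Windows 2000 SP4 environment described above.

```powershell
# Added example: guard against the failure mode in this thread (deleted DC
# computer object, stale backup). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domain = Get-ADDomain

foreach ($dc in Get-ADDomainController -Filter *) {
    # Resolve the DC by its own computer object DN rather than by host name, so a
    # deleted object surfaces as a lookup failure instead of a stale name match.
    try {
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN `
                              -Properties ProtectedFromAccidentalDeletion
    } catch {
        Write-Warning ("Computer object for {0} not found: {1}" -f `
                       $dc.HostName, $_.Exception.Message)
        continue
    }

    if (-not $obj.ProtectedFromAccidentalDeletion) {
        # Sets the deny-delete ACE that ADUC honours with a confirmation prompt.
        Write-Host "Protecting $($obj.DistinguishedName) from accidental deletion"
        Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $true
    } else {
        Write-Host "$($obj.DistinguishedName) is already protected"
    }
}

# The AD Recycle Bin allows a deleted object to be restored with its attributes
# and group memberships intact, avoiding the DSRM system-state restore path.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    Write-Warning ("AD Recycle Bin is not enabled. To enable it: " +
        "Enable-ADOptionalFeature 'Recycle Bin Feature' " +
        "-Scope ForestOrConfigurationSet -Target $($domain.Forest)")
} else {
    Write-Host "AD Recycle Bin is enabled"
}

# System-state backups known to Windows Server Backup on this DC; an empty or
# months-old list is the condition the original poster was in.
wbadmin get versions
```

Run it from an elevated prompt on a domain controller with an account that can modify the DC computer objects; the Set-ADObject call is the only change it makes, and it is idempotent.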
 