My AD Issues - Restoring my active directory

[Guest]

Lately I have been having some AD issues. I have noticed that there are some
duplicate machine names within the AD and also some servers that the AD
thinks are domain controllers, when they are not. My CIO has given me some
instructions what what I should do. They also stated that I should backup my
AD incase something goes wrong. Well I have figured out how to backup and
restore my AD using Windows Backup. I have tested this on one test server
and it seems to work just fine. Though I do have some questions.

Just as a quick background, I have two domain controllers in the root and I
have two child domain controllers. The root, or forest, domain controllers
are my DNS servers. All machines in the child domain point to these two
forest controllers. These two forest controllers are the only machines in
the root domain. Everything else resides in the child domain.

I have setup some daily backup jobs to backup the AD. Here are my questions:

1) What happens if I go into the ADSIedit (as instructed) delete what i
have been instructed to, but then find out that I need to restore my AD. Say
the server crashes or anything else. Do I simply rebuild this machine, make
it a domain controller (dcpromo) and then restore my AD from my windows
backup?

2) If I do #1, will the restore of the AD be replicated to the my other
child domain controller, or will the existing (the second) domain controller
not accept those changes?

3) Should I take one of my child domain controllers off-line, then make the
changes in ADSIedit?

4) If I do #3, what happens when I bring the off-line child domain
controller back on-line?

5) If I do #3, and I end up needing to rebuild the child domain controller,
restore my AD from the windows backup, what happens when I bring the off-line
child domain controller back on-line?

6) By making changes in ADSIedit on the child domain controllers, will this
affect the forest controllers at all?

7) If by making changes in ADSIedit on the child domain controllers does
affect the forest conrtollers, then if I had to restore my child domain AD,
would I need to do anything on the forest controllers?


I would like to go ahead and follow the instructions that I have been given,
and I am going to pose these questions to my CIO as well, but my main concern
is, I dont want the AD to crash and then be out of service for a week while I
rebuild the AD and imput all of the user information and bring the machine
and servers back onto the domain. Just trying to CYA as much as possible.
Any help and advice would be appreciated...

 

[Greg Robb]

Let's start with the question of backing up your Domain Controllers. Do
this OFTEN! It may seem to be a lot of work, but will be a lot less than
rebuilding active directory from scratch! You can back up active directory
simply by running NTBACKUP and performing a system state backup.

As for cleaning up the other computers that no longer exist you will need
to go through a process known as metadata cleanup and the steps can be
found here:.

216498 How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?id=216498

After reading over this article it should give you all the steps necessary
but please post any questions you have before proceeding or call into MS
Support as these utilities can make active directory unusable if used
incorrectly!


Best regards,
Gregory Robb [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

 

[Andrei Ungureanu]

and also this is a good article
http://www.microsoft.com/windows2000/docs/disaster.doc


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

Let's start with the question of backing up your Domain Controllers. Do
this OFTEN! It may seem to be a lot of work, but will be a lot less than
rebuilding active directory from scratch! You can back up active
directory
simply by running NTBACKUP and performing a system state backup.

As for cleaning up the other computers that no longer exist you will need
to go through a process known as metadata cleanup and the steps can be
found here:.

216498 How to remove data in Active Directory after an unsuccessful domain
controller demotion
http://support.microsoft.com/?id=216498

After reading over this article it should give you all the steps necessary
but please post any questions you have before proceeding or call into MS
Support as these utilities can make active directory unusable if used
incorrectly!


Best regards,
Gregory Robb [MSFT]

This posting is provided "AS IS" with no warranties, and confers no
rights.


--------------------

Thread-Topic: My AD Issues - Restoring my active directory
thread-index: AcTNo3Y7aYOo1vWQSDS7khOh701GCg==
X-WBNR-Posting-Host: 204.2.20.76
From: "=?Utf-8?B?U2NvdHRXV2ViYg==?="

Subject: My AD Issues - Restoring my active directory
Date: Thu, 18 Nov 2004 11:19:02 -0800
Lines: 50
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.win2000.active_directory
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: cpmsftngxa10.phx.gbl
microsoft.public.win2000.active_directory:94118
X-Tomcat-NG: microsoft.public.win2000.active_directory

Lately I have been having some AD issues. I have noticed that there are some
duplicate machine names within the AD and also some servers that the AD
thinks are domain controllers, when they are not. My CIO has given me some
instructions what what I should do. They also stated that I should backup my
AD incase something goes wrong. Well I have figured out how to backup and
restore my AD using Windows Backup. I have tested this on one test server
and it seems to work just fine. Though I do have some questions.

Just as a quick background, I have two domain controllers in the root and I
have two child domain controllers. The root, or forest, domain controllers
are my DNS servers. All machines in the child domain point to these two
forest controllers. These two forest controllers are the only machines in
the root domain. Everything else resides in the child domain.

I have setup some daily backup jobs to backup the AD. Here are my questions:

1) What happens if I go into the ADSIedit (as instructed) delete what i
have been instructed to, but then find out that I need to restore my AD. Say
the server crashes or anything else. Do I simply rebuild this machine, make
it a domain controller (dcpromo) and then restore my AD from my windows
backup?

2) If I do #1, will the restore of the AD be replicated to the my other
child domain controller, or will the existing (the second) domain controller
not accept those changes?

3) Should I take one of my child domain controllers off-line, then make the
changes in ADSIedit?

4) If I do #3, what happens when I bring the off-line child domain
controller back on-line?

5) If I do #3, and I end up needing to rebuild the child domain controller,
restore my AD from the windows backup, what happens when I bring the off-line
child domain controller back on-line?

6) By making changes in ADSIedit on the child domain controllers, will this
affect the forest controllers at all?

7) If by making changes in ADSIedit on the child domain controllers does
affect the forest conrtollers, then if I had to restore my child domain AD,
would I need to do anything on the forest controllers?


I would like to go ahead and follow the instructions that I have been given,
and I am going to pose these questions to my CIO as well, but my main concern
is, I dont want the AD to crash and then be out of service for a week while I
rebuild the AD and imput all of the user information and bring the machine
and servers back onto the domain. Just trying to CYA as much as possible.
Any help and advice would be appreciated...

 

[Guest]

Thanks for the information. I will go over it. We probably wont do anything
until after the holidays, assuming nothing dies before then. But I will be
sure to come back with any more questions or and update at least.