Mike H. - Another Geek In Need...


Many of us have probably dabbled in setting up our own domain and forest for development purposes. For me, a domain is a must: I have a development environment that is heavily used to model development projects for clients, and I have my family (me, my wife, and 7 children) with their own computers.

So we have a fairly detailed setup on the home front, but the following applies to ANY environment in which your primary domain controller gives up the ghost and you do not have an image backup of the PDC.

Foremost, some clarity. In an Active Directory forest where you have several domain controllers but one primary domain controller (PDC), you may think that you must RESTORE or recover this PDC to salvage the domain. In other words, if the PDC fails, is all lost? Nope, not at all, unless you have no backup domain controllers. If you do not, reading the rest of this is moot; if you do, read on.

When you promote additional servers in your domain as member DCs in the same forest, your domain details remain available to you, and you simply need to transfer the Operations Master role to another DC. Before doing that, though, there are the FSMOs, something hardly anyone knows about. FSMO stands for Flexible Single Master Operation, and these are the roles your PDC (the master of operations) manages. If a PDC, and the Global Catalog for that matter, goes offline, a backup DC will generally pick up and juggle traffic for the PDC. But what happens if the PDC crashes altogether and you need to assign a member backup DC the PDC role?

The FSMO roles must be moved to a backup DC before that DC can assume the Master of Operations role. This is done at the command line, and you must be careful before you make this call: ONLY do this if you are sure you cannot recover the original PDC, because once you do this you cannot later recover the PDC and bring it online. It cannot be added back into the forest at all.

So, the FSMO roles and how we transfer them. In short, you cannot simply transfer the FSMO roles, because the PDC is offline and not available to authorize the transfer. However, you 'can' SEIZE the FSMO roles from the original PDC, even with the machine offline.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Open a CMD prompt on the backup DC you want to perform this on. At the command-line prompt, type Ntdsutil and press <Enter>.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

At this prompt, type roles and press <Enter>:

ntdsutil: roles
fsmo maintenance:

Now type connections and press <Enter>:

fsmo maintenance: connections
server connections:

Now type connect to servername <serverName> where <serverName> is the name of the backup DC you are working on, and press <Enter>:

server connections: connect to servername hamddc02

Connected to hamdc02 using credentials of locally logged on user.
server connections:

At the server connections prompt type q and press <Enter>:

server connections: q
fsmo maintenance:

Now we are going to SEIZE the FSMO roles we want. NOTE: out of the 5 FSMO roles, we are NOT going to seize the Infrastructure Master. We do not want to put the Infrastructure Master (IM) role on the same domain controller as a Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it never sees references to objects it does not hold: a GC server holds a partial replica of every object in the forest. For now, we'll seize the following:

Seize domain naming master
Seize PDC
Seize RID master
Seize schema master

We do this by typing the lines shown above. For example, to seize the domain naming master, type seize domain naming master and press <Enter>.

You will receive a Windows dialog prompting you to confirm this move. Click <Yes>; you'll then see the attempt to safely transfer the FSMO role, a failure message, and finally the seizure of the role, assigning it to the backup DC you specified when you connected to the server above.

Once you have completed this for the 4 roles, type Quit to exit the utility, then Exit to return to Windows.

From the Start menu, select Run and enter dsa.msc and press <Enter>.

On the domain that is displayed, right-click and select Operations Masters. You should now see that this backup domain controller (HAMDC02 in this case) is now the Operations Master.

From here you simply re-create the failed domain controller and promote it, joining it to this existing forest.
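The interactive ntdsutil session above, together with the rule about keeping the Infrastructure Master off a Global Catalog, can be wrapped in a script that records who held the roles before, refuses to seize while the old PDC still answers on LDAP (a graceful transfer is then still possible), and checks afterwards that every seized role really landed on the surviving DC. The following is an added example, not code from the original post; it assumes a Windows Server 2008 R2 or later domain controller with the ActiveDirectory PowerShell module and the Test-NetConnection cmdlet, run in an elevated session by a member of Enterprise Admins. The parameter names $TargetDc and $FailedDc and the function Get-FsmoHolders are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example: seize the FSMO roles onto a surviving DC and verify the result.
# $TargetDc / $FailedDc are hypothetical parameter names for this script.
param(
    [string]$TargetDc = $env:COMPUTERNAME,    # surviving DC that will hold the roles
    [Parameter(Mandatory)][string]$FailedDc   # DC that died and will not return under this identity
)
Import-Module ActiveDirectory

# Who holds each of the five roles right now: forest-wide roles come from
# Get-ADForest, domain-wide roles from Get-ADDomain. Values are holder FQDNs.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host "FSMO holders before:"
Get-FsmoHolders | Format-List

# Guard 1: a seize is one-way for the old PDC, so refuse it while that machine
# still answers LDAP. In that case run the same cmdlet without -Force (a transfer).
if (Test-NetConnection -ComputerName $FailedDc -Port 389 -InformationLevel Quiet) {
    throw "$FailedDc still answers on TCP/389; transfer the roles instead of seizing them."
}

$target = Get-ADDomainController -Identity $TargetDc

# Guard 2: the post's rule. Seize the four roles; add the Infrastructure Master only
# if the target is not a GC, or if every DC is a GC (then the IM has nothing to fix up).
$roles = 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'SchemaMaster'
$nonGcDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if (-not $target.IsGlobalCatalog -or -not $nonGcDcs) {
    $roles += 'InfrastructureMaster'
} else {
    Write-Warning "$TargetDc is a Global Catalog; leaving InfrastructureMaster for a non-GC DC."
}

# -Force tells the cmdlet to seize when the current holder cannot be reached;
# without it the cmdlet only performs a cooperative transfer.
# Equivalent ntdsutil session to the one in the post (one command per argument):
#   ntdsutil "roles" "connections" "connect to server $TargetDc" "quit" `
#            "seize domain naming master" "seize PDC" "seize RID master" `
#            "seize schema master" "quit" "quit"
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false

# Verify: every role we asked for must now resolve to the target DC's FQDN.
$after = Get-FsmoHolders
Write-Host "FSMO holders after:"
$after | Format-List
$missed = $roles | Where-Object { $after.$_ -ne $target.HostName }
if ($missed) {
    throw "Roles not held by $($target.HostName): $($missed -join ', ')"
}
Write-Host "All seized roles are now held by $($target.HostName)."
```

Run it on the surviving DC as `.\Seize-Fsmo.ps1 -FailedDc hamdc01` (file and host names are placeholders). The LDAP reachability test is deliberately the last line of defence, not the first: the decision that the old PDC is unrecoverable is an operational one, and the script only stops you from seizing while the transfer path is still open.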

Hopefully others will find this useful.

posted on Sunday, April 15, 2007 11:05 AM

Feedback

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/23/2007 3:49 AM Michael
I like this Article, Thanks so much~!

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 5/2/2007 5:06 AM rajkumar
good document

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 9/3/2007 3:47 PM Jamil
lost and canceled by 1n1.co.uk, how do I recover it

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 9/3/2007 5:58 PM MikeH
Hi Jamil,

Without knowing more of what the issue is, I'm not sure I can help at all - I'm not sure what you mean by lost and cancelled.

Regards...

MikeH...

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 10/16/2007 1:14 AM Arbind kumar Singh
how to transfer five roles primary domain failed

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 10/30/2007 7:36 AM Sonali
wow .. It's nice Steps.....Perfect Solution...
I really like it... Thanks so much....

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 10/31/2007 1:55 AM Rukmal
"From here you simply re-create the failed domain controller, and promote it "

What do you mean? We are doing this to the additional domain controller, right? So how to promote it again, and how to re-create the failed domain?

Thanks


# re: How to recover domain when the primary domain controller failes and there are member domain controllers 10/31/2007 3:43 AM MikeH
Hi Rukmal,

That last line is referring to the setup of the OS that failed. The assumption is that it is the only other machine still available to be a domain controller - and it'll have to be re-configured and re-joined as a DC in the forest.

If, for example, the failed DC came back to life, after you had walked through the transfer of everything, and the Ops Master? And you simply wanted to bring it back on-line? This would fail. The machine has to be promoted all over again, and then joined as a member server.

Hope that helps..

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 11/3/2007 12:52 PM Sachin Sharma
It's really thankful information

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 12/21/2007 4:14 AM Popolou
Hey,

As with most things in life, you only begin to listen up when it matters. And this was the case for us recently.

Could i just add to the excellent write up, the following points for any person in the same boat: -

1. The seize command is a rather heavy handed route to undertake and only should happen as a last resort if the usual transfer is not possible. Don't be alarmed though if you need to go down this road. If the DC is limping till it gives up the ghost, try and transfer the roles without delay. In other words, if there is a chance to transfer then, do it otherwise fall back on seizing them.

2. The issue of never returning the same DC back into the AD had concerned me the most, especially as it's written everywhere yet with no good explanation as to why. The main reason for it is that the AD will be competing with the downed server for the handling of the RID pool in particular. If this was to occur, any newly created items within AD will not get unique identifiers and start to cause unknown complications when calling on these IDs, leading up to an unstable and very confused AD.

3. However, the above rule would only happen if the downed DC was not freshly rebuilt before returning to the domain. If the server _is_ the same one that left, then you can never bring it back into AD and promote it. However, if it's the same server physically yet was formatted and repartitioned with a fresh OS, then it's not technically the same server, as the GUID of the new machine will be different. That's what is referred to when instructed never to bring it back: the GUID. So, when rebuilding you can even use the same netbios/dns name as the original, since AD will hand it a new GUID on entry to the directory.

4. This then means that when removing the server (or rebuilding it from a crash) there will still be remnants of it within AD. You will then need to do a metadata cleanup via ntdsutil. To ensure that all records of the original server have been removed from AD, use the DcDiag /v command.

5. If you need to determine which servers are handling each of the 5 FSMO roles, use the "Netdom query FSMO /domain" command available from either the windows 2000 support tools or within the standard 2003 server.

Thanks again!

Pop
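Point 4 above (remnants of the dead DC left in the directory, to be removed with ntdsutil metadata cleanup and checked with dcdiag) is the part people most often skip. The script below is an added example, not code from the post or from this comment: it walks the Configuration partition for every server object that still has an NTDS Settings (nTDSDSA) child, tests whether that host answers on LDAP, and for the ones that do not, prints the ntdsutil metadata cleanup command for the operator to review rather than running it. It assumes the ActiveDirectory PowerShell module, Test-NetConnection, and an account that can read the Configuration partition; the function name Get-StaleDcMetadata is my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report DC server objects whose NTDS Settings object is still in AD
# but whose host no longer answers LDAP, i.e. candidates for metadata cleanup.
Import-Module ActiveDirectory

function Get-StaleDcMetadata {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $sitesDn  = "CN=Sites,$configNc"

    # Every DC has a "CN=NTDS Settings" (objectClass nTDSDSA) child under its server
    # object. A DC that was demoted cleanly no longer has one; a crashed DC still does.
    $ntdsObjects = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)'

    foreach ($ntds in $ntdsObjects) {
        # The parent of the NTDS Settings object is the server object, which carries
        # dNSHostName. DN layout: CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $serverDn = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        $site     = ($serverDn -split ',')[2] -replace '^CN=', ''
        $answers  = if ($server.dNSHostName) {
            Test-NetConnection -ComputerName $server.dNSHostName -Port 389 -InformationLevel Quiet
        } else { $false }   # no dNSHostName at all is itself a sign of a broken record

        [pscustomobject]@{
            Server    = $server.Name
            Site      = $site
            DnsName   = $server.dNSHostName
            ServerDn  = $serverDn
            Reachable = $answers
        }
    }
}

$report = Get-StaleDcMetadata
$report | Format-Table Server, Site, DnsName, Reachable -AutoSize

# Unreachable is a candidate, not proof: a DC that is merely powered off looks the
# same. Confirm against the DCs you know exist before removing anything.
$stale = $report | Where-Object { -not $_.Reachable }
foreach ($s in $stale) {
    Write-Warning "Possible stale metadata for $($s.Server) in site $($s.Site)."
    # ntdsutil command for this server object, printed for review rather than run.
    # The DN form of "remove selected server" is accepted by Windows Server 2003 SP1 and later.
    Write-Host ('ntdsutil "metadata cleanup" "remove selected server {0}" "quit" "quit"' -f $s.ServerDn)
}

# After cleanup, verify with the tools named in the comment above:
#   netdom query fsmo     (which DC holds each of the five roles)
#   dcdiag /v             (verbose health check; the removed server should no longer appear)
```

Because the script only prints the cleanup commands, it is safe to run against a healthy domain to see what it reports; the one DC that is legitimately down for maintenance will show up as a candidate, which is exactly why the removal step stays manual.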

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 1/23/2008 2:44 AM nawal
please send,

how to recover domain controller

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 2/19/2008 7:32 AM JOY
Very Good Article....

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 3/23/2008 1:24 AM mike tagle
This article is very nice!

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/2/2008 6:37 PM Zubair
I followed all the steps, (really great article) but what does this last line mean "From here you simply re-create the failed domain controller, and promote it - joining it to this existing forest."

I have installed a new machine, called it HAMDC02, joined it to the forest as an additional domain controller (because the original PDC is no more) and followed all the steps for seizing roles to this new machine. Who is running the roles now if not HAMDC02?

Please help?

Thanks

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/2/2008 6:57 PM MikeH
Fair question Zubair... Basically that means you take a clean new server - or the old one - after it has been renamed, and possibly run NewSID on it - and you re-join it to the domain.

The predicate is that you cannot join the older failed machine w/the same SSID/name.

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/7/2008 4:30 PM Zubair
Thanks, but my question is which server is acting as Schema, Domain Naming, PDC and RID Master.

I have an exchange server installed and after this repair I want to extend the schema, using additional exchange.

Thanks again!


# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/7/2008 6:25 PM MikeH
Hi Zubair,

The 'member' server that was a member domain controller when the PDC failed - is the machine you would be working on.

Following the steps I outlined, you seize all of these roles as outlined - and this 'member' server becomes the new PDC/RID Master/Schema master of operations.

HTH's...

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/15/2008 10:32 AM Liam
Hi,
I just want to make sure of the FSMO transfer before I go ahead and follow your steps.
If I transfer the FSMO roles via ntdsutil to the BDC except for the Infrastructure Master, am I able to get the FSMO back to the original PDC once I have rebuilt the OS and re-installed all the necessary services to that machine??
I basically have a PDC with a failing disk and need to rebuild the machine.
Is that what we are looking at here?
thank you
P.S. - this is the most logical technical article I have read in years.

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/15/2008 11:19 AM MikeH
Hi Liam... Good question.

In short, the answer is yes.

Remember, the member server that is going to seize everything will effectively become the new PDC/Master of Operations.

With that said, if you want to rebuild the failing machine, be sure to completely rebuild - meaning a re-installation / re-SID effectively - of the OS - so it "IS" new to the domain. If you seize all of these roles from the failing PDC to a member server, that failing PDC cannot take them back - you would essentially have to join it to the domain as a member server, then seize the roles back to the newly joined server.

Does that help?

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/15/2008 2:17 PM Liam
Yes!
One last thing..since I do not make the BDC (going to PDC) the infrastructure master I can basically take that role back to the "new" PDC when I re-install the services. Then seize the FSMO roles back to the "new" PDC when everything is up and running and joined to the domain again, correct?


# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/15/2008 2:43 PM MikeH
That would be correct, yes.

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 4/26/2008 3:18 PM dotnetnoob
Just a slight correction...you have in step 3 the syntax:

server connections: connect to servername hamddc02

On server 2003 R2, the correct syntax is "server" not "servername"

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 5/25/2008 3:33 PM adly
Hi

I would like to thank all of you for this wonderful description, explanation, and modern conversation about this problem.



# re: How to recover domain when the primary domain controller failes and there are member domain controllers 7/3/2008 7:34 AM Fernando
I have the same problem.
My PDC server had a hardware problem. I transferred the roles to the BDC server. Now I want to put it back as PDC. How do I restore this machine?

Thanks.

# re: How to recover domain when the primary domain controller failes and there are member domain controllers 7/3/2008 11:10 AM MikeH
Hi Fernando... The predicate in seizing the roles from the original PDC is that it cannot be the PDC again. In order to introduce it back into the mix, you must reload it, and at the very least run NewSID on it (you can Google that easily enough) and create a new SID / name pair for the machine, join it back as a member server, and you can then seize the roles back to the newly joined machine, making it the PDC once again.

HTH's...
