Active Directory Restore Mode

Ron Hinds

W2K Server SP4. Active Directory became corrupt so it won't boot except in
"Active Directory Restore Mode". I read through the Help files which explain
two methods for restoring Active Directory - from a backup (which I don't
have - shame on me!), or by re-running the Active Directory Installation
Wizard and replicating from another Domain Controller (which I *do* have).
But, every time I try to run the Active Directory Installation Wizard, it
says it can't be run in Safe Mode! Is there any way around this Catch-22 or
do I just need to re-install W2K from scratch?
 
Cary Shultz [A.D. MVP]

Ron,

I might try the /forceremoval switch ( with dcpromo ) and if that does not
work then simply unplug the DC in question ( turn it off ) and then go to
the remaining DC that you have and run a metadata cleanup. This will remove
all reference to that 'corrupted' DC from your environment ( well, you might
have to use ADSIEdit and clean up DNS a little bit as well as Active
Directory Sites and Services ).

Now, the only problem left now is: what was on that DC ( meaning, was it
also a file server? a print server? a Certificate Server? a DNS server? a
DHCP server? you get the picture ). Is any of this going to cause a problem
( meaning, something that you cannot restore from backup )?

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Ron Hinds

Both machines were acting as DNS servers so that isn't a problem. The one
with the problem was also a SQL Server. But that database is backed up
constantly and is now up and running on the other DC. I saw something about
the metadata cleanup in the Help file and was planning to do that. What
about the FSMO roles? Do I need to make the remaining DC seize those too?
 
Cary Shultz

Ron,

Generally speaking, when you run dcpromo one of the things that it is
supposed to do is to transfer any of the five FSMO roles that the DC being
dcpromo'd might hold to another DC. However, I like to be the judge of
which DC gets which role ( naturally if you have only two DCs....... ). So,
I might go ahead and determine which DC holds which FSMO role(s) and then
transfer accordingly. There are several ways that you can determine which
DC holds which role. I like to use 'netdom query fsmo' but that requires
that you have the Support Tools installed ( which I suggest that everyone
do... ). You can also use the GUI ( Active Directory Users and Computers
for the three Domain-wide FSMO Roles, for example ) or any number of other
tools. And you will want to transfer the roles, normally speaking. You
only want to seize a role when the DC that holds that role will NEVER return
to the environment ( otherwise you will have two DCs that *think* that they
hold that one role....have fun!!! ). In your case I think that you will
need to seize. However, try to first transfer......IIRC, the seize function
tries to first transfer, and if that does not work, does the seize.

Make sure that the clients are getting the correct IP Address Lease
information ( read: update DHCP and the Options ).

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
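
The role check and seizure discussed in the reply above, followed by the start of the metadata cleanup mentioned earlier in the thread, as an added example that is not part of the original posts. It assumes a single domain with two DCs, the Support Tools installed on the surviving DC, and the placeholder server name `DC2`.

```batch
@echo off
rem Added example (not from the thread). Run on the surviving DC with an
rem account that is a member of Enterprise Admins and Schema Admins.
rem DC2 is a placeholder for the surviving DC's name.
setlocal
set SURVIVOR=DC2

echo === FSMO role holders before the change ===
netdom query fsmo
echo.
echo Seize ONLY if the failed DC will never be reconnected to the network.
echo Press Ctrl+C to abort, or any other key to continue.
pause

rem Each argument is one ntdsutil command, exactly as typed at its prompts.
rem ntdsutil attempts a normal transfer first and seizes only if that fails.
rem It asks for confirmation per role; a role already held by the survivor
rem is reported as such and left alone.
ntdsutil roles connections "connect to server %SURVIVOR%" quit ^
  "seize schema master" ^
  "seize domain naming master" ^
  "seize RID master" ^
  "seize PDC" ^
  "seize infrastructure master" ^
  quit quit

echo === FSMO role holders after the change ===
netdom query fsmo

rem Metadata cleanup: the item numbers differ per environment, so the
rem selection is left interactive. At the "select operation target:" prompt:
rem   list sites              then  select site N
rem   list domains in site    then  select domain N
rem   list servers in site    then  select server N   (the FAILED DC)
rem   quit
rem   remove selected server
rem   quit, quit
ntdsutil "metadata cleanup" connections "connect to server %SURVIVOR%" quit "select operation target"
endlocal
```

Compare the two `netdom query fsmo` listings: after the run, all five roles should name the surviving DC.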
 
Ron Hinds

Thanks Cary for your help. All is well again! I created an ERD. Now, what
should I be backing up and how often?
 
Cary Shultz

Ron,

One word comes to mind: System State! How often? Every night!

There are a few other things that you can do. I like to create a .ldf file
which has all of the user account objects and all of the group objects and
all of the computer account objects. It is more of a security blanket than
anything. If the poop hit the fan and your backup did not work ( you do
test your backup, right? ) then this .ldf file might come in handy. It
would be a saving grace in an otherwise bad situation. And for your GPOs
you might want to look at the GPMC.

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
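
One way to script the nightly System State backup and the .ldf export described in the reply above, as an added example that is not part of the original post. The base DN `DC=example,DC=local`, the output folder `D:\DCBackup` and the script path in the `at` comment are placeholders.

```batch
@echo off
rem Added example (not from the thread). Run on a DC as a domain admin.
rem BASEDN and OUT are placeholders; adjust to the real domain and disk.
setlocal
set BASEDN=DC=example,DC=local
set OUT=D:\DCBackup

if not exist "%OUT%" mkdir "%OUT%"

rem The exports list every account, group and computer in the domain, so
rem limit the folder to Administrators and SYSTEM before writing into it.
rem Without /E, cacls replaces the ACL and asks for confirmation.
echo y| cacls "%OUT%" /T /G Administrators:F SYSTEM:F >nul

rem 1. System State (AD database, SYSVOL, registry, boot files), verified.
del "%OUT%\systemstate.bkf" 2>nul
start /wait ntbackup backup systemstate /J "Nightly System State" /F "%OUT%\systemstate.bkf" /V:yes
if not exist "%OUT%\systemstate.bkf" goto fail

rem 2. The "security blanket": one .ldf per object type. The export does
rem    not contain passwords.
ldifde -f "%OUT%\users.ldf" -d "%BASEDN%" -p subtree -r "(&(objectCategory=person)(objectClass=user))"
if errorlevel 1 goto fail
ldifde -f "%OUT%\groups.ldf" -d "%BASEDN%" -p subtree -r "(objectClass=group)"
if errorlevel 1 goto fail
ldifde -f "%OUT%\computers.ldf" -d "%BASEDN%" -p subtree -r "(objectClass=computer)"
if errorlevel 1 goto fail

echo Backup and exports written to %OUT%
goto end

:fail
echo ERROR: backup or export failed, check the output above.

:end
endlocal

rem Schedule it nightly, for example:
rem   at 01:00 /every:M,T,W,Th,F,S,Su "C:\Scripts\dc-backup.cmd"
```

Copy the resulting files off the DC afterwards; a backup that lives only on the machine it protects is lost with it.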
 
Ron Hinds

I'll do it!

I have another question: After transferring the FSMO roles to the second
server, I'm now seeing this message:

Unable to establish connection with global catalog.

It's in the Directory Service Event log every hour on that server. I
searched MSDN and found a KB article (842208), but it doesn't seem to relate
as no other error messages are showing up. Any ideas?
 
Cary Shultz

Ron,

I would guess that you would have to make the 'surviving' Domain Controller
a GC as well. I just looked through the entire history of this post and I
failed to mention that. Sorry. Sometimes I forget the 'obvious'.... ;-)

You do this in the Active Directory Sites and Services MMC. And, to avoid
any more delay, please find below the link to the MSKB Article that explains
how to do this:

http://support.microsoft.com/?id=313994

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
