Disaster Recovery AD

gordon

I have been doing disaster recovery testing in a test
environment in a worst-case scenario where all servers are
destroyed and I need to recover two of our three domains
(1 parent, 2 child) from backup. I am using like equipment
for the DCs (multiple DCs per domain), all are SP4. After
recovering the root DC, I seized all FSMO roles. Then
using ntdsutil, metadata cleanup, I removed the other
domain controllers except for one DC in the Staff child
domain (Q216498). After the authoritative restore of the
KSD root domain DC is completed, I get errors in File
Replication Service event viewer:
Event id: 13566
File Replication Service is scanning the data in the
system volume. Computer DWSRV111 cannot become a domain
controller until the process is complete. . .

The netdiag Global results say:
Domain Membership test . . . . Failed
[Warning] The system volume has not been completely
replicated to the local machine. This machine is not
working properly as a DC.

I did a non-authoritative restore of one DC in the Staff
child domain. These two do not replicate properly and
there was no change in the results of the testing (both
DCs are not functioning as DCs).

What can I do to get AD and these DCs restored?
Thanks.
 
Mark Ramey [MSFT]

Gordon,

If you check for the sysvol and netlogon shares, are they present? Run net
share at a command prompt.

The most likely problem is that when you restore a machine from backup
several things happen. One is the RID set will be invalidated to prevent any
duplicate RIDs being issued. Another thing is that the sysvol content
(policies and scripts folders) will be relocated into a NTFRS_Pre-existing
folder. Until it is able to source and perform an MD5 checksum comparison
with a replication partner they never get moved out of the pre-existing
folder. Hence the sysvol and netlogon are not going to share out.

There are 2 things you can do to overcome this. One is to move the policies
and scripts folders out of the pre-existing folder to their normal location
under the domain name. Then cycle the FRS service and the netlogon service
and they should share out normally. The second thing to do is that when you
restore the system state do not use the wizard. Select the Restore tab in
ntbackup. Go to the advanced options and you will see a screen that has a
selection for "When restoring replicated data sets, mark the restored data
as the primary data for all replicas." What this will do is set the policies
and scripts folders to authoritative for the domain and the folders will not
move automatically into the pre-existing folder. If other DCs are on the
domain they would source from this machine that was restored and all have
the same data.

Hope this helps.


--
Mark Ramey [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights


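A read-only way to check the three symptoms this exchange turns on (SYSVOL/NETLOGON not shared, content parked in the FRS pre-existing folder, FRS event 13566), with Mark's first fix behind an opt-in switch; this is an added example, not code posted in the thread. It assumes an FRS-era DC with SYSVOL under %SystemRoot%\SYSVOL\domain and that the parking folder is named NtFrs_PreExisting___See_EventLog (the folder Mark calls NTFRS_Pre-existing).

```powershell
# Added example, not code from the thread. Assumes an FRS-era DC whose SYSVOL
# lives under %SystemRoot%\SYSVOL\domain and that FRS parked the restored content
# in NtFrs_PreExisting___See_EventLog (the folder Mark calls NTFRS_Pre-existing).
function Test-SysvolRecoveryState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL\domain'),
        [switch] $Repair   # opt in to Mark's first fix: move folders back, cycle services
    )
    $preExisting = Join-Path $SysvolRoot 'NtFrs_PreExisting___See_EventLog'
    $report = [ordered]@{}

    # 1. Same check as "net share" in the thread: are SYSVOL and NETLOGON shared out?
    $shares = net share 2>$null
    $report.SysvolShared   = [bool]($shares | Select-String -Pattern '^SYSVOL\s'   -Quiet)
    $report.NetlogonShared = [bool]($shares | Select-String -Pattern '^NETLOGON\s' -Quiet)

    # 2. Did FRS move Policies/Scripts into the pre-existing folder after the restore?
    $report.ParkedFolders = @(foreach ($name in 'Policies', 'Scripts') {
        if (Test-Path -LiteralPath (Join-Path $preExisting $name)) { $name } })

    # 3. Is FRS still logging 13566 ("scanning the data in the system volume")?
    $recent = Get-EventLog -LogName 'File Replication Service' -Newest 200 -ErrorAction SilentlyContinue
    $report.Event13566Seen = [bool]($recent | Where-Object { $_.EventID -eq 13566 })

    if ($Repair -and $report.ParkedFolders.Count -gt 0) {
        foreach ($name in $report.ParkedFolders) {
            $src = Join-Path $preExisting $name
            $dst = Join-Path $SysvolRoot  $name
            if (Test-Path -LiteralPath $dst) {
                # Never clobber content already in place; that needs a manual merge.
                Write-Warning "$dst already exists; merge $src into it by hand"
                continue
            }
            if ($PSCmdlet.ShouldProcess($dst, "Move $src back to its normal location")) {
                Move-Item -LiteralPath $src -Destination $dst
            }
        }
        # Then cycle FRS and Netlogon, as Mark describes, so the shares are re-published.
        if ($PSCmdlet.ShouldProcess('NtFrs, Netlogon', 'Restart services')) {
            Restart-Service -Name NtFrs -Force
            Restart-Service -Name Netlogon -Force
        }
    }
    [pscustomobject]$report
}

# Dry run first; add -Repair -Confirm to actually move folders and restart services.
Test-SysvolRecoveryState -WhatIf
```

Running it without -Repair only reports; if Event13566Seen stays true after the folders are back in place and the services restarted, the DC still has no partner to source from and Mark's second suggestion (the primary-restore option in ntbackup) is the path to take.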
 
gordon

Hi Mark,
Thanks for the reply. When I run net share, the sysvol and
netlogon do not appear. I followed your first suggestion,
copied the policies and scripts folders into the proper
places, then restarted the FRS and netlogon services.

I have error messages in the event logs for FRS.
FRS: . . . is scanning the data in the system volume.
Computer cannot become a DC until this is complete . . .

Any additional thoughts?
Thanks,
Gordon

