Disaster Recovery

[Chris W.]

Is it necessary to have a system drive and system state backup for every
domain controller to fully recover from disaster?

I have 2 root domain controllers and 2 child domain controllers. DC1 for
each domain holds all FSMO roles except the Infrastructure Master. Both
DC1's are also global catalogs. I am currently backing up the system drive
and system state for both DC1s. After restoring DC1 for the root domain I
get the following error:

Event ID 40961

The security system could not establish a secured connection with the server
ldap/servername. No protocol was available.

I cannot promote a second server to a domain controller because the domain
cannot be found.

 

[Ace Fekay [MVP]]

In

Is it necessary to have a system drive and system state backup for
every domain controller to fully recover from disaster?

I have 2 root domain controllers and 2 child domain controllers. DC1
for each domain holds all FSMO roles except the Infrastructure
Master. Both DC1's are also global catalogs. I am currently backing
up the system drive and system state for both DC1s. After restoring
DC1 for the root domain I get the following error:

Event ID 40961

The security system could not establish a secured connection with the
server ldap/servername. No protocol was available.

I cannot promote a second server to a domain controller because the
domain cannot be found.

A 40961 may be caused by something as simple as not having a reverse zone
created, but there are other factors that can cause it too:
http://www.eventid.net/display.asp?eventid=40961&source=

Usually when one gets a "domain not found" usually points to a DNS lookup
issue. Insure that you are only using the internal DNS servers and not ISP
addresses exist on any domain member. Configure a forwarder for efficient
Internet resolution, shown how to here:
http://support.microsoft.com/?id=300202.

Hope that helped.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Chris W.]

"Ace Fekay [MVP]"

In


A 40961 may be caused by something as simple as not having a reverse zone
created, but there are other factors that can cause it too:
http://www.eventid.net/display.asp?eventid=40961&source=

Usually when one gets a "domain not found" usually points to a DNS lookup
issue. Insure that you are only using the internal DNS servers and not ISP
addresses exist on any domain member. Configure a forwarder for efficient
Internet resolution, shown how to here:
http://support.microsoft.com/?id=300202.

Hope that helped.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

I can do an NSLOOKUP for the domain and it resolves the correct domain
controller. All SRV record for the domain controller exist. If I logon on to
the domain controller and run replmon I get "domain controller of the domain
name could not be contacted." Should I be able to restore the domain with
the 2 DC or will I have to backup all 4 DC's? Thanks for the reply.

Chris

 

[Ace Fekay [MVP]]

In

I can do an NSLOOKUP for the domain and it resolves the correct domain
controller. All SRV record for the domain controller exist. If I
logon on to the domain controller and run replmon I get "domain
controller of the domain name could not be contacted." Should I be
able to restore the domain with the 2 DC or will I have to backup all
4 DC's? Thanks for the reply.

Chris

Chris, is there a firewall or NAT between the DCs? You can still resolve if
those ports are opened in a firewall and even NAT, but if the ports are
closed for domain communication then it won';t work.

There's about 30 ports needed for domain communication and replication.

If using NAT, then there's no way domains will communicate thru a NAT
device.

If you can let us know the above, as well as let us know what DNS servers
your DCs are using, that would help us.




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Chris W.]

"Ace Fekay [MVP]"

In

Chris, is there a firewall or NAT between the DCs? You can still resolve if
those ports are opened in a firewall and even NAT, but if the ports are
closed for domain communication then it won';t work.

There's about 30 ports needed for domain communication and replication.

If using NAT, then there's no way domains will communicate thru a NAT
device.

If you can let us know the above, as well as let us know what DNS servers
your DCs are using, that would help us.




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

I found the problem. I was not doing a primary restore of the sysvol. So
each time I restored the domain controller it was waiting for the sysvol to
be replicated to it. Apparently when a domain controller is in this state
you can not authenticate to it. Thanks for the replies.

 

[Ace Fekay [MVP]]

In

I found the problem. I was not doing a primary restore of the sysvol.
So each time I restored the domain controller it was waiting for the
sysvol to be replicated to it. Apparently when a domain controller is
in this state you can not authenticate to it. Thanks for the replies.

Glad you figured it out!


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory