Restore Windows 2000 on Different Hardware

Guest

Hi Folks,

I need some help and suggestions. I want to restore my Active Directory on a
testbox in a lab. The production hardware is multiprocessor and RAID based
Dell Servers. The Lab Server is a PIII desktop. I tried to take some help
from a MS KB Article, Q263532.

The problem is that when I restore and repair the installation, the OS starts
and comes up with an error about "AD Transaction" with a message to start in
DS mode. Even in DS mode it's the same.

Is there any other way I can get this done? I want to avoid installing my
Lab Box in a production environment to get the copy of AD.

Also I use Veritas Backup Exec for Backups.

Thanks
IK
 
Pegasus (MVP)

Have you tried this method?
http://support.microsoft.com/default.aspx?scid=kb;en-us;824125
 
gjb

If all you want is the AD, an easier way may be to add the "lab" box as a
DC, let it replicate, then take a backup of that server, remove it as a DC,
then restore it in the lab.
Then just use NTDSUTIL to seize all the FSMO roles, etc.

G
 
Jeff Qiu [MSFT]

Hi IK,

Thanks for posting!

My name is Jeff and I understand your issue to be:

How to restore a Windows 2000 DC to a different hardware?

If I have misunderstood your issue please let me know.

Since the HAL is obviously different, you may need to do a repair of the
restored Windows like the following article:

824125 HOW TO: Replace the Motherboard on a Computer That Is Running Windows
http://support.microsoft.com/?id=824125

Actually, it is strongly recommended NOT to use that article Q263532 in this
situation.

As you may have noticed from the warning here:

Warning: The procedure that is described in this article is intended for
disaster recovery of a single domain when no other domain controllers are
available. This procedure is not intended as a means to move domain
controllers from old hardware operating systems to new hardware operating
systems in a multiple-domain environment. It is intended for use only when
disaster recovery is required. After you recover the domain controller, do
not keep the recovered domain controller in production. The purpose of this
recovery is to restore Active Directory functionality and to bring new
domain controllers online. After a new domain controller is online, demote
the recovered server, remove it from the domain, and then reinstall Windows.

Q263532 applies only when there is no other possible DC available and
is for emergency use only. After it is online, you should clean install
another DC to replace it.

In your situation here, I suggest you clean install Windows 2000 on that
powerful server and join it to this test DC domain. DCPROMO it and move all
FSMO roles in and install Services as needed. Demote that lab DC and join
that machine to a workgroup to leave the domain.

Here are some articles that may be helpful to you:

238369 HOW TO: Promote and Demote Domain Controllers in Windows 2000
http://support.microsoft.com/?id=238369

255690 HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
http://support.microsoft.com/?id=255690

307304 HOW TO: Remove Active Directory with the Dcpromo Tool in Windows 2000
http://support.microsoft.com/?id=307304

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

Hope this helps.

Please feel free to let me know if you have any further concerns or
questions regarding the issue.

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2000, MCDBA, MCSA
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Guest

Thanks all for the help.

I tried the 824125 option. Well I think I will go the way of promoting my
box to DC, take the backup and then demote it. And again restore it from
backup.

I have another interesting question here. Once I have a replica of
Production Active Directory in the Lab, can I restore the changes to the Lab
from time to time?

Thanks again and appreciate all the help.

IK
 
Jeff Qiu [MSFT]

Hi IK,

When we restore the AD database, there are two kinds of restore when there is
more than 1 DC in the domain:

An authoritative restore or an unauthoritative restore.

During a typical file restore operation, Microsoft Windows Backup operates
in non-authoritative restore mode. In this mode, Windows Backup restores all
files, including Active Directory objects, with their original Update
Sequence Number (USN) or numbers. The Active Directory replication system
uses the USN to detect and replicate changes to Active Directory to all the
domain controllers on the network. All data that is restored
non-authoritatively appears to the Active Directory replication system as
old data. Old data is never replicated to any other domain controllers. The
Active Directory replication system updates the restored data with newer
data from other domain controllers. Performing an authoritative restore
resolves this issue.

Note: Use an authoritative restore with extreme caution because of the effect
it may have on Active Directory. An authoritative restore must be performed
immediately after the computer has been restored from a previous backup,
before restarting the domain controller in normal mode.

An authoritative restore replicates all objects that are marked
authoritative to every domain controller hosting the naming contexts that
the objects are in. To perform an authoritative restore on the computer, you
must use the Ntdsutil.exe tool to make the necessary USN changes to the
Active Directory database.

There are certain parts of Active Directory that cannot or should not be
restored in an authoritative manner:

- You cannot authoritatively restore the schema.

- The configuration naming context is also very sensitive, because changes
will affect the whole forest. For example, it does not make sense to restore
connection objects. Connection objects should be recreated by the Knowledge
Consistency Checker (KCC) or manually. Restoring server and NTDS settings
objects makes sense when no destructive troubleshooting was done before. If
you are unsure, contact Microsoft Product Support Services for help:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

- In the domain context, do not restore any objects that deal with
relative identifier (RID) pools. This includes the subobject "Rid Set"
of domain controller computer accounts and the RidManager$ object in
the SYSTEM container.

- Another issue is that many distinguished name-type links may break
when you restore. This may affect objects that are used by the File
Replication Service (FRS). These exist underneath CN=File Replication
Service,CN=System,DC=<yourdomain> and CN=NTFRS Subscriptions,CN=<DC
computer account>.

- Attempts to authoritatively restore a complete naming context will
always include objects that can disrupt the proper functionality of
crucial parts of Active Directory. You should always try to
authoritatively restore a minimal set of objects.

- Finally, similar issues might exist for objects created by other
applications. These go beyond the scope of this article.

A system state restore replaces all new, deleted, or modified objects on the
domain controller that is being restored.

A system state restore of a naming context that contains two or more
replicas is an authoritative merge. In an authoritative merge, all objects
that are deleted or modified are rolled back to when the backup was made.
Objects that were created after the backup are replicated from naming
context replicas. An authoritative merge represents a merge of the state
that existed when the backup was made with new objects that were created
after the backup.

When you non-authoritatively restore a naming context that contains a single
replica, you actually perform an authoritative restore.

Perform an Authoritative Restore
--------------------------------

After the data has been restored, use Ntdsutil.exe to perform the
authoritative restore:


1. At a command prompt, type "ntdsutil" (without the quotation marks),
and then press ENTER.

2. Type "authoritative restore" (without the quotation marks) and then
press ENTER.

3. Type "restore database" (without the quotation marks), press ENTER,
click OK, and then click Yes.

Restore a Subtree
-----------------


In many cases you may not want to restore the entire database due to the
replication impact this would have on your domain or forest. The following
steps will allow you to authoritatively restore a subtree within a Forest.


1. Restart the domain controller.

2. When the Windows 2000 Startup menu is displayed, select Directory
Services Restore Mode, and then press ENTER.

3. At a command prompt, type "ntdsutil" (without the quotation marks),
and then press ENTER.

4. Type "authoritative restore" (without the quotation marks), and then
press ENTER.

5. Type "restore subtree "ou=<OU Name>,dc=<domain name>,dc=<xxx>""
(without the quotation marks), and then press ENTER, where <OU Name> is
the name of the organizational unit you want to restore, <domain name>
is the domain name the OU resides in, and <xxx> is the top level domain
name of the domain controller, such as com, org, or net.

6. Type "quit" (without the quotation marks), press ENTER, type "quit"
(without the quotation marks), and then press ENTER.

7. Type "exit" (without the quotation marks), and then press ENTER.

8. Restart the domain controller.


REFERENCES
==========

For additional information about restoring the system state to a domain
controller from a previous backup, click the article number below
to view the article in the Microsoft Knowledge Base:

240363 HOW TO: Use the Backup Program to Back Up and
Restore the System State in Windows 2000
http://support.microsoft.com/?id=240363

For additional information about the impact of performing an authoritative
restore, click the article number below
to view the article in the Microsoft Knowledge Base:

216243 Authoritative Restore of Active Directory and
Impact on Trusts and Computer Accounts
http://support.microsoft.com/?id=216243

248132 Recover a Deleted Domain Controller Computer
Account
http://support.microsoft.com/?id=248132

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2000, MCDBA, MCSA
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
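
The list of objects that should not be authoritatively restored, from the reply above, written as a pre-flight check on the DN you intend to pass to "restore subtree". This is an added example, not part of the thread or of any Microsoft tool; the function names, the constructed DC=corp,DC=example domain and the default OU=Domain Controllers location of DC computer accounts are assumptions.

```python
import re

def rdns(dn):
    """Split a DN on unescaped commas; normalise case and spacing per RDN."""
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower()
            for p in re.split(r"(?<!\\),", dn)]

def under(dn, ancestor):
    """True when dn is the ancestor itself or an object beneath it."""
    d, a = rdns(dn), rdns(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def overlaps(target, sensitive):
    """True when restoring target touches sensitive (inside it or containing it)."""
    return under(target, sensitive) or under(sensitive, target)

def check_restore_target(target, domain_dn, forest_root_dn):
    """Return (verdict, reasons); verdict is 'block', 'warn' or 'ok'."""
    config_nc = "CN=Configuration," + forest_root_dn
    system = "CN=System," + domain_dn
    # Assumption: DC computer accounts sit in the default Domain Controllers OU.
    dc_ou = "OU=Domain Controllers," + domain_dn
    near_dc = overlaps(target, dc_ou)
    block, warn = [], []
    if under(target, "CN=Schema," + config_nc):
        block.append("the schema cannot be authoritatively restored")
    elif under(target, config_nc):
        warn.append("configuration naming context: changes affect the whole forest")
    if overlaps(target, "CN=RID Manager$," + system):
        block.append("includes the RID Manager$ object")
    if "cn=rid set" in rdns(target) or near_dc:
        block.append("includes 'Rid Set' subobjects of DC computer accounts")
    if (overlaps(target, "CN=File Replication Service," + system)
            or "cn=ntfrs subscriptions" in rdns(target) or near_dc):
        warn.append("includes FRS objects whose DN links may break")
    if rdns(target) == rdns(domain_dn):
        warn.append("complete naming context: restore a minimal set of objects")
    return ("block" if block else "warn" if warn else "ok"), block + warn

if __name__ == "__main__":
    domain = "DC=corp,DC=example"  # constructed sample domain, also the forest root
    for dn in ("OU=Sales," + domain, "CN=Sites,CN=Configuration," + domain, domain):
        print(dn, "->", check_restore_target(dn, domain, domain))
```
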
 
