root forest AD DC crashed


Krishna

I have two domain controllers sitting at two different locations. The first DC/AD
was the forest root server, which crashed. I reinstalled it. Now, how can I make
this the forest root?

Thanks
Kris
 

Yusuf Dikmenoglu

Hi,
I have two domain controllers sitting at two different locations.
The first DC/AD was the forest root server, which crashed. I reinstalled it. Now,
how can I make this the forest root?

After the crash, did you move the FSMO roles for the root domain
to the second DC?
If not, you must now seize the roles onto your rebuilt DC:
http://support.microsoft.com/kb/255504/en-us

But first, clean up your AD of the crashed DC:
http://support.microsoft.com/kb/216498/en-us

In "Sites and Services", enable the DCs as GCs.
 

Jorge de Almeida Pinto [MVP]

do those two DCs belong to the same domain?

if yes.....

seize FSMO roles to the remaining DC
make sure the remaining DC is also a GC
make sure the remaining DC also hosts DNS
make sure to cleanup the AD metadata of the crashed DC

OR restore a backup of the crashed DC which was created before the crash

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
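Added example, not part of the thread: the "same domain" recovery path from the answer above (seize the FSMO roles onto the surviving DC, make it a GC, confirm DNS, clean up the crashed DC's metadata, verify) as a script run on the surviving DC. Assumed names are the surviving DC `DC2`, the crashed DC `DC1` in site `SiteA`, and the domain `company.local`; the cmdlets need the ActiveDirectory and DnsServer modules (Server 2008 R2 / 2012 and later), and the Server 2003 ntdsutil equivalents are given in comments. One caveat the answer implies: a seizure is only safe because the old role holder is gone for good, so the rebuilt box must never come back online with its old AD database; it is promoted into the existing domain afterwards as a second DC.

```powershell
# Added example (not from the thread). Recover a domain whose only FSMO
# holder died, on the surviving DC. Assumed names: surviving DC = DC2,
# crashed DC = DC1 in site SiteA, domain company.local.
Import-Module ActiveDirectory, DnsServer

$Survivor = 'DC2'
$DeadDC   = 'DC1'
$DeadSite = 'SiteA'
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$ZoneName = (Get-ADDomain).DNSRoot

# 1. Seize (not transfer) all five roles. -Force is what turns a transfer
#    into a seizure; it is acceptable only because DC1 will never return.
#    Server 2003 equivalent:
#      ntdsutil roles connections "connect to server DC2" q "seize schema master"
#        "seize domain naming master" "seize PDC" "seize RID master"
#        "seize infrastructure master" q q
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Metadata cleanup of the crashed DC (NTDS Settings, server object, FRS/DFSR
#    membership, computer account). The "remove selected server <DN>" one-liner
#    works on 2003 SP1 and later, so it serves both generations.
$deadServerDN = "CN=$DeadDC,CN=Servers,CN=$DeadSite,CN=Sites,$ConfigNC"
& ntdsutil "metadata cleanup" "remove selected server $deadServerDN" q q

# 3. Make the survivor a global catalog (bit 0x1 of 'options' on its
#    NTDS Settings object) and check that the DNS Server service is up.
$ntds = (Get-ADDomainController -Identity $Survivor).NTDSSettingsObjectDN
Set-ADObject -Identity $ntds -Replace @{ options = 1 }
if ((Get-Service -Name DNS -ErrorAction SilentlyContinue).Status -ne 'Running') {
    Write-Warning "DNS is not running on $Survivor; install and start it before clients log on."
}

# 4. Metadata cleanup does not remove DNS records. List every record in the
#    zone (A, CNAME, NS, SRV ...) whose data still names the dead DC, so they
#    can be deleted by hand; leaving them makes clients try a host that is gone.
$stale = Get-DnsServerResourceRecord -ZoneName $ZoneName | Where-Object {
    ($_.RecordData.PSObject.Properties | ForEach-Object Value) -match "(?i)^$DeadDC\b"
}
$stale | Format-Table HostName, RecordType, RecordData -AutoSize

# 5. Verify: all roles on the survivor, the survivor knows it, and no
#    replication links to DC1 are left over.
netdom query fsmo
dcdiag /test:knowsofroleholders /v
repadmin /showrepl
```

Run the verification lines before promoting the rebuilt server; `dcdiag /test:knowsofroleholders` failing or `repadmin /showrepl` still listing DC1 means the metadata cleanup did not complete.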
 

Krishna

* No, I haven't moved the FSMO roles to the second DC.
* The hard drive failed, so I had to start from scratch. I rebuilt it as the forest
root.

For seizing the FSMO roles, should I initiate it from the rebuilt server?
Unlike my other AD/DC, which shows an automatically generated name under Sites
and Services > NTDS Settings, this one shows nothing. It doesn't even list my
other server.
 

Jorge de Almeida Pinto [MVP]

so, let me summarize this....

you have 2 domains...
each domain has only 1 DC?
the DC in the forest root domain died?
you have no backup for the DC in the forest root domain that died?

if ALL = yes.... then your forest died as you cannot rebuild the forest root
domain from scratch and just "attach" the other domain to it

only option = rebuild full forest

create a new forest and migrate everything from the remaining DC to the new
forest

TIP: always have at least 2 DCs per domain, and always back up at least 2 DCs
from each domain if you have more than 2 DCs in each domain

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 

Krishna

Jorge, yes, all of that was correct.
Since our shop is more of a Novell shop, we don't have many DCs.

A new forest was created when I rebuilt my first DC/forest root server.
Please explain what tools to use for the migration from my second domain and
what options to choose.

Thanks
 

Krishna

My second domain/DC was also in a forest of its own, and my first domain/DC
was the forest root, though. I hope I'm making sense here.
Even though I have used the same naming convention, the second domain cannot see
the forest root, right? Why? (Because of a unique identifier?)
 

Jorge de Almeida Pinto [MVP]

although you gave it the same name, you cannot attach the child domain to
it.... it is another forest root domain.

the way to migrate would be to use ADMT...

Migration high level steps are:
* Make sure the AD has been configured (sites, subnets, replication, OUs,
GPOs, delegations, DNS, WINS, DHCP, etc.)
* Setup name resolution (WINS or DNS) between source and target
domain/forest
* Setup trusts (if an external trust is configured and sidhistory is used,
disable sid filtering)
* Install and configure migration tooling
* Migrate groups, user accounts with passwords and group memberships (with
sidhistory)
* Migrate clients from the source domain to the target domain, translate
security on the client, and translate profiles (at this moment users start
logging on with their new AD account on the migrated clients that have been
migrated previously to the w2k3 domain)
* Migrate mailboxes if needed
* Migrate servers to the new domain or migrate data to new servers
* Translate security (Re-ACL) of the data/resources from source security
principals to target security principals (replace the security descriptors
from the old domain with the security descriptors from the new domain )
* Cleanup temporary configurations
* Cleanup sIDHistory (recommended!). sIDHistory is used to access resources
while those resources still have security descriptors from the old domain.
As soon as all data (files, folders, mailboxes, etc.) have been re-ACL-ed,
sIDHistory can be cleaned. sIDHistory should only be used temporarily for
migration purposes!
* Remove trusts
* Decommission old domain(s)

a suggestion from me would be:
Don't have two domains in the forest with only one DC for each domain; instead,
have 1 domain with 2 DCs, if that is OK for you

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
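Added example, not part of the thread: the steps around an ADMT migration that the list above describes (name resolution, trust, SID filtering off while sIDHistory is in use, re-ACL check, sIDHistory cleanup, SID filtering back on, trust removal) as a script run on a DC of the new domain. The ADMT object migrations themselves happen in the ADMT console and are not reproduced. Assumed names: target domain `company.local`, source (orphaned) domain `old.local` with NetBIOS name `OLD` and DC `10.0.2.10`, and a file share `\\fs1\data` to audit. The caveat worth spelling out: with quarantine (SID filtering) off, whoever controls the source domain can present arbitrary SIDs in sIDHistory, including privileged SIDs of the target domain, so that window should be as short as the migration allows.

```powershell
# Added example (not from the thread). Trust / SID-filtering / sIDHistory
# housekeeping around an ADMT migration. Assumed: target company.local,
# source old.local (NetBIOS OLD, DC 10.0.2.10), share \\fs1\data.
Import-Module ActiveDirectory

$Target   = 'company.local'
$Source   = 'old.local'
$SourceNB = 'OLD'
$SourceDC = '10.0.2.10'
$SrcAdmin = Get-Credential -Message "Domain Admin in $Source"
# netdom takes the password on the command line; on a shared host use
# /passwordD:* instead so it prompts and nothing lands in the process list.
$SrcPass  = $SrcAdmin.GetNetworkCredential().Password

# 1. Name resolution: the target forest must resolve the source domain.
Add-DnsServerConditionalForwarderZone -Name $Source -MasterServers $SourceDC -ReplicationScope Forest

# 2. Two-way external trust, then SID filtering (quarantine) off so that
#    sIDHistory values from OLD are honoured on COMPANY resources.
netdom trust $Target /domain:$Source /add /twoway /userD:$($SrcAdmin.UserName) /passwordD:$SrcPass
netdom trust $Target /domain:$Source /quarantine:No /userD:$($SrcAdmin.UserName) /passwordD:$SrcPass

# ... ADMT: migrate groups, users (with passwords and sIDHistory), then
#     clients, servers and security translation ...

# 3. Before clearing sIDHistory, prove nothing still depends on it: list
#    ACEs on the share that still name OLD principals or unresolvable SIDs.
function Find-SourceDomainAces {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access |
            Where-Object { $_.IdentityReference.Value -like "$SourceNB\*" -or
                           $_.IdentityReference.Value -like 'S-1-5-21-*' } |
            ForEach-Object {
                [pscustomobject]@{ Path = $item.FullName
                                   Identity = $_.IdentityReference.Value
                                   Rights = $_.FileSystemRights }
            }
    }
}
$leftover = Find-SourceDomainAces -Path '\\fs1\data'
if ($leftover) {
    $leftover | Format-Table -AutoSize
    throw 'Re-ACL these resources (ADMT security translation) before clearing sIDHistory.'
}

# 4. Clear sIDHistory on every migrated object, restore SID filtering,
#    and remove the trust.
Get-ADObject -Filter 'sIDHistory -like "*"' -Properties sIDHistory | ForEach-Object {
    Set-ADObject -Identity $_ -Remove @{ sIDHistory = $_.sIDHistory.Value }
}
netdom trust $Target /domain:$Source /quarantine:Yes /userD:$($SrcAdmin.UserName) /passwordD:$SrcPass
netdom trust $Target /domain:$Source /remove /userD:$($SrcAdmin.UserName) /passwordD:$SrcPass
```

The audit in step 3 is deliberately a hard stop: once sIDHistory is gone and the trust is removed, any ACE that still referenced an OLD SID becomes an orphaned SID and the users it was meant for silently lose access.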
 

Krishna

Jorge,
Let me ask you this then,
How do I set up (best configuration) two servers doing DNS and DHCP at two
different locations, i.e., the siteA server will do DNS/DHCP for siteA and the
same setup for siteB? Also, having WINS, would it help XP users to view
either site's computer names in Explorer (or how do I achieve that)?

domain.com (siteA server?)
sitea.domain.com (siteA server?)
siteb.domain.com (siteB server?)

The sole purpose of these servers is DNS/DHCP/WINS only.
 

Jorge de Almeida Pinto [MVP]

what you want is not that difficult to achieve and by far not needed to
have two domains.
Remember that an AD domain can span multiple sites and it is not a rule to
create a domain for each site...

As I understand it you want to achieve the following:
* DNS/WINS/DHCP services at both locations

To make things more clear let's invent some names....
Location A -> physical location A
Location B -> physical location B
Site A -> AD site for location A
Site B -> AD site for location B
DC1 -> domain controller 1 (with DNS, WINS, DHCP)
DC2 -> domain controller 2 (with DNS, WINS, DHCP)

REMARK: these names are just for this message so that things are more clear.

For location A install a fresh W2K3 server with SP1. In this case its name
will be DC1
Also install DNS, WINS and DHCP
Give DC1 its own IP address
As preferred DNS for DC1 enter the IP of DC1
As alternate DNS for DC1 enter the IP of DC2
As WINS server enter the IP of DC1

For location B install a fresh W2K3 server with SP1. In this case its name
will be DC2
Also install DNS, WINS and DHCP
Give DC2 its own IP address
As preferred DNS for DC2 enter the IP of DC2
As alternate DNS for DC2 enter the IP of DC1
As WINS server enter the IP of DC2

Promote DC1 from a stand-alone server to a DC and have it configure DNS for
you during DCPROMO.
Create a new AD forest and a new AD domain
For the DNS name of the AD domain you could choose something like
COMPANY.LOCAL (or something similar)
For the NetBIOS name of the AD domain you could choose something like
COMPANY (it is best if this is the same as the leftmost part of the DNS name
of the AD domain)
Make the DC also a GC (afterwards)
For AD configure the following stuff:
Create a site for location A --> e.g. Site A (or rename the default one)
Create a site for location B --> e.g. Site B
Site A and Site B should be linked by the Default IP Site link (you can
rename as you wish or you can leave it as is)
Create AD subnet definitions for subnets within location A and assign those
to Site A
Create AD subnet definitions for subnets within location B and assign those
to Site B
DC1 should be in Site A

Promote DC2 from a stand-alone server to a DC and have it configure DNS for
you during DCPROMO.
Use an EXISTING forest and an EXISTING domain!!!
Make the DC also a GC (afterwards)
DC2 should be in Site B

For DNS you are ready to go

For WINS:
* On DC1 configure DC2 as a push/pull replication partner
* On DC2 configure DC1 as a push/pull replication partner

For DHCP:
* On DC1 configure the necessary DHCP scopes for location A to distribute
IPs and DHCP options like DNS Name (e.g. COMPANY.LOCAL), like Default
Gateway, like DNS servers (1st= IP DC1 and 2nd = IP DC2), like WINS servers
(1st= IP DC1 and 2nd = IP DC2)
* On DC2 configure the necessary DHCP scopes for location B to distribute
IPs and DHCP options like DNS Name (e.g. COMPANY.LOCAL), like Default
Gateway, like DNS servers (1st= IP DC2 and 2nd = IP DC1), like WINS servers
(1st= IP DC2 and 2nd = IP DC1)
* Create a user account in AD for DHCP, just a simple user account, nothing
special. Configure DHCP to use that account for the registrations in DNS
when using DDNS

Perform additional configuration as necessary!

To prevent having to rebuild this again in the future, fully back up both servers
using a supported backup mechanism and tool! (No images!!!) If a third-party
backup and restore tool is expensive, just use NTBACKUP to back up to tape or
to file. If you back up to file, make sure the backups are also stored on
ANOTHER server!

From the orphaned domain, migrate everything needed (users, groups,
computers, etc.) to the new domain

This should help you on your way. Good luck!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
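Added example, not part of the thread: the two-site layout above (sites, subnets, site link, DNS client order, WINS partners, DHCP scopes and options, a plain DHCP registration account, system-state backup to another server) as a script for Server 2012 or later, where the same settings the answer makes in the Sites and Services, DHCP and WINS consoles are available as cmdlets. Everything concrete is assumed: domain `company.local` (NetBIOS `COMPANY`), DC1 `10.0.1.10` serving `10.0.1.0/24` with gateway `10.0.1.1` in Site A, DC2 `10.0.2.10` serving `10.0.2.0/24` with gateway `10.0.2.1` in Site B, the account `COMPANY\svc-dhcp`, and the backup share `\\backup1\dc`. The first section runs once on DC1 after DCPROMO; the second runs on each DC with the local/peer values swapped.

```powershell
# Added example (not from the thread). Assumed: domain company.local, DC1 =
# 10.0.1.10 (SiteA, 10.0.1.0/24, gw 10.0.1.1), DC2 = 10.0.2.10 (SiteB,
# 10.0.2.0/24, gw 10.0.2.1), account COMPANY\svc-dhcp, share \\backup1\dc.
Import-Module ActiveDirectory, DhcpServer

$Domain = 'company.local'
$DC1 = '10.0.1.10'; $DC2 = '10.0.2.10'

# --- Once, on DC1, after it was promoted as the first DC of the new forest ---
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$ConfigNC" -NewName 'SiteA'
New-ADReplicationSite -Name 'SiteB'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'SiteB' }
New-ADReplicationSubnet -Name '10.0.1.0/24' -Site 'SiteA'
New-ADReplicationSubnet -Name '10.0.2.0/24' -Site 'SiteB'

# A plain user, no group memberships, for DHCP's dynamic DNS registrations.
# If a DC registers client records under its own identity it owns them, and
# the records cannot later be updated by the client or another DHCP server.
New-ADUser -Name 'svc-dhcp' -SamAccountName 'svc-dhcp' -Enabled $true `
    -PasswordNeverExpires $true -AccountPassword (Read-Host 'svc-dhcp password' -AsSecureString)

# --- On each DC; shown for DC1, swap $Me/$Peer/$Site/$Subnet/$Gateway on DC2 ---
$Me = $DC1; $Peer = $DC2; $Site = 'SiteA'; $Subnet = '10.0.1.0'; $Gateway = '10.0.1.1'
$RangeStart = '10.0.1.100'; $RangeEnd = '10.0.1.200'

Install-WindowsFeature DNS, DHCP, WINS -IncludeManagementTools

# Preferred DNS = itself, alternate = the peer; the same order for WINS.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $Me, $Peer
Set-DnsClient -InterfaceAlias 'Ethernet' -ConnectionSpecificSuffix $Domain
netsh interface ipv4 set winsservers name="Ethernet" source=static address=$Me
netsh interface ipv4 add winsservers name="Ethernet" address=$Peer index=2

# Place this DC in its site (matters for DC2, which must land in SiteB).
Move-ADDirectoryServer -Identity $env:COMPUTERNAME -Site $Site

# DHCP: one scope for the local subnet; options hand out local-then-peer
# for DNS and WINS, the DNS suffix and the default gateway.
Add-DhcpServerv4Scope -Name $Site -StartRange $RangeStart -EndRange $RangeEnd `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId $Subnet -DnsDomain $Domain -DnsServer $Me, $Peer `
    -Router $Gateway -WinsServer $Me, $Peer
Set-DhcpServerDnsCredential -Credential (Get-Credential 'COMPANY\svc-dhcp')
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$Domain" -IPAddress $Me

# WINS: push/pull (type=2) replication with the peer.
netsh wins server \\$Me add partner server=$Peer type=2

# System-state backup to another machine (a supported restore path for AD,
# unlike a disk image). A share holds only the latest copy, so rotate it.
wbadmin start backup -allCritical -systemState -backupTarget:\\backup1\dc -quiet
```

After both DCs are done, `repadmin /replsummary` and `nltest /dsgetsite` on a client in each subnet confirm that replication runs over the site link and that clients are being matched to the right site by their subnet.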
 
