
Active Directory recovery story

Posted by shroman

Preface

Every good administrator has a recovery plan. Every good Windows AD administrator has a valid backup of the Active Directory database (a backup made no longer ago than your AD tombstone lifetime; the default is 60 days, or 180 days for a forest created on Windows Server 2003 SP1, unless you have set a custom value) and an ASR disk fresh enough to recover the system.

From the Microsoft documentation, to determine the tombstone lifetime for the forest:

1. On the Start menu, click Run, type adsiedit.msc, and then click OK.

2. In the console tree, double-click Configuration [DomainControllerName], CN=Configuration,DC=[ForestRootDomain], CN=Services, and CN=Windows NT.

3. Right-click CN=Directory Service, and then click Properties.

4. In the Attribute column, click tombstoneLifetime.

5. Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

Why would you need such a thing at all? AD is a redundant structure with no single point of failure (here we are considering an AD with at least two DCs). But is that true? To answer that question you need to understand how AD works. Let's look at the origin of AD: before AD we had a PDC (Primary Domain Controller) and a BDC (Backup Domain Controller) for redundancy. In those days, if the PDC failed we had to promote the BDC to serve all requests, and that was it. Now that we can have any number of DCs (Domain Controllers), we should not worry about a DC crashing as long as at least one domain controller is alive and able to replicate its copy of AD to a new, shiny server.
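The adsiedit steps above can be done from a script, which also lets you compare the result against the age of your last system state backup before you find out the hard way that it is too old. The following is an added example and not code from the original post: it reads the tombstoneLifetime attribute from the Directory Service object in the Configuration partition, falls back to the documented defaults when the attribute is not set, and reports whether a backup taken on a given date is still restorable. It assumes the RSAT ActiveDirectory module and, optionally, the Windows Server Backup module for Get-WBSummary; the 45-day-old backup date used when that module is absent is a constructed sample value.

```powershell
# Added example (not from the original post): check the forest tombstone
# lifetime and whether the latest AD backup is still younger than it.
# Assumes the RSAT ActiveDirectory module and read access to the
# Configuration partition.
Import-Module ActiveDirectory

function Get-ForestTombstoneLifetime {
    # Same object the adsiedit steps open:
    # CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

    if ($null -ne $ds.tombstoneLifetime) {
        return [pscustomobject]@{ Days = [int]$ds.tombstoneLifetime; Source = 'attribute' }
    }
    # Attribute <not set>: the default depends on the OS the forest was created on
    # (60 days for Windows 2000 / 2003, 180 days for 2003 SP1 and later). The
    # attribute alone cannot tell which applies, so plan around the shorter value.
    return [pscustomobject]@{ Days = 60; Source = 'default (60 assumed; may be 180)' }
}

function Test-AdBackupAge {
    param(
        [Parameter(Mandatory)][datetime]$LastBackup,
        [int]$TombstoneLifetimeDays = (Get-ForestTombstoneLifetime).Days,
        # Leave headroom: a backup restored on the last day of its life gives
        # no time to sort out replication problems afterwards.
        [int]$SafetyMarginDays = 7
    )
    $ageDays = ((Get-Date) - $LastBackup).TotalDays
    $status = if ($ageDays -ge $TombstoneLifetimeDays) {
        'EXPIRED: older than the tombstone lifetime, cannot be used for restore'
    } elseif ($ageDays -ge ($TombstoneLifetimeDays - $SafetyMarginDays)) {
        'WARNING: expires within the safety margin'
    } else {
        'OK'
    }
    [pscustomobject]@{
        LastBackup        = $LastBackup
        AgeDays           = [math]::Round($ageDays, 1)
        TombstoneLifetime = $TombstoneLifetimeDays
        Usable            = $ageDays -lt $TombstoneLifetimeDays
        Status            = $status
    }
}

# Usage: take the last successful Windows Server Backup time when that module
# is present; otherwise use a constructed sample date to exercise the logic.
$last = if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
    (Get-WBSummary).LastSuccessfulBackupTime
} else {
    (Get-Date).AddDays(-45)   # constructed sample value
}
Test-AdBackupAge -LastBackup $last | Format-List
```

Run it from a scheduled task on a management host and alert on anything other than OK; the point of the check is that a backup older than the tombstone lifetime is useless for exactly the scenario this story describes.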

In reality all the roles familiar from the world of NT servers are still there: there is a PDC emulator and several other roles required for AD to function. These roles are called FSMO (Flexible Single Master Operation) roles:

• Schema master

• Domain naming master

• RID master

• PDC emulator

• Infrastructure master

So what happens if the server holding an FSMO role fails? The answer is: NOTHING. Here we really do have redundancy, and there are no difficulties in transferring FSMO roles between DCs. From the Microsoft documentation:

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

• Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

• Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

• Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

• Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

• PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

Active Directory Schema snap-in

Active Directory Domains and Trusts snap-in

Active Directory Users and Computers snap-in

If you cannot transfer a role the normal way, you can always seize it. Again from Microsoft:

If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.

See the existing Microsoft article on transferring and seizing FSMO roles for the full procedure.

Looks like there are no problems! Nope, we have forgotten one major component of AD: the GC (Global Catalog). This is a dedicated DC that stores read-only copies of all the forest's AD partitions. So what is important about the GC? The answer is that it is the most important component of the Windows Server environment: every DC in the directory needs access to a GC server to perform any structural change to AD, including adding users and GPOs. And that is the problem... what do you do if your structure has only one single GC server available? That is our single point of failure. So the obvious decision is to create an additional GC for redundancy, and that is a good idea.

But there are some minor things you should know about creating a second (and every subsequent) GC server. Setting a tick in the "Active Directory Sites and Services" MMC applet is not enough to create a GC. The global catalog will only be enabled after all the existing forest partitions have replicated to the newly created GC. That can take time, and so the time passes and you are living with one GC.
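Both of the above points, the FSMO role holders and the GC that is ticked but not yet advertising, can be checked in a few lines rather than by clicking through snap-ins. The script below is an added example and not code from the original post. It lists the five role holders and asks each one's rootDSE directly (an unreachable holder is the case where the role would have to be seized), then lists every DC with the global catalog tick set and reads the rootDSE attribute isGlobalCatalogReady, which only becomes TRUE once the DC has finished replicating all partitions and advertises as a GC. It assumes the RSAT ActiveDirectory module and LDAP access to each DC from the machine running it.

```powershell
# Added example (not from the original post): enumerate FSMO role holders and
# global catalog servers, and flag the single-GC situation described above.
# Assumes the RSAT ActiveDirectory module and LDAP access to every DC.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoHolders {
    $roles = Get-FsmoRoleHolders
    foreach ($role in $roles.Keys) {
        $dc = $roles[$role]
        # Query the holder's own rootDSE. If it does not answer, the role cannot be
        # transferred and would have to be seized onto another DC.
        $reachable = try { $null -ne (Get-ADRootDSE -Server $dc -ErrorAction Stop) } catch { $false }
        [pscustomobject]@{ Role = $role; Holder = $dc; Reachable = $reachable }
    }
}

function Test-GlobalCatalogRedundancy {
    # IsGlobalCatalog is the tick in Sites and Services. isGlobalCatalogReady on the
    # DC's rootDSE only turns TRUE after all partitions have replicated in and the
    # DC actually advertises as a GC, which is the gap the text warns about.
    $gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }
    $result = foreach ($gc in $gcs) {
        $ready = try {
            $raw = (Get-ADRootDSE -Server $gc.HostName -Properties isGlobalCatalogReady -ErrorAction Stop).isGlobalCatalogReady
            # rootDSE attributes come back as strings; compare text, not [bool]"FALSE".
            "$raw".ToUpper() -eq 'TRUE'
        } catch { $false }
        [pscustomobject]@{ HostName = $gc.HostName; Site = $gc.Site; Ticked = $true; Advertising = $ready }
    }
    $advertising = @($result | Where-Object Advertising).Count
    if ($advertising -lt 2) {
        Write-Warning "Only $advertising global catalog(s) advertising: the GC is a single point of failure."
    }
    $result
}

Test-FsmoHolders           | Format-Table -AutoSize
Test-GlobalCatalogRedundancy | Format-Table -AutoSize
```

A DC that shows Ticked but not Advertising is exactly the "living with one GC" state: the tick is set, but the forest partitions have not finished replicating to it yet. When a role holder shows Reachable = False and is really gone, the PowerShell equivalent of the ntdsutil seize mentioned above is Move-ADDirectoryServerOperationMasterRole with the -Force switch; without -Force the cmdlet performs a normal transfer and requires the current holder to be online.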

How the horrible things happen ….

The introduction is over, troubles are here.

The server that was the only GC failed: one member drive of the RAID5 system volume failed and multiple bad stripes occurred. Nothing was left of the system volume, and the latest AD backup was beyond the tombstone lifetime. You might say: so what? Well, the problem is that no one is able to log on. The Enterprise Admin is unable to log on to any of the domain controllers; only local domain administrator accounts are valid. At this point you are faced with a server with no chance of logging on. The last chance is to use ADRM (Active Directory Restore Mode); hopefully you remember the password, but what to do next, how to log on???
