How to recover domain when the primary domain controller failes and there are member domain controllers

<!--[if gte mso 9]><xml> Normal 0 false false false MicrosoftInternetExplorer4 </xml><![endif]--><!--[if gte mso 9]><xml> </xml><![endif]--><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> How to recover domain when the primary domain controller failes and there are member domain controllers

Many of us have probably dabbled in setting up our own domain and forest for development purposes. For me - a domain is a must - I have my development environment that is heavily used to model development projects for clents - and I have my family - me, my wife, and 7 children with their own computers.

So, we have a fairly detailed setup on the home front - but the following applies to ANY environment in which your primary domain controller gives up the ghost - and you do not have an image backup of the PDC.

Foremost - clarity: In an Active Directory forest, where you have several domain controllers, but one primary domain controller (PDC) - you may think that you must RESTORE or recover this PDC to salvage the domain. In other words, if the PDC fails - is all lost? Nope, not at all. Unless you do not have backup domain controllers. If you do not - then reading the rest of this is moot - but if you do, then read on.

When you promote additional servers on your domain, and make them member DC's in the same forest, then your domain details are available to you - and you simply need to transfer the Operation Master role to another DC - but before doing that - there are the FSMO's - yea, something hardly anyone knows about: FSMO = Flexible Single Master Operation - something your PDC or master of operations - manages. If a PDC - and Global Catalog for that matter - goes offline, a backup DC will generally pickup and juggle traffic for the PDC. But what happens if the PDC crashes altogether, and you need to basically assign a member backup DC the PDC role?

FSMO must be transferred to a backup DC before that DC can assume the Master of Operations role. This is done at the command-line level, and you must be careful before you make this call - ONLY do this if you are sure you cannot recover the original PDC because once you do this - you cannot laterr recover the PDC and bring it online. It cannot be added back into the forest at all.

So, the FSMO roles and how we transfer these. In a word, you cannot simply transfer the FSMO roles because the PDC is off line and not available to authorize the transfer. However, you 'can' SEIZE the FSMO roles from the original PDC - even with the machine offl line.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

Open a CMD prompt on the backup DC you want to perform this on. At the command-line prompt, type Ntdsutil and press <Enter>.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

At this prompt, type roles and press <Enter>:

ntdsutil: roles
fsmo maintenance:

Now type connections and press <Enter>:

fsmo maintenance: connections
server connections:

Now type connect to servername <serverName> where <serverName> is the name of the backup DC you are working on, and press <Enter>:

server connections: connect to servername hamddc02

Connected to hamdc02 using credentials of locally logged on user.
server connections:

At the server connections prompt type q and press <Enter>:

server connections: q
fsmo maintenance:

Now we are going to SEIZE the FSMO roles we want. NOTE: Out of the 5 FSMO roles, we are NOT going to seize the Infrastructure Master. We do not want to put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest. For now, we'll seize the following:

Seize domain naming master
Seize PDC
Seize RID master
Seize schema master

We do this by typig the line shown above. For example, to seize the domain naming master, type seize domain naming master and press <Enter>

You will receive a Windows dialog prompting to confirm this move - click <Yes> and then you'll see the attempt to safely transfer the FSMO role, a failure message, and then it will seize the role, assigning it to the backup DC you specified when you connected to the server above.

Once you have completed this for the 4 roles, type Quit to exit the utility, then Exit to return to Windows.

From the Start menu, select Run and enter dsa.msc and press <Enter>.

On the domain that is displayed, right click and select Operations Masters. You should now see that this backup domain controller (HAMDC02 in this case) is not the Operations master.

From here you simply re-create the failed domain controller, and promote it - joining it to this existing forest.

Hopefully others will find this useful

• Navigation

  • Knowledge Base Home
  • All Articles
  • Glossary

• Categories

  • Networking (3)
  • News (1)
  • SAP 2007b (1)
  • SAP 8.8 (1)