If you are one of the many businesses that have
Windows Server 2008, then you may have had the
unexpected pleasure of having a Domain Controller fail
on you. Now if you do not know what the domain
controller is then you are in for a treat. The domain
controller is only the most important computer within
your Windows Server 2008 domain. But, on the other hand,
you may have had a technician install this beast of a
computer. I put this lightly. The domain controller is a
powerful server, but it does not have to be put on a very
powerful box. What you do need to do is make sure that
it is redundant. So, what should we do if the domain
controller does go down and we have another domain
controller? Well, first, I want to tip my hat to you.
Not many companies know the importance of having more
than one domain controller in their environment. Let's
digress a little. Why do you want to have multiple
domain controllers? See, the domain controller does
several different things. It has roles such as the
Schema master, Domain Naming Master, RID Master,
Infrastructure Master and PDC Emulator. These control
the overall environment. Let's go over some definitions.
Don't go to sleep on me. We will be getting to the good
stuff soon enough.
Schema Master
Now you are asking, what is a schema? The schema
is just a database. If you have used Excel or Access in
the past then you have been exposed to a database. The
schema is a database. Now the schema is composed of
Classes which are the Tables and Attributes which are
the fields. So, the Schema Master controls the updates
to the schema. So, you can say that this is a relatively
important server. It only controls every entry that we
make into the Active Directory Domain Service utility
called ADUC which is short for Active Directory Users
and Computers. This role is located on the first domain
controller that is added to the Forest by default. There
is only one Schema Master per Forest. When you update
the schema which is known as extending the schema, you
need to be in the same Forest as this domain controller.
Domain Naming Master
So, what is the definition of a domain? A domain
is a logical grouping of computers where the domain
controller is the central repository for accounts,
security and policies. The Domain Naming Master is in
charge of keeping track of the adding and deletion of
more domains within the environment. This role is
located on the first domain controller that is added to
the Forest by default. There is only one Domain Naming
Master in the Forest.
PDC Emulator
Remember the old Operating System known as Windows
NT 4.0. It was the predecessor to Windows Server 2008.
Well, in the old days, which is really only a little over
10 years ago, the main domain controller was known as the
Primary Domain Controller. So, that is where this role
comes into play. It takes the place of the Primary
Domain Controller. The main service that it controls is
time. If this puppy is not functioning right then your
whole environment will suffer. This role is located on
the first domain controller that is added to the Forest
by default. Now unlike the other roles, the PDC Emulator
is located in every domain in the Forest. But, there is
only one per domain. This is one of the most important
servers in the Domain.
RID Master
The unique identifier for a database is known as
the primary key. Well the primary key that provides
uniqueness within Active Directory Domain Services is
the SID which is known as the Security ID. The RID
Master controls the RID Pool for the domain. The RID is
the Relative Identifier. When we run out of RIDs then we
will not be able to add additional security principals
such as accounts. Here is a tip: do not recover this
server. If you bring this server on at the same time as
another RID server then you will have a majorly messed
up domain. This role is located in every domain in the
forest but only one per domain.
Infrastructure Master
This is an odd animal. The main purpose of the
Infrastructure Master is tracking movement within the
domain. This needs some clarification. We are not
talking about Big Brother. Well, maybe. The
Infrastructure Master tracks the moving of an object
(account) from one OU (Organizational Unit) to another
or domain. Now the reason I call this an odd animal is
because it should not be on the same server as the
Global Catalog. Ok, I know we are about to go over the
threshold limit of the human mind. But, the Global
Catalog has a copy of every attribute in the Forest.
This will be covered in another article. Back to the
Infrastructure Master: this role is also located in
every domain and there is only one per domain.
Whew, I know that is a lot to remember. But this
is important. See, remember our problem... The domain
is down. If you only have one domain controller, it
contains all of these roles. HELLO, can you see where we
are going with this? Make sure you have more than one
domain controller per domain. Ok, here is another topic.
Replication. No, this is not cloning, but it is similar.
The domain controllers in the Forest replicate their
information to each other. This introduces another term:
multi-master replication. This just means that they have
the same settings as the other guys. Anyway, we come
into work and find that the #1 domain controller has bit
the dust. Don't panic we can fix this. Take a coffee
break and realign your thought process.
To the Rescue
So, we have a pretty bad situation. Users cannot
logon; email server is down, yada yada yada. So, here is
the good stuff. How do we get our domain back up and
functioning? Call me of course. Just kidding. This
article is here to instruct you on how to recover from
this disaster. Before we can do this we need to use one
of two tools: ADUC (Active Directory Users and Computers)
or ntdsutil. Of the two tools, ntdsutil will allow us to
do everything that we need to do. Ok, are you ready.....
Recovering From Disaster
Step 1. Go to the second domain controller (we will
call this Jupiter). Log on with administrative
credentials
Step 2. Bring up the command prompt. Type cmd at
the run command prompt or access it from the Accessories
menu under Programs on the menu
Step 3. Type ntdsutil at the command prompt and
press Enter
Step 4. Type roles at the ntdsutil prompt and
press Enter
Step 5. Type connections at the roles prompt and
press Enter
Step 6. Type connect to server Jupiter at the
connections prompt and press Enter. You will be
presented with a message saying you are connected and
using current credentials
Step 7. Type quit at the connections prompt and
press Enter. This will return you to the roles section
Step 8. Type seize Schema Master at the roles
prompt and press Enter. This will take over the Schema
Master role and give it to Jupiter.
Step 9. Type seize Naming Master at the roles
prompt and press Enter. This will take over the Domain
Naming Master role and give it to Jupiter
Step 10. Type seize PDC at the roles prompt and
press Enter. This will take over the PDC Emulator and
give it to Jupiter
Step 11. Type seize RID master at the roles prompt
and press Enter. This will take over the RID Master and
give it to Jupiter
Step 12. Type seize infrastructure master at the
roles prompt and press Enter
Right now you are probably saying that is a lot of
steps. We are done with the first part. WHAT, there
is more? Hold on, don't get antsy, this will only take
about 5 hours. Just kidding. This whole process
will take about 10-20 minutes. You will be the savior of
the network. All righty then, on to the next part. By
the way, the steps that are shown can be re-ordered when
it comes to seizing. The commands are not case sensitive
either.
Cleanup Time
Now in the beginning of the article, I pointed out
each of the different roles and their purpose. Well we
forcibly took over the roles. The other domain
controller is still offline but still theoretically has
those roles. If we were to bring that domain controller
up again there would be major confusion. Also, Active
Directory Domain Services does not know whom to replicate
changes to. The KCC (Knowledge Consistency Checker) is
looking for the partner. The partner is no longer
available. We need to clean up this mess, and quickly.
Step 13. Type quit at the roles prompt and press
Enter. This will take us back to the beginning.
Step 14. Type metadata cleanup at the ntdsutil
prompt and press Enter. This routine will get rid of the
SRV records lingering in DNS and also the records of the
other domain controller in the Active Directory Domain
Services database.
Step 15. Type select operation target at the
metadata cleanup prompt and press Enter. We need to
identify the downed domain controller.
Step 16. Type list sites at the select operation
target prompt and press Enter. This will list the sites
within the Forest
Step 17. Type the # associated with the Site which
the downed domain controller is part of and press Enter.
This will select the site which has the records for the
downed domain controller
Step 18. Type list servers in the site at the
select operation target prompt and press Enter. This
will list the domain controllers that are in the Site
Step 19. Type the # associated with the downed
domain controller and press Enter. This will select
the downed domain controller
Step 20. Type quit at the select operation target
and press Enter. This will take you back to the Metadata
Cleanup section
Step 21. Type remove selected server at the
metadata cleanup prompt and press Enter. This will
remove the records within Active Directory Domain
Services
Step 22. Type quit at the metadata cleanup prompt
and press Enter. Takes you back to the beginning of
ntdsutil
Step 23. Type quit at the ntdsutil prompt and
press Enter. Quits the ntdsutil utility
Step 24. Check ADUC, DNS etc. Ensure that you can
open ADUC. You may have to change focus of the domain
controller.
Step 25. Take the old domain controller offline,
reinstall Windows Server 2008 and dcpromo it
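Once the seizing (Steps 8-12) and the metadata cleanup (Steps 13-25) are done, it is worth confirming that the directory actually agrees with what you typed. The script below is an added example and is not from the original article or from Microsoft; it uses only the .NET System.DirectoryServices classes that PowerShell 2.0 on Windows Server 2008 already has, so no ActiveDirectory module is needed. It assumes the surviving domain controller is Jupiter and uses the placeholder name OLDDC for the failed one; run it on Jupiter.

```powershell
# Post-recovery check (added example, not the article's own steps).
# Assumptions: Jupiter seized the roles, OLDDC is a placeholder for the dead DC.
param(
    [string]$NewHolder = 'Jupiter',   # DC that seized the five roles
    [string]$DeadDc    = 'OLDDC'      # placeholder name of the failed DC
)

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# 1. Every FSMO role should now report the seizing DC as its owner
#    (the two forest-wide roles come from Forest, the three domain roles from Domain).
$roles = @{
    'Schema Master'         = $forest.SchemaRoleOwner.Name
    'Domain Naming Master'  = $forest.NamingRoleOwner.Name
    'PDC Emulator'          = $domain.PdcRoleOwner.Name
    'RID Master'            = $domain.RidRoleOwner.Name
    'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
}
foreach ($r in $roles.Keys) {
    $ok = ($roles[$r] -eq $NewHolder) -or ($roles[$r] -like "$NewHolder.*")
    "{0,-22} {1,-30} {2}" -f $r, $roles[$r], $(if ($ok) { 'OK' } else { 'CHECK' })
}

# 2. The article warns against holding the Infrastructure Master on a Global Catalog.
$im = $domain.InfrastructureRoleOwner
if ($im.IsGlobalCatalog()) { "WARNING: $($im.Name) holds Infrastructure Master and is a GC" }

# 3. After metadata cleanup the dead DC's server object must be gone from the
#    configuration partition (under CN=Sites) ...
$cfg    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$search = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Sites,$cfg", "(&(objectClass=server)(cn=$DeadDc))")
if ($search.FindOne()) { "CHECK: server object for $DeadDc still present under CN=Sites,$cfg" }
else                   { "OK: no server object for $DeadDc in the configuration partition" }

# 4. ... from the list of domain controllers ...
$still = $domain.FindAllDomainControllers() | Where-Object { $_.Name -like "$DeadDc.*" }
if ($still) { "CHECK: $DeadDc is still listed as a domain controller" }
else        { "OK: $DeadDc no longer listed as a domain controller" }

# 5. ... and from the SRV records clients use to locate a DC (Step 14 should have removed them).
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.Name)" 2>$null
if ($srv -match $DeadDc) { "CHECK: stale SRV record for $DeadDc still in DNS" }
else                     { "OK: no SRV record for $DeadDc" }
```

Any line marked CHECK means either the seizure did not land on Jupiter or metadata cleanup left something behind, which is exactly the "major confusion" the Cleanup Time section describes if the old box ever comes back on the wire.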
Wow, what an ordeal. Just think if you did not
have another domain controller within your Forest. Do
yourself a favor and make sure you have more than one
domain controller in your environment. There is a lot
more that we can teach you. But, we will leave that for
another article. Right now, go get that cup of coffee,
high five your staff and relax. Your domain is back up
and running. Now go change some passwords and play Halo
at your desk. Oops, did I say that? See you later.
Michael W. Krout, MCSE, MCTS, MCITP, MCT is CEO
and Founder of Idea Dudes LLC. He has been a Microsoft
certified professional since 1999 and a trainer for over
22 years. He has authored videos and courses for
Microsoft and other companies.
Article Source:
http://EzineArticles.com/?expert=Michael_Krout
http://EzineArticles.com/?25-Easy-Steps-to-Recover-a-Downed-Domain-Controller-(Dont-Panic)&id=3674561