| If you are one of the many businesses that have Windows Server 2008, then you may have had the unexpected pleasure of having a Domain Controller fail on you. Now if you do not know what the domain controller is then you are in for a treat. The domain controller is only the most important computer within your Windows Server 2008 domain. But, on the other hand, you may have had a technician install this beast of a computer. I put this lightly. The domain controller is a powerful server but it does not have to be put on a very powerful box. What you do need to do is make sure that it is redundant.

So, what should we do if the domain controller does go down and we have another domain controller? Well, first, I want to tip my hat to you. Not many companies know the importance of having more than one domain controller in their environment.

Let's digress a little. Why do you want to have multiple domain controllers? See, the domain controller does several different things. It has roles such as the Schema Master, Domain Naming Master, RID Master, Infrastructure Master and PDC Emulator. These control the overall environment. Let's go over some definitions. Don't go to sleep on me. We will be getting to the good
stuff soon enough.

Schema Master

Now you are asking, what is a schema? The schema is just a database. If you have used Excel or Access in the past then you have been exposed to a database. Now the schema is composed of Classes, which are the tables, and Attributes, which are the fields. So, the Schema Master controls the updates to the schema. So, you can say that this is a relatively important server. It only controls every entry that we make into the Active Directory Domain Services utility called ADUC, which is short for Active Directory Users and Computers. This role is located on the first domain controller that is added to the Forest by default. There is only one Schema Master per Forest. When you update the schema, which is known as extending the schema, you
need to be in the same Forest as this domain controller.

Domain Naming Master

So, what is the definition of a domain? A domain is a logical grouping of computers where the domain controller is the central repository for accounts, security and policies. The Domain Naming Master is in charge of keeping track of the addition and deletion of domains within the environment. This role is located on the first domain controller that is added to the Forest by default. There is only one Domain Naming
Master in the Forest.

PDC Emulator

Remember the old operating system known as Windows NT 4.0? It was the predecessor to Windows Server 2008. Well, in the old days, which is really a little over 10 years ago, the main domain controller was known as the Primary Domain Controller. So, that is where this role comes into play. It takes the place of the Primary Domain Controller. The main service that it controls is time. If this puppy is not functioning right then your whole environment will suffer. This role is located on the first domain controller that is added to the Forest by default. Now unlike the other roles, the PDC Emulator is located in every domain in the Forest. But, there is only one per domain. This is one of the most important
servers in the Domain.

RID Master

The unique identifier for a database is known as the primary key. Well, the primary key that provides uniqueness within Active Directory Domain Services is the SID, which is known as the Security ID. The RID Master controls the RID Pool for the domain. The RID is the Relative Identifier. When we run out of RIDs then we will not be able to add additional security principals such as accounts. Here is a tip: do not recover this server. If you bring this server on at the same time as another RID server then you will have a majorly messed up domain. This role is located in every domain in the
forest but only one per domain.

Infrastructure Master

This is an odd animal. The main purpose of the Infrastructure Master is tracking movement within the domain. This needs some clarification. We are not talking about Big Brother. Well, maybe. The Infrastructure Master tracks the moving of an object (account) from one OU (Organizational Unit) to another OU or domain. Now the reason I call this an odd animal is because it should not be on the same server as the Global Catalog. Ok, I know we are about to go over the threshold limit of the human mind. But, the Global Catalog has a copy of every attribute in the Forest. This will be covered in another article. Back to the Infrastructure Master: this role is also located in
every domain and there is only one per domain.

Whew, I know that is a lot to remember. But this is important. See, remember our problem... The domain is down. If you only have one domain controller, it contains all of these roles. HELLO, can you see where we are going with this? Make sure you have more than one domain controller per domain.

Ok, here is another topic: replication. No, this is not cloning, but similar. The domain controllers in the Forest replicate their information to each other. This introduces another term: multi-master replication. This just means that they have the same settings as the other guys.

Anyway, we come into work and find that the #1 domain controller has bit the dust. Don't panic, we can fix this. Take a coffee
break and realign your thought process.

To the Rescue

So, we have a pretty bad situation. Users cannot log on; the email server is down, yada yada yada. So, here is the good stuff. How do we get our domain back up and functioning? Call me of course. Just kidding. This article is here to instruct you on how to recover from this disaster. Before we can do this we need to use one of two tools: ADUC (Active Directory Users and Computers) or ntdsutil. Of the two tools, ntdsutil will allow us to do
everything that we need to do. Ok, are you ready.....

Recovering From Disaster

Step 1. Go to the second domain controller (we will call this Jupiter). Log on with administrative credentials.
Step 2. Bring up the command prompt. Type cmd at the run command prompt or access it from the Accessories menu under Programs on the menu.
Step 3. Type ntdsutil at the command prompt and press Enter.
Step 4. Type roles at the ntdsutil prompt and press Enter.
Step 5. Type connections at the roles prompt and press Enter.
Step 6. Type connect to server Jupiter at the connections prompt and press Enter. You will be presented with a message saying you are connected and using current credentials.
Step 7. Type quit at the connections prompt and press Enter. This will return you to the roles section.
Step 8. Type seize Schema Master at the roles prompt and press Enter. This will take over the Schema Master role and give it to Jupiter.
Step 9. Type seize Naming Master at the roles prompt and press Enter. This will take over the Domain Naming Master role and give it to Jupiter.
Step 10. Type seize PDC at the roles prompt and press Enter. This will take over the PDC Emulator and give it to Jupiter.
Step 11. Type seize RID master at the roles prompt and press Enter. This will take over the RID Master and give it to Jupiter.
Step 12. Type seize infrastructure master at the
roles prompt and press Enter.

Right now you are probably saying that is a lot of steps. We are complete with the first part. WHAT, there is more? Hold on, don't get antsy, this will take only about 5 hours. Just kidding. This whole process will take about 10-20 minutes. You will be the savior of the network. All righty then, on to the next part. By the way, the steps that are shown can be re-ordered when it comes to seizing. The commands are not case sensitive
either.

Cleanup Time

Now in the beginning of the article, I pointed out each of the different roles and their purpose. Well, we forcibly took over the roles. The other domain controller is still offline but still theoretically has those roles. If we were to bring that domain controller up again there would be major confusion. Also, Active Directory Domain Services does not know who to replicate changes to. The KCC (Knowledge Consistency Checker) is looking for the partner. The partner is no longer
available. We need to clean up this mess and quickly.

Step 13. Type quit at the roles prompt and press Enter. This will take us back to the beginning.
Step 14. Type metadata cleanup at the ntdsutil prompt and press Enter. This routine will get rid of the SRV records lingering in DNS and also records of the other domain controller in the Active Directory Domain Services database, the Schema.
Step 15. Type select operation target at the metadata cleanup prompt and press Enter. We need to identify the downed domain controller.
Step 16. Type list sites at the select operation target prompt and press Enter. This will list the sites within the Forest.
Step 17. Type the # associated with the Site of which the downed domain controller is part and press Enter. This will select the site which has the records for the downed domain controller.
Step 18. Type list servers in the site at the select operation target prompt and press Enter. This will list the domain controllers that are in the Site.
Step 19. Type the # associated with the domain of the downed domain controller and press Enter. This will select the domain with the downed domain controller.
Step 20. Type quit at the select operation target prompt and press Enter. This will take you back to the Metadata Cleanup section.
Step 21. Type remove selected server at the metadata cleanup prompt and press Enter. This will remove the records within Active Directory Domain Services.
Step 22. Type quit at the metadata cleanup prompt and press Enter. This takes you back to the beginning of ntdsutil.
Step 23. Type quit at the ntdsutil prompt and press Enter. This quits the ntdsutil utility.
Step 24. Check ADUC, DNS etc. Ensure that you can open ADUC. You may have to change focus of the domain controller.
Step 25. Take old domain controller off line and
reinstall Windows Server 2008 and dcpromo it.

Wow, what an ordeal. Just think if you did not have another domain controller within your Forest. Do yourself a favor and make sure you have more than one domain controller in your environment. There is a lot more that we can teach you. But, we will leave that for another article. Right now, go get that cup of coffee, high five your staff and relax. Your domain is back up and running. Now go change some passwords and play Halo
at your desk. Oops, did I say that. See you later.

Michael W. Krout, MCSE, MCTS, MCITP, MCT is CEO and Founder of Idea Dudes LLC. He has been a Microsoft certified professional since 1999 and a trainer for over 22 years. He has authored videos and courses for Microsoft and other companies.

Article Source:
http://EzineArticles.com/?expert=Michael_Krout
http://EzineArticles.com/?25-Easy-Steps-to-Recover-a-Downed-Domain-Controller-(Dont-Panic)&id=3674561
 |
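A pre-check for the role seizure in Steps 3-12, as an added example that is not part of the original article: it reads the current role holders with netdom query fsmo and prints the ntdsutil command line only for roles whose recorded holder no longer responds. It assumes PowerShell 2.0 or later on Jupiter, that netdom prints each role label and holder FQDN on one line separated by spaces, and that ping is allowed between domain controllers.

```powershell
# Added example (not from the article). Run on the surviving DC.
$target = 'Jupiter'   # the article's name for the surviving domain controller

# Role labels as printed by "netdom query fsmo" (assumed output layout),
# mapped to the seize commands from Steps 8-12.
$seizeCommand = @{
    'Schema master'         = 'seize schema master'
    'Domain naming master'  = 'seize naming master'
    'PDC'                   = 'seize PDC'
    'RID pool manager'      = 'seize RID master'
    'Infrastructure master' = 'seize infrastructure master'
}

# Parse lines of the form "<role label><2+ spaces><holder FQDN>".
$holders = @{}
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^(?<role>.+?)\s{2,}(?<holder>\S+)\s*$' -and
        $seizeCommand.ContainsKey($Matches['role'])) {
        $holders[$Matches['role']] = $Matches['holder']
    }
}
if ($holders.Count -ne 5) { throw 'Could not read all five role holders.' }

# Seize only roles whose recorded holder no longer answers.
$toSeize = @()
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    if (($holder -eq $target) -or ($holder -like "$target.*")) {
        Write-Output "$role is already on $holder"
    } elseif (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        Write-Warning "$role holder $holder still answers ping; do not seize"
    } else {
        $toSeize += $seizeCommand[$role]
    }
}

# Print (do not run) the equivalent of Steps 3-12 as one ntdsutil command line.
if ($toSeize.Count -gt 0) {
    $steps = @('roles', 'connections', "connect to server $target", 'quit') +
             $toSeize + @('quit', 'quit')
    Write-Output ('ntdsutil ' + (($steps | ForEach-Object { '"' + $_ + '"' }) -join ' '))
}
```

A ping reply is only a coarse liveness test, so confirm the old domain controller is really gone for good before running the printed command; a holder that is still reachable should have its roles transferred rather than seized.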