- Cannot restore DC in isolated Subnet for the purpose of creating test environment
- Posted by jmwallace74 on February 27th, 2004
I have been trying to restore our root domain controller (Windows 2000) in a
totally isolated network. The network has no connection to our production
network or even the internet. The reason we want to do this is for testing
purposes, while having an exact copy of our domain(s).
We transferred all 5 forest and domain FSMO roles to this one server, backed
it up, and then restored it to identical hardware in this isolated network.
The server will come up and I can log in as a user that is a combined
Enterprise, Domain, and Schema master administrator. We use Brightstore 9
and have followed CA's instructions for restoring a DC. The problem is that
the server does not believe it's a Domain Controller at all. So we cannot
add other DCs or run DC Promo or add servers to the domain in the test
environment. I can create accounts (users and computers) as the system has
the RID master FSMO role as well as all others, including Schema master,
Domain naming master, RID master, PDC Emulator and Infrastructure master.
The server being restored is a Global Catalog server as well. Other symptoms
are that the sysvol and netlogon folders do not get automatically shared. The
Users and Computers and Sites tools do not initially run correctly until I
point them to the server name, and then they seem to function correctly.
The server is a DNS server, WINS server and DHCP server in production as
well as in the test environment. The server has the same IP address as in the
production network. On server startup the Directory Service log files do
say that it is unable to contact a Global Catalog server even though this
server is one.
Anyone have any ideas????
--
John Wallace
jmwallace74@hotmail.com
http://www.jmwallace.net
- Posted by Al Mulnick on February 27th, 2004
"The problem is that the server does not believe it's a Domain Controller at all."
Doesn't believe it's a DC?!? Why not? Could be that your DNS is different?
Could be your restoration method (what steps did you take during the
restore?)
There's a restoration document available from Microsoft. Have you read it?
"jmwallace74" <jmwallace74@hotmail.com> wrote in message
news:%23SJqo3U$DHA.3256@TK2MSFTNGP09.phx.gbl...
- Posted by jmwallace74 on February 27th, 2004
"Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in
news:OwEkr1W$DHA.1288@TK2MSFTNGP10.phx.gbl:
Why it doesn't think it's a DC would be the $64,000 question. Well, at
least it will not run the FSMO role PDC Emulator, which it had when it
was backed up.
Here is the output from DCDIAG /V
*****************************************
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine OH01DC01, is a DC.
* Connecting to directory service on server OH01DC01.
* Collecting site info.
* Identifying all servers.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: OH01\OH01DC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... OH01DC01 passed test Connectivity
Doing primary tests
Testing server: OH01\OH01DC01
Starting test: Replications
* Replications Check
......................... OH01DC01 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=relizon,DC=net
* Security Permissions Check for
CN=Configuration,DC=relizon,DC=net
* Security Permissions Check for
DC=relizon,DC=net
......................... OH01DC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... OH01DC01 passed test NetLogons
Starting test: Advertising
Fatal Error
sGetDcName (OH01DC01) call failed, error 1355
The Locator could not find the server.
......................... OH01DC01 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=OH01DC01,CN=Servers,CN=OH01,CN=Sites,CN=Configuration,DC=relizon,DC=net
Role Domain Owner = CN=NTDS Settings,CN=OH01DC01,CN=Servers,CN=OH01,CN=Sites,CN=Configuration,DC=relizon,DC=net
Role PDC Owner = CN=NTDS Settings,CN=OH01DC01,CN=Servers,CN=OH01,CN=Sites,CN=Configuration,DC=relizon,DC=net
Role Rid Owner = CN=NTDS Settings,CN=OH01DC01,CN=Servers,CN=OH01,CN=Sites,CN=Configuration,DC=relizon,DC=net
Role Infrastructure Update Owner = CN=NTDS Settings,CN=OH01DC01,CN=Servers,CN=OH01,CN=Sites,CN=Configuration,DC=relizon,DC=net
......................... OH01DC01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3606 to 1073741823
* OH01DC01.relizon.net is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3106 to 3605
* rIDNextRID: 3107
* rIDPreviousAllocationPool is 3106 to 3605
......................... OH01DC01 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/OH01DC01.relizon.net/relizon.net
* SPN found :LDAP/OH01DC01.relizon.net
* SPN found :LDAP/OH01DC01
* SPN found :LDAP/OH01DC01.relizon.net/RZNET
* SPN found :LDAP/5e725537-79c7-4438-a8ce-774ae6d2e63f._msdcs.relizon.net
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e725537-79c7-4438-a8ce-774ae6d2e63f/relizon.net
* SPN found :HOST/OH01DC01.relizon.net/relizon.net
* SPN found :HOST/OH01DC01.relizon.net
* SPN found :HOST/OH01DC01
* SPN found :HOST/OH01DC01.relizon.net/RZNET
* SPN found :GC/OH01DC01.relizon.net/relizon.net
......................... OH01DC01 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
......................... OH01DC01 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
OH01DC01 is in domain DC=relizon,DC=net
Checking for CN=OH01DC01,OU=Domain Controllers,DC=relizon,DC=net
in domain DC=relizon,DC=net on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=OH01DC01,CN=Servers,CN=OH01,CN=Sites,CN=Configuration,DC=relizon,DC=net in domain CN=Configuration,DC=relizon,DC=net on 1 servers
Object is up-to-date on all servers.
......................... OH01DC01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
An Warning Event occured. EventID: 0x800034FE
Time Generated: 02/27/2004 15:17:33
Event String: File Replication Service is scanning the data
in
the system volume. Computer OH01DC01 cannot
become a domain controller until this process is
complete. The system volume will then be shared
as SYSVOL.
To check for the SYSVOL share, at the command
prompt, type:
net share
When File Replication Service completes the
scanning process, the SYSVOL share will appear.
The initialization of the system volume can take
some time. The time is dependent on the amount of
data in the system volume.
......................... OH01DC01 passed test frssysvol
Starting test: kccevent
* The KCC Event log test
An Error Event occured. EventID: 0xC0000466
Time Generated: 02/27/2004 15:43:26
Event String: Unable to establish connection with global
catalog.
An Information Event occured. EventID: 0x40000617
Time Generated: 02/27/2004 15:46:33
(Event String could not be retrieved)
An Information Event occured. EventID: 0x4000062A
Time Generated: 02/27/2004 15:46:33
(Event String could not be retrieved)
An Information Event occured. EventID: 0x40000456
Time Generated: 02/27/2004 15:46:33
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000466
Time Generated: 02/27/2004 15:46:33
Event String: Unable to establish connection with global
catalog.
......................... OH01DC01 failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... OH01DC01 passed test systemlog
Running enterprise tests on : relizon.net
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
Skipping site OH01, this site is outside the scope provided by the command line arguments provided.
......................... relizon.net passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name: \\OH01DC01.relizon.net
Locator Flags: 0xe00001f9
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... relizon.net failed test FsmoCheck
*********************************************************************
http://support.microsoft.com/default...b;EN-US;240363
and the CA restore instructions (we run Brightstore); see this link:
http://support.cai.com/techbases/basb9/basb9_1004.html
- Posted by Al Mulnick on February 28th, 2004
What steps did you follow?
What is your production topology and what did you do about this: "failed
test kccevent"?
No real reason to seize the roles from the perspective that he owns them
now anyway. But I don't see where the sysvol came up (may have missed it,
I'm only one cup of coffee into it), but having knowledge of the production
topology would be useful here. Also, knowing if it ever came up fully would
be useful.
Al
"jmwallace74" <jmwallace74@hotmail.com> wrote in message
news:%2337A1QX$DHA.2180@TK2MSFTNGP09.phx.gbl...
- Posted by jmwallace74 on March 1st, 2004
What steps did I follow? (For restoring.)
0. To get an AD test environment set up in a separated network we followed
these steps.
1. Took identical hardware and installed a fresh copy of Windows 2000 on
it, as a stand-alone server (Workgroup). Set up the server with C: (OS and
Sysvol), D: (NTDS data) and E: (NTDS logs) partitions just as in
production.
2. Booted this server to AD Restore mode.
3. Restored all of C: and System State.
4. Rebooted server in regular mode.
At first boot I noticed the sysvol is not shared. I don't know why.
Production topology: the server we are trying to restore is the root Domain
Controller server, running DNS, WINS, Global Catalog, Domain Naming
Master, Schema master, PDC Emulator, Infrastructure Master and RID master.
There are two other DCs in the Root Domain. They are all Global Catalogs
to avoid the Infrastructure Master conflict. This root domain is empty of
all except administration accounts. DNS and WINS are served from all Root
Domain Servers. We have one child domain with 3 Domain Controllers and
they are all Global Catalogs too. 4 DCs (2 from each domain) are in Site A,
while Site B has the other 2 DCs (1 from each Domain). The server
we are restoring is in Site A. We cannot restore a second DC server in
the test environment because of lack of identical hardware.
In an attempt to get this first DC server to work in the test
environment, I have deleted AD Server accounts that don't exist in the
Root Domain test environment (only two others, which are Domain
Controllers), and deleted and recreated the Root DNS Zone, to make sure only
the server restored is listed in DNS as a DC.
What did I do about the failed KCCEVENT?
The server being restored is a global catalog server and still reports
that it is in the test environment. What else should I be doing?
The reason we are setting up this non-connected network is to test going
from Windows 2000 to Windows 2003 on the AD controllers and going from
Exchange 5.5 to Exchange 2003. We are trying to duplicate our live
network in a test environment.
Any ideas would be appreciated.
Thanks for your help.
"Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in
news:#WRbVvg$DHA.684@tk2msftngp13.phx.gbl:
- Posted by Jack Wang [MSFT] on March 1st, 2004
Hi John,
Thank you for posting here and sorry for the inconvenience.
Please rebuild the DC and use the NTBackup tool to back up and restore again.
I think there may be some issues in the backup or restore process. When you
choose to back up the system state on a domain controller, the following
items are included:
- Active Directory (NTDS)
- The boot files
- The COM+ class registration database
- The registry
- The system volume (SYSVOL)
When you back up a member server or domain controller with Certificate
Server installed, the following additional item is also included:
- Certificate Server
If the issue still exists, please send the Event Viewer logs to me so that
I could find more information about the error.
Step 1: Click Start, click Run, and then type "eventvwr" (without the
quotation marks), click OK.
Step 2: Right-click Application and select Save Log File As.
Step 3: Save it as Application.evt.
Step 4: Repeat steps 1 to 3 to save the Security and System event logs to
Security.evt and System.evt.
Step 5: Delete all the Application, Security and System logs in the Event
Viewer.
Step 6: Restart the computer. When the issue occurs, save the new
Application, Security and System log to three new files and send them to me
at jackwa@microsoft.com.
Windows 2000 Backup can back up and restore Active Directory on Windows
2000 domain controllers. You can perform a backup operation while the
domain controller is online. You can perform a restore operation only when
the domain controller is booted into Directory Services Restore mode (by
pressing the F8 key when the server is booting).
How to Back Up the System State on a Domain Controller
------------------------------------------------------
1. Click Start, point to Programs, point to Accessories, point to
System Tools, and then click Backup.
2. Click the Backup tab.
3. Click to select the System State check box. (All of the components
to be backed up are listed in the right pane. You cannot individually
select each item.) NOTE: During the system state backup, you must
select to back up the Winnt\Sysvol folder. You must also select this
option during the restore operation to have a working sysvol after the
recovery.
The following information applies only to domain controllers. You can
restore member servers the same way, but in normal mode.
If any of the following conditions are not met, the system state is not
restored. Backup attempts to restore the system state, but does not succeed.
- The drive letter on which the %SystemRoot% folder is located must be
the same as when it was backed up.
- The %SystemRoot% folder must be the same folder as when it was backed
up.
- If sysvol or other Active Directory databases were located on another
volume, they must exist and have the same drive letters also. The size
of the volume does not matter.
How to Restore the System State on a Domain Controller
------------------------------------------------------
1. To restore the system state on a domain controller, first start the
computer in Directory Services Restore Mode. To do so, restart the
computer and press the F8 key when you see the Boot menu.
2. Choose Directory Services Restore Mode.
3. Choose the Windows 2000 installation you are going to recover, and
then press ENTER.
4. At the logon prompt, supply the Directory Services Restore mode
credentials you supplied during the Dcpromo.exe process.
5. Click OK to acknowledge that you are using Safe mode.
6. Click Start, point to Programs, point to Accessories, point to
System Tools, and then click Backup.
7. Click the Restore tab.
8. Click the appropriate backup media and the system state to restore.
NOTE: During the restore operation, the Winnt\Sysvol folder must also
be selected to be restored to have a working sysvol after the recovery
process. Be sure that the advanced option to restore "junction points
and data" is also selected prior to the restore. This ensures that
sysvol junction points are re-created.
9. In the "Restore Files to" box, click Original Location. NOTE: When
you choose to restore a file to an alternative location or to a single
file, not all system state data is restored. These options are used
mostly for boot files or registry keys.
10. Click Start Restore.
11. After the restore process is finished, restart the computer.
Hope this helps!
Sincerely,
Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
Microsoft Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Subject: Cannot restore DC in isolated Subnet for the purpose of creating test environment
| From: jmwallace74 <jmwallace74@hotmail.com>
| User-Agent: Xnews/5.04.25
| Message-ID: <#SJqo3U$DHA.3256@TK2MSFTNGP09.phx.gbl>
| Newsgroups: microsoft.public.windows.server.active_directory
| Date: Fri, 27 Feb 2004 08:22:33 -0800
| NNTP-Posting-Host: oh01ux20.relizon.com 65.118.143.195
| Lines: 1
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.active_directory:11221
| X-Tomcat-NG: microsoft.public.windows.server.active_directory
- Posted by jmwallace74 on March 1st, 2004
I've followed those steps in doing the backup and restore.
1. I do the generic install of the server to start.
2. I restart the server in Directory Services restore mode.
3. I restore from a previous backup. I restore only C: and System State.
In advanced options I overwrite everything, restore security and restore
Junction points.
C: is where OS and Sysvol is at.
D: is where the AD database is at
E: is where the AD Log files are at.
After restore Sysvol folder is created and contains data. AD data and AD
logs are created. I reboot the server.
The best I can determine is that even though the server is set to be a
Global Catalog Server, when we restore it in the test environment with a
separated, disconnected network, it's still looking for other servers and
will not start the GC function. The system in the production network
passes DCDIAG and claims to be a GC.
I'm sending you this and the log files in an email as you requested.
jackwa@online.microsoft.com (Jack Wang [MSFT]) wrote in
news:QO1Yft5$DHA.3552@cpmsftngxa06.phx.gbl:
- Posted by Jack Wang [MSFT] on March 4th, 2004
Hi John,
Thank you for letting me know the detailed information!
By default, when the DC is restored, it will try to sync AD information
from other DCs. After that, the sysvol folder will be shared. So, this is
normal behavior, which is called a non-authoritative mode restore. Since there
are no other DCs in your network, the FRS replication could not be finished,
the sysvol folder will not be shared and the issue occurs. So, you may
need to set the restore as an authoritative mode restore. Then, it will not
need to sync the information with other DCs and the issue should be solved.
The FRS BurFlags registry key controls this behavior.
FRS is a multi-threaded, multi-master replication engine that Windows 2000
domain controllers use to replicate system policies and logon scripts for
Windows 2000 and earlier-version clients. In Microsoft Windows NT, the
LanMan Replication (LMREP) service handled replication. FRS replaced LMREP
in Windows 2000. You can also use FRS to replicate content between Windows
2000 servers that host the same fault-tolerant Distributed File System
(DFS) roots or child node replicas.
When you deploy Windows-based domain controllers or member servers that use
FRS to replicate files in SYSVOL or DFS shares, you may have to restore or
reinitialize individual members of a replica set if replication has stopped
or is inconsistent. In some scenarios, you may have to rebuild the whole
replica set from scratch.
The FRS BurFlags registry key is used to perform authoritative or
non-authoritative restores on FRS members of DFS or SYSVOL replica sets.
Note: System state backups of Windows member servers and domain
controllers do not include the FRS database that maintains a mapping of
files that are held in local FRS trees and a master list of FRS files.
Restoring FRS Replicas
----------------------
The global BurFlags registry key contains REG_DWORD values, and is
located in the following location in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
The most common values for the BurFlags registry key are:
- D2, also known as a non-authoritative mode restore
- D4, also known as an authoritative mode restore
You can also perform BurFlags restores at the same time as you restore
data from backup or from any other known good source, and then restart the
service.
Non-authoritative Restore
Non-authoritative restores are the most common way to reinitialize
individual members of FRS replica sets that are having difficulty. These
difficulties may include:
- Assertions in the FRS service
- Corruption of the local jet database
- Journal wrap errors
- FRS replication failures
Attempt non-authoritative restores only after you discover FRS
dependencies and you understand and resolve the root cause.
Members who are non-authoritatively restored must have inbound connections
from operational upstream partners where you are performing Active Directory
and FRS replication. In a large replica set that has at least one known good
replica member, you can recover all the remaining replica members by using a
non-authoritative mode restore if you reinitialize the computers in direct
replication partner order.
If you determine that you must complete a non-authoritative restore to return
a member back into service, save as much state from that member and from the
direct replication partner in the direction that replication is not working.
This permits you to review the problem later. You can obtain state
information from the FRS and System logs in the Event Viewer.
Note: You can configure the FRS logs to record detailed debugging entries.
To perform a non-authoritative restore, stop the FRS service, configure
the BurFlags registry key, and then restart the FRS service. To do so:
1. Click "Start", and then click "Run".
2. In the "Open" box, type "cmd" (without the quotation marks) and then
press ENTER.
3. In the "Command" box, type "net stop ntfrs" (without the quotation
marks).
4. Click "Start", and then click "Run".
5. In the "Open" box, type "regedit" (without the quotation marks) and
then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click "BurFlags".
8. In the "Edit DWORD Value" dialog box, type "D2" (without the
quotation marks) and then click "OK".
9. Quit Registry Editor, and then switch to the "Command" box.
10. In the "Command" box, type "net start ntfrs" (without the quotation
marks).
11. Quit the "Command" box.
When the FRS service restarts, the following actions occur:
- The value for BurFlags registry key returns to 0.
- Files in the reinitialized FRS folders are moved to a <Pre-existing>
folder.
- The FRS database is rebuilt.
- The member performs an initial join of the replica set from an
upstream partner or from the computer that is specified in the Replica
Set Parent registry key if a parent has been specified for SYSVOL
replica sets.
- The reinitialized computer performs a full replication of the
affected replica sets when the relevant replication schedule begins.
Note: The placement of files in the <Pre-existing> folder on reinitialized
members is a safeguard in FRS designed to prevent accidental data loss. Any
files destined for the replica that exist only in the local <Pre-existing>
folder and did not replicate in after the initial replication may then be
copied to the appropriate folder. When outbound replication has occurred,
delete files in the <Pre-existing> folder to free up additional drive space.
Authoritative FRS Restore
Use authoritative restores only as a final option, such as in the case of
directory collisions. For example, you may require an authoritative restore
if you must recover an FRS replica set where replication has completely
stopped and requires a rebuild from scratch.
The following list of requirements must be met before you perform an
authoritative FRS restore:
1. The FRS service must be disabled on all downstream partners (direct
and transitive) for the reinitialized replica sets before you restart
the FRS service when the authoritative restore has been configured to
occur.
2. Events 13553 and 13516 have been logged in the FRS event log. These
events indicate that the membership to the replica set has been
established on the computer that is configured for the authoritative
restore.
3. The computer that is configured for the authoritative restore is
configured to be authoritative for all the data that you want to
replicate to replica set members. This is not the case if you are
performing a join on an empty directory.
4. All other partners in the replica set must be reinitialized with a
non-authoritative restore.
To complete an authoritative restore, stop the FRS service, configure the
BurFlags registry key, and then restart the FRS service. To do so:
1. Click "Start", and then click "Run".
2. In the "Open" box, type "cmd" (without the quotation marks) and then
press ENTER.
3. In the "Command" box, type "net stop ntfrs" (without the quotation
marks).
4. Click "Start", and then click "Run".
5. In the "Open" box, type "regedit" (without the quotation marks) and
then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double click "BurFlags".
8. In the "Edit DWORD Value" dialog box, type "D4" (without the
quotation marks) and then click "OK".
9. Quit Registry Editor, and then switch to the "Command" box.
10. In the "Command" box, type "net start ntfrs" (without the quotation
marks).
11. Quit the "Command" box.
When the FRS service is restarted, the following actions occur:
- The value for the BurFlags registry key is set back to 0.
- Files in the reinitialized FRS replicated directories remain
unchanged and become authoritative on direct replication, and through
transitive replication, indirect replication partners.
- The FRS database is rebuilt based on current file inventory.
For more information, please refer to the following article.
263532 How to perform a disaster recovery restoration of Active Directory on a
http://support.microsoft.com/?id=263532
Let me know how this works out!
Sincerely,
Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
Microsoft Partner Support
--------------------
| Subject: RE: Cannot restore DC in isolated Subnet for the purpose of creating test environment
| From: jmwallace74 <jmwallace74@hotmail.com>
| References: <#SJqo3U$DHA.3256@TK2MSFTNGP09.phx.gbl> <QO1Yft5$DHA.3552@cpmsftngxa06.phx.gbl>
| User-Agent: Xnews/5.04.25
| Message-ID: <eUhg6E9$DHA.3220@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.windows.server.active_directory
| Date: Mon, 01 Mar 2004 13:07:37 -0800
| NNTP-Posting-Host: oh01ux20.relizon.com 65.118.143.195
| Lines: 1
| Path: cpmsftngxa06.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.active_directory:11346
| X-Tomcat-NG: microsoft.public.windows.server.active_directory
|
|
| I've followed those steps in doing the backup and restore.
| 1. I do the generic install of the server to start.
| 2. I restart the server in Directory Services restore mode.
| 3. I restore from a previous backup. I restore only C: and System State.
| In advanced options I overwrite everything, restore security and restore
| Junction points.
| C: is where OS and Sysvol is at.
| D: is where the AD database is at
| E: is where the AD Log files are at.
|
| After restore Sysvol folder is created and contains data. AD data and AD
| logs are created. I reboot the server.
|
| The best I can determin is that even though the server is set to be a
| Global Catalog Server, when we retore it in the test environment with a
| seperated disconnected network, its still looking for other servers and
| will not start the GC function. The System in the production network
| passes DCDIAG and claims to be a GC.
| I'm sending you this and the log files in an Email as your requested.
|
|
|
| jackwa@online.microsoft.com (Jack Wang [MSFT]) wrote in
| news:QO1Yft5$DHA.3552@cpmsftngxa06.phx.gbl:
|
| > Hi John,
| >
| > Thank you for posting here and sorry for the inconvenience.
| >
| > Please rebuild the DC and use the NTBakup tool to backup and restore
| > again. I think there may be some issues in the backup or restore
| > process. When you choose to back up the system state on a domain
| > controller, the following items are included:
| >
| > - Active Directory (NTDS)
| >
| > - The boot files
| >
| > - The COM+ class registration database
| >
| > - The registry
| >
| > - The system volume (SYSVOL)
| >
| > When you back up a member server or domain controller with Certificate
| > Server installed, the following additional item is also included:
| >
| > - Certificate Server
| >
| > If the issue still exists, please send the Event Viewer logs to me so
| > that I could find more information about the error.
| >
| > Step 1: Click Start, click Run, and then type "eventvwr" (without the
| > quotation marks), click OK.
| >
| > Step 2: Right-click Application and select Save Log File As.
| >
| > Step 3: Save it as Application.evt.
| >
| > Step 4: Repeat steps 1 to 3 to save the Security and System event logs
| > to Security.evt and System.evt.
| >
| > Step 5: Delete all the Application, Security and System log in the
| > Event Viewer.
| >
| > Step 6: Restart the computer. When the issue occurs, save the new
| > Application, Security and System log to three new files and send them
| > to me at jackwa@microsoft.com.
| >
| > Windows 2000 Backup can back up and restore Active Directory on
| > Windows 2000 domain controllers. You can perform a backup operation
| > while the domain controller is online. You can perform a restore
| > operation only when the domain controller is booted into Directory
| > Services Restore mode (by pressing the F8 key when the server is
| > booting).
| >
| > How to Back Up the System State on a Domain Controller
| > ------------------------------------------------------
| >
| > 1. Click Start, point to Programs, point to Accessories, point to
| > System Tools, and then click Backup.
| >
| > 2. Click the Backup tab.
| >
| > 3. Click to select the System State check box. (All of the components
| > to be backed up are listed in the right pane. You cannot
| > individually select each item.) NOTE: During the system state
| > backup, you must select to back up the Winnt\Sysvol folder. You
| > must also select this option during the restore operation to have a
| > working sysvol after the recovery.
| >
| > The following information applies only to domain controllers. You can
| > restore member servers the same way, but in normal mode.
| >
| > If any of the following conditions are not met, the system state is
| > not restored. Backup attempts to restore the system state, but does
| > not succeed.
| >
| > - The drive letter on which the %SystemRoot% folder is located must be
| > the same as when it was backed up.
| >
| > - The %SystemRoot% folder must be the same folder as when it was backed
| > up.
| >
| > - If sysvol or other Active Directory databases were located on another
| > volume, they must exist and have the same drive letters also. The
| > size of the volume does not matter.
| >
| >
| > How to Restore the System State on a Domain Controller
| > ------------------------------------------------------
| >
| > 1. To restore the system state on a domain controller, first start the
| > computer in Directory Services Restore Mode. To do so, restart the
| > computer and press the F8 key when you see the Boot menu.
| >
| > 2. Choose Directory Services Restore Mode.
| >
| > 3. Choose the Windows 2000 installation you are going to recover, and
| > then press ENTER.
| >
| > 4. At the logon prompt, supply the Directory Services Restore mode
| > credentials you supplied during the Dcpromo.exe process.
| >
| > 5. Click OK to acknowledge that you are using Safe mode.
| >
| > 6. Click Start, point to Programs, point to Accessories, point to
| > System Tools, and then click Backup.
| >
| > 7. Click the Restore tab.
| >
| > 8. Click the appropriate backup media and the system state to restore.
| > NOTE: During the restore operation, the Winnt\Sysvol folder must
| > also be selected to be restored to have a working sysvol after the
| > recovery process. Be sure that the advanced option to restore
| > "junction points and data" is also selected prior to the restore.
| > This ensures that sysvol junction points are re-created.
| >
| > 9. In the "Restore Files to" box, click Original Location. NOTE: When
| > you choose to restore a file to an alternative location or to a
| > single file, not all system state data is restored. These options
| > are used mostly for boot files or registry keys.
| >
| > 10. Click Start Restore.
| >
| > 11. After the restore process is finished, restart the computer.
| >
| > Hope this helps!
| >
| > Sincerely,
| > Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
| > Microsoft Partner Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via
| > your newsreader so that others may learn and benefit
| > from your issue.
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights. --------------------
|
|
|
| --
| John Wallace
| jmwallace74@hotmail.com
| http://www.jmwallace.net
|
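A read-only verification script, added here as an example and not part of the thread, that checks on a restored lab DC the symptoms John describes: SYSVOL/NETLOGON not shared, the GC not advertising, and the AD tools unable to locate the DC. It assumes it runs elevated on the restored DC on a PowerShell version that has Get-SmbShare and Resolve-DnsName (Windows Server 2012 or later); the registry value it reads is the NTDS initial-synchronization setting, which is read, not changed.

```powershell
# Added example, not from the original post: read-only checks on a DC that was
# restored from system state into an isolated lab. Assumes it runs on the DC
# itself, elevated, on PowerShell with Get-SmbShare and Resolve-DnsName.

function ConvertTo-DnsName([string]$dn) {
    # "DC=corp,DC=example" -> "corp.example"
    (($dn -split ',') | ForEach-Object { ($_ -split '=')[1] }) -join '.'
}

$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDns = ConvertTo-DnsName $rootDse.defaultNamingContext.Value
$forestDns = ConvertTo-DnsName $rootDse.rootDomainNamingContext.Value
Write-Output "DC: $($rootDse.dnsHostName)  domain: $domainDns  forest: $forestDns"

# 1. RootDSE flags. A DC that has not completed its initial sync reports
#    isSynchronized=FALSE and does not advertise as a global catalog.
Write-Output "isSynchronized       : $($rootDse.isSynchronized)"
Write-Output "isGlobalCatalogReady : $($rootDse.isGlobalCatalogReady)"

# 2. SYSVOL and NETLOGON are shared only once the directory reports ready;
#    missing shares are one of the symptoms in the thread.
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    $state = if ($share) { $share.Path } else { 'MISSING' }
    Write-Output ("share {0,-8}: {1}" -f $name, $state)
}

# 3. DNS locator records. Without these the AD tools and dcpromo cannot find
#    the DC even though it still answers on its production IP address.
foreach ($rec in "_ldap._tcp.dc._msdcs.$domainDns", "_gc._tcp.$forestDns") {
    try {
        $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop
        Write-Output "SRV $rec -> $($srv.NameTarget -join ', ')"
    } catch {
        Write-Output "SRV $rec -> NOT FOUND ($($_.Exception.Message))"
    }
}

# 4. Initial-sync requirement. A lone DC in an isolated network has no
#    replication partner to sync from; this NTDS value shows whether the
#    service is configured to wait for one (absent or 1) or not (0).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sync = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'Repl Perform Initial Synchronizations'
$syncText = if ($null -eq $sync) { 'not set (default: wait for partners)' } else { $sync }
Write-Output "Repl Perform Initial Synchronizations: $syncText"

# 5. FSMO role holders as this DC sees them (all five should be this host).
netdom query fsmo
```

Run it after the post-restore reboot and compare the output against the same script on the production DC, which the thread says passes DCDIAG and advertises as a GC.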