Disaster recovery restore of an Active Directory domain

Ronald_Wind
Level 2
We are testing and documenting the disaster recovery process of our environment. However, we are experiencing a few problems which we have not been able to fix so far. Our situation is as follows:
- Backup server with Backup Exec 12.5
- Windows 2008 Standard Server as domain controller containing all the FSMO roles. Further, the server only contains the DNS Server role
 
We have tried a disaster recovery restore by following these steps:
- Installation of the same Windows version, same NTFS partitions and same computer name (FQDN). Also tried the same IP configuration (same result)
  o Note: only installed on different hardware
- Restoring a full system backup of the domain controller
  o Including partitions, System State and Shadow Copy
  o Restoring over existing files
  o Marked this server as primary arbitrator for the domain
 
The full system backup restores without any problems and the computer boots nicely. All the required services for the domain are running:
- Active Directory Domain Services
- DNS Server
- File Replication Service
- Intersite Messaging
- Kerberos Key Distribution Center
 
When I try to start the “Active Directory Users and Computers” management console I get the following error message:
“Naming Information cannot be located for the following reason:
The server is not operational.”
 
When I check the Event Viewer of Windows it displays 1 warning and 1 error message after booting the system, which should point me in the right direction, but I just can't figure it out. Hope one of you guys could give me some advice because I'm kind of stuck.
 
Further I got three questions:
1. Is it necessary to have the same IP configuration? (Because it looks like a DNS issue)
2. Is it necessary to have the DHCP Server service running?
3. Is it necessary to have the Certificate Authority installed on the first domain controller you restore?
 
Below are the events of the Event Viewer:
 
Source: Kerberos-Key-Distribution-Center    Event ID: 29
Warning Message: “The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.”
 
Source: Directory-Services-SAM    Event ID: 16651
Error Message: “The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is “The requested FSMO operation failed. The current FSMO holder could not be contacted.””


Stix
Level 4
Have you only got one DNS server? As a side note, this is really bad practice... you should have at least 2.

Make sure the NIC is pointing to the right DNS server.

DHCP won't matter.

Try

netdiag /v >netdiag.txt 
dcdiag /v >dcdiag.txt

and check the results.

Ronald_Wind
Level 2
I manually started the DNS Server service on the restored server. I also pointed the NIC to its own address for the DNS server and registered the address in DNS. After this I started Dcdiag and Netdiag.
 
Here are the most important results:
 
Dcdiag.exe
The directory service on “COMPUTERNAME” has not finished initializing. In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with at least one replica of this server’s writable domain. It must also obtain Rid information from the Rid FSMO holder.
The directory service has not signalled the event which lets other services know that it is ready to accept requests. Services such as the Key Distribution Center, Intersite Messaging Service and Netlogon will not consider this system as an eligible domain controller.
 
Netdiag.exe
Domain membership:
[WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as DC.
 
I thought that by selecting “Mark this server as the primary arbitrator for replication” I configured it so that it doesn't look for replication partners after the restore.

Stix
Level 4
Can you force the roles onto the server again?  

Also, is the netlogon share available? 
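The checks Stix asks for in his two replies (NIC pointing at the right DNS server, dcdiag/netdiag output, whether the NETLOGON share exists), scripted as an added example for an elevated PowerShell prompt on the restored Windows Server 2008 DC. This is not code from the thread; the temp-file paths, the event ID filter and the "first DNS entry must be this DC" rule are my own choices for a lone restored DC.

```powershell
# Added example, not code from the thread: post-restore sanity checks on the
# restored 2008 DC. Run elevated, on the restored server itself.

# 1. The first DNS server on every enabled NIC must be this DC (or 127.0.0.1):
#    the DC locator SRV records live in the zone this server hosts, nowhere else.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$ownAddresses = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
foreach ($nic in $nics) {
    $dns = @($nic.DNSServerSearchOrder)
    $first = if ($dns.Count -gt 0) { $dns[0] } else { '<none>' }
    $ok = ($first -eq '127.0.0.1') -or ($ownAddresses -contains $first)
    $verdict = if ($ok) { 'OK' } else { 'FIX: point it at this DC, then run ipconfig /registerdns' }
    "{0}: first DNS server = {1} -> {2}" -f $nic.Description, $first, $verdict
}

# 2. SYSVOL and NETLOGON are shared only after FRS completes its initial sync.
#    While NETLOGON is missing the DC does not advertise itself, which is what
#    the dcdiag "has not finished initializing" text is saying.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (Get-WmiObject Win32_Share -Filter "Name = '$share'") { "$share share: present" } else { "$share share: MISSING" }
}

# 3. Can the local DNS answer the DC locator query? No answer means the AD zone
#    is not being served and "The server is not operational" is the expected result.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 127.0.0.1 2>&1 |
    Select-String -Pattern 'svr hostname|can''t find|timed out'

# 4. Full dcdiag (and netdiag, if a copy is installed; it is not in-box on 2008)
#    to files, then pull out the lines that decide the next step.
dcdiag /v > "$env:TEMP\dcdiag.txt"
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) { netdiag /v > "$env:TEMP\netdiag.txt" }
Select-String -Path "$env:TEMP\dcdiag.txt" `
    -Pattern 'failed test|has not finished initializing|could not be contacted'

# 5. The Directory Service log normally carries event 2092 next to that dcdiag
#    message: this server owns an FSMO role but will not treat it as valid until
#    it has replicated once, and on an isolated restored DC nobody is left to
#    replicate with. That is also why SAM cannot get a RID pool (event 16651).
Get-EventLog -LogName 'Directory Service' -Newest 100 |
    Where-Object { $_.EventID -eq 2092 } |
    Select-Object TimeGenerated, EventID, Message
```

If step 1 reports FIX, correct the NIC first and rerun; the later checks are meaningless while the DC cannot resolve its own locator records. If step 2 shows NETLOGON missing and step 5 shows 2092, the DC is waiting for an initial sync with partners that do not exist in the recovery network, and the repair is in the FRS/FSMO steps further down the thread rather than in DNS.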

Luke_Cassar
Level 5
You will need to seize the FSMO roles if the DC you restored does not hold all of the roles in the real network.

I have done the same thing as you are trying; it took a bit of piddling around but I got it working in the end.

Some articles I found handy doing this procedure were:
http://support.microsoft.com/kb/249694/en-us - in particular:

o   Click Start, and then click Run, type regedit, and then press ENTER.

o   Locate the following registry subkey:

o   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets

o   Expand Replica Sets, identify the subkey that refers to the replica set DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

o   Then find the subkey of the Cumulative Replica Sets subkey that matches the name of the subkey from the previous step.

o   Expand Cumulative Replica Sets, click the subkey that represents the Sysvol replica set, double-click BurFlags.

o   In the Edit DWORD Value dialog box, type D4, and then click OK.


http://support.microsoft.com/kb/255690/en-us - Seizing the roles is detailed in this article. I believe I had to seize all of the roles, even the ones the server held anyway.

Lastly there were these two beauties, which detailed (I believe) removing other domain controllers properly from your test network so you don't have failed replication:

http://technet.microsoft.com/en-us/library/cc785849%28WS.10%29.aspx
http://support.microsoft.com/kb/833783

If these articles don't help, let me know what is going on and I will try to dig up more notes (I kept a lot of notes about this topic for once in my life!), so there should be something useful in there for you.

Cheers.
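The repair Luke_Cassar's KB references describe (BurFlags D4 on the SYSVOL replica set, then seizing the FSMO roles), scripted as an added example for an elevated PowerShell prompt on the restored 2008 DC. This is not the thread's or Microsoft's code. It assumes SYSVOL is replicated by FRS (the thread shows File Replication Service running, not DFSR), that the "Replica Set Root" registry value identifies the SYSVOL set, and that this restored DC is the only DC in the recovery network. Step 2b, the "Repl Perform Initial Synchronizations" value, is not one of the thread's steps; it is the documented way to stop an isolated FSMO holder from waiting for an initial sync that can never happen.

```powershell
# Added example, not the thread's own code. Run elevated on the restored DC.
# WARNING: D4 makes THIS copy of SYSVOL authoritative. On a real network with
# surviving DCs it would overwrite their SYSVOL; only do this on the lone
# restored DC of a recovery lab, which is the situation in the thread.

$ntfrs = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

# 1. Find the SYSVOL replica set: each subkey under "Replica Sets" is a GUID whose
#    "Replica Set Root" value names the folder FRS replicates (assumption: that
#    value name, as used in Microsoft's SYSVOL-rebuild KBs). The matching GUID
#    subkey under "Cumulative Replica Sets" is where BurFlags lives.
$sysvolSet = Get-ChildItem "$ntfrs\Replica Sets" | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).'Replica Set Root' -match 'sysvol'
} | Select-Object -First 1
if (-not $sysvolSet) { throw "No SYSVOL replica set found under $ntfrs\Replica Sets" }
$guid = $sysvolSet.PSChildName

# 2. BurFlags D4 = authoritative restore: when FRS restarts, this SYSVOL becomes
#    the source and FRS stops waiting for partners that no longer exist.
#    (D2 is the non-authoritative flavour and is wrong for a lone DC.)
Stop-Service NtFrs
Set-ItemProperty -Path "$ntfrs\Cumulative Replica Sets\$guid" -Name BurFlags -Value 0xD4 -Type DWord
Start-Service NtFrs

# 2b. Not in the thread's KB list: tell NTDS not to require an initial replication
#     before it considers its FSMO roles valid (the condition behind dcdiag's
#     "has not finished initializing" and the Directory Service event 2092).
#     Takes effect after AD DS restarts; on 2008 the service is restartable.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'Repl Perform Initial Synchronizations' -Value 0 -Type DWord
Restart-Service NTDS -Force   # or reboot; -Force restarts the dependent KDC/Netlogon/ISM services too

# 3. Seize all five roles onto this DC. The original holder cannot be contacted,
#    so a transfer is impossible; ntdsutil tries a transfer first, then seizes.
#    Each "seize" pops a confirmation dialog that has to be acknowledged.
$me = $env:COMPUTERNAME
ntdsutil 'roles' 'connections' "connect to server $me" 'quit' `
    'seize schema master' 'seize naming master' 'seize RID master' `
    'seize PDC' 'seize infrastructure master' 'quit' 'quit'

# 4. Verify: FRS must log event 13516 (SYSVOL shared, DC no longer blocked), all
#    roles must list this server, and the dcdiag tests tied to the thread's
#    symptoms (advertising, NETLOGON share, RID pool, role holders) must pass.
Start-Sleep -Seconds 60
Get-EventLog -LogName 'File Replication Service' -Newest 20 |
    Where-Object { $_.EventID -eq 13516 } | Select-Object TimeGenerated, EventID
netdom query fsmo
foreach ($test in 'Advertising', 'NetLogons', 'RidManager', 'KnowsOfRoleHolders') { dcdiag /test:$test }
```

If event 13516 never appears after FRS restarts, check the File Replication Service log for the preceding error instead of re-applying D4; the flag is consumed on the first restart and resets to 0. Once "Active Directory Users and Computers" opens and the RidManager test passes, the SAM 16651 error in the original post should stop recurring, because the DC now trusts its own RID master role.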

Dev_T
Level 6
Hello,

Change the DNS suffix of the domain controller: go to Computer Properties > Computer Name > Change > More and change the DNS suffix.

Ronald_Wind
Level 2
Thanks guys for your replies.

I don't have the time today to check if this works but I will report back next week. Hopefully this will fix my issues.