(2014-07-28) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 2)
Posted by Jorge on 2014-07-28
PART 1 is here.
WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may break or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!
All the objects related to the RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ in any way are still available on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ itself, but are either deleted or not up-to-date on the rest of the RWDCs in the AD forest (think about configuration partition and the read-only child AD domain partition on GCs). To make sure those objects are either updated or undeleted, I have to increase the version of all those objects on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ as it is authoritative for those objects.
The list of objects is:
- Server Object: CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
- NTDS Settings Object: CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
- All connection objects
- RWDC computer account: CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
- RWDC Rid Set Object: CN=RID Set,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
- DFSR Settings Object: CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
- SYSVOL Subscriber Object: CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
- SYSVOL Subscription Object: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
- DFSR Membership Object: CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
REMARK: If you are not DFS-R yet for SYSVOL replication, then you need to think about ALL NTFRS objects for that RWDC!
When authoritatively restoring the objects above, you can either increase the version of every single object individually, or increase the version of a complete subtree. I preferred to increase the version of the complete subtree as that was less work and achieved the same end result. So I will only be restoring the yellow-marked objects (the subtree roots), as all child objects will have their version increased automatically.
Remember, in this scenario I do not need to restore anything; I just want to increase the version of the objects so that during AD replication their version wins and updates or restores the same objects on the other RWDCs. To do this you need to either restart ‘C1FSRWDC1.CHILD.ADCORP.LAB’ in DSRM or just stop the AD DS service on it (preferred!). It is not necessary to increase the version by the default of 100000; in this case I just increase the version by 25. For all the steps see below.
Figure 1: Stopping The Active Directory Domain Services (NTDS) Service And All Dependent Services
Figure 2: Authoritatively Restoring (Increasing The Version Of) The DFSR Membership Object And Any Leaf Objects
Figure 3: Authoritatively Restoring (Increasing The Version Of) The RWDC computer account And Any Leaf Objects
Figure 4: Authoritatively Restoring (Increasing The Version Of) The Server Object And Any Leaf Objects
In figures 2, 3 and 4 you see that NTDSUTIL created both TXT and LDF files. You can find those files in the folder where NTDSUTIL was started. The TXT files just tell you for which objects the authoritative restore was done, and the LDF files contain the objects with the forward links that correspond to any backlink on the authoritatively restored objects. When performing authoritative restores, it is very important to import every LDF file against a RWDC hosting the partition the LDF contains objects for: this restores the links between objects and makes sure AD replication resolves any inconsistencies. In this case all LDF files can be imported against ‘C1FSRWDC1.CHILD.ADCORP.LAB’. And of course, before importing the LDF files, start the AD DS service again! Wait a minute or so to make sure all other dependent services have started too. Oh, and do not worry about any errors regarding object class violations: the import of the LDF files first deletes the values and then repopulates them, and when trying to delete a value of a mandatory attribute you get this error.
Figure 5: Starting The Active Directory Domain Services (NTDS) Service And Importing All LDF Files
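The whole procedure from figure 1 to figure 5 in one script, as an added PowerShell example that is not the post's own script. It uses the host name, the three subtree DNs and the version increase of 25 from the post; the working folder C:\AuthRestore is an assumption, and NTDSUTIL is started from that folder so its TXT and LDF files land there.

```powershell
# Added example, not the post's own script. Stop AD DS, increase the version of the
# three subtrees by 25, start AD DS again, import every LDF file NTDSUTIL produced
# and show the resulting object metadata. Host name, DNs and version increase come
# from the post; $WorkDir is an assumed folder. Run in an elevated PowerShell on
# C1FSRWDC1 (restartable AD DS, 2008 or later) as a member of Enterprise Admins,
# because the server object lives in the configuration partition.

$Dc       = 'C1FSRWDC1.CHILD.ADCORP.LAB'
$VerInc   = 25                  # the post increases the version by 25, not the default 100000
$WorkDir  = 'C:\AuthRestore'    # assumption; NTDSUTIL writes its TXT/LDF files to its start folder
$Subtrees = @(                  # subtree roots from the post; child objects are bumped automatically
    'CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB',
    'CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB',
    'CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB'
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# Step 1 (figure 1): stop NTDS. -Force also stops the services that depend on it
# (KDC, DNS, DFSR, ...); remember which ones were running so they can be restarted.
$Dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 2 (figures 2-4): authoritative restore with a version increase per subtree.
# Each NTDSUTIL command is one argument; the DN is quoted inside that argument
# because it contains spaces. NTDSUTIL asks for a Yes/No confirmation before every
# restore, so this part stays interactive.
foreach ($dn in $Subtrees) {
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
        "restore subtree `"$dn`" verinc $VerInc" quit quit
}

# Step 3 (figure 5): start AD DS again plus the services that were stopped with it,
# then give them a minute to settle, as the post does.
Start-Service -Name NTDS
foreach ($svc in $Dependents) { Start-Service -Name $svc.Name -ErrorAction Continue }
Start-Sleep -Seconds 60

# Step 4 (figure 5): import every LDF file against the RWDC hosting the partition.
# -i = import, -k = keep going on "Constraint Violation"/"Object Already Exists",
# -j = folder for the LDIFDE log. Object class violations on mandatory attributes
# are the expected errors described in the post.
Get-ChildItem -Path $WorkDir -Filter '*.ldf' | ForEach-Object {
    & ldifde.exe -i -k -f $_.FullName -s $Dc -j $WorkDir
}

# Check: the Ver column for the restored objects' attributes should now be at least
# $VerInc higher on the authoritative RWDC. Once replication has converged, the same
# command against any other RWDC should show the same versions.
foreach ($dn in $Subtrees) {
    & repadmin.exe /showobjmeta $Dc $dn
}
```

Two points worth knowing before running it: the NTDSUTIL confirmation dialog cannot be suppressed, so the script has to be attended during step 2, and without -k LDIFDE stops at the first error instead of continuing past the expected object class violations; -k is the switch Microsoft documents for importing the link LDF files after an authoritative restore.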
PART 3 continues here.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
This entry was posted on 2014-07-28 at 23:00 and is filed under Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL.