(2021-11-30) Presenting At The Hybrid Identity Conference 2021

HIP 2021 starts tomorrow (Wednesday, December 1st)!

You can catch me going LIVE at #HIP2021 on December 2nd (Thursday) at 10:30am – 11:30am EST (16:30pm – 17:30pm CET) as I join in on the conversation about the hybrid identity world with my session, “Resurrecting After A Ransomware Attack – Be Secure, And Prepared!”!

You can still register for FREE using the following link:

https://www.accelevents.com/e/hipconf2021?aff=jorgedap

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################

————————————————————————————————————————————————————

IAMTEC

Identity | Security | Recovery

————————————————————————————————————————————————————-

(2014-11-25) Troubleshooting Issues With Lingering Objects And Solving It

The following resources can help you troubleshoot issues with lingering objects:

• (2005-11-24) What Happens When The Disconnection Of A DC Exceeds The Tombstone Lifetime?
• (2006-05-08) Lingering Objects
• (2012-07-19) Active Directory Replication Status Tool
• Information about lingering objects in a Windows Server Active Directory forest
• Lingering objects prevent Active Directory replication from occurring
• Information about lingering objects in a Windows Server Active Directory forest
• Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
• Troubleshooting AD Replication error 8606: "Insufficient attributes were given to create an object"
• Clean that Active Directory forest of lingering objects
• Troubleshooting replication with ReplDiag.exe [part 1 of 4]
• Cleaning lingering objects across the forest with ReplDiag.exe [Part 2 of 4]
• Why does ReplDiag.exe error out with the message that the topology isn’t stable? [Part 3 of 4]
• Can I clean one partition at a time with ReplDiag, and other tips [Part 4 of 4]
• Remove Lingering Objects that cause AD Replication error 8606 and friends

–

Tools:

• REPLDIAG – Active Directory Utilities (Current Versions)
• https://connect.microsoft.com/directory/non-feedback (make sure to logon with a Microsoft Account, Join the AD Health Program, and download from: Lingering Object Liquidator)

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2011-06-22) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 4)

In the past I explained in multiple posts how to restore the SYSVOL on a DC when it is replicated through either NTFRS or DFS-R. Those procedures (including screen dumps) can be found through the following links:

• Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)
• Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)
• Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)

In this post I will explain another method that is also available to restore the SYSVOL in an authoritative and non-authoritative way when it is replicated through DFS-R. The information posted here will be based upon the following Microsoft KB article:

• How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)

In addition to what the KB article already mentions, this post will contain additional information such as PowerShell command lines used and screen dumps.

–

SYSVOL Replicated Through DFS-R – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R, use the following steps (preferably on the RWDC with the PDC FSMO role!):

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE";"msDFSR-Options"=1}
  (this disables the replicated folder on this target and marks the target as primary, or in other words authoritative)
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a DOS command prompt

• DFSRDIAG POLLAD
  

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes):

Event ID 4008 in the DFS Replication Event Log appears:

Event ID 2010 in the DFS Replication Event Log appears:

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
  (this re-enables the replicated folder on this target)
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a DOS command prompt

• DFSRDIAG POLLAD
  

Event ID 4602 in the DFS Replication Event Log appears:

–

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore On RWDC – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R on a RWDC, use the following steps:

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE"}
  (this disables the replicated folder on this target)
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a DOS command prompt

• DFSRDIAG POLLAD
  

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes):

Event ID 4008 in the DFS Replication Event Log appears:

Event ID 2010 in the DFS Replication Event Log appears:

As an optional steps, you can specify a specific replication (sourcing) partner for the SYSVOL

• Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols
  
  • Value name: Parent Computer
    
  • Value type: REG_SZ
    
  • Value data: <FQDN of RWDC to source from>
    

REMARK: If you do not use this method to specify the source computer, any Active Directory replication partner that has the SYSVOL replicated folder in the NORMAL state could end up being used as the source.

–

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
  (this re-enables the replicated folder on this target)
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a DOS command prompt

• DFSRDIAG POLLAD
  

Event ID 4614 in the DFS Replication Event Log appears:

Event ID 4604 in the DFS Replication Event Log appears:

–

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore On RODC – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R on a RODC, use the following steps:

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE"}
  (this disables the replicated folder on this target)
  (execute this either on the RODC with sufficient permissions AND make sure you can access the Active Directory Web Service (ADWS) (tcp:9389) on the RWDC (through referral by RODC) from the RODC, OR execute this on the RWDC with sufficient access permissions)
  

You then either wait until the change that originated on an RWDC reaches the RODC, or you force inbound AD replication on the RODC. Within a DOS command prompt

• REPADMIN /SYNCALL R2FSRODC5.ADDMZ.LAN /A /d /q
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a DOS command prompt

• DFSRDIAG POLLAD
  

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes):

Event ID 4008 in the DFS Replication Event Log appears:

Event ID 2010 in the DFS Replication Event Log appears:

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
  (this re-enables the replicated folder on this target)
  (execute this either on the RODC with sufficient permissions AND make sure you can access the Active Directory Web Service (ADWS) (tcp:9389) on the RWDC (through referral by RODC) from the RODC, OR execute this on the RWDC with sufficient access permissions)
  

You then either wait until the change that originated on an RWDC reaches the RODC, or you force inbound AD replication on the RODC. Within a DOS command prompt

• REPADMIN /SYNCALL R2FSRODC5.ADDMZ.LAN /A /d /q
  

Within a PowerShell command prompt

• Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  
• Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *
  

Within a DOS command prompt

• DFSRDIAG POLLAD
  

Event ID 4614 in the DFS Replication Event Log appears:

Event ID 4604 in the DFS Replication Event Log appears:

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)

This post focuses on restoring the SYSVOL when replicated through the DFS-R mechanism. For the previous posts see here and here.

SYSVOL Replicated Through DFS-R – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R, use the following steps:

• Start the Registry Editor
  
• Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\DFSR"
  
• Create a key called "Restore" (only time only)
  
• Create a string value called "SYSVOL" (only time only)
  
• For the string value called "SYSVOL" assign the value of authoritative
  
• Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore"
  
• Create a key called "SystemStateRestore" (only time only)
  
• Create a string value called "LastRestoreId" (only time only)
  
• For the string value called "LastRestoreId" [1] assign the value of 10000000-0000-0000-0000-000000000000
  
• Stop the DFSR Service
  
• Start the DFSR Service
  

From the command-line the same can be achieved through:

• REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d "authoritative" /f
  
• [1] REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d "10000000-0000-0000-0000-000000000000" /f
  
• NET STOP DFSR
  
• NET START DFSR
  

[1] When a backup application performs a system state restore, it must indicate that it has done so by setting the LastRestoreId registry value. The LastRestoreId is a GUID that is formatted as 00000000-0000-0000-0000-000000000000. The GUID has to be different each time a restore is requested. For example, if you have the LastRestoreId set as 10000000-0000-0000-0000-000000000000, for the next restore you have to set it to a different GUID, such as 20000000-0000-0000-0000-000000000000. For more information about setting LastRestoreId, see Registry Keys and Values for Backup and Restore.

As soon as the DFS-R Service starts, the following events appear with information about the non-authoritative restore.

Event ID 2109

Event ID 2110

Event ID 4106

Event ID 4108

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R, use the following steps:

• Start the Registry Editor
  
• Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\DFSR"
  
• Create a key called "Restore" (only time only)
  
• Create a string value called "SYSVOL" (only time only)
  
• For the string value called "SYSVOL" assign the value of non-authoritative
  
• Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore"
  
• Create a key called "SystemStateRestore" (only time only)
  
• Create a string value called "LastRestoreId" (only time only)
  
• For the string value called "LastRestoreId" [1] assign the value of 10000000-0000-0000-0000-000000000000
  
• Stop the DFSR Service
  
• Start the DFSR Service
  

From the command-line the same can be achieved through:

• REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d "non-authoritative" /f
  
• [1] REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d "10000000-0000-0000-0000-000000000000" /f
  
• NET STOP DFSR
  
• NET START DFSR
  

[1] When a backup application performs a system state restore, it must indicate that it has done so by setting the LastRestoreId registry value. The LastRestoreId is a GUID that is formatted as 00000000-0000-0000-0000-000000000000. The GUID has to be different each time a restore is requested. For example, if you have the LastRestoreId set as 10000000-0000-0000-0000-000000000000, for the next restore you have to set it to a different GUID, such as 20000000-0000-0000-0000-000000000000. For more information about setting LastRestoreId, see Registry Keys and Values for Backup and Restore.

As soon as the DFS-R Service starts, the following events appear with information about the non-authoritative restore.

Event ID 2109

Event ID 2110

Event ID 4110

Event ID 4102

Event ID 4604

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)

This post focuses on restoring the SYSVOL when replicated through the NTFRS mechanism. For the previous post see here and for the next post see here.

SYSVOL Replicated Through NTFRS – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using NTFRS, use the following steps:

• Start the Registry Editor
  
• Navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
  
• Double-click on "BurFlags"
  
• Assign it a value of D4 (hex) or 212 (dec)
  
• Stop the NTFRS Service
  
• Start the NTFRS Service
  

From the command-line the same can be achieved through:

• REG ADD "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 212 /f
  
• NET STOP NTFRS
  
• NET START NTFRS
  

Also see Using the BurFlags registry key to reinitialize File Replication Service replica sets

As soon as the NTFRS Service starts, the following events appear with information about the non-authoritative restore.

Event ID 13566

Event ID 13553

Event ID 13554

Event ID 13516

SYSVOL Replicated Through NTFRS – Non-Authoritative Restore – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using NTFRS, use the following steps:

• Start the Registry Editor
  
• Navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
  
• Double-click on "BurFlags"
  
• Assign it a value of D2 (hex) or 210 (dec)
  
• Stop the NTFRS Service
  
• Start the NTFRS Service
  

From the command-line the same can be achieved through:

• REG ADD "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 210 /f
  
• NET STOP NTFRS
  
• NET START NTFRS
  

Also see Using the BurFlags registry key to reinitialize File Replication Service replica sets

As soon as the NTFRS Service starts, the following events appear with information about the non-authoritative restore.

Event ID 13565

Event ID 13520

Event ID 13553

Event ID 13554

Event ID 13516

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)

The SYSVOL contains logon scripts and GPOs for a particular AD domain. It replicates to all RWDCs and RODCs. When, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with "Windows Server 2003" or lower, then the SYSVOL will use NTFRS as its replication mechanism. At a later stage when you increase the DFL to at least "Windows Server 2008", you can migrate the replication of the SYSVOL from NTFRS to DFS-R. The process for doing that is explained in the SYSVOL Replication Migration Guide: FRS to DFS Replication (Web Based) or SYSVOL Replication Migration Guide: FRS to DFS Replication (Word Doc).

If you need to migrate OTHER DFS NameSpaces from NTFRS to DFS-R then look at DFS Operations Guide: Migrating from FRS to DFS Replication and FRS to DFSR Migration Tool Released.

However, when, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with at least "Windows Server 2008", then the SYSVOL will use DFS-R as its replication mechanism right away and no migration is needed to migration the replication of the SYSVOL from NTFRS to DFS-R.

The use of DFS-R, compared to NTFRS, is way better in terms of performance and stability. DFS-R also works better with RODCs than NTFRS. When the SYSVOL on an RODC is adjusted locally, the changes will remain and will not replicate out because the RODC does not support Outbound Replication to any DC. Over time, if you do this too often you will get inconsistencies. To resolve these consistencies you may need to do a non-authoritative restore of the SYSVOL when replicated by NTFRS. If the same occured on the RODC and DFS-R is being used as the replication mechanism for the SYSVOL, then the local change would be detected and reverted as if nothing had happen. This makes sure the SYSVOL contents remains consistent on RODCs. For other differences see The Case for Migrating SYSVOL to DFSR.

The availability of the SYSVOL is very important for users, because if it is not available on a certain DC (RWDC or RODC), both users and computers cannot log on using that DC.

For both replication mechanisms I will explain how to do an authoritative restore or a non-authoritative restore of the SYSVOL using either replication mechanism.

Authoritative Restore

With an authoritative restore, the data that’s being restored is leading compared to all other versions of that same data on onther DCs. Taking that into account, when doing an authoritative restore on a RWDC, one should not forget that all other RWDCs and RODCs must do a non-authoritative restore.

Non-Authoritative Restore

With a non-authoritative restore, the data that’s being restored or that is in place is not leading compared to all other versions of that same data on onther DCs. To get the most recent data, the DC for which a non-authoritative restore was done must get the most recent data from another DC.

For the post on restoring the SYSVOL when replicated through the NTFRS mechanism see here.

For the post on restoring the SYSVOL when replicated through the DFS-R mechanism see here.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2006-03-08) Backup And Restore Of Active Directory

The procedure to backup AD or DCs has always been (and as for now will always be) to use a VALID system state of a DC. However, times are changing and all kinds of new technologies and ideas are being used. Although I’m DO NOT promote the use of unsupported backup/restore mechanisms I’m going to mention a procedure here that allows you to use one of the unsupported methods. The main reason for this is that the information is publicaly available from Microsoft (Running Domain Controllers in Virtual Server 2005 – http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en) but it is INCOMPLETE and will people will hurt themselves if done incorrectly!

DISCLAIMER:

• You are responsible on your own when using this procedure
• This posting is provided "AS IS" with no warranties and confers no rights!
• Always test before implementing/using tools/procedures!

 

BEST and SUPPORTED way for backup/restore of AD/DCs

• Supported backup/restore mechanisms/tools
• Using (at least) system state backups

More information:

• Backing Up Active Directory Components
  • http://technet2.microsoft.com/WindowsServer/en/Library/27efdda8-2766-4d28-b1d0-daeef7ba5b3c1033.mspx
• Performing a Nonauthoritative Restore of a Domain Controller
  • http://technet2.microsoft.com/WindowsServer/en/Library/f3bfb611-dcbe-4365-8f1d-3321916aeb631033.mspx
• Performing an Authoritative Restore of Active Directory Objects
  • http://technet2.microsoft.com/WindowsServer/en/Library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx

 

FAST and UNSUPPORTED ways for backup/restore of AD/DCs

• Disk images (cloning)
• Virtual machine images
• Breaking RAID 1 (mirroring) configurations

 

Dangers of NOT using supported AD aware backup/restore mechanisms

• USN rollbacks in AD and in the SYSVOL
• Inconsistent data in AD and in the SYSVOL
• Effects:
  • Other DCs know more about a certain DC then the DC itself

Risk mitigation

• Use ONLY SUPPORTED backup/restore mechanisms!!!
• Follow instructions in "Running Domain Controllers in Virtual Server 2005"
• Implement hotfixes: MS-KBQ885875 (W2K) & MS-KBQ875495 (W2K3) (also included in W2K3 SP1)

 

So let’s take a look at WHAT are USN rollbacks (in AD).

The following example environment where nothing is wrong.

 

Now lets have a look at the up-to-dateness vector of ALL DCs in the forest on each DC in the forest…

For each DC with its own color the dotted lines should ALWAYS have the same value or lower than the normal line!!! (everything is OK voor ROOTDC001, ROOTDC002 and CHLDDC001)

 

The following example environment where something IS wrong because a non- AD aware restore solution has been used

 

Now lets have a look at the up-to-dateness vector of ALL DCs in the forest on each DC in the forest…

For each DC with its own color the dotted lines should ALWAYS have the same value or lower than the normal line!!!. As you can see the ROOTDC001 and CHLDDC001 know more about ROOTDC002 than ROOTDC002 itself and THAT is wrong!

 

How to detect and recover from a USN rollback in Windows 2000 Server

• http://support.microsoft.com/?id=885875

How to detect and recover from a USN rollback in Windows Server 2003

• http://support.microsoft.com/?id=875495

 

So what do MS-KBQ885875/MS-KBQ875495 really do?

• Detect USN rollbacks in AD, NOT in the SYSVOL
• USN Rollback detection NOT guaranteed for 100%!!!
• Pauses the NETLOGON service WHEN USN rollback in AD is detected!
• Disables inbound and outbound AD replication (event ID 1113/1115), NOT SYSVOL replication,  WHEN USN rollback in AD is detected!
• Logs event IDs 2095 and 2103 in the directory services event log
• BOTH HOTFIXES also provide:
  • Supported recovery option that mimics a system state restore

 

That recovery option has the following requirements!

• Hotfixes installed/implemented PRIOR to the failure
• Use ONLY images WITHIN the “tombstone lifetime” timeframe
• Use ONLY images that have NEVER been booted after creation (this is VERY IMPORTANT. If it has been booted into normal DC mode, it is useless and you need to start over!!!)
• Make sure the SAME DC is NOT running elsewhere
• Follow requirements and instructions mentioned in:
  • MS-KBQ885875 & MS-KBQ875495
  • "Running Domain Controllers in Virtual Server 2005"

Procedure for using the recovery option:

• “Restore” the image
• !!! Boot into DSRM !!! (not connected to the network)
• Note the value of “DSA Previous Restore Count”
  (HKLMSystemCurrentControlSetServicesNTDSParameters) (Not visible? –> Assume value of 0)
• Add the entry “Database restored from backup” (DWORD) with a value of 1
  (HKLMSystemCurrentControlSetServicesNTDSParameters) (This triggers the actions needed for AD right after a system state restore!)
• Stop the “File Replication Service (NTFRS)” and assign the value “D4” (for auth. or primary restore) or “D2” (for an non-auth. restore) to the entry “BurFlags” in (HKLMCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at Startup)
  (This triggers the actions needed for the SYSVOL right after a system state restore!) (and other replicated DFS namespaces!)
  (also see: Using the BurFlags registry key to reinitialize File Replication Service replica sets – http://support.microsoft.com/?id=290762)
• Boot into normal DC mode (not connected to the network)
• Check the value of “DSA Previous Restore Count”
  (HKLMSystemCurrentControlSetServicesNTDSParameters) (New value = old value + 1)
• In the DS event log check for event ID 1109
• In the FRS event log check for event ID 13565 & 13520 if a non-auth. restore was performed for the SYSVOL
• In the FRS event log check for event ID 13566 if an auth. restore was performed for the SYSVOL
• Connect to the network again
• Check the health of the DC (AD & SYSVOL)
  • DCDIAG /D /C /V
  • NETDIAG /DEBUG /V
  • GPOTOOL.EXE /CHECKACL /VERBOSE
  • REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>
• DONE!

 

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————