Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Backup And Restore’ Category

(2014-11-25) Troubleshooting Issues With Lingering Objects And Solving It

Posted by Jorge on 2014-11-25


The following resources can help you troubleshoot issues with lingering objects:

Tools:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————


Posted in Active Directory Domain Services (ADDS), Backup And Restore, Lingering Objects, Replication | Leave a Comment »

(2011-06-22) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 4)

Posted by Jorge on 2011-06-22


In the past I explained in multiple posts how to restore the SYSVOL on a DC when it is replicated through either NTFRS or DFS-R. Those procedures (including screen dumps) can be found through the following links:

In this post I will explain another method that is also available to restore the SYSVOL in an authoritative and non-authoritative way when it is replicated through DFS-R. The information posted here will be based upon the following Microsoft KB article:

In addition to what the KB article already mentions, this post will contain additional information such as PowerShell command lines used and screen dumps.

SYSVOL Replicated Through DFS-R – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R, use the following steps (preferably on the RWDC with the PDC FSMO role!):

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE";"msDFSR-Options"=1}
    (this disables the replicated folder on this target and marks the target as primary, or in other words authoritative)

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a DOS command prompt

  • DFSRDIAG POLLAD

image

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes):

image

Event ID 4008 in the DFS Replication Event Log appears:

image

Event ID 2010 in the DFS Replication Event Log appears:

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
    (this re-enables the replicated folder on this target)

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC1,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a DOS command prompt

  • DFSRDIAG POLLAD

image

Event ID 4602 in the DFS Replication Event Log appears:

image

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore On RWDC – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R on a RWDC, use the following steps:

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE"}
    (this disables the replicated folder on this target)

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a DOS command prompt

  • DFSRDIAG POLLAD

image

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes):

image

Event ID 4008 in the DFS Replication Event Log appears:

image

Event ID 2010 in the DFS Replication Event Log appears:

image

As an optional step, you can specify a specific replication (sourcing) partner for the SYSVOL:

  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols
    • Value name: Parent Computer
    • Value type: REG_SZ
    • Value data: <FQDN of RWDC to source from>

REMARK: If you do not use this method to specify the source computer, any Active Directory replication partner that has the SYSVOL replicated folder in the NORMAL state could end up being used as the source.

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
    (this re-enables the replicated folder on this target)

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRWDC2,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a DOS command prompt

  • DFSRDIAG POLLAD

image

Event ID 4614 in the DFS Replication Event Log appears:

image

Event ID 4604 in the DFS Replication Event Log appears:

image

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore On RODC – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R on a RODC, use the following steps:

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="FALSE"}
    (this disables the replicated folder on this target)
    (execute this either on the RODC, with sufficient permissions and with access from the RODC to the Active Directory Web Service (ADWS) (tcp:9389) on the RWDC the RODC refers the write to, or on the RWDC with sufficient access permissions)

image

You then either wait until the change, which originated on an RWDC, reaches the RODC, or you force inbound AD replication on the RODC.

Within a DOS command prompt

  • REPADMIN /SYNCALL R2FSRODC5.ADDMZ.LAN /A /d /q

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a DOS command prompt

  • DFSRDIAG POLLAD

image

Event ID 4114 in the DFS Replication Event Log appears (after the first occurrence, this event will be repeated every 5 minutes):

image

Event ID 4008 in the DFS Replication Event Log appears:

image

Event ID 2010 in the DFS Replication Event Log appears:

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Set-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -Replace @{"msDFSR-Enabled"="TRUE"}
    (this re-enables the replicated folder on this target)
    (execute this either on the RODC, with sufficient permissions and with access from the RODC to the Active Directory Web Service (ADWS) (tcp:9389) on the RWDC the RODC refers the write to, or on the RWDC with sufficient access permissions)

image

You then either wait until the change, which originated on an RWDC, reaches the RODC, or you force inbound AD replication on the RODC.

Within a DOS command prompt

  • REPADMIN /SYNCALL R2FSRODC5.ADDMZ.LAN /A /d /q

image

Within a PowerShell command prompt

  • Import-Module ActiveDirectory (only if not already done previously within the same PowerShell command prompt window)
  • Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=R2FSRODC5,OU=Domain Controllers,DC=ADDMZ,DC=LAN" -properties *

image

Within a DOS command prompt

  • DFSRDIAG POLLAD

image

Event ID 4614 in the DFS Replication Event Log appears:

image

Event ID 4604 in the DFS Replication Event Log appears:

image
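The three DFS-R procedures above (authoritative, non-authoritative on an RWDC, non-authoritative on an RODC) differ only in which attributes are replaced and whether the AD write has to be pulled onto the RODC first, so they can be driven by one function. The following is an added example, not code from the original post; the function and parameter names are its own, and it assumes the ActiveDirectory module, dfsrdiag.exe and repadmin.exe are available and that it runs with sufficient rights on the DC being restored (for an RODC, with ADWS access to an RWDC).

```powershell
Import-Module ActiveDirectory

function Get-SysvolSubscription {
    # Builds the DN of the DC's "SYSVOL Subscription" object from its computer object
    # instead of hard-coding it, so the same code works for any DC name
    param([Parameter(Mandatory = $true)][string]$DcName)
    $dc = Get-ADComputer -Identity (($DcName -split '\.')[0])
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.DistinguishedName)"
    Get-ADObject -Identity $dn -Properties 'msDFSR-Enabled', 'msDFSR-Options'
}

function Wait-DfsrEvent {
    # Polls the DFS Replication log until one of the given event IDs is logged after $Since
    param([int[]]$EventId, [datetime]$Since, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $filter = @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        $ev = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event $($EventId -join '/')"
}

function Invoke-DfsrSysvolRestore {
    param(
        [Parameter(Mandatory = $true)][string]$DcName,  # DC whose SYSVOL is restored (FQDN for an RODC)
        [switch]$Authoritative,                         # default: non-authoritative
        [switch]$IsRodc,                                # RODC: the AD write lands on an RWDC first
        [string]$ParentComputer                         # optional FQDN of the RWDC to seed from
    )
    if ($Authoritative -and $IsRodc) { throw 'An RODC cannot be the authoritative SYSVOL source.' }
    $started = Get-Date
    $sub = Get-SysvolSubscription -DcName $DcName

    # Step 1: disable the replicated folder; msDFSR-Options=1 additionally marks it primary
    $disable = @{ 'msDFSR-Enabled' = 'FALSE' }
    if ($Authoritative) { $disable['msDFSR-Options'] = 1 }
    Set-ADObject -Identity $sub.DistinguishedName -Replace $disable
    # On an RODC the change was written on an RWDC; force inbound AD replication to pick it up
    if ($IsRodc) { & repadmin.exe /syncall $DcName /A /d /q | Out-Null }
    if ($ParentComputer) {
        # Without this, any partner whose SYSVOL folder is in NORMAL state may be used as source
        $seed = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols'
        New-Item -Path $seed -Force | Out-Null
        Set-ItemProperty -Path $seed -Name 'Parent Computer' -Value $ParentComputer -Type String
    }
    & dfsrdiag.exe pollad | Out-Null
    # 4114 = replicated folder disabled (4008 and 2010 follow as the service re-reads its config)
    Wait-DfsrEvent -EventId 4114 -Since $started | Out-Null

    # Step 2: re-enable the replicated folder and wait for the completion event
    Set-ADObject -Identity $sub.DistinguishedName -Replace @{ 'msDFSR-Enabled' = 'TRUE' }
    if ($IsRodc) { & repadmin.exe /syncall $DcName /A /d /q | Out-Null }
    & dfsrdiag.exe pollad | Out-Null
    # 4602 = SYSVOL initialized as primary; 4614 then 4604 = initialized from a partner
    $finalId = if ($Authoritative) { 4602 } else { 4604 }
    Wait-DfsrEvent -EventId $finalId -Since $started
}

# Example calls (constructed names): authoritative on the PDC emulator, then the other DCs
# Invoke-DfsrSysvolRestore -DcName 'R2FSRWDC1' -Authoritative
# Invoke-DfsrSysvolRestore -DcName 'R2FSRWDC2' -ParentComputer 'R2FSRWDC1.ADDMZ.LAN'
# Invoke-DfsrSysvolRestore -DcName 'R2FSRODC5.ADDMZ.LAN' -IsRodc
```

The returned object is the final event record, so its TimeCreated and Message can be kept as evidence that the restore completed on that DC.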

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Backup And Restore, Blog Post Series | 3 Comments »

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)

Posted by Jorge on 2010-08-12


This post focuses on restoring the SYSVOL when replicated through the DFS-R mechanism. For the previous posts see here and here.

SYSVOL Replicated Through DFS-R – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R, use the following steps:

  • Start the Registry Editor
  • Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\DFSR"
  • Create a key called "Restore" (one time only)
  • Create a string value called "SYSVOL" (one time only)
  • For the string value called "SYSVOL" assign the value of authoritative
  • Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore"
  • Create a key called "SystemStateRestore" (one time only)
  • Create a string value called "LastRestoreId" (one time only)
  • For the string value called "LastRestoreId" [1] assign the value of 10000000-0000-0000-0000-000000000000
  • Stop the DFSR Service
  • Start the DFSR Service

From the command-line the same can be achieved through:

  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d "authoritative" /f
  • [1] REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d "10000000-0000-0000-0000-000000000000" /f
  • NET STOP DFSR
  • NET START DFSR

[1] When a backup application performs a system state restore, it must indicate that it has done so by setting the LastRestoreId registry value. The LastRestoreId is a GUID that is formatted as 00000000-0000-0000-0000-000000000000. The GUID has to be different each time a restore is requested. For example, if you have the LastRestoreId set as 10000000-0000-0000-0000-000000000000, for the next restore you have to set it to a different GUID, such as 20000000-0000-0000-0000-000000000000. For more information about setting LastRestoreId, see Registry Keys and Values for Backup and Restore.

image

image

As soon as the DFS-R Service starts, the following events appear with information about the authoritative restore.

Event ID 2109

image

Event ID 2110

image

Event ID 4106

image

Event ID 4108

image

SYSVOL Replicated Through DFS-R – Non-Authoritative Restore – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R, use the following steps:

  • Start the Registry Editor
  • Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\DFSR"
  • Create a key called "Restore" (one time only)
  • Create a string value called "SYSVOL" (one time only)
  • For the string value called "SYSVOL" assign the value of non-authoritative
  • Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore"
  • Create a key called "SystemStateRestore" (one time only)
  • Create a string value called "LastRestoreId" (one time only)
  • For the string value called "LastRestoreId" [1] assign the value of 10000000-0000-0000-0000-000000000000
  • Stop the DFSR Service
  • Start the DFSR Service

From the command-line the same can be achieved through:

  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d "non-authoritative" /f
  • [1] REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d "10000000-0000-0000-0000-000000000000" /f
  • NET STOP DFSR
  • NET START DFSR

[1] When a backup application performs a system state restore, it must indicate that it has done so by setting the LastRestoreId registry value. The LastRestoreId is a GUID that is formatted as 00000000-0000-0000-0000-000000000000. The GUID has to be different each time a restore is requested. For example, if you have the LastRestoreId set as 10000000-0000-0000-0000-000000000000, for the next restore you have to set it to a different GUID, such as 20000000-0000-0000-0000-000000000000. For more information about setting LastRestoreId, see Registry Keys and Values for Backup and Restore.

image

image

As soon as the DFS-R Service starts, the following events appear with information about the non-authoritative restore.

Event ID 2109

image

Event ID 2110

image

Event ID 4110

image

Event ID 4102

image

Event ID 4604

image
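The registry-driven authoritative and non-authoritative procedures above share every step except the value written to Restore\SYSVOL, and both depend on footnote [1]: LastRestoreId must be a GUID that differs from the one used for the previous restore. The following added example (not code from the original post) reads the previous GUID and generates a fresh one before restarting DFSR, then reports which of the events listed above did not show up. It assumes it runs elevated on the DC being restored; the function and parameter names are its own.

```powershell
function Invoke-DfsrSysvolRegistryRestore {
    param(
        [ValidateSet('authoritative', 'non-authoritative')]
        [string]$Mode = 'non-authoritative'
    )
    $restoreKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Restore'
    $ssKey      = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore'
    $string     = [Microsoft.Win32.RegistryValueKind]::String

    # LastRestoreId must differ each time a restore is requested (footnote [1]):
    # read whatever the last restore left behind and never write that value again
    $previousId = [Microsoft.Win32.Registry]::GetValue($ssKey, 'LastRestoreId', $null)
    do { $newId = [guid]::NewGuid().ToString() } while ($newId -eq $previousId)

    $started = Get-Date
    # SetValue creates the Restore / SystemStateRestore keys if they do not exist yet
    [Microsoft.Win32.Registry]::SetValue($restoreKey, 'SYSVOL', $Mode, $string)
    [Microsoft.Win32.Registry]::SetValue($ssKey, 'LastRestoreId', $newId, $string)
    Restart-Service -Name DFSR -Force

    # Events the post lists for each mode; 2109 and 2110 are common to both
    $expected = if ($Mode -eq 'authoritative') { 2109, 2110, 4106, 4108 } else { 2109, 2110, 4110, 4102, 4604 }
    Start-Sleep -Seconds 90
    $seen = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = $started } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Id } | Sort-Object -Unique
    New-Object PSObject -Property @{
        Mode          = $Mode
        LastRestoreId = $newId
        PreviousId    = $previousId
        MissingEvents = @($expected | Where-Object { $seen -notcontains $_ })
    }
}

# Invoke-DfsrSysvolRegistryRestore -Mode authoritative
```

An empty MissingEvents list means the DFS-R service logged every event the post shows for that mode; anything left in it is the event to look for by hand before running the non-authoritative restore on the other DCs.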

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Backup And Restore, Blog Post Series | 13 Comments »

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)

Posted by Jorge on 2010-08-12


This post focuses on restoring the SYSVOL when replicated through the NTFRS mechanism. For the previous post see here and for the next post see here.

SYSVOL Replicated Through NTFRS – Authoritative Restore – Steps To Take

To perform an authoritative restore of the SYSVOL when using NTFRS, use the following steps:

  • Start the Registry Editor
  • Navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
  • Double-click on "BurFlags"
  • Assign it a value of D4 (hex) or 212 (dec)
  • Stop the NTFRS Service
  • Start the NTFRS Service

From the command-line the same can be achieved through:

  • REG ADD "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 212 /f
  • NET STOP NTFRS
  • NET START NTFRS

Also see Using the BurFlags registry key to reinitialize File Replication Service replica sets

image

As soon as the NTFRS Service starts, the following events appear with information about the authoritative restore.

Event ID 13566

image

Event ID 13553

image

Event ID 13554

image

Event ID 13516

image

SYSVOL Replicated Through NTFRS – Non-Authoritative Restore – Steps To Take

To perform a non-authoritative restore of the SYSVOL when using NTFRS, use the following steps:

  • Start the Registry Editor
  • Navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
  • Double-click on "BurFlags"
  • Assign it a value of D2 (hex) or 210 (dec)
  • Stop the NTFRS Service
  • Start the NTFRS Service

From the command-line the same can be achieved through:

  • REG ADD "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 210 /f
  • NET STOP NTFRS
  • NET START NTFRS

Also see Using the BurFlags registry key to reinitialize File Replication Service replica sets

image

As soon as the NTFRS Service starts, the following events appear with information about the non-authoritative restore.

Event ID 13565

image

Event ID 13520

image

Event ID 13553

image

Event ID 13554

image

Event ID 13516

image
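The BurFlags procedure above is the same for both restore types apart from the value (D4 versus D2). The following added example (not code from the original post) sets the flag through the .NET registry API, because the key name contains "Backup/Restore" and the forward slash would be read as a path separator by the HKLM: provider, and then checks that NTFRS reset the flag and logged the events listed above. It assumes it runs elevated on the DC; the function name is its own.

```powershell
function Invoke-NtfrsSysvolRestore {
    param([switch]$Authoritative)
    # Literal key name; "/" is part of the name, so do not use an HKLM:\ provider path here
    $key = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $burFlags = if ($Authoritative) { 0xD4 } else { 0xD2 }   # 212 / 210 decimal, as in the REG ADD lines
    $started = Get-Date

    Stop-Service -Name NtFrs -Force
    [Microsoft.Win32.Registry]::SetValue($key, 'BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
    Start-Service -Name NtFrs

    # Give NTFRS time to act on the flag, then collect the FRS events logged since the restart
    Start-Sleep -Seconds 120
    $expected = if ($Authoritative) { 13566, 13553, 13554, 13516 } else { 13565, 13520, 13553, 13554, 13516 }
    $seen = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; StartTime = $started } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Id } | Sort-Object -Unique

    # NTFRS resets BurFlags to 0 once it has processed it; a non-zero value means it has not run yet
    $flagNow = [Microsoft.Win32.Registry]::GetValue($key, 'BurFlags', -1)
    New-Object PSObject -Property @{
        Mode          = $(if ($Authoritative) { 'authoritative (D4)' } else { 'non-authoritative (D2)' })
        BurFlagsNow   = $flagNow
        MissingEvents = @($expected | Where-Object { $seen -notcontains $_ })
    }
}

# Invoke-NtfrsSysvolRestore -Authoritative
```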

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Backup And Restore, Blog Post Series | 3 Comments »

(2010-08-12) Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)

Posted by Jorge on 2010-08-12


The SYSVOL contains logon scripts and GPOs for a particular AD domain. It replicates to all RWDCs and RODCs. When, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with "Windows Server 2003" or lower, then the SYSVOL will use NTFRS as its replication mechanism. At a later stage when you increase the DFL to at least "Windows Server 2008", you can migrate the replication of the SYSVOL from NTFRS to DFS-R. The process for doing that is explained in the SYSVOL Replication Migration Guide: FRS to DFS Replication (Web Based) or SYSVOL Replication Migration Guide: FRS to DFS Replication (Word Doc).

If you need to migrate OTHER DFS NameSpaces from NTFRS to DFS-R then look at DFS Operations Guide: Migrating from FRS to DFS Replication and FRS to DFSR Migration Tool Released.

However, when, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with at least "Windows Server 2008", then the SYSVOL will use DFS-R as its replication mechanism right away and no migration of the SYSVOL replication from NTFRS to DFS-R is needed.

The use of DFS-R, compared to NTFRS, is way better in terms of performance and stability. DFS-R also works better with RODCs than NTFRS. When the SYSVOL on an RODC is adjusted locally, the changes will remain and will not replicate out, because the RODC does not support outbound replication to any DC. Over time, if you do this too often, you will get inconsistencies. To resolve these inconsistencies you may need to do a non-authoritative restore of the SYSVOL when it is replicated by NTFRS. If the same occurred on the RODC and DFS-R is being used as the replication mechanism for the SYSVOL, then the local change would be detected and reverted as if nothing had happened. This makes sure the SYSVOL contents remain consistent on RODCs. For other differences see The Case for Migrating SYSVOL to DFSR.

The availability of the SYSVOL is very important for users, because if it is not available on a certain DC (RWDC or RODC), both users and computers cannot log on using that DC.

For both replication mechanisms I will explain how to do an authoritative restore and a non-authoritative restore of the SYSVOL.

Authoritative Restore

With an authoritative restore, the data that’s being restored is leading compared to all other versions of that same data on other DCs. Taking that into account, when doing an authoritative restore on a RWDC, one should not forget that all other RWDCs and RODCs must do a non-authoritative restore.

Non-Authoritative Restore

With a non-authoritative restore, the data that’s being restored or that is in place is not leading compared to all other versions of that same data on other DCs. To get the most recent data, the DC for which a non-authoritative restore was done must get the most recent data from another DC.

For the post on restoring the SYSVOL when replicated through the NTFRS mechanism see here.

For the post on restoring the SYSVOL when replicated through the DFS-R mechanism see here.

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Backup And Restore, Blog Post Series | 4 Comments »

(2006-03-08) Backup And Restore Of Active Directory

Posted by Jorge on 2006-03-08


The procedure to back up AD or DCs has always been (and for now will always be) to use a VALID system state backup of a DC. However, times are changing and all kinds of new technologies and ideas are being used. Although I do NOT promote the use of unsupported backup/restore mechanisms, I’m going to mention a procedure here that allows you to use one of the unsupported methods. The main reason for this is that the information is publicly available from Microsoft (Running Domain Controllers in Virtual Server 2005 – http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en) but it is INCOMPLETE and people will hurt themselves if it is done incorrectly!

DISCLAIMER:

  • You are responsible on your own when using this procedure
  • This posting is provided "AS IS" with no warranties and confers no rights!
  • Always test before implementing/using tools/procedures!

 

BEST and SUPPORTED way for backup/restore of AD/DCs

  • Supported backup/restore mechanisms/tools
  • Using (at least) system state backups

More information:

 

FAST and UNSUPPORTED ways for backup/restore of AD/DCs

  • Disk images (cloning)
  • Virtual machine images
  • Breaking RAID 1 (mirroring) configurations

 

Dangers of NOT using supported AD aware backup/restore mechanisms

  • USN rollbacks in AD and in the SYSVOL
  • Inconsistent data in AD and in the SYSVOL
  • Effects:
    • Other DCs know more about a certain DC than the DC itself

Risk mitigation

  • Use ONLY SUPPORTED backup/restore mechanisms!!!
  • Follow instructions in "Running Domain Controllers in Virtual Server 2005"
  • Implement hotfixes: MS-KBQ885875 (W2K) & MS-KBQ875495 (W2K3) (also included in W2K3 SP1)

 

So let’s take a look at WHAT are USN rollbacks (in AD).

The following example environment where nothing is wrong.

image

 

Now lets have a look at the up-to-dateness vector of ALL DCs in the forest on each DC in the forest…

image

For each DC with its own color, the dotted lines should ALWAYS have the same value as or a lower value than the normal line!!! (everything is OK for ROOTDC001, ROOTDC002 and CHLDDC001)

 

The following example environment where something IS wrong because a non- AD aware restore solution has been used

image

 

Now lets have a look at the up-to-dateness vector of ALL DCs in the forest on each DC in the forest…

image

For each DC with its own color, the dotted lines should ALWAYS have the same value as or a lower value than the normal line!!! As you can see, ROOTDC001 and CHLDDC001 know more about ROOTDC002 than ROOTDC002 itself, and THAT is wrong!

 

How to detect and recover from a USN rollback in Windows 2000 Server

How to detect and recover from a USN rollback in Windows Server 2003

 

So what do MS-KBQ885875/MS-KBQ875495 really do?

  • Detect USN rollbacks in AD, NOT in the SYSVOL
  • USN Rollback detection NOT guaranteed for 100%!!!
  • Pauses the NETLOGON service WHEN USN rollback in AD is detected!
  • Disables inbound and outbound AD replication (event ID 1113/1115), NOT SYSVOL replication, WHEN USN rollback in AD is detected!
  • Logs event IDs 2095 and 2103 in the directory services event log
  • BOTH HOTFIXES also provide:
    • Supported recovery option that mimics a system state restore

 

That recovery option has the following requirements!

  • Hotfixes installed/implemented PRIOR to the failure
  • Use ONLY images WITHIN the “tombstone lifetime” timeframe
  • Use ONLY images that have NEVER been booted after creation (this is VERY IMPORTANT. If it has been booted into normal DC mode, it is useless and you need to start over!!!)
  • Make sure the SAME DC is NOT running elsewhere
  • Follow requirements and instructions mentioned in:
    • MS-KBQ885875 & MS-KBQ875495
    • "Running Domain Controllers in Virtual Server 2005"

Procedure for using the recovery option:

  • “Restore” the image
  • !!! Boot into DSRM !!! (not connected to the network)
  • Note the value of “DSA Previous Restore Count”
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (Not visible? –> Assume a value of 0)
  • Add the entry “Database restored from backup” (DWORD) with a value of 1
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (This triggers the actions needed for AD right after a system state restore!)
  • Stop the “File Replication Service (NTFRS)” and assign the value “D4” (for an auth. or primary restore) or “D2” (for a non-auth. restore) to the entry “BurFlags” in (HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup)
    (This triggers the actions needed for the SYSVOL right after a system state restore!) (and for other replicated DFS namespaces!)
    (also see: Using the BurFlags registry key to reinitialize File Replication Service replica sets –
    http://support.microsoft.com/?id=290762)
  • Boot into normal DC mode (not connected to the network)
  • Check the value of “DSA Previous Restore Count”
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (New value = old value + 1)
  • In the DS event log check for event ID 1109
  • In the FRS event log check for event ID 13565 & 13520 if a non-auth. restore was performed for the SYSVOL
  • In the FRS event log check for event ID 13566 if an auth. restore was performed for the SYSVOL
  • Connect to the network again
  • Check the health of the DC (AD & SYSVOL)
    • DCDIAG /D /C /V
    • NETDIAG /DEBUG /V
    • GPOTOOL.EXE /CHECKACL /VERBOSE
    • REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>
  • DONE!
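The recovery procedure above has two halves separated by a reboot: what is set in DSRM, and what is verified after the normal boot. The following added example (not code from the original post or the KB articles) implements both, refusing to run the first half unless the DC is actually in DSRM and checking in the second half that "DSA Previous Restore Count" went up by exactly one and that the DS and FRS events the post lists were logged since boot. Function names and the scratch file that carries the old count across the reboot are its own assumptions; it runs elevated on the restored DC, off the network.

```powershell
$ntdsKey   = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters'
$frsKey    = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$stateFile = "$env:SystemRoot\Temp\dsrm-restore-state.txt"   # assumption: scratch file for phase 2
$dword     = [Microsoft.Win32.RegistryValueKind]::DWord

function Start-ImageRestoreInDsrm {
    # Phase 1: run in DSRM on the never-booted image, network disconnected
    param([switch]$Authoritative)
    # Windows sets SAFEBOOT_OPTION to DSREPAIR in Directory Services Restore Mode; refuse otherwise,
    # because the markers must be in place before the first boot into normal DC mode
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') { throw 'Not booted into DSRM; do not continue.' }

    # A missing value counts as 0 (per the procedure); keep it for the comparison after reboot
    $oldCount = [int][Microsoft.Win32.Registry]::GetValue($ntdsKey, 'DSA Previous Restore Count', 0)
    Set-Content -Path $stateFile -Value $oldCount

    # Makes AD perform the same post-restore actions it would after a system state restore
    [Microsoft.Win32.Registry]::SetValue($ntdsKey, 'Database restored from backup', 1, $dword)

    # Same for the SYSVOL replica set: D4 = authoritative/primary, D2 = non-authoritative
    Stop-Service -Name NtFrs -Force
    $flag = if ($Authoritative) { 0xD4 } else { 0xD2 }
    [Microsoft.Win32.Registry]::SetValue($frsKey, 'BurFlags', $flag, $dword)
    "Recorded restore count $oldCount; now reboot into normal DC mode with the network still disconnected."
}

function Test-ImageRestoreResult {
    # Phase 2: run after the normal boot, before reconnecting the network
    param([switch]$Authoritative)
    $oldCount = [int](Get-Content -Path $stateFile)
    $newCount = [int][Microsoft.Win32.Registry]::GetValue($ntdsKey, 'DSA Previous Restore Count', 0)
    $since    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    # 1109 in the DS log = AD processed the restore; 13566 (auth.) or 13565+13520 (non-auth.) in the FRS log
    $ds  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109; StartTime = $since } -ErrorAction SilentlyContinue
    $frsIds = if ($Authoritative) { 13566 } else { 13565, 13520 }
    $frs = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = $frsIds; StartTime = $since } -ErrorAction SilentlyContinue

    $ok = ($newCount -eq $oldCount + 1)
    if (-not $ok) { Write-Warning "Restore count went $oldCount -> $newCount; AD did not treat this boot as a restore. Start over from a fresh image." }
    New-Object PSObject -Property @{
        RestoreCountIncremented = $ok
        DsEvent1109Seen         = [bool]$ds
        FrsEventsSeen           = @($frs | ForEach-Object { $_.Id } | Sort-Object -Unique)
        ExpectedFrsEvents       = @($frsIds)
    }
}
```

Only when RestoreCountIncremented is true and the expected events are present should the DC go back on the network for the DCDIAG / REPADMIN health checks listed above.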

 

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Backup And Restore | 6 Comments »

 