Monday, February 02, 2009

Active Directory Recovery Note

Since the days of Windows NT, I have really disliked the Domain Controller architecture in Microsoft networks. The part I really did not like is that it basically required two dedicated machines, and you are not supposed to install anything else on them, for example SQL Server (you can, but I strongly advise against it: some day you will run into trouble and it will cost you several times over the hardware cost you thought you saved). In addition they had the idea of Primary and Backup domain controllers, with the notion of the backup controller being a bit dubious, since if you lost the primary you probably also lost the ability to get the primary back easily.

When Windows 2000 came out I was a bit excited to be told that AD does not have the notion of Primary and Backup. But soon enough that turned out not to be true, and in fact it got even more complicated.

This was 2008. In my small office I had the brilliant idea of hosting two AD servers on virtual machines, since we don't really maintain more than a few user names and such. Well, we just lost one of the controllers completely during a VM migration, so I basically had to create another one from the remaining "backup" controller.

This cost several hours of "wasted time," since I really don't want to delve into this AD stuff. So if this happens again, here is a note to myself. Things like backup fail-over should be basically instantaneous, and I expect there ought to be a one-button thingy for an idiotic (by choice) user like me, but it not being like that does protect a lot of jobs in the industry, I would guess.

  • It seems to work better if you install DNS first, before adding the domain controller role.
  • Download the Windows Support Tools from the MS web site. This package has two important tools: one is called NETDIAG and the other DCDIAG. These are command line tools, and if you run them without any arguments they will tell you in gory detail what is wrong with your DNS and Domain Controller settings. Basically they run a series of tests and report each as either Pass or Fail. The idea is to fix things until they all Pass. For each Fail, type the error message into Google (not Live Search) and you will find the article on the Microsoft web site on how to fix it. (Message to MS: please improve the search for your own product-related information.) I would fix the DNS first.
  • The next tool you will need is the NTDSUTIL program. You use this tool to transfer some of the critical roles that your lost domain controller held. The terminology to search for is "Seize [blah blah] role", and you issue the Seize command to this tool. There are about 4 or 5 roles that you need to seize, and one additional tricky thing is the "Infrastructure" role. This apparently should not be seized by the primary, so run the same tool on the secondary server and have it seize the "Infrastructure" role.

I think these hints should be enough to get you out of the lost-PDC situation.
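The three steps above (check DNS and DC health with DCDIAG, seize the roles with NTDSUTIL on the surviving controller, seize the Infrastructure role on the other one) can be scripted so the next recovery is closer to the "one button" the note wishes for. The following PowerShell script is an added example, not part of the original post; it wraps the same command line tools the note mentions (dcdiag, ntdsutil, netdom). The host names DC-SURVIVOR and DC-SECOND are placeholders, and the role spellings are the ones ntdsutil on Windows Server 2008 accepts (on Server 2003 the naming role is spelled "domain naming master").

```powershell
# Added example (not from the original post): drive dcdiag / ntdsutil / netdom
# from PowerShell to recover the FSMO roles after losing a domain controller.
param(
    [string]$SurvivingDC = "DC-SURVIVOR",   # placeholder: takes Schema, Naming, PDC and RID
    [string]$SecondaryDC = "DC-SECOND",     # placeholder: takes the Infrastructure role
    [switch]$Seize                          # without -Seize the script only diagnoses
)

# Step 1: fix DNS and DC health first. Run dcdiag and collect every test it
# reports as failed. dcdiag prints lines such as
#   "......................... DC-SURVIVOR failed test DNS"
function Get-FailedDcdiagTests {
    param([string]$Server)
    $out = & dcdiag.exe /s:$Server /test:DNS /test:Connectivity /test:Advertising 2>&1
    $out | Select-String -Pattern 'failed test (\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

# Step 2: seize a list of roles onto $Server by feeding ntdsutil its commands
# as arguments. Each string is one line ntdsutil would otherwise read at its
# prompt. ntdsutil still pops up a confirmation dialog for every seize, so the
# script is not fully unattended.
function Invoke-FsmoSeize {
    param([string]$Server, [string[]]$Roles)
    $cmds = @('roles', 'connections', "connect to server $Server", 'quit')
    $cmds += $Roles | ForEach-Object { "seize $_" }
    $cmds += @('quit', 'quit')
    & ntdsutil.exe @cmds
}

# Refuse to seize anything while the surviving DC still fails its own tests.
$failed = Get-FailedDcdiagTests -Server $SurvivingDC
if ($failed) {
    Write-Warning "Fix these dcdiag failures on $SurvivingDC first: $($failed -join ', ')"
    return
}

if (-not $Seize) {
    Write-Host "Diagnostics passed on $SurvivingDC. Current role holders:"
    & netdom.exe query fsmo
    Write-Host "Re-run with -Seize to move the roles."
    return
}

# Step 2a: four roles onto the surviving controller.
Invoke-FsmoSeize -Server $SurvivingDC -Roles @('schema master', 'naming master', 'PDC', 'RID master')

# Step 2b: the Infrastructure role onto the other controller, as the note advises.
Invoke-FsmoSeize -Server $SecondaryDC -Roles @('infrastructure master')

# Step 3: confirm who holds what now.
& netdom.exe query fsmo
```

Run it once without `-Seize` to see the dcdiag result and the current role owners, and only add `-Seize` when the diagnostics are clean. One caveat to keep in mind (my addition, not from the post): once a role has been seized, the old controller that used to hold it must never be brought back onto the network in its old state; if the lost VM ever turns up again, it has to be wiped and re-promoted rather than simply powered on.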