Restoration of Domain controllers

Hi All,
I have 2 RWDC domain controllers in headquarters and a few RODCs in branch offices. I have some questions on the restoration of the domain controllers and what is required to be done on the RODCs after the restoration of an RWDC.
Example:
All my RWDCs are down on site but all other RODC sites are still working properly. I recover one RWDC that holds all the FSMO roles by using a non-authoritative restore (restore from image). After the restoration, do I need to do anything else? Do I need to rebuild the RODCs?
I tried to search all over the internet for this scenario but couldn't find anything.
Please advise.
Thanks, ALoy

Hello,
The RODCs will still get the updates from the RWDCs as long as replication works after the restore.
But with 2 RWDCs you could also seize FSMO roles on the other RWDC, in case the broken RWDC NEVER comes back, run metadata cleanup and then install a new RWDC into the domain AFTER the cleanup is also replicated to the RODCs.
http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/
Cleanup also requires removing references from AD Sites and Services, DNS zones and DNS server lists.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
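The sequence in the reply above (check that the RODCs still replicate after the restore, seize the roles of an RWDC that will never return, clean up its metadata, and only then promote a replacement), as an added PowerShell example that is not part of the thread. Assumptions: the restored RWDC is DC01 and takes the roles, the dead RWDC is DC02, the ActiveDirectory module is available, and the DnsServer module (2012 RSAT) is present for the DNS check.

```powershell
# Added example, not from the original thread. Names DC01/DC02 are assumptions.
Import-Module ActiveDirectory

$survivingDc = 'DC01'   # restored RWDC, will take the roles (assumption)
$deadDc      = 'DC02'   # RWDC that is gone for good (assumption)
$domain      = Get-ADDomain
$forest      = Get-ADForest
$configNc    = (Get-ADRootDSE).configurationNamingContext

# 1. After the restore: does every RODC still have a working inbound link?
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
foreach ($rodc in $rodcs) {
    Get-ADReplicationPartnerMetadata -Target $rodc.HostName -PartnerType Inbound |
        ForEach-Object {
            '{0} <- {1}: last success {2}, consecutive failures {3}' -f $rodc.Name, $_.Partner,
                $_.LastReplicationSuccess, $_.ConsecutiveReplicationFailures
        }
}
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain   # empty output = no failing links

# 2. Who holds the five roles right now?
$domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
$forest | Select-Object SchemaMaster, DomainNamingMaster

# 3. Seize the roles the dead RWDC held. -Force turns a transfer into a seizure;
#    the old holder must never be powered on in this domain again afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity $survivingDc -Force -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Metadata cleanup: remove the dead server's NTDS Settings and server object.
#    On Windows Server 2008 and later ntdsutil accepts the server DN directly.
$deadServer = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                           -LDAPFilter "(&(objectClass=server)(cn=$deadDc))"
ntdsutil "metadata cleanup" "remove selected server $($deadServer.DistinguishedName)" quit quit

# 5. Leftovers to check by hand: the computer account under Domain Controllers (if it
#    survived the cleanup), the A record and the NS record of the dead DC.
Get-ADComputer -Filter { Name -eq $deadDc } -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)"
Get-DnsServerResourceRecord -ComputerName $survivingDc -ZoneName $domain.DNSRoot -RRType A `
    -Name $deadDc -ErrorAction SilentlyContinue
Get-DnsServerResourceRecord -ComputerName $survivingDc -ZoneName $domain.DNSRoot -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$deadDc.*" }

# 6. Do not promote the replacement until every RODC has seen the deletion.
foreach ($rodc in $rodcs) {
    $stale = Get-ADObject -Server $rodc.HostName -SearchBase "CN=Sites,$configNc" `
                          -LDAPFilter "(&(objectClass=server)(cn=$deadDc))"
    if ($stale) { "$($rodc.Name): still has $deadDc; wait, or run: repadmin /syncall $($rodc.HostName) /AeP" }
    else        { "$($rodc.Name): cleanup replicated, safe to promote the new RWDC" }
}
```

Step 6 is the point Meinolf makes about waiting: an RODC holds a read-only copy of the Configuration partition, so querying it directly shows whether the deleted server object has actually reached that site, rather than trusting that it will.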

Similar Messages

  • Restore Default Domain Controllers Policy in its original state

    Hello,
    Our domain has 2003 DCs. For some reason, someone has unlinked the Default Domain Controllers Policy from the Domain Controllers OU and also modified it extensively.
    The Domain Controllers OU has a GPO with basically the same settings as the DDCP, but it has also been heavily modified.
    I'm in the process of upgrading our domain to 2012 level and would like to sort out the DDCP before doing so.
    What would be the best course of action to restore the DDCP in its place? I was planning to match all settings between the custom GPO and the currently unlinked DDCP and then disable the custom GPO and enable the DDCP. But sincerely I'm not sure what would be the best way to go.

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

  • Restoring Virtualized Domain Controllers

    http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
    The article above has an illustration to determine the best way to restore a virtualized DC.  I have
    several questions about this chart.
    1. The step titled "Deploy the VHD against a new VM, and restart in normal mode" - Must a new VM be created in Hyper-V, or can the VHD just be replaced with a backup?
    2. The steps titled "Restore the Virtual machine instance that predates the failure" - Is it really necessary to start in DSRM mode and set this registry value if the backup is an application-consistent, image-based backup where what you are doing is restoring the VHDX file?
    3. What will happen if you restart a Domain Controller that is in good condition and go into DSRM mode and set the "database restored from backup" to 1?

    1. The step titled "Deploy the VHD against a new VM, and restart in normal mode" - Is it really necessary to create a new virtual machine? Why can't the existing virtual machine get used and just replace the VHDX file?
    In the scenario, it is assuming that the VM failed to start. That is why you create a new VM and attach the VHD file.
    2. The steps titled "Restore the Virtual machine instance that predates the failure" - Is it really necessary to start in DSRM mode and set this registry value if the backup is an application-consistent, image-based backup where what you are doing is restoring the VHDX file?
    When going to DSRM mode and doing a non-authoritative restore of the DC, you will be asking the DC to take its DB content from other DCs. You can apply this when you have no backup and you cannot get back in time with a healthy state of the DC. In other words, you can simply re-install the DC, do a metadata cleanup (seize FSMO roles if it is an FSMO holder) and promote it again. Of course, this supposes that you have a healthy DC/GC server in your domain before doing that.
    By the way, I do not see that this step is required when you restore from the VHDX in the chart. Please correct me if I am wrong :)
    3. What will happen if you restart a Domain Controller that is in good condition and go into DSRM mode and set the "database restored from backup" to 1?
    It will do a non-authoritative restore.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
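The registry step the chart refers to, and a way to confirm afterwards that it did what the reply says (a non-authoritative restore, also for question 3), as an added PowerShell example that is not from the thread or the linked article. The key and value name are the documented NTDS ones; nothing else is assumed. It runs on 2008 R2 (PowerShell 2.0) and later.

```powershell
# Added example, not part of the original thread.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$flagName   = 'Database restored from backup'

function Set-DatabaseRestoredFromBackup {
    # Run this in DSRM after the VHD/VHDX (or system state) has been put back in place.
    # On the next normal boot NTDS treats its own database as a restored copy: it takes a
    # new invocation ID, invalidates its current RID pool and pulls changes from partners.
    # Setting the flag on a healthy DC (question 3) triggers exactly the same processing.
    if (-not (Test-Path $ntdsParams)) { throw 'NTDS parameters key not found; is this a DC?' }
    New-ItemProperty -Path $ntdsParams -Name $flagName -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $ntdsParams -Name $flagName).$flagName   # expect 1
}

function Test-InvocationIdChanged {
    # Run after the normal boot. NTDS General event 1109 is logged when the invocation ID
    # changes; one newer than the last boot means the restore processing actually ran.
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
    $ev   = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109; StartTime = $boot } `
                         -ErrorAction SilentlyContinue
    $idLine = (repadmin /showrepl $env:COMPUTERNAME | Select-String 'invocationID').Line.Trim()
    New-Object PSObject -Property @{
        LastBoot            = $boot
        InvocationIdChanged = [bool]$ev
        InvocationIdLine    = $idLine
        FlagStillPresent    = [bool](Get-ItemProperty -Path $ntdsParams -Name $flagName -ErrorAction SilentlyContinue)
    }
}
```

On Windows Server 2012 and later Hyper-V, a DC that is rolled back to a checkpoint sees a new VM-Generation ID and performs this reset by itself; on the 2008 R2 generation the chart describes, the flag is the only way to get it, which is why the chart keeps the DSRM step for a VHD that was swapped back in without the VM being able to detect it.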

  • Blue Screen on Domain controllers after Updates

    After patching our Domain Controllers (virtual on ESXi 5.5 U2) recently we started getting blue screens and reboots. Other changes in our environment around this time include enabling vShield drivers and scanning with Trend Micro. I have removed patches from April but cannot remove patch KB3020370 - there is no uninstall button. The error still persists; I have removed the vShield driver and am waiting to see if the issue reoccurs. Can anyone assist in interpreting the details below? Also, is it possible to remove the patch KB3020370? This only appears to affect Domain Controllers; regular servers appear unaffected.
    Thanks
    Below is the BugCheck event.
    The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007f (0x0000000000000008, 0x0000000080050031, 0x00000000000406f8, 0xfffff800018c0e14). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042915-21762-01.
    And output from the debug tool.
    Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    Loading Dump File [c:\MiniDump\042815-21762-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    Error: Attempts to access 'c:\windows\i386' failed: 0x2 - The system cannot find the file specified.
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Error                                          c:\windows\i386
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: c:\windows\i386
    Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
    Product: LanManNt, suite: TerminalServer SingleUserTS
    Built by: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
    Machine Name:
    Kernel base = 0xfffff800`0185e000 PsLoadedModuleList = 0xfffff800`01aa3890
    Debug session time: Tue Apr 28 13:20:34.290 2015 (UTC + 1:00)
    System Uptime: 0 days 0:27:28.954
    Loading Kernel Symbols
    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.
    Loading User Symbols
    Loading unloaded module list
    *                        Bugcheck Analysis                                    *
    Use !analyze -v to get detailed debugging information.
    BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14}
    Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
    Followup: MachineOwner
    kd> !analyze -v
    *                        Bugcheck Analysis                                    *
    UNEXPECTED_KERNEL_MODE_TRAP (7f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault).  The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
            use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
            use .trap on that value
    Else
            .trap on the appropriate frame will show where the trap was taken
            (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
    Arg2: 0000000080050031
    Arg3: 00000000000406f8
    Arg4: fffff800018d4e14
    Debugging Details:
    BUGCHECK_STR:  0x7f_8
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER
    PROCESS_NAME:  System
    CURRENT_IRQL:  0
    ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
    LAST_CONTROL_TRANSFER:  from fffff800018cffe9 to fffff800018d0a40
    STACK_TEXT:  
    fffff800`01620d28 fffff800`018cffe9 : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000406f8 : nt!KeBugCheckEx
    fffff800`01620d30 fffff800`018ce4b2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
    fffff800`01620e70 fffff800`018d4e14 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
    fffff880`0276e000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x4
    STACK_COMMAND:  kb
    FOLLOWUP_IP: 
    nt!KiDoubleFaultAbort+b2
    fffff800`018ce4b2 90              nop
    SYMBOL_STACK_INDEX:  2
    SYMBOL_NAME:  nt!KiDoubleFaultAbort+b2
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: nt
    IMAGE_NAME:  ntkrnlmp.exe
    DEBUG_FLR_IMAGE_TIMESTAMP:  5507a73c
    IMAGE_VERSION:  6.1.7601.18798
    FAILURE_BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2
    BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2
    ANALYSIS_SOURCE:  KM
    FAILURE_ID_HASH_STRING:  km:x64_0x7f_8_nt!kidoublefaultabort+b2
    FAILURE_ID_HASH:  {0367acc4-9bb4-ab69-5701-46a2011718e9}
    Followup: MachineOwner

    Hi,
    Dump file displays:
    BugCheck 7F, {8, 80050031, 406f8, fffff800018d4e14} and Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 ).
    Bug check 0x7F typically occurs after you install a faulty or mismatched hardware (especially memory) or if installed hardware fails.
    A double fault can occur when the kernel stack overflows. This overflow occurs if multiple drivers are attached to the same stack. For example, if two file system filter drivers are attached to the same stack and then the file system recurses back in, the stack overflows.
    You may reference the link below for detailed resolution about this problem:
    https://msdn.microsoft.com/en-us/library/windows/hardware/ff559244(v=vs.85).aspx
    Besides, you may try to restore the server to the state before installing these Windows Updates.
    Best Regards,
    Eve Wang 
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Dfs R Service Stopping before backup on Domain Controllers

    HI,
    I have a weird issue where the DFS replication service is stopping when a DC backup starts.
    Setup: Forest with 5 child domains. Only one of the domains is having a problem. This domain has DCs in the US and UK. All four DCs experience the same issue. All DCs are Server 2008 R2. DFSR is used for AD replication.
    Issue: DFS replication service stops when a backup starts.
    The DFS Replication service is stopping communication with partner P1USDC01 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
    Additional Information:
    Error: 9036 (Paused for backup or restore)
    About 30 minutes later when the backup completed, DFS replication resumes.  
    As mentioned this happens to all 4 domain controllers in the domains, but no other domains are affected. AD replication stops during this time.
    Every time this happens the AD DB is rebuilt.
    lsass (548) A database location change was detected from 'D:\Active Directory\Windows\NTDS\DB\ntds.dit' to '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy168\Active Directory\Windows\NTDS\DB\ntds.dit'.
    I think this is more due to the VSS provider than an issue with the DB.
    Some 'Googling/Binging' shows that that error can be ignored as it resumes after. But I'm not so sure. Why are my other domains not affected? They use the same backup procedure, same hardware, same OS, same patch revision (always 3 months behind current release).
    Any suggestions would be great!

    You can ignore it as long as it restarts. You can also create a scheduled task that will check the service and start it if it is not running.
    I would recommend starting by installing latest Windows Updates (Especially those ones: http://support.microsoft.com/kb/968429) and make sure that your backup solution is up-to-date too. 
    If none helped then I would recommend contacting your backup solution developers technical support for assistance.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Domain Controllers that are DNS servers DNS Client settings

    [Copying verbatim from a mail by Joe ]
    So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
    From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there is the quote
    "3.When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
    From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows Server 2008 R2 Core Network Guide)
    "9.        In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the
    local computer.
    10.       In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of
    the local computer."
    From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
    itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
    be configured only as a secondary or tertiary DNS server on a domain controller...
    Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
    DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
    Why shouldn't loopback be first? The justification is why you shouldn't only use loopback, not why it shouldn't be first.
    From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry)
    "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
    The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
    or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
    as a secondary or tertiary DNS server on a domain controller."
    This also seems like justification against only using loopback versus using it first.
    Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
    to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
    And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
    thanks, 
    joe

    As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
    http://support.microsoft.com/kb/275278 for information about this scenario.
    However, there is still a known problem of slow boot times that can occur. See
    http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When
    multiple servers come online simultaneously after power is restored, there can be a significant delay.
    The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
    -Greg
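An audit of the configuration the two TechNet rules above describe (self or loopback present, but not first, and never alone), run against every DC, as an added PowerShell example that is neither Joe's nor Greg's. The classification is in one function so the rule is explicit; Get-DnsClientServerAddress and Get-NetIPAddress need Windows Server 2012 or later on the DC being queried, and the output labels are my own.

```powershell
# Added example, not part of the original mail or reply.
Import-Module ActiveDirectory

function Test-DcDnsServerOrder {
    param(
        [string[]]$DnsServers,    # DNS client list, in the order it is configured
        [string[]]$OwnAddresses   # the DC's own interface addresses
    )
    $self         = @('127.0.0.1', '::1') + $OwnAddresses
    $selfEntries  = @($DnsServers | Where-Object { $self -contains $_ })
    $otherEntries = @($DnsServers | Where-Object { $self -notcontains $_ })

    if (-not $DnsServers -or $DnsServers.Count -eq 0) { return 'NONE: no DNS servers configured' }
    if ($otherEntries.Count -eq 0)                    { return 'ISLAND: points only to itself' }
    if ($self -contains $DnsServers[0])               { return 'SELF-FIRST: self/loopback is the first entry' }
    if ($selfEntries.Count -eq 0)                     { return 'NO-SELF: never falls back to its own DNS service' }
    return 'OK: partner first, self later'
}

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $cfg = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        # first adapter that has a DNS server list; own IPv4 addresses minus loopback
        $own = (Get-NetIPAddress -AddressFamily IPv4 |
                Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
        $srv = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1).ServerAddresses
        [pscustomobject]@{ Own = @($own); Servers = @($srv) }
    }
    $verdict = Test-DcDnsServerOrder -DnsServers $cfg.Servers -OwnAddresses $cfg.Own
    '{0,-16} {1,-50} [{2}]' -f $dc.Name, $verdict, ($cfg.Servers -join ', ')
}
```

ISLAND is the case both articles warn about; SELF-FIRST is the slow-boot case in KB 2001093 that Greg points to; NO-SELF is the configuration that loses the availability benefit the first article quotes. Which of the last two you tolerate is the debate Joe describes; the script only makes the current state visible.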

  • Restoring a Domain Controller - When other DC's are available

    I'm trying to get some clarity and confidence on the proper way to restore domain controllers.  here are my questions:
    1. What is the proper way to restore a Domain Controller into an existing Forest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?
    1a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
    2. What is the proper way to restore a Virtualized Domain Controller into an existing Forest where other domain controllers are present when you have a 3rd party image based backup solution that has Hyper-V VSS writers?
    2a. In this scenario - will i need to enter into DSRM mode prior to booting the server?

    1. What is the proper way to restore a Domain Controller into an existing Forest where other domain controllers are present when you have a system state backup taken by Windows Server Backup?
    You can restore the DC using two possible methods:
    Method 1: Do a non-authoritative restore using a system state backup. Do not do an authoritative restore so that you do not lose recent changes here.
    Method 2: If the DC is an FSMO holder then seize the FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again as a DC. If it is not an FSMO holder then simply do a metadata cleanup and then re-install the server and promote it again as a DC.
    1a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
    Yes. You need to get inside DSRM mode to restore the DC from a system state backup.
    2. What is the proper way to restore a Virtualized Domain Controller into an existing Forest where other domain controllers are present when you have a 3rd party image based backup solution that has Hyper-V VSS writers?
    You can read that: http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
    Also, see that about DC cloning in Windows Server 2012 and higher: http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
    2a. In this scenario - will i need to enter into DSRM mode prior to booting the server?
    You can find the details in the links I shared.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
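Method 1 and the DSRM answer to 1a, carried through with the tools that ship with Windows Server Backup, as an added example that is not part of Ahmed's reply. Assumptions: the DC is DC01, its backups were written to \\backup01\dcbackups, and the version chosen from "wbadmin get versions" is 04/28/2015-21:00. The commands are split by where they run.

```powershell
# Added example, not part of the original thread. DC01, \\backup01\dcbackups and the
# version string are assumptions.

# --- Pre-check, from any healthy DC: a backup older than the tombstone lifetime must
#     not be restored, because deletions it never saw would come back as live objects.
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
            -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute absent = forest created before 2003 SP1, default 60
"Tombstone lifetime: $tsl days; the backup must be younger than that"

# --- Step 1, on DC01 in a normal boot (elevated): make the next start a DSRM boot.
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# --- Step 2, on DC01 inside DSRM, logged on as .\Administrator with the DSRM password.
wbadmin get versions -backupTarget:\\backup01\dcbackups -machine:DC01
# Non-authoritative: no -authsysvol. The restored directory and SYSVOL are treated as an
# old copy and brought up to date by the other DCs after the reboot.
wbadmin start systemstaterecovery -version:04/28/2015-21:00 `
    -backupTarget:\\backup01\dcbackups -machine:DC01 -quiet
# wbadmin asks for a restart when it is done; clear the DSRM switch before that restart.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# --- Step 3, on DC01 after the normal boot: it should show inbound replication from
#     its partners and no failures before you rely on it again.
repadmin /showrepl $env:COMPUTERNAME
repadmin /replsummary
```

Adding -authsysvol to the systemstaterecovery line would make this DC's SYSVOL authoritative for the whole domain, which is the thing Ahmed's "do not do an authoritative restore" is warning about: in a domain with healthy DCs you want their copies to win.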

  • Unable to Sync SYSVOL Folder between Domain Controllers

    Good Afternoon All,
    I have the following issue on my current domain configuration, I say current as we are seeking to go to Server 2012 R2 within the next few months, but for now, we are at the 2008 R2 functional level.
    We have three Domain Controllers namely Server-001 to 3, with Server-002 holding the PDC Emulator Role. Now when policies are created or updated through GP Management, I have noticed that they sync without issue between Server-002 and Server-003, but not
    Server-001. In the SYSVOL Folder in each DC, the folder totals in policies are as follows:
    Server-001 - 72 Folders
    Server-002 - 96 Folders
    Server-003 - 96 Folders
    So here, it can be clearly seen that there is some sort of replication issue between Server-001 and the other controllers. I have researched and read several articles and opinions regarding the same issue and have run many of the commands outlined including repadmin, dnslint, gposync, etc., with the only output displaying errors being gposync. I have checked all the event logs for each DC with added focus on the DFS Replication logs and have seen no errors regarding replication on Server-001, which is the server at fault, but have noted that it appears that Server-001 is only replicating to itself, while Servers -002 and -003 are syncing/replicating between each other. I created a text document in Server-002's SYSVOL folder and checked in Server-003's and verified that the document successfully synced across, but on Server-001 nothing happened. I did some research on the issue and came across non-authoritative SYSVOL restore as an option, but when I tried this on Server-001 via ADSI Edit, I noticed that the following path:
    OU=Domain Controllers>CN=Server-001>CN=DFSR-LocalSettings>CN=Domain System Volume
    is missing. Initially, DFSR-LocalSettings was missing as well, but I re-created it. I then attempted to re-create Domain System Volume, but when I tried entering the Replication Group GUID, I got an error that "one or more of the values are not in the correct format", even though this is the same GUID used on the other two DCs. I tried changing the value to octet, hexadecimal, etc., but nothing worked; I still got the same error. I am convinced that this is where the disconnect lies, but with no possible idea how to fix this broken section, I am unsure how to further proceed. We were going to demote the server, bring up a 2012 R2 unit and have it seize the roles, but I convinced my Systems Administrator for us to try and see if there is a fix available before commissioning a new server. As is, group policy is somewhat broken as policies either do not get applied at all, or get applied only to certain groups or OUs.
    If you are interested I can forward you our DFSR logs from each server, along with any other reports that I have run, in the hope that someone will be able to assist. I hope that I have been as clear as possible and have provided as much information as is possibly required.

    Hi,
    To perform non-authoritative synchronization for DFSR-replicated SYSVOL, the following article can be referred to for more information.
    How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
    http://support.microsoft.com/kb/2218556/en-us
    Besides, we can use dcdiag command to check the health of the DC.
    Dcdiag
    http://technet.microsoft.com/en-us/library/cc731968.aspx
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen
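The non-authoritative SYSVOL resync from KB 2218556 that the reply links, scripted for one DC, as an added PowerShell example that is not part of Frank Shen's answer. It presupposes that the DC's CN=SYSVOL Subscription object under CN=Domain System Volume,CN=DFSR-LocalSettings exists (the original poster reports that it does not on Server-001, in which case step 1 stops here); the timeout and the use of the local computer name are assumptions. Run it on the DC whose SYSVOL is stale.

```powershell
# Added example, not part of the original thread. Implements the KB 2218556
# non-authoritative sequence for the local DC.
Import-Module ActiveDirectory
$dc     = $env:COMPUTERNAME
$rootDn = (Get-ADDomain).DistinguishedName
$subDn  = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$dc,OU=Domain Controllers,$rootDn"

function Wait-DfsrEvent {
    # Poll the DFS Replication log for an event ID newer than $Since (timeout is an assumption).
    param([int]$Id, [datetime]$Since, [int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
        if ($ev) { return ($ev | Select-Object -First 1) }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event $Id on $dc"
}

# Step 1: the subscription object must exist; Get-ADObject throws if it does not.
$sub = Get-ADObject -Identity $subDn -Properties msDFSR-Enabled
"Current msDFSR-Enabled on $dc : $($sub.'msDFSR-Enabled')"

# Step 2: disable the subscription, push the change, make DFSR re-read AD.
$start = Get-Date
Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $false }
repadmin /syncall $dc /AdeP | Out-Null
dfsrdiag pollad | Out-Null
Wait-DfsrEvent -Id 4114 -Since $start | Out-Null   # 4114: SYSVOL replicated folder disabled

# Step 3: re-enable. DFSR now performs a non-authoritative initial sync from a partner,
# so this DC's SYSVOL is overwritten by the copy the healthy DCs hold.
$start = Get-Date
Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $true }
repadmin /syncall $dc /AdeP | Out-Null
dfsrdiag pollad | Out-Null
Wait-DfsrEvent -Id 4614 -Since $start | Out-Null   # 4614: initial sync started, waiting for a partner
Wait-DfsrEvent -Id 4604 -Since $start | Out-Null   # 4604: initial sync finished, SYSVOL shared again
"Non-authoritative SYSVOL sync on $dc complete"
```

The two repadmin /syncall calls matter: the attribute change has to reach the DC's replication partners before dfsrdiag pollad, otherwise DFSR re-reads an unchanged AD and nothing happens. Event 4604 is the only "done" signal; a DC that sits on 4614 has no partner it can pull from, which is what the D2/D4 analogy in the KB title is about.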

  • Help with Powershell script to gather eventlogs from all Domain Controllers

    I am trying to write a script to grab the last 5 days of application, security and system logs from all domain controllers. The script runs but only pulls the logs from the local server. The $Computer variable has all of my DC's so it is querying fine. I
    assume it is an issue with my ForEach-Object line but it doesn't error out. See the script below.
    $log = "Application"
    $date = get-date -format MM-dd-yyyy
    $now = get-date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $Now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -filter *
    ForEach-Object -InputObject $Computers  -Process {Get-EventLog -LogName $log -After $then -Before $now -EntryType Error | select EventID,MachineName,Message,Source,TimeGenerated | ConvertTo-html | Out-File $env:TEMP\Applicationlog.htm}
    Invoke-Expression $env:TEMP\Applicationlog.htm
    Thanks,
    Rich

    Also, you're missing the -ComputerName parameter in the Get-EventLog Cmdlet. 
    I would re-write the loop part of the script like this:
    $log = "Application"
    $date = Get-Date -Format MM-dd-yyyy
    $now = Get-Date
    $subtractDays = New-Object System.TimeSpan 5,0,0,0,0
    $then = $now.Subtract($subtractDays)
    $Computers = Get-ADDomainController -Filter *
    $report = foreach ($Computer in $Computers) {
        # -ComputerName wants a host name, not the DC object itself
        Get-EventLog -ComputerName $Computer.HostName -LogName $log -After $then -Before $now -EntryType Error |
            Select-Object EventID,MachineName,Message,Source,TimeGenerated
    }
    # convert once, after the loop, so the file is one HTML document rather than one per DC
    $report | ConvertTo-Html | Out-File .\Applicationlog.htm
    Invoke-Item .\Applicationlog.htm
    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)

  • I need to be able to find domain controllers that have been removed from the domain but never demoted

    I need to find domain controllers that have been removed but never demoted.
    Here's the story...
    I came on as an Active Directory administrator for an organization which has 600+ domain controllers, most running Server 2003, but I have some Server 2008 R2. Throughout all this time the organization has had DCs that have stopped working, crashed or failed for some reason and all the IT department has done is create another domain controller, name it the same thing with an (A), (B) appended to the name, and then never remove any of the failed controllers from the directory.
    Thing is this has been going on for quite some time; I don't know for sure how long, as I am still trying to clean up DNS replication problems and have been having to go around and reset machine passwords for the forest. What I need to be able to do is to script something that will return all the failed DCs so that I can go into the directory and use NTDSUTIL to clean the machines. I don't want to go into the directory and remove a machine that's still out there. No one in the organization has a list or record of failed machines.
    You can see this may be a gargantuan task, but I need to be able to make it easier on myself by finding the machines first and cleaning out DNS, cleaning the DCs out of the "Sites" and cleaning them out of the directory.
    Appreciate any help I can get…

    Hi,
    Thanks for posting in the forum.
    Regarding your question, we should remove these orphaned DCs from AD; please refer to the following articles to perform the cleanup task.
    How to remove completely orphaned Domain Controller
    http://support.microsoft.com/kb/555846
    Complete Step by Step to Remove an Orphaned Domain controller
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
    Metadata Cleanup of a Domain controller
    http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/
    Here is a similar thread as reference, hope it helps.
    Remove References of a Failed DC/Domain
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/87516188-731a-4b7f-a4cc-06ce4ad27b19/remove-references-of-a-failed-dcdomain
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
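The "find them first" part of the question, which the linked cleanup articles do not cover, as an added PowerShell example that is not part of Andy Qi's reply. It lists every DC the directory still believes exists (every nTDSDSA object under CN=Sites), then scores each one on two signals: whether anything answers LDAP on its advertised name, and how old its machine-account password is (DCs rotate it every 30 days). It needs one DC reachable through ADWS (2008 R2, or the management gateway on 2003); the 60-day threshold, the 3-second probe and the CSV name are assumptions.

```powershell
# Added example, not part of the original thread. Thresholds are assumptions.
Import-Module ActiveDirectory
$configNc   = (Get-ADRootDSE).configurationNamingContext
$staleAfter = 60   # days; DC machine accounts rotate their password every 30 days

function Test-LdapPort {
    # TCP connect to 389 with a timeout; a dead DC simply never answers.
    param([string]$HostName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, 389, $null, $null)
        return ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

# Every nTDSDSA object is a DC as far as the directory is concerned, even if the box is gone.
$ntdsSettings = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSDSA)'
$report = foreach ($ntds in $ntdsSettings) {
    $serverDn = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
    $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName, serverReference
    $site     = ($serverDn -split ',')[2] -replace '^CN=', ''

    # Passive signal: age of the computer account password (serverReference -> computer DN).
    $pwdAgeDays = $null
    if ($server.serverReference) {
        $comp = Get-ADComputer -Identity $server.serverReference -Properties pwdLastSet -ErrorAction SilentlyContinue
        if ($comp -and $comp.pwdLastSet) {
            $pwdAgeDays = [int]((Get-Date) - [datetime]::FromFileTime($comp.pwdLastSet)).TotalDays
        }
    }
    # Active signal: does the advertised name still answer LDAP?
    $ldapUp = if ($server.dNSHostName) { Test-LdapPort $server.dNSHostName } else { $false }

    $verdict = if ($ldapUp) { 'ALIVE' }
               elseif ($pwdAgeDays -eq $null -or $pwdAgeDays -gt $staleAfter) { 'LIKELY ORPHAN' }
               else { 'DOWN, RECENT PASSWORD: CHECK' }

    New-Object PSObject -Property @{
        Server     = $server.Name
        Site       = $site
        DnsName    = $server.dNSHostName
        PwdAgeDays = $pwdAgeDays
        LdapUp     = $ldapUp
        Verdict    = $verdict
        ServerDn   = $serverDn   # the DN "remove selected server" in ntdsutil wants
    }
}
$report | Sort-Object Verdict, Site | Format-Table Server, Site, Verdict, PwdAgeDays, LdapUp -AutoSize
$report | Where-Object { $_.Verdict -eq 'LIKELY ORPHAN' } |
    Export-Csv .\orphan-candidates.csv -NoTypeInformation
```

The CSV is a worklist, not a kill list: a DC that is merely behind a firewall from where you run this shows as DOWN, so confirm each LIKELY ORPHAN with the site owner before running the cleanup from the linked articles. Since the poster reset machine passwords by hand, PwdAgeDays on those DCs says nothing and the LDAP probe is the only signal left for them.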

  • Upgrade to Server 2012 R2 domain controllers from 2003

    I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
    We had two Server 2003 domain controllers and one of them was failing.  I raised the forest functional level of our old primary domain controllers to 2003.  I built the first replacement Server 2012 R2 domain controller.  Added the AD DS roles
    and promoted it as a domain controller.  I let it sit for a couple days.  The FSMO roles were currently being handled by our other 2003 domain controller.  Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing
    server and demoted it.  Once demoted I shut it down and pulled it out of the rack.  I then built our second 2012 R2 server and gave it the same IP as the failing one.  Installed the AD DS roles and integrated DNS as prompted by the wizard. 
    I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master.  Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network.  I then demoted
    the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again.  I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in,
    just not a second subnet that is through a hardware firewall.  I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
    Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\username>dcdiag /v /test:dns
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine WGDDC01, is a Directory Server.
       Home Server = WGDDC01
       * Connecting to directory service on server WGDDC01.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\WGDDC01
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... WGDDC01 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\WGDDC01
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... WGDDC01 failed test DNS
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : wgd
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : wgd.inet
          Starting test: DNS
             Test results for domain controllers:
                DC: WGDDC01.wgd.inet
                Domain: wgd.inet
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      The OS
                       Microsoft Windows Server 2012 R2 Standard (Service Pack level: 0.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
                         MAC address is B0:83:FE:C1:98:07
                         IP Address is static
                         IP address: 10.240.1.23
                         DNS servers:
                            10.240.1.23 (WGDDC01) [Valid]
                            10.240.1.24 (WGDDC02) [Valid]
                            127.0.0.1 (WGDDC01) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                       Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                      [Error details: 5 (Type: Win32 - Description: Access is denied
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 10.240.1.23 (WGDDC01)
                   All tests passed on this DNS server
                    Name resolution is functional.
                    _ldap._tcp SRV record for the forest root domain is registered
                DNS server: 10.240.1.24 (WGDDC02)
                   All tests passed on this DNS server
                    Name resolution is functional.
                    _ldap._tcp SRV record for the forest root domain is registered
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: wgd.inet
                   WGDDC01                      PASS WARN n/a  n/a  n/a  n/a  n/a
             ......................... wgd.inet passed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC01
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter WGD_INET:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.23
                                           10.240.1.24
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    When I try to bind a machine to the domain I get an error message that says "
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
    The error was: "This operation returned because the timeout period expired."
    (error code 0x000005B4 ERROR_TIMEOUT)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
    The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
    10.240.1.24
    10.240.1.23
    Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
    Please let me know if I'm missing something or if there are other things I can check.
    Thanks!
    I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2.  All clients in the environment are Windows XP Pro or above.  The XP Pro boxes will be going away as
    soon as our vendor supports their software to run on Windows 7.

    We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the
    domain connecting to the two new domain controllers but the client machine that is trying to bind gives an error.  An Active Directory Domain Controller for the domain wgd.inet could not be contacted.  It seems that this is just a DNS issue for one
    particular subnet (10.240.2.0/24).  This subnet is set up in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
    When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out.  The route is there and I can watch it connect through our hardware firewall over port 53.
    DC01
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\dsmythe>netdom query fsmo
    Schema master               WGDDC01.wgd.inet
    Domain naming master        WGDDC01.wgd.inet
    PDC                         WGDDC01.wgd.inet
    RID pool manager            WGDDC01.wgd.inet
    Infrastructure master       WGDDC01.wgd.inet
    The command completed successfully.
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC01
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter WGD_INET:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.23
                                           10.240.1.24
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\dsmythe>
    DC02
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.
    C:\Users\dsmythe>netdom query fsmo
    Schema master               WGDDC01.wgd.inet
    Domain naming master        WGDDC01.wgd.inet
    PDC                         WGDDC01.wgd.inet
    RID pool manager            WGDDC01.wgd.inet
    Infrastructure master       WGDDC01.wgd.inet
    The command completed successfully.
    C:\Users\dsmythe>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WGDDC02
       Primary Dns Suffix  . . . . . . . : wgd.inet
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : wgd.inet
    Ethernet adapter NIC1:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.240.1.1
       DNS Servers . . . . . . . . . . . : 10.240.1.24
                                           10.240.1.23
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\dsmythe>

  • Windows 8.1 Pro Cannot Connect to Domain Controllers through Wi-Fi

    I have a domain joined Surface 2 Pro running 8.1 Pro Update that is suddenly unable to connect to the domain controllers on the local network. The machine is fully patched. I'm guessing that it is some network level security issue because the wi-fi is working:
    It has no trouble connecting to my Wi-Fi hotspot on my phone.
    It has no trouble connecting to other Wi-Fi at coffee shops etc.
    It is connecting to my home Wi-Fi and gets an address from DHCP on the domain controllers, but can't ping the DCs, access the DCs through remote desktop even using their IP address.
    It can ping the router and ping systems on the internet using their IP address rather than hostname.
    I can fully access internet systems if I point it at DNS on the router but still cannot access internal systems by name or IP address.
    The Wi-Fi network shows as a public network rather than a domain.
    It will work fine when it is docked and using the dock's ethernet adapter.
    If I use VPN to loop back through my router then I am able to fully access local systems.
    None of the other systems on the network are experiencing the same issue.
    I have tried the following which didn't work:
    Switched off the Windows Firewall on the Windows 8.1 system and a domain controller.
    Network Troubleshooting - which told me that the network seems OK but the DNS servers are not responding.
    Uninstalling the Wi-Fi device and restarting the system to re-install it.
    Resetting TCP/IP.
    I am not aware of any changes, but the system did install System Hardware Update 8/07/2014 (again!) but I can't recall if that was when the problem started or was just a coincidence.
    Any suggestions?
    Thanks,
    Richard
    Richard-F

    Hi Richard,
    Apologies for my slow understanding.
    I thought that, as it could obtain an IP address from the DC, there should be connectivity between them.
    For the current situation, you may try disabling the firewall on the DC, then check that the ports used by the AD environment are all available,
    Active Directory and Active Directory Domain Services Port Requirements; you could make use of this tool:
    PortQryUI - User Interface for the PortQry Command Line Port Scanner
    If all are available and the issue still persists, then the issue seems to be restricted to the wireless router. You may try to contact the router side and see if they could offer any further useful information regarding this situation.
    Best regards
    Michael Shao
    TechNet Community Support
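    The SRV lookup that times out from the 10.240.2.0/24 subnet in the thread above, and the port check Michael Shao suggests here, can both be run as one script from a client on the affected subnet. This is an added PowerShell example, not code from either thread; it assumes the thread's domain wgd.inet and DC addresses 10.240.1.23/.24 as defaults, and needs the DnsClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example (not from the thread): from a client on the affected subnet,
# query each configured DNS server for the DC locator SRV record, then probe
# the ports a domain join depends on against every DC the record names.
# Defaults are the thread's values (wgd.inet, 10.240.1.23/.24); adjust as needed.
param(
    [string]$Domain = 'wgd.inet',
    [string[]]$DnsServers = @('10.240.1.23', '10.240.1.24')
)

$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$results = @()

foreach ($dns in $DnsServers) {
    # Ask this specific server and bypass the local cache, so a per-server or
    # per-path failure (e.g. a firewall between subnets) shows up on its own line.
    try {
        $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $dns -DnsOnly -ErrorAction Stop
        $targets = $answer | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
        $results += [pscustomobject]@{ Check = "SRV via $dns"; Result = 'OK'; Detail = ($targets -join ', ') }
    } catch {
        # A timeout here, while the DC still answers ping, usually means UDP/TCP 53
        # is not passing end to end, not that the record is missing.
        $results += [pscustomobject]@{ Check = "SRV via $dns"; Result = 'FAIL'; Detail = $_.Exception.Message }
        continue
    }

    foreach ($dc in $targets) {
        # Resolve the DC's address through the same server so the port test does
        # not silently depend on a different resolver.
        $aRec = Resolve-DnsName -Name $dc -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $aRec) {
            $results += [pscustomobject]@{ Check = "A record for $dc via $dns"; Result = 'FAIL'; Detail = 'no answer' }
            continue
        }
        $ip = $aRec.IPAddress

        # Ports a join/logon must reach on each DC: DNS, Kerberos, RPC mapper, LDAP, SMB.
        # The full list is in the AD port requirements article linked in the thread.
        foreach ($port in 53, 88, 135, 389, 445) {
            $tcp = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
            $status = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' }
            $results += [pscustomobject]@{ Check = "$dc ($ip) TCP/$port"; Result = $status; Detail = '' }
        }
    }
}

# One line per check; a FAIL on SRV with OK port tests points at a DNS path
# problem, FAILs on 88/389/445 with OK DNS point at the firewall rule set.
$results | Format-Table -AutoSize
```

Run it once from the working subnet and once from 10.240.2.0/24; the rows that differ are the ones the firewall logs should be checked against.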

  • Communication issues between domain controllers

    Hi everyone,
    I am experiencing some problems in communication between domain controllers in our organization
    We have three domain controllers, one of them is a Windows 2003 server service pack 2 which is physical (controller A), another which is Windows 2008 Service Pack 2 (controller B), also physical, and a third one (controller C) which is a Windows 2008
    service pack 1 and is virtual.
    I have problems with this last DC: it won't respond to pings or DNS queries. I can't access it by remote desktop client even when it is enabled. I cannot update it; it prompts error messages if I try to do so.
    These problems are solved if I reboot it; it will work fine for some hours or days, but not much longer. I have checked event viewer and I didn't find any message about this.
    I read some time ago it would be great to have a DC in a virtual machine, so I did it, but is it right?
    Do you know what might be going on with it? Would demoting it and setting it up again be the best solution?
    Thank you very much.
    Best regards.
    David.

    This sounds like a NIC issue, which is odd since it is a virtual machine.  Have you checked the host for any logs about the client?
    I think the first thing I would do is destroy the current virtual NIC card and add a new one.  Since this has nothing to do with Active Directory I would also suggest you post this in a forum for the host (VMware or Hyper-V).
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Autodiscover, domain controllers, and certificate errors

    I have just deployed an Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
    All users have email addresses that are [email protected] Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it
    will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
    Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site
    https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
    If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
    What do I do to prevent this?

    Hi,
    Yes, we can have the following “switchers”
    PreferLocalXML
    ExcludeHttpRedirect
    ExcludeHttpsAutoDiscoverDomain
    ExcludeHttpsRootDomain
    ExcludeScpLookup
    ExcludeSrvRecord
    ExcludeLastKnownGoodUR
    Thanks,
    Simon Wu
    TechNet Community Support

  • Using Windows 8.1 With Older Domain Controllers

    Is there any document that would specify types of incompatibility we might expect when using Windows 8.1 with older domain controllers, either Windows 2000 or Windows 2003?
    I assume at minimum that these older domain controllers would not have group policies that are able to support the full security policy feature set of Windows 8.1? For such cases, how do we configure security policy on those 8.1 domain member
    computers? Would we use LocalGPO.wsf to import a local security policy, then join the computer to the domain to override just the settings that are supported by the domain controller and Windows 8.1 in common?
    Will

    Hi,
    You could refer to below guide to complete your migration process:
    Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
    http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Meanwhile, about the details of how to migrate the domain controller, I would like to suggest you consult the Windows Server Forum for more professional help:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
    Karen Hu
    TechNet Community Support
