Appendix A: Forest Recovery Procedures

Use the following procedure to back up the System State data, along with any other data you have selected for the current backup operation, of a domain controller that runs Windows Server 2003. Windows Server 2003 includes the Ntbackup tool, which you can use to back up System State data.

Membership in Administrators or Backup Operators, or equivalent, is the minimum required to back up files and folders. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

If you are backing up the System State data to a tape, and the Backup program indicates that there is no unused media available, you might have to use Removable Storage. This adds your tape to the free media pool so that Backup can use it.

You can only back up the System State data on a local computer. You cannot back it up on a remote computer.

To back up the System State data on a domain controller that runs Windows Server 2003

If your domain controller is running Windows Server 2008, you can use Windows Server Backup or Wbadmin.exe to back up a domain controller. For more information, see Performing an Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?LinkId=132632).

Use the following procedure to perform a nonauthoritative restore of a domain controller that runs Windows Server 2003. By performing a nonauthoritative restore on Active Directory in Windows Server 2003, you automatically perform a nonauthoritative restore of SYSVOL. No additional steps are required.

Note
If you are also reinstalling the Windows Server 2003 operating system, you might or might not join the computer to the domain and you can give any name to the computer during setup of the operating system. Do not install Active Directory. After reinstalling the operating system, go directly to step 4.

Some of the remaining procedures require Windows Support Tools. These tools are available on the Windows Server 2003 operating system installation disc in the \Support\Tools folder. For more information about Windows Support Tools, click Start, click Help and Support, click Tools, and then click Windows Support Tools. To download these tools from the Microsoft Download Center, see Windows Server 2003 Service Pack 1 32-bit Support Tools (http://go.microsoft.com/fwlink/?LinkId=70775).

To perform a nonauthoritative restore of a domain controller that runs Windows Server 2003

Use the following procedure to perform an authoritative (also known as primary) restore of SYSVOL on a domain controller that runs Windows Server 2003. Perform this procedure only on the first Windows Server 2003 domain controller that is restored in the domain. If the domain controller runs Windows Server 2008, see the next procedure: “To perform an authoritative restore of SYSVOL on a domain controller that runs Windows Server 2008.”

To perform an authoritative restore of SYSVOL on a domain controller that runs Windows Server 2003

Complete the steps to perform a nonauthoritative restore of AD DS. For more information, see Performing a Nonauthoritative Restore of AD DS (http://go.microsoft.com/fwlink/?LinkId=132637).

To perform an authoritative restore of SYSVOL on a domain controller that runs Windows Server 2008

If the domain controller that you restored from backup is running Windows Server 2003, you can install DNS server without connecting the domain controller to any network.

To install and configure the DNS Server service for Windows Server 2003

If the domain controller that you restored from backup is running Windows Server 2008, you must connect the domain controller to an isolated network in order to install DNS server. If the DNS server role is already installed, you can apply a hotfix that makes it possible for a DNS server to start while the server is not connected to any network. You should slipstream the hotfix into the operating system installation image during your automated build processes. For more information about the hotfix, see Article 975654 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=184691).

Complete this step for each domain. After you have one restored domain controller with DNS installed and configured for every domain, you can reconnect each of them to a mutually shared, isolated network. Run repadmin /replsum to verify that replication is functioning between the recovered domain controllers. After you verify replication, you can connect the recovered the production network.

To install and configure the DNS Server service for Windows Server 2008

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

3. Expand the Servers container, and then expand the server object for the domain controller from which you want to remove the global catalog.

4. Right-click NTDS Settings, and then click Properties.

5. Clear the Global Catalog check box.

1. At the command prompt, change directories to the folder that contains the Windows Support Tools, type the following command, and then press ENTER:

   ldp

2. Click Connection, click Connect, type the name of the server on which you want to raise the RID pool, and then click OK.

3. Click Connection, click Bind, type your administrative credentials, and then click OK.

4. Click View, click Tree, and then type the following distinguished name path:

   CN=RID Manager$,CN=System,DC=<domain name>

   This account has an attribute named rIDAvailablePool. This attribute value maintains the global RID space for an entire domain. The value is a large integer with upper and lower parts. The upper part defines the number of security principals that can be allocated for each domain (0x3FFFFFFF or just over 1 billion). The lower part is the number of RIDs that have been allocated in the domain. To view both parts, in Ldp.exe use the Large Integer Converter command in the Utilities menu.

   • Sample Value: 4611686014132422708 (Insert in Large Integer Calculator in the Utilities menu of Ldp.exe)
     
     
   • Low Part: 2100 (beginning of the next RID pool to be allocated)
     
     
   • Upper Part: 1073741823 (total number of RIDs that can be created in a domain)
     
     

   When you increase the value of the large integer, you increase the value of the low part. For example, if you add 100,000 to the sample value of 4611686014132422708 for a sum of 4611686014132522708, the new low part is 102100. This indicates that the next RID pool that will be allocated by the RID master will begin with 102100 instead of 2100.

5. Click Browse, and then click Modify.

6. Add 100,000 to the current rIDAvailablePool value, and then type the sum into Values.

7. In Dn, type cn=RID Manager$,cn=System,dc=<domain name>.

8. In Edit Entry Attribute, type rIDAvailablePool.

9. Select Replace as the operation, and then click Enter.

10. Click Run to run the operation.

1. At the command prompt, type the following command, and then press ENTER:

   ntdsutil

2. At the ntdsutil: prompt, type the following command, and then press ENTER:

   roles

3. At the FSMO maintenance: prompt, type the following command, and then press ENTER:

   connections

4. At the server connections: prompt, type the following command, and then press ENTER:

   Connect to server ServerFQDN

   Where ServerFQDN is the fully qualified domain name (FQDN) of this domain controller, for example: connect to server nycdc01.example.com.

   If ServerFQDN does not succeed, use the NetBIOS name of the domain controller.

5. At the server connections: prompt, type the following command, and then press ENTER:

   quit

6. Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.
   

    

   Role	Credentials	Command
   Domain naming master	Enterprise Admins	For Windows Server 2003: Seize domain naming master For Windows Server 2008: Seize naming master
   Schema master	Schema Admins	Seize schema master
   Infrastructure master	Domain Admins	Seize infrastructure master
   PDC emulator master	Domain Admins	Seize pdc
   RID master	Domain Admins	Seize rid master

   After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears.

   Note

   If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.

When you use the version of Active Directory Users and Computers in Windows Server 2008, metadata cleanup is performed automatically when you delete the domain controller object. In addition, the server object and the computer object are also deleted automatically, which eliminates the need to perform those additional procedures.

As an alternative, you can also use Active Directory Sites and Services in Windows Server 2008 to delete a domain controller object. If you use Active Directory Sites and Services, you must delete the associated server object and NTDS Settings object before you can delete the domain controller object.

If you do not have Windows Server 2008, you can instead download and use the Microsoft Remote Server Administration Tools for Windows Vista (http://go.microsoft.com/fwlink/?LinkID=115118) to perform this procedure.

To delete a domain controller object using Active Directory Users and Computers in Windows Server 2008

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

3. Expand the Servers container, right-click the server object for the domain controller that you want to remove, and then click Delete.

1. Click Start, click Run, type adsiedit.msc, and then click OK.

   By default, the ADSI Edit support tool is connected to this local domain controller.

2. To make the domain container appear in the console tree, click Action, click Connect to, and then click OK.

3. In the console tree, double-click the default naming context, and then double-click the domain container.

4. Double-click the OU for Domain Controllers.

   Note
   If the domain controller computer accounts have been moved out of the Domain Controllers OU, double-click the container in which they now reside.

5. Right-click the computer object associated with the failed domain controller, and then click Delete.

1. At a command prompt, type the following command, and then press ENTER:

   netdom help resetpwd

2. Use the syntax that this command provides for using the NetDom command-line tool to reset the computer account password, for example:

   netdom resetpwd /server:<domain controller name> /userD:administrator /passwordd:*

   Where <domain controller name> is the local domain controller that you are recovering.

   Note
   As mentioned in "Recovery steps," earlier in this guide, you should run this command twice.

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, double-click the domain container, and then click Users.

3. In the details pane, right-click the krbtgt user account, and then click Reset Password.

4. In New password, type a new password, retype the password in Confirm password, and then click OK.

   Note
   As mentioned in "Recovery steps," earlier in this guide, you should perform this operation twice.

1. At a command prompt, type the following command, and then press ENTER:

   netdom experthelp trust

2. Use the syntax that this command provides for using the NetDom tool to reset the trust password.

   For example, if there are two domains in the forest—parent and child—and you are running this command on the restored domain controller in the parent domain, use the following command syntax:

   netdom trust <parent domain name> /domain:<child domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*

   When you run this command in the child domain, use the following command syntax:

   netdom trust <child domain name> /domain:<parent domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*

   Note
   passwordT should be the same value on both sides of the trust. Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

3. Expand the Servers container, and then expand the server object for the domain controller to which you want to add the global catalog.

4. Right-click NTDS Settings, and then click Properties.

5. Select the Global Catalog check box.