Appendix A: Forest Recovery Procedures

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This appendix contains procedures related to the forest recovery process described earlier in this guide. The procedures are applicable for Windows Server 2012, and are also applicable to Windows Server 2008 R2 and Windows Server 2008 with some minor exceptions. Procedures that include steps that vary for Windows Server 2003 are found in Appendix D: Forest Recovery with Windows Server 2003 Domain Controllers.

  • Backing up a full server

  • Backing up the System State data

  • Performing a full server recovery

  • Performing an authoritative synchronization of DFSR-replicated SYSVOL

  • Performing a nonauthoritative restore of Active Directory Domain Services

    These steps explain how to perform an authoritative restore of SYSVOL at the same time.

  • Configuring the DNS Server service

  • Removing the global catalog

  • Raising the value of available RID pools

  • Invalidating the current RID pool

  • Seizing an operations master role

  • Cleaning metadata of removed writable domain controllers

  • Resetting the computer account password of the domain controller

  • Resetting the krbtgt password

  • Resetting a trust password on one side of the trust

  • Adding the global catalog

  • Resources to verify replication is working

Backing up a full server

A full server backup is recommended to prepare for a forest recovery because it can be restored to different hardware or a different operating system instance. To perform a full server backup, perform the following procedure using Windows Server Backup. Windows Server Backup is not installed by default. In Windows Server 2012, install it by selecting Windows Server Backup on the Select Features page in the Add Roles and Features Wizard in Server Manager. For steps to install it in Windows Server 2008 and Windows Server 2008 R2, see Installing Windows Server Backup.

To perform a full server backup using Windows Server Backup

  1. In Windows Server 2012, open Server Manager, click Tools, and then click Windows Server Backup.

    In Windows Server 2008 R2 and Windows Server 2008, click Start, point to Administrative Tools, and then click Windows Server Backup.

  2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.

  3. In Windows Server 2012 only, first click Local Backup.

  4. On the Action menu, click Backup once.

  5. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next.

  6. On the Select backup configuration page, click Full server (recommended), and then click Next.

  7. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next.

  8. On the page that follows (Select Backup Destination for a local drive, or Specify Remote Folder for a shared folder), choose the backup location as follows:

    • If you are backing up to a local volume, in Backup destination, select a drive, and then click Next.

      When you are prompted to exclude the destination volume from the list of items to be backed up, click OK.

    • If you are backing up to a remote shared folder, do the following:

      1. Type the path to the shared folder.

      2. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next.

      3. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK.

  9. On the Confirmation page, review your selections, and then click Backup.

  10. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

To perform a full server backup using Wbadmin.exe

  1. Open an elevated command prompt, type the following command and press ENTER:

    wbadmin start backup -backupTarget:<Drive_letter_to_store_backup>: -include:<Drive_letter_to_include>: -allCritical -quiet
    

    The -allCritical switch adds every volume that holds operating system components (including the volumes that store Ntds.dit and SYSVOL), which is what a later full server (bare metal) recovery needs; -include can list additional data volumes. The backup target volume must not be one of the volumes being backed up.

Backing up the System State data

A System State backup must be restored to the same operating system instance and hardware. Therefore it is not as flexible during a forest recovery as a full server backup. But a system state backup can be used to perform a non-authoritative restore of AD DS and an authoritative restore of SYSVOL at the same time (using wbadmin.exe), which may be more convenient than the full server restore option.

Use the following procedure to perform a system state backup on a DC by using Windows Server Backup or wbadmin.exe.

To perform a system state backup using Windows Server Backup

  1. In Windows Server 2012, open Server Manager, click Tools, and then click Windows Server Backup.

    In Windows Server 2008 R2 and Windows Server 2008, click Start, point to Administrative Tools, and then click Windows Server Backup.

  2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.

  3. In Windows Server 2012 only, first click Local Backup.

  4. On the Action menu, click Backup once.

  5. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next.

  6. On the Select backup configuration page, click Custom, and then click Next.

  7. On the Select backup items page:

    In Windows Server 2012, click Add Items, click System state, then click Next.

    In Windows Server 2008 R2 and Windows Server 2008, select the volumes to include in the backup. If you select the Enable system recovery check box, all critical volumes are selected.

    As an alternative, you can clear that check box, select the individual volumes that you want to include, and then click Next.

    Your selection must include the volumes that store the operating system, Ntds.dit, and SYSVOL.

    Note

    If you select a volume that hosts an operating system, all volumes that store system components are also selected.

  8. On the page that follows (Select Backup Destination for a local drive, or Specify Remote Folder for a shared folder), choose the backup location as follows:

    • If you are backing up to a local volume, in Backup destination, select a drive, and then click Next.

      When you are prompted to exclude the destination volume from the list of items to be backed up, click OK.

    • If you are backing up to a remote shared folder, do the following:

      1. Type the path to the shared folder.

      2. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next.

      3. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK.

  9. For Windows Server 2008 R2 and Windows Server 2008, on the Specify advanced option page, select VSS copy backup, and then click Next.

  10. On the Confirmation page, review your selections, and then click Backup.

  11. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

To perform a system state backup using Wbadmin.exe

  1. Open an elevated command prompt, type the following command and press ENTER:

    wbadmin start systemstatebackup -backupTarget:<targetDrive>: -quiet
    

    Note that wbadmin start systemstatebackup does not take the -allCritical switch (that switch belongs to wbadmin start backup); a system state backup always includes all system state components.
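The two backups above, driven from Windows PowerShell with the Windows Server Backup cmdlets instead of the wizard or wbadmin.exe. This is an added example and not code from the guide: it assumes Windows Server 2012 (on Windows Server 2008 R2 load the snap-in with Add-PSSnapin Windows.ServerBackup instead of Import-Module), and the target volume E: and the share \\backupsrv\dcbackups are placeholders.

```powershell
# Added example: full server and system state backups of a DC with the
# WindowsServerBackup module. Target paths below are placeholders.
Import-Module WindowsServerBackup -ErrorAction Stop

function New-DcBackupPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][ValidateSet('FullServer', 'SystemState')][string]$Kind,
        [Parameter(Mandatory = $true)][string]$Target,   # 'E:' or '\\server\share'
        [pscredential]$Credential                        # only used for a network target
    )
    $policy = New-WBPolicy

    if ($Kind -eq 'FullServer') {
        # Bare metal recovery selects every critical volume (OS, Ntds.dit, SYSVOL),
        # which is what a full server recovery to new hardware needs.
        Add-WBBareMetalRecovery -Policy $policy
        Add-WBSystemState       -Policy $policy
    } else {
        # System state only: what wbadmin start systemstaterecovery -authsysvol consumes.
        Add-WBSystemState -Policy $policy
    }

    if ($Target -like '\\*') {
        # -NonInheritAcl restricts the backup folder to the account given here (the
        # "Do not inherit" choice in the wizard); a DC backup holds every secret in the domain.
        $wbTarget = New-WBBackupTarget -NetworkPath $Target -Credential $Credential -NonInheritAcl
    } else {
        $wbTarget = New-WBBackupTarget -VolumePath $Target
    }
    Add-WBBackupTarget -Policy $policy -Target $wbTarget

    # Same choice as "VSS copy backup" in the wizard: do not reset other VSS writers' state.
    Set-WBVssBackupOptions -Policy $policy -VssCopyBackup
    return $policy
}

function Start-DcBackup {
    param([Parameter(Mandatory = $true)]$Policy)
    # Without -Async, Start-WBBackup blocks until the job finishes.
    Start-WBBackup -Policy $Policy
    $job = Get-WBJob -Previous 1
    if ($job.JobState -ne 'Completed' -or $job.HResult -ne 0) {
        throw "Backup failed: $($job.ErrorDescription)"
    }
    $job
}

# Full server backup to a local volume ...
$full = New-DcBackupPolicy -Kind FullServer -Target 'E:'
Start-DcBackup -Policy $full

# ... and a system state backup to a share, as a second, independent artifact.
$cred = Get-Credential -Message 'Account with write access to the backup share'
$ss = New-DcBackupPolicy -Kind SystemState -Target '\\backupsrv\dcbackups' -Credential $cred
Start-DcBackup -Policy $ss

# What wbadmin get versions / the recovery wizard will see later.
Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget
```

Keep both kinds of backup: the full server backup is the one that can be restored to different hardware, while only the system state backup can be consumed by wbadmin start systemstaterecovery -authsysvol later in this appendix.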
    

Performing a full server recovery

Use the following procedure to perform a full server recovery for Windows Server 2012. A full server recovery is necessary if you are restoring to different hardware or a different operating system instance. The number of drives on the target server needs to be equal to the number in the backup, and they need to be the same size or greater.

The target server needs to be started from the operating system DVD in order to access the Repair your computer option. If the target DC is running in a VM on Hyper-V and the backup is stored on a network location, you must install a legacy network adapter.

After you perform a full server recovery, you need to separately perform an authoritative restore of SYSVOL, as described in the next section.

To perform a full server recovery

  1. Start Windows Setup, specify the Language, Time and currency format, and keyboard options and click Next.

  2. Click Repair your computer. If the backup is stored locally, skip to step 6. If the backup is stored on a network location, continue with step 3.

  3. Click Troubleshoot, click Command Prompt.

  4. Type the following command and press ENTER:

    wpeinit
    
  5. To list the network adapters that Windows PE detected and confirm the name of the one you want to use, type the following command and press ENTER:

    netsh interface ipv4 show interfaces
    

    Then assign a static address to that adapter, using the following syntax (the trailing 1 is the gateway metric):

    netsh interface ipv4 set address "Name of Network Adapter" static IPv4Address SubnetMask IPv4GatewayAddress 1
    

    For example:

    netsh interface ipv4 set address "Local Area Connection" static 192.168.1.2 255.0.0.0 192.168.1.1 1
    

    Type ipconfig /all to verify that the network adapter has an IP address, and try to ping the IP address of the server that hosts the backup share to confirm connectivity. Close the command prompt when you are done.

  6. Click Troubleshoot, click System Image Recovery, and click Windows Server 2012.

  7. If you are restoring the most recent local backup, click Use the latest available system image (recommended) and click Next twice, click Finish, and click Yes to confirm the restore operation.

    If you are restoring a different backup, click Select a system image and click Next.

  8. Click the name of a local backup file or click Advanced and click Search for a system image over the network to search for a backup over the network.

  9. Type the UNC path to the backup share location (for example, \\server1\backups) and click OK. You can also type the IP address of the target server, such as \\192.168.1.3\backups.

  10. Type credentials necessary to access the share and click OK.

  11. Select the name of the backup file and click Next.

  12. Select the drives in the backup file and click Next.

  13. Click Format and repartition disks and click Next.

  14. Click Finish, and click Yes to confirm that all disks will be restored.

Performing an authoritative synchronization of DFSR-replicated SYSVOL

There are different ways to perform an authoritative restore of SYSVOL. You can either edit the msDFSR-Options attribute or perform a system state restore using wbadmin -authsysvol. If you have the option to restore a system state backup (that is, you are restoring AD DS to the same hardware and operating system instance), then using wbadmin -authsysvol is simpler. But if you need to perform a bare metal restore, then you need to edit the msDFSR-Options attribute.

Use the following steps to perform an authoritative synchronization of SYSVOL (if it is replicated using DFSR) by editing the msDFSR-Options attribute. If SYSVOL is replicated using FRS, see article 290762.

To perform an authoritative synchronization of DFSR-replicated SYSVOL

  1. Open Active Directory Users and Computers.

  2. Click View, and then select Users, Contacts, Groups, and Computers as containers and Advanced Features.

  3. In the tree-view, click Domain Controllers, the name of the DC you restored, DFSR-LocalSettings, and then Domain System Volume.

  4. In the Details pane, right-click SYSVOL Subscription, click Properties, and click Attribute Editor.

  5. Click msDFSR-Options, click Edit, type 1, and click OK.

  6. Click OK to close the Attribute Editor.
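The same msDFSR-Options change made with the ActiveDirectory module instead of the Attribute Editor, followed by the check a practitioner wants afterwards: the DFS Replication event that records SYSVOL being initialized as the authoritative member. This is an added example, not code from the guide; it assumes the restored DC is named DC01 (a placeholder), that the RSAT-AD-PowerShell feature is present, and that the DFS Replication log on that DC is readable.

```powershell
# Added example: set msDFSR-Options=1 on the restored DC's SYSVOL subscription
# and confirm DFSR picked it up. DC01 is a placeholder name.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-SysvolSubscriptionDn {
    param([Parameter(Mandatory = $true)][string]$DcName)
    # Query the restored DC itself; it is isolated, so no other DC is reachable.
    $dc = Get-ADComputer -Identity $DcName -Server $DcName
    # Same object the GUI steps navigate to, under the DC's computer object.
    'CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,' + $dc.DistinguishedName
}

function Set-SysvolAuthoritative {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DcName)
    $dn = Get-SysvolSubscriptionDn -DcName $DcName
    $before = (Get-ADObject -Identity $dn -Properties 'msDFSR-Options' -Server $DcName).'msDFSR-Options'
    if ($PSCmdlet.ShouldProcess($dn, "set msDFSR-Options=1 (currently '$before')")) {
        Set-ADObject -Identity $dn -Replace @{ 'msDFSR-Options' = 1 } -Server $DcName
        # DFSR reads the flag from AD when it starts, so restart it on the restored DC.
        Get-Service -Name DFSR -ComputerName $DcName | Restart-Service
    }
    Get-ADObject -Identity $dn -Properties 'msDFSR-Options' -Server $DcName |
        Select-Object DistinguishedName, 'msDFSR-Options'
}

function Test-SysvolAuthoritativeInit {
    param(
        [string]$DcName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # Event 4602 in the DFS Replication log: SYSVOL initialized as the authoritative (primary) member.
    $evt = Get-WinEvent -ComputerName $DcName -FilterHashtable @{
        LogName = 'DFS Replication'; Id = 4602; StartTime = $Since
    } -ErrorAction SilentlyContinue
    [bool]$evt
}

Set-SysvolAuthoritative -DcName 'DC01' -Confirm
Test-SysvolAuthoritativeInit -DcName 'DC01'   # $true once DFSR has logged 4602
```

Run this only on the one DC whose SYSVOL copy you have decided is good; every other DC in the domain will later resync from it.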

Performing a nonauthoritative restore of Active Directory Domain Services

To perform a nonauthoritative restore, complete the following procedure.

The following procedures use Wbadmin.exe to perform a nonauthoritative restore of Active Directory or Active Directory Domain Services (AD DS). If you are using a different backup solution, or if you intend to complete the authoritative restore of SYSVOL later in the forest recovery process, you can perform an authoritative restore of SYSVOL by using these alternative methods:

  • If you are using File Replication Service (FRS) to replicate SYSVOL, follow the steps in article 290762 in the Microsoft Knowledge Base, using the BurFlags registry key to reinitialize FRS replica sets, or if necessary, article 315457 to rebuild the SYSVOL tree. To determine if SYSVOL is replicated by FRS, see Determining Whether a Domain Controller's SYSVOL Folder is Replicated by DFSR or FRS.

  • If you are using Distributed File System (DFS) Replication to replicate SYSVOL, see Performing an authoritative synchronization of DFSR-replicated SYSVOL.

Performing a nonauthoritative restore

Use the following procedure to perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL at the same time by using wbadmin.exe on a DC that runs Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. The backup must explicitly include system state data; a full server backup that is used for full server recovery will not work. For more information about creating a system state backup, see Backing up the System State data.

To perform a nonauthoritative restore of AD DS and authoritative restore of SYSVOL using wbadmin.exe

  • Include the -authsysvol switch in your recovery command, as shown in the following example:

    wbadmin start systemstaterecovery <otheroptions> -authsysvol
    

    For example:

    wbadmin start systemstaterecovery -version:11/20/2012-13:00 -authsysvol
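wbadmin start systemstaterecovery has to run in Directory Services Restore Mode (DSRM), which the steps above leave implicit. The following added example (not code from the guide) wraps the whole sequence: set the DSRM boot flag, and, after the restart into DSRM, list the backup versions on the target, run the nonauthoritative restore with -authsysvol, clear the flag and restart. It assumes the backups live on E: (a placeholder) and relies on the SAFEBOOT_OPTION environment variable, which Windows sets to DSREPAIR in DSRM.

```powershell
# Added example: DSRM boot toggle plus wbadmin systemstaterecovery -authsysvol.
# E: is a placeholder backup target.

function Enter-DsrmOnNextBoot {
    # safeboot dsrepair = Directory Services Restore Mode for the default boot entry.
    & bcdedit.exe /set '{default}' safeboot dsrepair
}

function Exit-DsrmOnNextBoot {
    & bcdedit.exe /deletevalue '{default}' safeboot
}

function Get-SystemStateBackupVersions {
    param([Parameter(Mandatory = $true)][string]$BackupTarget)
    # Pull the "Version identifier: 11/20/2012-13:00" lines out of wbadmin's text output;
    # wbadmin lists them oldest first.
    & wbadmin.exe get versions -backupTarget:$BackupTarget |
        Where-Object { $_ -match '^Version identifier:\s*(\S+)' } |
        ForEach-Object { $Matches[1] }
}

function Restore-DcSystemState {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$BackupTarget,
        [string]$Version     # defaults to the newest version on the target
    )
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in DSRM. Run Enter-DsrmOnNextBoot, restart, log on with the DSRM administrator account, then rerun.'
    }
    if (-not $Version) {
        $Version = Get-SystemStateBackupVersions -BackupTarget $BackupTarget | Select-Object -Last 1
        if (-not $Version) { throw "No system state backups found on $BackupTarget" }
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "nonauthoritative AD DS restore + authoritative SYSVOL from version $Version")) {
        & wbadmin.exe start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -authsysvol -quiet
        if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
        # Clear the flag before the restart so the DC comes back up in normal mode.
        Exit-DsrmOnNextBoot
        Restart-Computer -Confirm
    }
}

# First boot (normal mode):
#   Enter-DsrmOnNextBoot; Restart-Computer
# Second boot (DSRM, logged on as the DSRM administrator):
Get-SystemStateBackupVersions -BackupTarget 'E:'
Restore-DcSystemState -BackupTarget 'E:'
```

Leave -authsysvol out if SYSVOL on this DC should later be overwritten by another DC's copy instead; the switch is what makes this DC's SYSVOL the one everything else synchronizes from.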
    

Configuring the DNS Server service

If the DNS server role is not installed on the DC that you restore from backup, you must install and configure the DNS server.

Install and configure the DNS Server service

Complete this step for each restored DC that is not running as a DNS server after the restore is complete.

Note

If the DC that you restored from backup is running Windows Server 2008, you must connect the DC to an isolated network in order to install the DNS Server role. Then connect each of the restored DNS servers to a mutually shared, isolated network. Run repadmin /replsum to verify that replication is functioning between the restored DNS servers. After you verify replication, you can connect the restored DCs to the production network.

If the DNS Server role is already installed, you can apply a hotfix that makes it possible for a DNS server to start while the server is not connected to any network. You should slipstream the hotfix into the operating system installation image during your automated build processes. For more information about the hotfix, see Article 975654 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=184691).

To install and configure the DNS Server service using Server Manager

  1. Open Server Manager and start the Add Roles Wizard.

  2. In the Add Roles Wizard, if the Before You Begin page appears, click Next.

  3. In the Roles list, click DNS Server, and then click Next.

  4. Read the information on the DNS Server page, and then click Next.

  5. On the Confirm Installation Options page, verify that the DNS Server role will be installed, and then click Install.

    After the installation, complete the following steps to configure the DNS server.

  6. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.

  7. Create DNS zones for the same DNS domain names that were hosted on the DNS servers before the critical malfunction. For more information, see Add a Forward Lookup Zone (https://go.microsoft.com/fwlink/?LinkId=74574).

  8. Restore the DNS data to what it was before the critical malfunction. In particular:

  9. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and glue host (A) resource records) for the child zone that is hosted on this DNS server. For more information, see Create a Zone Delegation (https://go.microsoft.com/fwlink/?LinkId=74562).

  10. After you configure DNS, you can speed up registration of the DC locator (SRV) records that Netlogon registers by restarting the Netlogon service.

    Note

    Secure dynamic updates only work when a global catalog server is available.

    At the command prompt, type the following command, and then press ENTER:

    net stop netlogon

  11. Type the following command, and then press ENTER:

    net start netlogon
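The same role installation, zone creation, delegation and Netlogon restart done with the ServerManager and DnsServer modules on Windows Server 2012, ending with a lookup that proves the DC locator records are back. This is an added example rather than code from the guide; the forest root zone contoso.com, the child zone label child, the name server dc02.child.contoso.com and its address 10.0.2.10 are placeholders.

```powershell
# Added example: DNS Server role + zones + delegation + Netlogon re-registration.
# All domain names and addresses below are placeholders.
Import-Module ServerManager, ActiveDirectory -ErrorAction Stop

function Install-DcDnsRole {
    if (-not (Get-WindowsFeature -Name DNS).Installed) {
        $r = Install-WindowsFeature -Name DNS -IncludeManagementTools
        if (-not $r.Success) { throw 'DNS Server role installation failed' }
    }
    Import-Module DnsServer -ErrorAction Stop
    # A restored DC often still points at a DNS server that no longer exists;
    # point every active adapter at the local DNS service.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses 127.0.0.1
    }
}

function Restore-DcDnsZone {
    param(
        [Parameter(Mandatory = $true)][string]$ZoneName,
        [ValidateSet('Forest', 'Domain')][string]$ReplicationScope = 'Domain'
    )
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        # AD-integrated primary zone with secure dynamic update only (which, as the
        # note above says, needs a reachable global catalog to work).
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope -DynamicUpdate Secure
    }
    Get-DnsServerZone -Name $ZoneName
}

function Add-ChildZoneDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$ParentZone,   # e.g. contoso.com
        [Parameter(Mandatory = $true)][string]$ChildLabel,   # e.g. child
        [Parameter(Mandatory = $true)][string]$NameServer,   # FQDN of a DNS server in the child domain
        [Parameter(Mandatory = $true)][ipaddress]$IPAddress  # glue A record for that server
    )
    # Creates the NS record in the parent zone and the glue A record.
    Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel -NameServer $NameServer -IPAddress $IPAddress
}

function Register-DcLocatorRecords {
    param([string]$DomainDnsName = (Get-ADDomain).DNSRoot)
    # Same effect as "net stop netlogon" / "net start netlogon": Netlogon re-registers
    # the _ldap/_kerberos SRV records for this DC when it starts.
    Restart-Service -Name Netlogon
    Start-Sleep -Seconds 10
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV -Server 127.0.0.1 -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
}

Install-DcDnsRole
Restore-DcDnsZone -ZoneName 'contoso.com'        -ReplicationScope Forest
Restore-DcDnsZone -ZoneName '_msdcs.contoso.com' -ReplicationScope Forest
Add-ChildZoneDelegation -ParentZone 'contoso.com' -ChildLabel 'child' -NameServer 'dc02.child.contoso.com' -IPAddress 10.0.2.10
Register-DcLocatorRecords
```

If Register-DcLocatorRecords returns nothing, check the Netlogon events in the System log before going further: nothing else in the recovery (replication, Kerberos, the next dcpromo) works until the SRV records exist.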

Removing the global catalog

Use the following procedure to remove the global catalog from a DC.

Restoring a global catalog server from backup could result in the global catalog holding newer data for one of its partial replicas than the corresponding domain that is authoritative for that partial replica. In such a case, the newer data will not be removed from the global catalog and might even replicate to other global catalog servers. As a result, even if you did restore a DC that was a global catalog server, either inadvertently or because that was the solitary backup you trusted, you should remove the global catalog soon after the restore operation is complete. When the global catalog is removed, the computer removes all its partial replicas.

To remove the global catalog using Active Directory Sites and Services

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

  3. Expand the Servers container, and then expand the server object for the DC from which you want to remove the global catalog.

  4. Right-click NTDS Settings, and then click Properties.

  5. Clear the Global Catalog check box.

To remove the global catalog using Repadmin

  1. Open an elevated command prompt, type the following command, and press ENTER:

    repadmin.exe /options DC_NAME -IS_GC
    

Raising the value of available RID pools

Use the following procedure to raise the value of the relative ID (RID) pools that the RID operations master will allocate after that DC is restored. By raising the value of the available RID pools, you can ensure that no DC allocates a RID for a security principal that was created after the backup that was used to restore the domain.

Each domain has an object CN=RID Manager$,CN=System,DC=<domain_name>. This object has an attribute named rIDAvailablePool. This attribute value maintains the global RID space for an entire domain. The value is a large integer with upper and lower parts. The upper part defines the number of security principals that can be allocated for each domain (0x3FFFFFFF or just over 1 billion). The lower part is the number of RIDs that have been allocated in the domain.

Note

In Windows Server 2012, the number of security principals that can be allocated is increased to just over 2 billion. For more information, see Managing RID issuance.

  • Sample Value: 4611686014132422708

  • Low Part: 2100 (beginning of the next RID pool to be allocated)

  • Upper Part: 1073741823 (total number of RIDs that can be created in a domain)

When you increase the value of the large integer, you increase the value of the low part. For example, if you add 100,000 to the sample value of 4611686014132422708 for a sum of 4611686014132522708, the new low part is 102100. This indicates that the next RID pool that will be allocated by the RID master will begin with 102100 instead of 2100.

To raise the value of available RID pools using adsiedit and the calculator

  1. At an elevated command prompt, type:

    adsiedit.msc
    
  2. Connect to the Default Naming Context, and browse to the following distinguished name path: CN=RID Manager$,CN=System,DC=<domain name>.

  3. Open the properties of CN=RID Manager$.

  4. Select the attribute rIDAvailablePool, click Edit, and then copy the large integer value to the clipboard.

  5. Start calculator, and from the View menu, select Scientific Mode.

  6. Add 100,000 to the current value.

  7. Using ctrl-c, or the Copy command from the Edit menu, copy the value to the clipboard.

  8. In the edit dialog of adsiedit, paste this new value.

  9. Click OK in the dialog, and Apply in the property sheet to update the rIDAvailablePool attribute.

To raise the value of available RID pools using LDP

  1. At the command prompt, type the following command, and then press ENTER:

    ldp

  2. Click Connection, click Connect, type the name of the RID master, and then click OK.

  3. Click Connection, click Bind, type your administrative credentials, and then click OK.

  4. Click View, click Tree, and then type the following distinguished name path:

    CN=RID Manager$,CN=System,DC=domain name

  5. Click Browse, and then click Modify.

  6. Add 100,000 to the current rIDAvailablePool value, and then type the sum into Values.

  7. In Dn, type cn=RID Manager$,cn=System,dc=<domain name>.

  8. In Edit Entry Attribute, type rIDAvailablePool.

  9. Select Replace as the operation, and then click Enter.

  10. Click Run to run the operation.

  11. To validate the change, select the cn=RID Manager$,cn=System,dc=<domain name> object and verify the value of the rIDAvailablePool attribute.
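Decoding rIDAvailablePool by hand with Calculator is where mistakes happen, so the following added example (not code from the guide) splits the large integer into its two 32-bit halves, recomputes the raised value from them, and writes it back to the RID master with the ActiveDirectory module. It works through the sample value from the text (4611686014132422708, low part 2100, upper part 1073741823); the DC it connects to is whatever Get-ADDomain reports as RID master.

```powershell
# Added example: decode, raise and write back rIDAvailablePool.
Import-Module ActiveDirectory -ErrorAction Stop
$script:TwoPow32 = [int64]4294967296   # boundary between the low and upper 32-bit halves

function ConvertFrom-RidAvailablePool {
    param([Parameter(Mandatory = $true)][int64]$Value)
    $low  = $Value % $script:TwoPow32                    # start of the next RID pool to hand out
    $high = [int64](($Value - $low) / $script:TwoPow32)  # largest RID the domain may ever issue
    [pscustomobject]@{ Value = $Value; NextRidPoolStart = $low; MaxRid = $high }
}

function ConvertTo-RidAvailablePool {
    param(
        [Parameter(Mandatory = $true)][int64]$NextRidPoolStart,
        [Parameter(Mandatory = $true)][int64]$MaxRid
    )
    if ($NextRidPoolStart -ge $MaxRid) { throw 'Low part must stay below the upper part' }
    $MaxRid * $script:TwoPow32 + $NextRidPoolStart
}

function Get-RidManagerObject {
    param([string]$Server = (Get-ADDomain).RIDMaster)
    $dn = 'CN=RID Manager$,CN=System,' + (Get-ADDomain -Server $Server).DistinguishedName
    Get-ADObject -Identity $dn -Properties rIDAvailablePool -Server $Server
}

function Add-RidAvailablePool {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([int64]$Increment = 100000, [string]$Server = (Get-ADDomain).RIDMaster)
    $obj = Get-RidManagerObject -Server $Server
    $cur = ConvertFrom-RidAvailablePool -Value ([int64]$obj.rIDAvailablePool)
    $new = ConvertTo-RidAvailablePool -NextRidPoolStart ($cur.NextRidPoolStart + $Increment) -MaxRid $cur.MaxRid
    $msg = "rIDAvailablePool $($obj.rIDAvailablePool) -> $new (next pool starts at $($cur.NextRidPoolStart + $Increment))"
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, $msg)) {
        # Only the RID master accepts this write; any other DC refuses it.
        Set-ADObject -Identity $obj.DistinguishedName -Replace @{ rIDAvailablePool = $new } -Server $Server
    }
    ConvertFrom-RidAvailablePool -Value ([int64](Get-RidManagerObject -Server $Server).rIDAvailablePool)
}

# Worked with the sample value from the text: low part 2100, upper part 1073741823.
ConvertFrom-RidAvailablePool -Value 4611686014132422708
# 2100 + 100000 = 102100 gives back the sum quoted in the text, 4611686014132522708.
ConvertTo-RidAvailablePool -NextRidPoolStart 102100 -MaxRid 1073741823

# Live change on the RID master (prompts before writing):
Add-RidAvailablePool -Increment 100000
```

Size the increment from the highest RID you believe was issued after the backup, not from habit: 100,000 is the figure the guide uses, and anything larger only shrinks the space of just over one billion (two billion on Windows Server 2012) that the upper part allows.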

Invalidating the current RID pool

Use the following procedure to use Windows PowerShell to invalidate the current RID pool on a domain controller. Windows PowerShell is enabled by default on Windows Server 2012 and Windows Server 2008 R2, but not on Windows Server 2008, where it must be installed by using Add Features. It can be downloaded to run on Windows Server 2003.

To verify that the command completed successfully, check for event ID 16654 (source Directory-Services-SAM) in the System log in Event Viewer on Windows Server 2012. Earlier versions of Windows do not log this event.

Note

After you invalidate the RID pool, you will receive an error when you first attempt to create a security principal (user, computer, or group). The attempt to create an object triggers a request for a new RID pool. Retrying the operation succeeds because the new RID pool will have been allocated.

To invalidate the current RID pool

  1. Open an elevated Windows PowerShell session, run the following command and press ENTER:

    # Bind to the current domain (default naming context) and read its SID.
    $Domain = New-Object System.DirectoryServices.DirectoryEntry
    $DomainSid = $Domain.objectSid
    # Writing the domain SID to the rootDSE operational attribute invalidateRidPool
    # makes this DC discard its current RID pool and request a new one from the RID master.
    $RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $RootDSE.UsePropertyCache = $false
    $RootDSE.Put("invalidateRidPool", $DomainSid.Value)
    $RootDSE.SetInfo()
    

Seizing an operations master role

Use the following procedure to seize an operations master role (also known as a flexible single master operations (FSMO) role). You can use Ntdsutil.exe, a command-line tool that is installed automatically on all DCs.

To seize an operations master role

  1. At the command prompt, type the following command, and then press ENTER:

    ntdsutil
    
  2. At the ntdsutil: prompt, type the following command, and then press ENTER:

    roles
    
  3. At the FSMO maintenance: prompt, type the following command, and then press ENTER:

    connections
    
  4. At the server connections: prompt, type the following command, and then press ENTER:

    Connect to server ServerFQDN
    

    Where ServerFQDN is the fully qualified domain name (FQDN) of this DC, for example: connect to server nycdc01.example.com.

    If connecting by FQDN does not succeed, use the NetBIOS name of the DC.

  5. At the server connections: prompt, type the following command, and then press ENTER:

    quit
    
  6. Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.

    Role                    Credentials        Command
    ----------------------  -----------------  ---------------------------
    Domain naming master    Enterprise Admins  Seize naming master
    Schema master           Schema Admins      Seize schema master
    Infrastructure master   Domain Admins      Seize infrastructure master
    PDC emulator master     Domain Admins      Seize pdc
    RID master              Domain Admins      Seize rid master

    Note

    After you seize the infrastructure master role, you may receive an error later if you need to run Adprep /Rodcprep. For more information, see KB article 949257.

    After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears. You can also run Netdom Query FSMO at an elevated command prompt to verify current role holders.

    Note

    If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.
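The same seizure done with the ActiveDirectory module. Move-ADDirectoryServerOperationMasterRole attempts a transfer first and, with -Force, seizes the role when the current holder cannot be reached, which is exactly the behaviour the ntdsutil Seize commands above describe. This is an added example and not code from the guide; the DC name DC01 is a placeholder, and the forest-wide roles still require Enterprise Admins and Schema Admins membership, the domain roles Domain Admins, as in the table.

```powershell
# Added example: seize all five operations master roles onto the restored DC
# and report who holds what before and after. DC01 is a placeholder.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoHolders {
    param([string]$Server = $env:COMPUTERNAME)
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Invoke-FsmoSeizure {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$TargetDc,
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    )
    $before = Get-FsmoHolders -Server $TargetDc
    foreach ($r in $Role) {
        if ($before.$r -like "$TargetDc*") {
            Write-Verbose "$r is already held by $TargetDc"
            continue
        }
        if ($PSCmdlet.ShouldProcess($TargetDc, "seize $r from $($before.$r)")) {
            # -Force: transfer if the holder answers, seize if it does not.
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $r -Force -Confirm:$false
        }
    }
    Get-FsmoHolders -Server $TargetDc
}

# On the isolated, restored DC of the forest root domain: seize everything.
Invoke-FsmoSeizure -TargetDc 'DC01' -Verbose

# Cross-check with the tool the guide names.
netdom query fsmo
```

In a non-root domain, pass only the three domain roles (PDCEmulator, RIDMaster, InfrastructureMaster) in -Role; the schema and domain naming masters live in the forest root domain.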

Cleaning metadata of removed writable domain controllers

Metadata cleanup removes the Active Directory data that identifies a DC to the replication system (its NTDS Settings object and server object), so that the DC's name can be reused when you reinstall AD DS.

Use the following procedure to delete the DC objects for DCs that you plan to add back to the network by reinstalling AD DS.

Deleting a domain controller using Active Directory Users and Computers

When you use the version of Active Directory Users and Computers or Active Directory Administrative Center in Remote Server Administration Tools (RSAT), metadata cleanup is performed automatically when you delete the DC object. The server object and the computer object are also deleted automatically.

As an alternative, you can also use Active Directory Sites and Services in RSAT to delete a DC object. If you use Active Directory Sites and Services, you must delete the associated server object and NTDS Settings object before you can delete the DC object.

The following procedure is the same for DCs that run either Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. The target DC of the metadata cleanup operation can run any version of Windows Server.

To delete a domain controller object using Active Directory Users and Computers in RSAT

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, double-click the domain container, and then double-click the Domain Controllers organizational unit (OU).

  3. In the details pane, right-click the DC that you want to delete, and then click Delete.

  4. Click Yes to confirm the deletion. Select the This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO) check box and click Delete.

  5. If the DC was a global catalog server, click Yes to confirm the deletion.
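When RSAT is not at hand, the same cleanup can be done from the command line. The following added example (not code from the guide) looks up the server object DN that ntdsutil's remove selected server command needs, runs the cleanup in one ntdsutil invocation, and then checks for leftovers (NTDS Settings, computer account, FRS member object) that would otherwise confuse replication or a later dcpromo. It assumes DC02 is the dead DC and that you run it on the restored DC; both names are placeholders.

```powershell
# Added example: metadata cleanup via ntdsutil with a leftover check.
# DC02 (dead DC) is a placeholder; the command runs against the local restored DC.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcServerObjectDn {
    param([Parameter(Mandatory = $true)][string]$DcName, [string]$Server = $env:COMPUTERNAME)
    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    # The server object lives under CN=Servers,CN=<site>,CN=Sites in the configuration partition.
    $srv = Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    if (-not $srv) { throw "No server object named $DcName under $configNc" }
    $srv.DistinguishedName
}

function Remove-DcMetadata {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$DcName, [string]$Server = $env:COMPUTERNAME)
    $dn = Get-DcServerObjectDn -DcName $DcName -Server $Server
    if ($PSCmdlet.ShouldProcess($dn, 'ntdsutil metadata cleanup')) {
        # Each quoted argument is one ntdsutil command; "quit quit" leaves both menus.
        # A site name containing spaces would need the DN quoted for ntdsutil.
        & ntdsutil.exe 'metadata cleanup' "remove selected server $dn" quit quit
        if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
    }
}

function Test-DcMetadataRemoved {
    param([Parameter(Mandatory = $true)][string]$DcName, [string]$Server = $env:COMPUTERNAME)
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    $leftovers = @()
    if (Get-ADDomainController -Filter "Name -eq '$DcName'" -Server $Server) { $leftovers += 'NTDS Settings' }
    if (Get-ADComputer -Filter "Name -eq '$DcName'" -Server $Server)         { $leftovers += 'computer account' }
    # FRS member objects (FRS-replicated SYSVOL) are worth checking explicitly.
    if (Get-ADObject -Server $Server -SearchBase $domainDn -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))") {
        $leftovers += 'FRS member (nTFRSMember)'
    }
    if ($leftovers) { "Leftovers for ${DcName}: $($leftovers -join ', ')" } else { "No metadata left for $DcName" }
}

Remove-DcMetadata -DcName 'DC02'
Test-DcMetadataRemoved -DcName 'DC02'
```

Anything Test-DcMetadataRemoved still reports can be deleted by hand in ADSI Edit; also remove the dead DC's A, SRV and CNAME records in DNS, which this example does not touch.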

Resetting the computer account password of the domain controller

Use the following procedure to reset the computer account password of the DC.

To reset the computer account password of the domain controller

  1. At a command prompt, type the following command, and then press ENTER:

    netdom help resetpwd
    
  2. Use the syntax that this command provides for using the Netdom command-line tool to reset the computer account password, for example:

    netdom resetpwd /server:<domain_controller_name> /userD:administrator /passwordd:*
    

    Where <domain_controller_name> is the local DC that you are recovering.

    Note

    You should run this command twice.

Resetting the krbtgt password

Use the following procedure to reset the krbtgt password for the domain. The following procedure applies to writable DCs, but not to read-only domain controllers (RODCs).

Important

If you plan to recover RODCs online during the forest recovery, do not delete the krbtgt accounts for the RODCs. The krbtgt account for an RODC is listed in the format krbtgt_number. If you use a customized password filter (such as passfilt.dll) on a DC, then you might receive an error when you try to reset the krbtgt password. For more information, including a workaround, see Microsoft Knowledge Base article 2549833 (https://support.microsoft.com/kb/2549833).

To reset the krbtgt password

  1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Click View, and then click Advanced Features.

  3. In the console tree, double-click the domain container, and then click Users.

  4. In the details pane, right-click the krbtgt user account, and then click Reset Password.

  5. In New password, type a new password, retype the password in Confirm password, and then click OK. The password that you specify is not significant because the system will generate a strong password automatically independent of the password that you specify.

    Note

    You should perform this operation twice. The password history of the krbtgt account is two, meaning it includes the two most recent passwords. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another DC will replicate with this DC by using an old password.
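The double reset with the ActiveDirectory module. Because the DC replaces whatever value you supply with a generated one, the example feeds it a throwaway random password that is never recorded; it leaves the RODC krbtgt_<number> accounts alone, as the Important note above requires, and ends with the attribute a reviewer checks (PasswordLastSet). This is an added example and not code from the guide; it assumes the RSAT-AD-PowerShell feature and runs against the local DC unless -Server is given.

```powershell
# Added example: reset krbtgt twice and show the result. Runs against the local DC.
Import-Module ActiveDirectory -ErrorAction Stop

function New-ThrowawayPassword {
    # 32 random bytes as base64; only used to satisfy the reset API, never stored.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtPasswordTwice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Server = $env:COMPUTERNAME)
    $acct = Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet
    if ($PSCmdlet.ShouldProcess("krbtgt on $Server", "reset password twice (last set $($acct.PasswordLastSet))")) {
        foreach ($i in 1, 2) {
            # The second reset pushes the pre-recovery key out of the two-deep history,
            # so no DC can authenticate replication with the old krbtgt secret.
            Set-ADAccountPassword -Identity krbtgt -Server $Server -Reset -NewPassword (New-ThrowawayPassword)
        }
    }
    Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

function Get-RodcKrbtgtAccounts {
    param([string]$Server = $env:COMPUTERNAME)
    # Listed for awareness only: these stay as they are if the RODCs are recovered online.
    Get-ADUser -Server $Server -LDAPFilter '(sAMAccountName=krbtgt_*)' |
        Select-Object SamAccountName, Enabled
}

Reset-KrbtgtPasswordTwice
Get-RodcKrbtgtAccounts
```

Every Kerberos ticket issued before the second reset becomes unusable, which is the intended outcome during a recovery that follows a compromise; in a forest recovery the only DC online at this point is the one you are working on, so nothing else is disrupted.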

Resetting a trust password on one side of the trust

If the forest recovery is related to a security breach, use the following procedure to reset a trust password on one side of the trust. This includes implicit trusts between child and parent domains as well as explicit trusts between this domain (the trusting domain) and another domain (the trusted domain).

Reset the password on only the trusting domain side of the trust, also known as the incoming trust (the side where this domain belongs). Then, use the same password on the trusted domain side of the trust, also known as the outgoing trust. Reset the password of the outgoing trust when you restore the first DC in each of the other (trusted) domains.

Resetting the trust password ensures that the DC does not replicate with potentially bad DCs outside its domain. By setting the same trust password while restoring the first DC in each of the domains, you ensure that this DC replicates with each of the recovered DCs. Subsequent DCs in the domain that are recovered by installing AD DS will automatically replicate these new passwords during the installation process.

To reset a trust password on one side of the trust

  1. At a command prompt, type the following command, and then press ENTER:

    netdom experthelp trust
    
  2. Use the syntax that this command provides for using the NetDom tool to reset the trust password.

    For example, if there are two domains in the forest—parent and child—and you are running this command on the restored DC in the parent domain, use the following command syntax:

    netdom trust <parent_domain_name> /domain:<child_domain_name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*
    

    When you run this command in the child domain, use the following command syntax:

    netdom trust <child_domain_name> /domain:<parent_domain_name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*
    

    Note

    passwordT should be the same value on both sides of the trust. Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.
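The steps above hinge on one password being typed identically on two isolated DCs, which is where manual resets go wrong. The following added example (not code from the guide) generates a trust password that is safe to place on a netdom command line, runs the one-sided reset on the parent side, and provides the verification to run later once both sides are done and can see each other. The domain names contoso.com and child.contoso.com are placeholders, and the password must be carried to the child-side DC out of band.

```powershell
# Added example: netdom trust /resetOneSide with a generated password and a later check.
# Domain names are placeholders.

function New-TrustPassword {
    param([int]$Length = 32)
    # Alphanumeric only, so the value can be passed as /passwordT: on the command line.
    # Rejection sampling (bytes >= 248 discarded) avoids the modulo bias of a plain byte % 62.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($chars[$buf[0] % 62]) }
    }
    $sb.ToString()
}

function Reset-TrustOneSide {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$ThisDomain,     # the domain this DC belongs to
        [Parameter(Mandatory = $true)][string]$OtherDomain,    # the other end of the trust
        [Parameter(Mandatory = $true)][string]$TrustPassword,  # same value on both sides
        [string]$AdminUser = 'administrator'
    )
    if ($PSCmdlet.ShouldProcess("$ThisDomain <-> $OtherDomain", 'netdom trust /resetOneSide')) {
        # /passwordO:* makes netdom prompt for the account password instead of taking it from the command line.
        # Run once: netdom resets the trust password twice by itself.
        & netdom.exe trust $ThisDomain /domain:$OtherDomain /resetOneSide /passwordT:$TrustPassword /userO:$AdminUser /passwordO:*
        if ($LASTEXITCODE -ne 0) { throw "netdom exited with code $LASTEXITCODE" }
    }
}

function Test-TrustSecureChannel {
    param([Parameter(Mandatory = $true)][string]$ThisDomain, [Parameter(Mandatory = $true)][string]$OtherDomain)
    # Meaningful only after both sides were reset and the two DCs can reach each other.
    & netdom.exe trust $ThisDomain /domain:$OtherDomain /verify
    $LASTEXITCODE -eq 0
}

# On the restored DC of the parent domain:
$pw = New-TrustPassword
"Trust password to reuse on the child side (transfer out of band, then discard): $pw"
Reset-TrustOneSide -ThisDomain 'contoso.com' -OtherDomain 'child.contoso.com' -TrustPassword $pw

# Later, on the restored DC of the child domain, with the same value in $pw:
#   Reset-TrustOneSide -ThisDomain 'child.contoso.com' -OtherDomain 'contoso.com' -TrustPassword $pw
#   Test-TrustSecureChannel -ThisDomain 'child.contoso.com' -OtherDomain 'contoso.com'
```

The generated value exists only for the minutes between the two resets; once Test-TrustSecureChannel returns $true, clear it from the session and from wherever it was written down.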

Adding the global catalog

Use the following procedure to add the global catalog to a DC.

To add the global catalog

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.

  3. Expand the Servers container, and then expand the server object for the DC to which you want to add the global catalog.

  4. Right-click NTDS Settings, and then click Properties.

  5. Select the Global Catalog check box.

To add the global catalog using Repadmin

  1. Open an elevated command prompt, type the following command, and press ENTER:

    repadmin.exe /options DC_NAME +IS_GC
    

The following are ways to speed up the process of adding the global catalog to the DC in the root domain:

  • Ideally, the DC in the root domain should be a replication partner of the restored DCs in the non-root domains. If so, confirm that the Knowledge Consistency Checker (KCC) has created the corresponding repsFrom object for the source DC and partition in the root DC. You can confirm this by running the repadmin /showreps /v command.

  • If there is no repsFrom object created, create this object for the configuration partition. This way, the DC in the root domain can determine which DCs in the non-root domain have been deleted. You can do this with the following commands:

    repadmin /add ConfigurationNamingContext DestinationDomainController SourceDomainControllerCNAME
    
    repadmin /options DSA -Disable_NTDSCONN_XLATE
    

    The format for the SourceDomainControllerCNAME is:

    <SourceDCGuid>._msdcs.<RootDomain>


    For example, the repadmin /add command for the configuration partition of the contoso.com domain could be:

    repadmin /add cn=configuration,DC=contoso,DC=com DC01 937ef930-7356-43c8-88dc-8baaaa781cf6._msdcs.dDSP17A22.contoso.com
    
  • If the repsFrom object is present, try to sync the DC in the root domain with the DC in the non-root domain as follows:

    repadmin /sync <DomainNamingContext> <DestinationDomainController> <SourceDomainControllerGUID>


    Where DestinationDomainController is the DC in the root domain and SourceDomainControllerGUID is the DSA GUID of the restored DC in the non-root domain.

  • The root domain DNS server should have the alias (CNAME) resource records for the source DC. Ensure that the parent DNS zone contains delegation resource records (name server (NS) and host (A) resource records) for the correct DCs (the DCs that have been restored from backup) in the child zone.

  • Make sure that the DC in the root domain is contacting the correct Key Distribution Center (KDC) in the non-root domain. To test this, at the command prompt, type the following command, and then press ENTER:

    nltest /dsgetdc:<NonRootDomainName> /KDC /Force


Resources to verify replication is working

After you have restored or re-installed all DCs, you can verify that AD DS and SYSVOL are recovered and replicating correctly by using repadmin /replsum, which runs on any version of Windows Server.

Tip

You can also download and run the Active Directory Replication Status Tool (ADReplStatus), a free tool that monitors replication status of DCs and reports errors. ADReplStatus requires .NET Framework 4, which will be installed if it is not already present.

Check the DFS Replication log in Event Viewer for Event ID 4602 (or File Replication Service event ID 13516), which indicates SYSVOL has been initialized.

If the first recovered DC logs Event ID 4614 (“the domain controller is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner”) in the DFS Replication log, then Event ID 4602 does not appear and you need to perform the following manual steps to recover SYSVOL if it is replicated by DFSR:

  1. When DFSR Event ID 4612 appears on the first restored DC, perform a manual authoritative restore as described in 2218556: How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS) (https://support.microsoft.com/kb/2218556).

  2. Set the SysvolReady flag to 1 manually, as described in 947022: The NETLOGON share is not present after you install Active Directory Domain Services on a new full or read-only Windows Server 2008-based domain controller.

You can also create a diagnostic report for DFS Replication. For more information, see Create a Diagnostic Report for DFS Replication and DFS Step-by-Step Guide for Windows Server 2008. If the server is running Windows Server 2008 R2, you can use the dfsrdiag.exe ReplicationState command.

You can also run the Replications test using dcdiag.exe to check for replication errors. For more information, see Knowledge Base article 249256.
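The verification steps in this section, gathered into one PowerShell health check as an added example (not code from the original page): it parses repadmin /replsum for failing partners, reads the DFS Replication log for the event IDs named above (4602, 4612, 4614), checks the SysvolReady flag and the SYSVOL/NETLOGON shares, and runs dcdiag /test:Replications. It assumes a DFSR-replicated SYSVOL, that repadmin, dcdiag and dfsrdiag are present on the DC, and that Get-SmbShare is available (Windows Server 2012).

```powershell
# Added example, not from the original page. Run locally on each recovered DC.

function Get-ReplSummaryFailures {
    # repadmin /replsum rows look like "<DC>  <largest delta>  <fails> / <total>  <pct>  <error>";
    # /errorsonly keeps only rows with at least one failure, and we parse the fails/total pair.
    $rows = & repadmin.exe /replsum /bysrc /bydest /sort:delta /errorsonly
    foreach ($row in $rows) {
        if ($row -match '^\s*(?<dc>\S+)\s+.*?(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)') {
            if ([int]$Matches.fails -gt 0) {
                [pscustomobject]@{ DC = $Matches.dc; Fails = [int]$Matches.fails; Total = [int]$Matches.total; Line = $row.Trim() }
            }
        }
    }
}

function Get-SysvolDfsrState {
    # 4602 = SYSVOL initialized; 4614 = waiting for initial sync (4602 will not follow);
    # 4612 = the point at which the section says to force an authoritative sync.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4602, 4612, 4614 } -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated -Descending
    $latest = $events | Select-Object -First 1
    $ready  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
    $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        LatestEventId   = if ($latest) { $latest.Id } else { $null }
        LatestEventTime = if ($latest) { $latest.TimeCreated } else { $null }
        SysvolReady     = $ready
        SharesPresent   = ($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')
        NeedsManualSync = ($latest -and $latest.Id -in 4612, 4614)
    }
}

function Test-DcdiagReplications {
    # /q prints only error messages, so an empty result means the Replications test passed.
    $out = & dcdiag.exe /test:Replications /q
    return (@($out | Where-Object { $_.Trim() }).Count -eq 0)
}

# --- Usage ---
$failures = @(Get-ReplSummaryFailures)
if ($failures) { $failures | Format-Table -AutoSize } else { Write-Host 'repadmin /replsum: no failing partners' }

$sysvol = Get-SysvolDfsrState
$sysvol | Format-List
if ($sysvol.NeedsManualSync) {
    Write-Warning 'SYSVOL is still waiting on initial sync; force an authoritative DFSR sync (KB 2218556) and set SysvolReady=1 (KB 947022).'
}
Write-Host "dcdiag /test:Replications passed: $(Test-DcdiagReplications)"
```

SysvolReady and the share check are independent: a DC can have SysvolReady=1 while DFSR still reports 4614, so act on NeedsManualSync rather than on the flag alone.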