AD CS hosed - anyone have any experience?
-
I have a client that was trying to push a new server cert out to his Domain through AD. It hosed the domain controller he was working on so bad, it won't boot normally. We restored it from before the issue happened, and it still won't start many services. I think booting in to AD restore mode is about it. We spun up the services that the domain controller was providing on another server and figured we would have to follow the process for removing an orphaned domain controller.
Today he rebooted the SBS 2003 server that holds the FSMO roles and it won't run most network services because it seems to have the bad cert. He can't even open an MMC console on the box to open certificate services.
Has anyone dealt with something like this?
-
@Mike-Davis said in AD CS hosed - anyone have any experience?:
Today he rebooted the SBS 2003...
-
@Mike-Davis said in AD CS hosed - anyone have any experience?:
We restored it from before the issue happened...
You can't restore a DC that is part of a cluster, you need to rebuild.
-
@scottalanmiller said in AD CS hosed - anyone have any experience?:
You can't restore a DC that is part of a cluster, you need to rebuild.
It's not part of a cluster. Physical Server 2003 SBS server that he was trying to decommission. The other servers were Server 2012 R2.
-
@Mike-Davis said in AD CS hosed - anyone have any experience?:
@scottalanmiller said in AD CS hosed - anyone have any experience?:
You can't restore a DC that is part of a cluster, you need to rebuild.
It's not part of a cluster. Physical Server 2003 SBS server that he was trying to decommission. The other servers were Server 2012 R2.
So the SBS is the one and only AD in this case?
-
@scottalanmiller said in AD CS hosed - anyone have any experience?:
So the SBS is the one and only AD in this case?
Sorry, I think we're interpreting the word cluster differently here. When I read that I thought you were talking about Microsoft Cluster Server - which is a different technology than multiple domain controllers. He had three domain controllers.
In that case, how do you recover from something like this? Since the FSMO roles are on a 2003 server, do you start running through the various esentutl.exe commands?
-
My other thought was to boot the DCs to Directory Service Restore mode and restore the system state from backups.
-
@Mike-Davis said in AD CS hosed - anyone have any experience?:
@scottalanmiller said in AD CS hosed - anyone have any experience?:
So the SBS is the one and only AD in this case?
Sorry, I think we're interpreting the word cluster differently here. When I read that I thought you were talking about Microsoft Cluster Server - which is a different technology than multiple domain controllers. He had three domain controllers.
In that case, how do you recover from something like this? Since the FSMO roles are on a 2003 server, do you start running through the various esentutl.exe commands?
Right, I'm talking about an AD application cluster (the set of domain controllers for one domain). SBS has to be the root controller in order to work. And if you have a cluster (this isn't AD specific but is a general thing about clustering) you can't do restores. If you restore a cluster node like this, you corrupt the entire cluster in many cases, if you are lucky just one node. AD DCs form a database cluster under the hood, which is how they handle failovers, but that means that you have to protect them like a normal database cluster and let them resync from a rebuild, never do a restore.
Yes, you'll likely need to seize roles on one of the 2012 R2 machines and just retire the SBS 2003 machine.
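The "seize the roles on a 2012 R2 DC and retire the SBS box" advice above, worked through as an added PowerShell example. This is not code from the thread or from either poster; the server names `DC2012-A` and `SBS2003` are assumed placeholders, and it assumes the RSAT Active Directory module plus `repadmin` and `dcdiag` are present on the surviving 2012 R2 domain controller where it is run.

```powershell
# Added example (not from the thread): seize the five FSMO roles onto a
# surviving 2012 R2 DC, verify replication, then clean up the dead DC.
Import-Module ActiveDirectory

$survivingDc = 'DC2012-A'   # assumed name of a healthy 2012 R2 domain controller
$deadDc      = 'SBS2003'    # assumed name of the failed SBS 2003 role holder

# 1. Record who currently holds each role. The dead DC will still be listed,
#    which is why a normal transfer cannot work and a seizure is needed.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Seize all five roles. -Force is what turns this from a transfer into a
#    seizure; without it the cmdlet tries to contact the current (dead) holder.
Move-ADDirectoryServerOperationMasterRole -Identity $survivingDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Confirm the surviving DC now holds every role.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Check replication among the remaining DCs before touching metadata.
#    The dead DC is expected to show errors; the 2012 R2 DCs should not.
repadmin /replsummary
dcdiag /test:Replications /test:FSMOCheck

# 5. Metadata cleanup. On 2008+ DCs, deleting the failed DC's computer object
#    from the Domain Controllers container also removes its NTDS Settings,
#    server object and replication links. -Recursive is needed because a DC's
#    computer object carries child objects (e.g. its RID Set); -Confirm:$true
#    forces a prompt so the distinguished name can be reviewed first.
$deadObj = Get-ADComputer -Filter "Name -eq '$deadDc'" `
    -SearchBase $domain.DomainControllersContainer
Remove-ADObject -Identity $deadObj.DistinguishedName -Recursive -Confirm:$true

# 6. Re-run the checks so the dead DC no longer appears as a replication partner.
repadmin /replsummary
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperationMasterRoles
```

Note that after the seizure the SBS 2003 machine must never be brought back online on that network: it still believes it holds the roles and would fight the new holder. Also, this cleanup only removes the directory-service objects for the old DC; the Enterprise CA that box published into the Configuration partition (the AD CS side of the original problem) is a separate object set and has to be decommissioned on its own.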