Restoring a domain controller
-
I'm not using SureBackup, I'm physically restoring our backup on a separate physical host running on a different network. So there are no verification options.
-
@Carnival-Boy said:
I'm not using SureBackup, I'm physically restoring our backup on a separate physical host running on a different network. So there are no verification options.
Sorry about that. I just assumed since you referenced a lab environment in the OP. It's weird. I have a separate physical host and always restore for testing in the isolated Veeam Test Lab using SureBackup. Anyway, and I'm sure you've seen this thread, but if you didn't (and yes I know it is for an older version, but I do know that Veeam uses the same restore method in 6/7), I'll link it just in case: http://forums.veeam.com/veeam-backup-replication-f2/veeam-b-r-v5-recovery-of-a-domain-controller-t7000.html
-
Or perhaps check out http://support.microsoft.com/kb/947022/en-us referenced in http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28188083.html. But I think you probably should run it by Veeam though.
-
Yeah, I read that, but it doesn't help. I think it's a problem with AD rather than anything that Veeam is doing wrong.
-
I was thinking that. Have you tried a different restore point? Anyway, good luck. The SureBackup Labs are an awesome resource, especially for lab testing. I spin things up including SQL and Exchange to test stuff before rolling out to production. Worth its weight in gold. I also use them to test every backup. Have you tried to use replication instead of restore to the other host that you are using?
-
I haven't. I imagine replication would work fine, but it doesn't solve my problem.
-
@Carnival-Boy
Maybe not your current issue, but from what I read, you need a functional DC in a test lab that is isolated from your production network, yes? A replica on a different vswitch might fit the bill. Just trying to think outside of the proverbial box.
-
No, all I want to do is test that in a disaster I will be able to restore my domain from a backup. At the moment, I can't do that - which is freaking me out.
-
Test DNS. Is it working properly? Can the problematic DC resolve itself and does it look to itself?
-
@scottalanmiller said:
Test DNS. Is it working properly? Can the problematic DC resolve itself and does it look to itself?
When I first read this thread, I was thinking this same question - but further conversation drove me away from it. Yet here it is anyhow.
-
@Carnival-Boy said:
No, all I want to do is test that in a disaster I will be able to restore my domain from a backup. At the moment, I can't do that - which is freaking me out.
That would. It seems that most people tend to associate this issue with DNS failures.
-
My guy isn't coming until the end of month now. So I'm hoping ML can solve it!
DNS sounds like a good place to start. How exactly should I test it?
I ran nslookup on the restored DC and it lists itself as the server. I ran nslookup server_ip_address and it displays its name, and nslookup server_name and it displays its IP address.
I ran dcdiag /test:DNS on the live server, and it fails with TEST: Basic (Basc) Warning: no DNS RPC connectivitiy (error or non Microsoft DNS server is running)
I mentioned earlier that when I opened DNS manager on the restored DC it hangs. I think it is because it is looking for our second DNS server on our other DC. After a while it says it can't find it (which it won't, because I haven't restored that DC) and loads DNS manager normally.
Please hold my hand here....
-
When I run nslookup from a command prompt, it works ok (displays the default server and address).
However, when I run nslookup from within DNS manager (right click on the server and select "Launch nslookup") it says:
Default Server: UnKnown
Address: fe80::704f::3fe7:6795:d3c7
That address is an IPv6 address, right?
Also, in DNS manager, there are NS entries for our old DC, which is no longer part of the domain, and also an NS entry for our file server which used to run DNS but doesn't any more. Should I delete these entries? Do they make a difference?
-
Once DNS Manager loads, have you manually switched it to look at your restored DC instead of the other one?
Also, did you look at your manually configured DNS settings (Control Panel > Network and Sharing Center > Change adapter settings (on the left), etc., etc.) and make sure that the DC is pointing to itself as the first and only DNS server? By default that would not be the case. This server should be pointing to your other DNS, and the other to this one. This allows you to reboot more quickly as they will use DNS from the other (hopefully) online DNS server. But in the case of your restore, this would not be the case, and you'd need to manually change it.
-
I have removed the other DNS server from the network adapter. But it shouldn't be necessary, should it? Isn't one of the features of having two DNS servers listed that if one is not contactable the other will be used?
I'm not sure what you mean by manually switching to look at the restored DC. On the live DC, DNS manager only lists the DC on the left hand side. However, on the restored DC, DNS manager lists the IP address of the other DNS server and the DC. The other DNS server is listed with a red cross against it. I have removed it, but AD is still not working.
I don't think I should have to do anything to DNS after recovery, should I? So long as one DNS server is up, it should just work? I think the problems are on the live servers, and not a problem with the restore workflow or with Veeam.
-
@Carnival-Boy said:
I have removed the other DNS server from the network adapter. But it shouldn't be necessary should it? Isn't one of the features of having two DNS servers listed that if one is not contactable the other will be used?
Yep, it should, but that isn't always the case - at least in my experience. I've had Windows clients that took 20+ mins to log into the domain because they had two DNS entries and the first one was offline. Once I changed the DNS order, the problem went away. (Different time, but a similar problem, if the primary DNS entry on the only remaining DC wasn't pointing to itself, either its own IP or 127.0.0.1.)
@Carnival-Boy said:
I'm not sure what you mean by manually switching to look at the restored DC. On the live DC, DNS manager only lists the DC on the left hand side.
Which DC is it listing? To help our understanding let's use some names: DC-01 and DC-02, assuming you only have two DCs. We'll also assume that you're restoring DC-01.
When you launch DNS Manager on DC-01, which server shows up there? FYI, it could be either DC-01 or DC-02. You can change it to look at the other by right clicking on DNS at the top, then choose connect to DNS server.
If, for example, before the backup was taken of DC-01, you opened DNS Manager and pointed DNS Manager at DC-02, then took a backup and did a restore - the restored server would be trying to open DNS Manager pointing to DC-02, which in your case will fail because it's not part of your temp network. This is why I suggest that after DNS Manager is open on the restored DC-01, you make sure it's pointed to itself - then close it, and reopen it. It should open faster this time. If not, you have other DNS issues (probably the one noted above).
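The checks discussed above (does the restored DC point only at itself for DNS, does it resolve its own name and address, are the domain SRV and NS records still pointing at servers that are not on the isolated network) can be run in one go. The script below is an added example, not code from this thread or from Veeam; it assumes Windows Server 2012 or later (for the DnsClient and NetTCPIP cmdlets), and the names DC-01 and corp.example are constructed placeholders for the restored DC and its domain.

```powershell
# Added example (not from the thread): DNS sanity checks on a restored DC.
# Assumes Windows Server 2012+; DC-01 / corp.example are constructed placeholder names.
param(
    [string]$DcName     = 'DC-01',
    [string]$DomainName = 'corp.example'
)

$fqdn    = "$DcName.$DomainName"
$results = @()

# 1. The DC's own IPv4 address(es), ignoring loopback and link-local (169.254.x.x).
$ownIPs = @((Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' }).IPAddress)

# 2. DNS servers configured on the adapters. On an isolated restore the only
#    reachable DNS server is this DC, so anything else in the list is a server
#    that will time out (the DNS Manager hang described in the thread).
$dnsServers  = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique)
$unreachable = @($dnsServers | Where-Object { $_ -notin $ownIPs -and $_ -ne '127.0.0.1' })
$results += [pscustomobject]@{
    Check  = 'Adapter DNS servers point only to this DC'
    Pass   = ($unreachable.Count -eq 0)
    Detail = ($dnsServers -join ', ')
}

# 3. Forward and reverse lookup of the DC itself, asked of its own DNS service
#    (the same thing as nslookup <name> and nslookup <ip> on the DC).
$fwd = Resolve-DnsName -Name $fqdn -Type A -Server $ownIPs[0] -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = "A record for $fqdn"
    Pass   = ($null -ne $fwd -and @($fwd.IPAddress | Where-Object { $_ -in $ownIPs }).Count -gt 0)
    Detail = ($fwd.IPAddress -join ', ')
}
$rev = Resolve-DnsName -Name $ownIPs[0] -Type PTR -Server $ownIPs[0] -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = "PTR record for $($ownIPs[0])"
    Pass   = ($null -ne $rev -and $rev.NameHost -like "$DcName.*")
    Detail = ($rev.NameHost -join ', ')
}

# 4. SRV records that clients and AD itself use to locate a DC. If these are
#    missing, or only list a DC that was not restored (DC-02), logons and AD
#    operations fail even though plain name lookups succeed.
foreach ($srv in @("_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.$DomainName")) {
    $rec     = Resolve-DnsName -Name $srv -Type SRV -Server $ownIPs[0] -ErrorAction SilentlyContinue
    $targets = @($rec | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    $results += [pscustomobject]@{
        Check  = "SRV $srv lists this DC"
        Pass   = ($targets -contains $fqdn)
        Detail = ($targets -join ', ')
    }
}

# 5. NS records in the zone. Any name server other than a DC that is actually on
#    the network (here only DC-01) is stale and a candidate for cleanup.
$ns      = Resolve-DnsName -Name $DomainName -Type NS -Server $ownIPs[0] -ErrorAction SilentlyContinue
$nsNames = @($ns | Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost })
$results += [pscustomobject]@{
    Check  = 'Zone NS records refer only to live DCs'
    Pass   = (@($nsNames | Where-Object { $_ -ne $fqdn }).Count -eq 0)
    Detail = ($nsNames -join ', ')
}

$results | Format-Table -AutoSize

# 6. The built-in test from the thread; its verbose output explains any failures above.
dcdiag /test:DNS /v
```

Run it in an elevated PowerShell on the restored DC inside the isolated network: `.\Test-RestoredDcDns.ps1 -DcName DC-01 -DomainName corp.example`. A failing SRV or NS check with passing A/PTR checks is the pattern that matches the symptoms in this thread: the server resolves itself fine, but the directory's own locator records still refer to DC-02 or to hosts that no longer run DNS.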
-
What are the chances that DC-01 does not have all the FSMO roles? You're restoring into a vacuum and might be missing other critical roles on other servers.
-
Nope. That was one of the things I checked already.
-
Are you still having issues after you changed the DNS settings on the IP configuration page?
-
Yeah, still no go. DNS Manager on DC-01 was set to look at DC-01, so no issues there. It still hung then errored looking for DC-02, but despite that error it was still looking at DC-01 as the primary DNS server. Removing DC-02 altogether means DNS manager loads instantly. But AD is still screwed.
In the network settings, DC-01 had itself as the primary DNS server, and DC-02 as the secondary. I guess that should be the other way round, although I've read arguments for doing it that way. Either way, I've removed DC-02 as the secondary on the restored DC-01.
A bit more background. The guy who set all this up also tried to get DirectAccess working. He spent an unbelievable 5 days working on DirectAccess and failed completely. I suspect that during this process he hacked around with AD and as a result did something to break it. This is only a hunch, and doesn't really help me now. He's not on the scene anymore.