Restoring a domain controller
-
Test DNS. Is it working properly? Can the problematic DC resolve itself and does it look to itself?
-
@scottalanmiller said:
Test DNS. Is it working properly? Can the problematic DC resolve itself and does it look to itself?
When I first read this thread, I was thinking this same question - but further conversation drove me away from it. Yet here it is anyhow.
-
@Carnival-Boy said:
No, all I want to do is test that in a disaster I will be able to restore my domain from a backup. At the moment, I can't do that - which is freaking me out.
That would. It seems that most people tend to associate this issue with DNS failures.
-
My guy isn't coming until the end of month now. So I'm hoping ML can solve it!
DNS sounds like a good place to start. How exactly should I test it?
I ran nslookup on the restored DC and it lists itself as the server. I ran nslookup server_ip_address and it displays its name, and nslookup server_name and it displays its IP address.
I ran dcdiag /test:DNS on the live server, and it fails with TEST: Basic (Basc) Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
I mentioned earlier that when I opened DNS manager on the restored DC it hangs. I think this is because it is looking for our second DNS server on our other DC. After a while it says it can't find it (which it won't because I haven't restored that DC) and loads DNS manager normally.
Please hold my hand here....
-
When I run nslookup from a command prompt, it works ok (displays the default server and address).
However, when I run nslookup from within DNS manager (right click on the server and select "Launch nslookup" it says:
Default Server: UnKnown
Address: fe80::704f::3fe7:6795:d3c7
That address is an IPv6 address, right?
Also, in DNS manager, there are NS entries for our old DC, which is no longer part of the domain, and also an NS entry for our file server which used to run DNS but doesn't any more. Should I delete these entries? Do they make a difference?
-
Once DNS Manager loads, have you manually switched it to look at your restored DC instead of the other one?
Also, did you look at your manually configured DNS settings (Control Panel > Network and Sharing Center > Change adapter settings (on the left), etc., etc.) and make sure that the DC is pointing to itself as the first and only DNS server? By default that would not be the case. This server should be pointing to your other DNS, and the other to this one... this allows you to reboot more quickly as they will use DNS from the other (hopefully) online DNS server. But in the case of your restore, this would not be the case, and you'd need to manually change it.
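An added example, not part of the thread and not Carnival-Boy's or Veeam's: the DNS checks discussed in this and the preceding posts (NIC DNS pointing at itself, self-resolution, stale NS records, dcdiag's DNS test), scripted for an elevated PowerShell session on the restored DC. The names DC-01, DC-02 and the zone corp.example are assumptions; change them to match your domain. It lists stale NS records rather than deleting them.

```powershell
# Added example, not from the thread: DNS checks for a DC restored into an
# isolated network. Run as administrator on the restored DC.
# Assumptions: the restored DC is DC-01, the zone is corp.example, and
# DC-01/DC-02 are the only hosts that should appear as name servers.
$ThisDc  = $env:COMPUTERNAME
$Domain  = 'corp.example'
$LiveDcs = @('DC-01', 'DC-02')

# 1. The first (here: only) DNS server on the NIC must be this host itself.
$nic   = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$ownIp = (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
          Where-Object PrefixOrigin -ne 'WellKnown' | Select-Object -First 1).IPAddress
$v4 = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
$v6 = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv6).ServerAddresses
if (($v4 -join ',') -ne $ownIp) {
    Write-Warning "IPv4 DNS servers are [$($v4 -join ', ')]; setting the list to $ownIp only"
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $ownIp
}
if ($v6) {
    # nslookup reverse-resolves the first server it is handed; an fe80:: entry
    # with no PTR record is what shows up as "Default Server: UnKnown".
    Write-Warning "IPv6 DNS servers still configured: $($v6 -join ', ')"
}

# 2. Self-resolution and the SRV record clients use to locate a DC, asked of
#    this server explicitly rather than whatever nslookup picks as default.
Resolve-DnsName -Name "$ThisDc.$Domain" -Type A -Server $ownIp | Format-Table Name, IPAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ownIp |
    Format-Table Name, NameTarget, Port

# 3. NS records at the zone apex that name hosts no longer running DNS
#    (the old DC and the file server mentioned above). Listed, not deleted:
#    uncomment the Remove line once you are sure of the list.
Get-DnsServerResourceRecord -ZoneName $Domain -RRType NS -Name '@' |
    ForEach-Object {
        $nsHost = $_.RecordData.NameServer.TrimEnd('.') -replace "\.$([regex]::Escape($Domain))$", ''
        if ($LiveDcs -notcontains $nsHost) {
            Write-Warning "Stale NS record: $($_.RecordData.NameServer)"
            # Remove-DnsServerResourceRecord -ZoneName $Domain -RRType NS -Name '@' -RecordData $_.RecordData.NameServer -Force
        }
    }

# 4. dcdiag's DNS test run against this host; the Basic subtest is the one
#    that reports "no DNS RPC connectivity" when the server it targets is not
#    a reachable Microsoft DNS server.
dcdiag /test:DNS /s:$ThisDc /v
```

Run it once before changing anything to record the starting state, then again after step 1 has rewritten the DNS client list; the SRV lookup in step 2 is the one that matters for domain joins and logons.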
-
I have removed the other DNS server from the network adapter. But it shouldn't be necessary should it? Isn't one of the features of having two DNS servers listed that if one is not contactable the other will be used?
I'm not sure what you mean by manually switching to look at the restored DC. On the live DC, DNS manager only lists the DC on the left hand side. However, on the restored DC, DNS manager lists the IP address of the other DNS server and the DC. The other DNS server is listed with a red cross against it. I have removed it, but AD is still not working.
I don't think I should have to do anything to DNS after recovery, should I? So long as one DNS server is up, it should just work? I think the problems are on the live servers, and not a problem with the restore workflow or with Veeam.
-
@Carnival-Boy said:
I have removed the other DNS server from the network adapter. But it shouldn't be necessary should it? Isn't one of the features of having two DNS servers listed that if one is not contactable the other will be used?
Yep, it should, but that isn't always the case - at least in my experience. I've had Windows clients that took 20+ mins to log into the domain because they had two DNS entries and the first one was offline. Once I changed the DNS order, the problem went away. (Different time, but similar problem if the primary DNS entry on the only remaining DC wasn't pointing to itself, either its own IP or 127.0.0.1.)
@Carnival-Boy said:
I'm not sure what you mean by manually switching to look at the restored DC. On the live DC, DNS manager only lists the DC on the left hand side.
Which DC is it listing? To help our understanding let's use some names: DC-01 and DC-02, assuming you only have two DCs. We'll also assume that you're restoring DC-01.
When you launch DNS Manager on DC-01, which server shows up there? FYI, it could be either DC-01 or DC-02. You can change it to look at the other by right-clicking on DNS at the top, then choosing connect to DNS server.
If for example, before the backup was taken of DC-01, you opened DNS Manager and pointed DNS Manager at DC-02, then took a backup and did a restore - the restored server should be trying to open DNS Manager pointing to DC-02, which in your case will fail because it's not part of your temp network. This is why I suggest that after DNS Manager is open on the restored DC-01, you make sure it's pointed to itself - then close it, and reopen it. It should open faster this time. If not, you have other DNS issues (probably the one noted above).
-
What are the chances that DC-01 does not have all the FSMO roles? You're restoring into a vacuum and might be missing other critical roles on other servers.
-
Nope. That was one of the things I checked already.
-
Are you still having issues after you changed the DNS settings on the IP configuration page?
-
Yeah, still no go. DNS Manager on DC-01 was set to look at DC-01, so no issues there. It still hung then errored looking for DC-02, but despite that error it was still looking at DC-01 as the primary DNS server. Removing DC-02 altogether means DNS manager loads instantly. But AD is still screwed.
In the network settings, DC-01 had itself as the primary DNS server, and DC-02 as the secondary. I guess that should be the other way round, although I've read arguments for doing it that way. Either way, I've removed DC-02 as the secondary on the restored DC-01.
A bit more background. The guy who set all this up also tried to get DirectAccess working. He spent an unbelievable 5 days working on DirectAccess and failed completely. I suspect that during this process he hacked around with AD and as a result did something to break it. This is only a hunch, and doesn't really help me now. He's not on the scene anymore.
-
No you had it right. It should point to itself as the primary DNS and only go over the network if its own DNS server fails. This dramatically reduces latency and load on the network.
-
@Reid-Cooper said:
No you had it right. It should point to itself as the primary DNS and only go over the network if its own DNS server fails. This dramatically reduces latency and load on the network.
I suppose, but in the SMB latency shouldn't be that big of an issue. I'd rather my DC boot faster by having it point to another DNS server as the primary and itself as a secondary.
-
CB - if you can afford the downtime, take DC-01 offline and make an image of it using something like Clonezilla. Then restore that image into your test environment and see if you have the same issues.
-
I can shut the server down, back it up, and then restore it, and it works just fine. It's just backing it up whilst online that causes the problem.
-
Have you opened a case with Veeam? Since a cold image works it definitely sounds like an issue with the way Veeam is backing things up.
-
I'm not sure about that. If I shut it down, services are shut down cleanly. If I backup live, it needs to boot into AD services non-authoritative restore mode. My understanding is that this is a Windows process and not really anything to do with Veeam.
I'd rather hold off calling Veeam until I've explored a few more avenues. I could test it with another backup product like Unitrends, I suppose. That could eliminate Veeam being the cause.
-
Some success:
I restored the PDC and let it boot twice and do its non-authoritative restore thingy. As I mentioned in the OP, AD initially looks ok but after a few minutes it fails and I can't open AD users & computers.
I then restored the second DC. This DC doesn't have any primary roles.
After restoring the second DC, everything appears to be working. I can open AD users & computers on both DCs and I can add a PC to the domain.
I shouldn't have to restore the second DC, should I? The PDC should fix itself if it can't find it, shouldn't it?
So what do you think might be going on?
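An added example, not part of the thread and not Carnival-Boy's or Veeam's: a PowerShell smoke test to run on the restored DC after its non-authoritative restore restart, and again about ten minutes later, to pin down the "works briefly, then AD Users & Computers fails" symptom described in the post above. It also folds in the FSMO question from the earlier exchange: a test restore that contains only one DC must hold all five roles, and with the other holder unreachable they can only be seized, never transferred. DC-01 is the assumed restored DC; the seize line is left commented out.

```powershell
# Added example, not from the thread. Run as administrator on the restored DC
# (assumed DC-01) once it has finished its non-authoritative restore restart,
# then again after ~10 minutes and compare the two runs.
Import-Module ActiveDirectory
$me = $env:COMPUTERNAME

# 1. Services a DC cannot function without; a stopped one explains a failing ADUC.
Get-Service NTDS, Netlogon, Kdc, DNS, W32Time | Format-Table Name, Status

# 2. LDAP against this DC only (what ADUC does when it opens).
$d = $null
try {
    $d = Get-ADDomain -Server $me
    $n = (Get-ADUser -Filter * -Server $me -ResultSetSize 100 | Measure-Object).Count
    "Domain $($d.DNSRoot) answered via $me; first $n user objects readable"
} catch { Write-Warning "LDAP query against $me failed: $_" }

# 3. Every DC the directory still knows about. In an isolated restore each
#    entry other than $me is a replication partner this DC will keep trying,
#    and failing, to reach.
Get-ADDomainController -Filter * -Server $me | Format-Table Name, IPv4Address, OperationMasterRoles

# 4. FSMO roles: with a single restored DC, all five must be held here.
$f = Get-ADForest -Server $me
$roles = [ordered]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }
$elsewhere = @($roles.GetEnumerator() | Where-Object { $_.Value -notlike "$me.*" } | ForEach-Object Key)
if ($elsewhere) {
    Write-Warning "Roles held by an unreachable DC: $($elsewhere -join ', ')"
    # A transfer needs the current holder online; in the isolated copy the
    # roles have to be seized instead. Lab copy only, never the live domain:
    # Move-ADDirectoryServerOperationMasterRole -Identity $me -OperationMasterRole $elsewhere -Force -Confirm:$false
}

# 5. Replication state and the Directory Service log for the last half hour:
#    a partner that is not in the network shows up here as repeated errors.
repadmin /showrepl $me
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddMinutes(-30) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 6. The usual roll-up; /q prints only failures.
dcdiag /s:$me /q
```

If step 2 succeeds on the first run and fails on the second, the errors captured in step 5 between the two runs are the place to look; restoring the second DC, as described above, removes the unreachable partner rather than explaining the failure.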
-
Correct, restoring a secondary DC is not recommended. Once a main DC is up and working, subsequent DCs should be built fresh rather than restored to avoid database issues.