Hi all,

The following is an issue I have seen at least 3 times over the past few months in different environments and wonder if you guys have any ideas.

Example situation:

You have an environment with  Hyper-V hosts and Hyper-V replicas. On the Hyper-V hosts are based 2 DC's with 1 being the FSMO as per normal. The Domain runs fine.

One of the following situations occur:

                - A failure occurs that means that you have to recover one or all of the DC’s

                or

                - You export one of the servers (normally the FSMO) in order to bring it up in another location, for example in an a totally isolated testing environment.

It used to be that generally you could achieve the above to get things working again without too much trouble, but recently when we have needed to do one of the above, although the recovered Server(s) boot up fine, AD fails to function. Investigation has shown that the reason this happens is probably to do with

the RID master.

There are 2 fixes we use for this which are documented below:

https://support.microsoft.com/en-gb/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-service

https://support.microsoft.com/en-us/help/947022/the-netlogon-share-is-not-present-after-you-install-active-directory-domain-services-on-a-new-full-or-read-only-windows-server-2008-based-domain-controller

So…

Why does bringing up a copy of a previously fine DC (FSMO) in a new/test environment cause AD to have to be repaired in order to function?

Cheers

PT

Thanks for your comments:

A few thoughts:

"Any time you restore a DC, it expects to have a working replication partner."
So this issue does not apply if you only have one DC?
Does it expect to see one working replication partner or all DC's you may have?

In a disaster you may only have one DC so I take it your comments are still valid?

I/We know from experience that, in the past, you could take just one DC (FSMO/GC) to an isolated enviroment and AD would function correctly even if it's other DC's were not available.

Thoughts?

Thanks

PT

Hi 

Many thanks for your explanation. One other question is that has it always been the case that a copy of a DC/FSMO placed in an isolated enviroment requires the removal of the now non-exsistent DC's in order for AD to function? I am sure that in that past I have undertaken such work and the FSMO/DC, although not happy that is can't see other DC's still allows AD to function.

Additionally, take an example where 2 DC's in one Domain are in different physical locations connected by a VPN. e.g.


DC1 (FSMO)--VPN================VPN=DC1


If the VPN goes down, would you expect DC1 to not be able to run AD as it could not see the other DC's in the Domain?