Mark Minasi's Tech Forum
JamesNT

Senior Member
Registered:
Posts: 147
Reply with quote  #1 
We are practicing disaster recovery.  We restored both domain controllers, using VEEAM, to a totally new server not connected to the old one.  Separate networks.

The DCs do NOT want to get along at all.  Replication issues and all that.  I was able to get everything back up by using NTDSUTIL and removing one of the controllers.

While NTDSUTIL worked, does it have to be that way?  Or am I doing something wrong?

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
0
wobble_wobble

Associate Troublemaker Apprentice
Registered:
Posts: 940
Reply with quote  #2 
How far apart were the backups?
How far apart were the restores?
What is the approximate time difference between the snap time of the first DC and the second DC?
Then the time difference between the first restored DC power on and the 2nd DC power on?

__________________
Have you tried turning it off and walking away? The next person can fix it!
0
donoli

Senior Member
Registered:
Posts: 598
Reply with quote  #3 
Quote:
to a totally new server not connected to the old one.  Separate networks.


Did the 'new server' have the same hardware as the original?
0
wobble_wobble

Associate Troublemaker Apprentice
Registered:
Posts: 940
Reply with quote  #4 
Quote:
Originally Posted by donoli


Did the 'new server' have the same hardware as the original?


It's virtual and a Veeam restore so almost 100% hardware agnostic

__________________
Have you tried turning it off and walking away? The next person can fix it!
0
donoli

Senior Member
Registered:
Posts: 598
Reply with quote  #5 
Oops, I missed that somewhere along the line.
0
JamesNT

Senior Member
Registered:
Posts: 147
Reply with quote  #6 
The DCs were backed up by Veeam in the same scheduled backup.  They were restored one right after the other.  So time difference could only be a few minutes at most.

VMs were powered on at the same time after restore.

Keep in mind we are simulating a total loss; therefore, a total restore.  There is no bare metal DC anywhere to be found.

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
0
dennis-360ict

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 94
Reply with quote  #7 
What OS version are they? Only win12 and higher are smart enough to know they are restored from a backup. If you have win08r2, you should restore only one and recreate the second from scratch. If they are win12, it should work out of the box and you should check time sync, IP addressing, DNS, etc.
__________________
-----
Home is where is sleep
360ict.nl/blog
thegood.cloud
0
JamesNT

Senior Member
Registered:
Posts: 147
Reply with quote  #8 
All hosts and VMs are Windows Server 2012 R2.  I was thinking the same thing about them knowing they were restored, but that doesn't seem to be the case at the moment.  I have everything working, but I did restore only one DC and used NTDSUTIL to remove the other.

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
0
wkasdo

Administrator
Registered:
Posts: 241
Reply with quote  #9 
The problem is going to be that you restored the whole domain at the same time. That doesn't work if the DCs are 2012 or higher. They will just wait on each other forever. Solution: forest recovery (search TechNet for the basic ideas).
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
0
CFBurns

Still Checking the Forum Out
Registered:
Posts: 3
Reply with quote  #10 
We regularly test restoring 2008 R2; however, I have not restored 2012 R2 DCs yet, so it could be there is something I need to see...

Is your VM restore restoring them "authoritatively"?  Here is the thing: if you have 2 domain controllers in your environment, and you restore "both", there is no need to update the USNs.  If you have more than 2 in your production environment, so that in your test you have not restored all operations masters, then you may need to do some work to recover those operations roles.

We practice Disaster Recovery every six months, and when we restore a single server, we have recovered it authoritatively.  However, when I have perfectly good backups of all domain controllers and can restore them, which for us is very fast, I just restore them without choosing to restore authoritatively, because there is no need to raise the AD object numbers; there will be no domain controller popping in with any argument over which object is the master copy, etc.

I'm just wondering in your test if both domain controllers were restored authoritatively, which would effectively raise the object update sequence number on each domain controller's AD database... could have added to your issue.

Btw, I have in a test environment (where network access to our production environment was not possible, or desired) recovered our forest root (sometimes one DC authoritatively, else both non-auth), as well as 4 child domains (always only single DC restore, authoritative), and our DMZ domain (standalone domain; mix this up, with auth and non-auth, remembering that if one backup were bad, we would have to depend on a single backup to restore).   You do want to make certain your driver is there and network connectivity is active. Due to issues with AV etc., I usually need to fix the NIC and then reboot clean. Both DCs are pretty happy and pretty quick to serve up Active Directory when they've had a clean boot with network connectivity (within 15 min or less).  My test, beyond checking event logs for the happy AD events, is to create a new Domain Admin account, which is usually an issue in the case where your RID operations master is not happy.
0
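
Added example (not posted by anyone in this thread): a PowerShell script for the post-restore checks described in posts #7 and #10, covering role holders, time sync, replication, Directory Service events and a RID allocation probe. It assumes an elevated session on the restored DC in an isolated lab with the ActiveDirectory module installed; the probe account name is hypothetical, and it creates a disabled ordinary user rather than a Domain Admin, which still consumes a RID.

```powershell
# Added example: sanity checks after restoring a domain controller from backup.
Import-Module ActiveDirectory
$dc     = $env:COMPUTERNAME
$domain = Get-ADDomain -Server $dc
$forest = Get-ADForest -Server $dc

# 1. DCs the directory still knows about (stale entries are candidates for metadata cleanup).
Get-ADDomainController -Filter * -Server $dc | Select-Object HostName, Site, IsGlobalCatalog

# 2. Operations master holders and whether each one answers on the restored network.
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    '{0,-22} {1,-40} reachable={2}' -f $r.Key, $r.Value, $up
}

# 3. Time sync and replication state, using the built-in tools.
w32tm /query /status
repadmin /replsummary
foreach ($t in 'Advertising', 'Replications', 'RidManager') { dcdiag /test:$t }

# 4. Critical, error and warning events from the Directory Service log in the last hour.
Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, LevelDisplayName |
    Format-Table -AutoSize

# 5. RID probe: creating a security principal fails if this DC cannot obtain a RID pool.
$sam = 'drprobe{0:HHmmss}' -f (Get-Date)     # hypothetical throwaway account name
try {
    $u = New-ADUser -Name $sam -SamAccountName $sam -Enabled $false `
                    -Server $dc -PassThru -ErrorAction Stop
    $u | Remove-ADUser -Server $dc -Confirm:$false
    "RID allocation OK (created and removed $sam)"
} catch {
    "Account creation failed: $($_.Exception.Message)"
}
```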
JamesNT

Senior Member
Registered:
Posts: 147
Reply with quote  #11 
We are not restoring them authoritatively.

Right now we are restoring one DC and removing the other using NTDSUTIL, which seems to be working fine.  We just re-install the second DC.

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
0
CFBurns

Still Checking the Forum Out
Registered:
Posts: 3
Reply with quote  #12 
Cool to mix things up: test restoring your infrastructure master, and next time, test restoring another DC and having to take ownership of the roles.   We ship tapes offsite every week, and it's very possible during a test, or real disaster, that we would have access to two full restores of any single DC.   We definitely have had occasion to find problems with a particular backup, so it's nice to be agile on your recovery skills, because as they say, even with the best laid plan... things go wrong.
0