Forest Recovery Procedures - Stage 2
31 January 2011
13:59
Removing the global catalog
Use the following procedure to remove the global catalog from a domain controller.
Restoring a global catalog server from backup could result in the global catalog holding newer data for one of its partial replicas than the corresponding domain that is authoritative for that partial replica. In such a case, the newer data will not be removed from the global catalog and might even replicate to other global catalog servers. As a result, even if you did restore a domain controller that was a global catalog server, either inadvertently or because that was the solitary backup you trusted, you should remove the global catalog soon after the restore operation is complete. When the global catalog is removed, the computer removes all its partial replicas. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
To remove the global catalog
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.
3. Expand the Servers container, and then expand the server object for the domain controller from which you want to remove the global catalog.
4. Right-click NTDS Settings, and then click Properties.
5. Clear the Global Catalog check box.
Raising the value of available RID pools
Use the following procedure to raise the value of the relative ID (RID) pools that the RID operations master will allocate after that domain controller is restored. By raising the value of the available RID pools, you can ensure that no domain controller allocates a RID for a security principal that was created after the backup that was used to restore the domain. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
To raise the value of available RID pools
1. At the command prompt, change directories to the folder that contains the Windows Support Tools, type the following command, and then press ENTER:
ldp
2. Click Connection, click Connect, type the name of the server on which you want to raise the RID pool, and then click OK.
3. Click Connection, click Bind, type your administrative credentials, and then click OK.
4. Click View, click Tree, and then type the following distinguished name path:
CN=RID Manager$,CN=System,DC=
This object has an attribute named rIDAvailablePool. This attribute value maintains the global RID space for the entire domain. The value is a 64-bit large integer with upper and lower parts. The upper part defines the number of security principals that can be allocated in the domain (0x3FFFFFFF, or just over 1 billion). The lower part is the beginning of the next RID pool that the RID master will allocate. To view both parts, in Ldp.exe use the Large Integer Converter command in the Utilities menu.
· Sample Value: 4611686014132422708 (insert in the Large Integer Converter in the Utilities menu of Ldp.exe)
· Low Part: 2100 (beginning of the next RID pool to be allocated)
· Upper Part: 1073741823 (total number of RIDs that can be created in a domain)
When you increase the value of the large integer, you increase the value of the low part. For example, if you add 100,000 to the sample value of 4611686014132422708 for a sum of 4611686014132522708, the new low part is 102100. This indicates that the next RID pool that will be allocated by the RID master will begin with 102100 instead of 2100. Adding 100,000 leaves a margin above any RID that could have been handed out from pools that were in use on domain controllers after the backup was taken, so no restored RID master re-issues a RID (and therefore a SID) that already exists on a security principal created after the backup.
5. Click Browse, and then click Modify.
6. Add 100,000 to the current rIDAvailablePool value, and then type the sum into Values.
7. In Dn, type cn=RID Manager$,cn=System,dc=.
8. In Edit Entry Attribute, type rIDAvailablePool.
9. Select Replace as the operation, and then click Enter.
10. Click Run to run the operation.
[Screenshot: Ldp.exe Large Integer Converter, High Part 1073741823, Low Part 103101]
[Screenshot: Ldp.exe Modify dialog, Attribute rIDAvailablePool, Values 4611686014132623709, Operation Replace]
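The large-integer arithmetic behind the Ldp.exe procedure above, as an added PowerShell example that is not part of the original guide. It splits rIDAvailablePool into its high and low parts the way the Large Integer Converter does, raises only the low part, and refuses to cross the domain's RID ceiling. The arithmetic runs on any PowerShell 3.0 or later (the -shl/-shr operators are assumed); the commented write at the end assumes the ActiveDirectory module, and the sample value is the guide's own.

```powershell
# Added example (not from the original guide): raise rIDAvailablePool by 100,000.
# Assumes PowerShell 3.0+ for -shl/-shr; the optional write at the bottom assumes
# the ActiveDirectory module (Windows Server 2008 R2 / RSAT).

function Split-RidPool {
    param([Parameter(Mandatory)][int64]$Value)
    [pscustomobject]@{
        HighPart = [int64]($Value -shr 32)           # RID ceiling for the domain (0x3FFFFFFF)
        LowPart  = [int64]($Value -band 0xFFFFFFFF)  # start of the next pool the RID master hands out
    }
}

function Get-RaisedRidPool {
    param(
        [Parameter(Mandatory)][int64]$Current,
        [int64]$Increment = 100000
    )
    $parts  = Split-RidPool $Current
    $newLow = $parts.LowPart + $Increment
    if ($newLow -gt $parts.HighPart) {
        throw "Low part $newLow would exceed the domain RID ceiling $($parts.HighPart)."
    }
    # Only the low part moves; the high part (the ceiling) is preserved unchanged.
    ($parts.HighPart -shl 32) -bor $newLow
}

# Worked check against the guide's sample value.
$sample = [int64]4611686014132422708
Split-RidPool $sample                 # HighPart 1073741823, LowPart 2100
$raised = Get-RaisedRidPool $sample
"$sample + 100000 = $raised"          # 4611686014132522708 (low part 102100)
Split-RidPool $raised

# Live use on the restored RID master (ActiveDirectory module required):
# $domainDn = (Get-ADDomain).DistinguishedName
# $ridMgr   = Get-ADObject "CN=RID Manager$,CN=System,$domainDn" -Properties rIDAvailablePool
# $new      = Get-RaisedRidPool ([int64]$ridMgr.rIDAvailablePool)
# Set-ADObject -Identity $ridMgr -Replace @{ rIDAvailablePool = $new }
```

Read the current value from the restored RID master itself, not from another domain controller, and make the change before the server is reconnected to the network; the check against the high part is what stops a typo in the increment from exhausting the domain's RID space.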
Seizing an operations master role - If the recovered DC does not hold the FSMO Roles
Use the following procedure to seize an operations master role (also known as a flexible single master operations (FSMO) role). You can use Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
To seize an operations master role
1. At the command prompt, type the following command, and then press ENTER:
ntdsutil
2. At the ntdsutil: prompt, type the following command, and then press ENTER:
roles
3. At the FSMO maintenance: prompt, type the following command, and then press ENTER:
connections
4. At the server connections: prompt, type the following command, and then press ENTER:
Connect to server ServerFQDN
Where ServerFQDN is the fully qualified domain name (FQDN) of this domain controller, for example: connect to server nycdc01.example.com.
If ServerFQDN does not succeed, use the NetBIOS name of the domain controller.
5. At the server connections: prompt, type the following command, and then press ENTER:
quit
6. Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.
| Role | Credentials | Command |
| Domain naming master | Enterprise Admins | For Windows Server 2003: Seize domain naming master For Windows Server 2008: Seize naming master |
| Schema master | Schema Admins | Seize schema master |
| Infrastructure master | Domain Admins | Seize infrastructure master |
| PDC emulator master | Domain Admins | Seize pdc |
| RID master | Domain Admins | Seize rid master |
After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears.
Note
If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.
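The same seizure and the verification a practitioner wants afterwards, as an added PowerShell example that is not part of the original guide. It uses the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole with -Force, which attempts the transfer and falls back to seizure exactly as the ntdsutil sequence above does, then reads the holders back from the domain and forest objects. Assumes Windows Server 2008 R2 or later with the ActiveDirectory module; nycdc01.example.com is the guide's placeholder name.

```powershell
# Added example (not from the original guide): seize operations master roles and
# verify the holders. Assumes the ActiveDirectory module (Windows Server 2008 R2
# or later / RSAT); the DC name is a placeholder.
Import-Module ActiveDirectory

function Seize-OperationsMasterRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Roles = @('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')
    )
    # -Force: transfer first, seize when the current holder cannot be reached,
    # the same behaviour the ntdsutil "seize" commands show.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Force -Confirm:$false
}

function Get-OperationsMasterHolders {
    param([string]$Server = $env:COMPUTERNAME)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

# On the isolated, restored DC:
$dc = 'nycdc01.example.com'
Seize-OperationsMasterRoles -TargetDc $dc
$holders = Get-OperationsMasterHolders -Server $dc
$holders

# Every role should now name the restored DC; anything still naming a dead DC
# was not seized and must be retried (or seized with ntdsutil as above).
$holders.PSObject.Properties |
    Where-Object { $_.Value -notlike "$($dc.Split('.')[0])*" } |
    ForEach-Object { Write-Warning "$($_.Name) is still held by $($_.Value)" }
```

Run it with an account that meets the credentials column of the table above: Schema Admins for the schema master and Enterprise Admins for the domain naming master, Domain Admins for the rest. The RID master warning in the note above applies here too; the seizure proceeds without a synchronisation partner, which is why the RID pool is raised manually in the previous section.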
Windows Server 2008: Deleting a domain controller using Active Directory Users and Computers
When you use the version of Active Directory Users and Computers in Windows Server 2008, metadata cleanup is performed automatically when you delete the domain controller object. In addition, the server object and the computer object are also deleted automatically, which eliminates the need to perform those additional procedures.
As an alternative, you can also use Active Directory Sites and Services in Windows Server 2008 to delete a domain controller object. If you use Active Directory Sites and Services, you must delete the associated server object and NTDS Settings object before you can delete the domain controller object.
If you do not have Windows Server 2008, you can instead download and use the Microsoft Remote Server Administration Tools for Windows Vista (http://go.microsoft.com/fwlink/?LinkID=115118) to perform this procedure.
To delete a domain controller object using Active Directory Users and Computers in Windows Server 2008
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click the domain container, and then double-click the Domain Controllers organizational unit (OU).
3. In the details pane, right-click the domain controller that you want to delete, and then click Delete.
Resetting the krbtgt password
Use the following procedure to reset the krbtgt password for the domain. The following procedure applies to domain controllers that run Windows Server 2003 or writable domain controllers (not read-only domain controllers (RODCs)) that run Windows Server 2008.
Important
If you leave RODCs online during the forest recovery, do not reset or delete the krbtgt accounts that belong to the RODCs. The krbtgt account for an RODC is listed in the format krbtgt_<number>; only the account named exactly krbtgt is reset in this procedure.
To reset the krbtgt password
1. Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click the domain container, and then click Users.
3. In the details pane, right-click the krbtgt user account, and then click Reset Password.
4. In New password, type a new password, retype the password in Confirm password, and then click OK.
Notes
As mentioned in "Recovery steps," earlier in this guide, you should perform this operation twice.
Resetting the computer account password of the domain controller
Use the following procedure to reset the computer account password of the domain controller. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
To reset the computer account password of the domain controller
1. At a command prompt, type the following command, and then press ENTER:
netdom help resetpwd
2. Use the syntax that this command provides for using the NetDom command-line tool to reset the computer account password, for example:
netdom resetpwd /server: /userD:administrator /passwordd:*
Where the value of /server: is the local domain controller that you are recovering.
Note
As mentioned in "Recovery steps," earlier in this guide, you should run this command twice.
Resetting a trust password on one side of the trust - If you have trusts in place
Use the following procedure to reset a trust password on one side of the trust. This includes implicit trusts between child and parent domains as well as explicit trusts between this domain (the trusting domain) and another domain (the trusted domain).
Reset the password on only the trusting domain side of the trust, known in Windows Server 2003 as the incoming trust (the side where this domain belongs). Then, use the same password on the trusted domain side of the trust. In Windows Server 2003, this trusted domain is called the specified domain, and the trust is called the outgoing trust. Reset the password of the outgoing trust when you restore the first domain controller in each of the other (trusted) domains.
Important
To perform the following procedure, use the latest Netdom.exe command-line tool in the Windows Server 2003 Service Pack 1 32-bit Support Tools, which you can download from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=70775), or use Netdom.exe, which is included in Windows Server 2008 or in the Microsoft Remote Server Administration Tools for Windows Vista. Do not use older versions of the Netdom.exe command-line tool.
To reset a trust password on one side of the trust
1. At a command prompt, type the following command, and then press ENTER:
netdom experthelp trust
2. Use the syntax that this command provides for using the NetDom tool to reset the trust password.
For example, if there are two domains in the forest, parent and child, and you are running this command on the restored domain controller in the parent domain, use the following command syntax:
netdom trust /domain: /resetOneSide /passwordT: /userO:administrator /passwordO:*
When you run this command in the child domain, use the following command syntax:
netdom trust /domain: /resetOneSide /passwordT: /userO:administrator /passwordO:*
Note
passwordT should be the same value on both sides of the trust. Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.
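The three secret resets from the preceding sections (krbtgt, the domain controller's computer account, and the trust password) scripted together, as an added PowerShell example that is not part of the original guide. It resets only the account named exactly krbtgt (leaving any RODC krbtgt_<number> accounts alone), runs krbtgt and netdom resetpwd twice each as the guide requires, runs netdom trust /resetOneSide once per side with a single generated value, and checks that each step actually took. Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and a current Netdom.exe on the path; the DC and domain names are placeholders.

```powershell
# Added example (not from the original guide): krbtgt, machine-account and
# trust-password resets on a recovered writable DC. Assumes the ActiveDirectory
# module and Netdom.exe; nycdc01 / example.com / child.example.com are placeholders.
Import-Module ActiveDirectory

function New-RandomSecret {
    param([int]$Length = 32)
    # CSPRNG-backed. The krbtgt value is never needed again; the trust value
    # must be carried to the other side, so it stays in $trustPw until then.
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789')
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Reset-KrbtgtTwice {
    param([Parameter(Mandatory)][string]$Server)
    # Exact match: krbtgt_<number> accounts belong to RODCs left online and are not touched.
    $krbtgt = Get-ADUser -Filter "SamAccountName -eq 'krbtgt'" -Server $Server -Properties pwdLastSet
    $before = [int64]$krbtgt.pwdLastSet
    foreach ($pass in 1, 2) {
        $pw = ConvertTo-SecureString (New-RandomSecret) -AsPlainText -Force
        Set-ADAccountPassword -Identity $krbtgt -Reset -NewPassword $pw -Server $Server
    }
    $after = [int64](Get-ADUser $krbtgt -Server $Server -Properties pwdLastSet).pwdLastSet
    if ($after -le $before) { throw "krbtgt pwdLastSet did not advance on $Server" }
    "krbtgt reset twice on $Server; pwdLastSet now $([datetime]::FromFileTime($after))"
}

function Reset-DcMachinePasswordTwice {
    param([Parameter(Mandatory)][string]$Server, [string]$User = 'administrator')
    foreach ($pass in 1, 2) {
        # Same command the guide gives; /passwordd:* prompts for the password.
        & netdom resetpwd /server:$Server /userD:$User /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed on pass $pass (exit $LASTEXITCODE)" }
    }
}

function Reset-TrustOneSide {
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,   # the domain this DC belongs to
        [Parameter(Mandatory)][string]$TrustedDomain,    # the other side of the trust
        [Parameter(Mandatory)][string]$TrustPassword,    # must be identical on both sides
        [string]$User = 'administrator'
    )
    # /resetOneSide already resets twice, so this runs exactly once per side.
    & netdom trust $TrustingDomain /domain:$TrustedDomain /resetOneSide /passwordT:$TrustPassword /userO:$User /passwordO:*
    if ($LASTEXITCODE -ne 0) { throw "netdom trust /resetOneSide failed: $TrustingDomain -> $TrustedDomain" }
}

# On the restored DC in the parent domain:
Reset-KrbtgtTwice -Server 'nycdc01.example.com'
Reset-DcMachinePasswordTwice -Server 'nycdc01.example.com'
$trustPw = New-RandomSecret
Reset-TrustOneSide -TrustingDomain 'example.com' -TrustedDomain 'child.example.com' -TrustPassword $trustPw

# Later, on the first restored DC in the child domain, with the SAME $trustPw:
# Reset-TrustOneSide -TrustingDomain 'child.example.com' -TrustedDomain 'example.com' -TrustPassword $trustPw
# Once both sides are done and connectivity is restored, verify from either side:
# netdom trust example.com /domain:child.example.com /verify
```

The trust password is passed to netdom on the command line, so it is visible in process listings and in any command history while the reset runs; generate it once, move it to the child domain's first restored DC by a channel you trust, and discard it after both sides have been reset and verified.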
Adding the global catalog
Use the following procedure to add the global catalog to a domain controller. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
To add the global catalog
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.
3. Expand the Servers container, and then expand the server object for the domain controller to which you want to add the global catalog.
4. Right-click NTDS Settings, and then click Properties.
5. Select the Global Catalog check box.
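The check box in the two Active Directory Sites and Services procedures above (removing the global catalog right after the restore, adding it back later in this stage) sets or clears one bit of the options attribute on the domain controller's NTDS Settings object. The following added PowerShell example, which is not part of the original guide, does the same edit with the ActiveDirectory module so it can be scripted across several restored domain controllers. The bit value 0x1 is the IS_GC flag of that attribute; the module (Windows Server 2008 R2 / RSAT) and the DC name nycdc01 are assumptions.

```powershell
# Added example (not from the original guide): toggle the Global Catalog flag
# (bit 0x1 of the NTDS Settings "options" attribute). Assumes the
# ActiveDirectory module; the DC name is a placeholder.
Import-Module ActiveDirectory
$IS_GC = 1

function Get-NtdsSettings {
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
}

function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $ntds    = Get-NtdsSettings $DcName
    $current = [int]$ntds.options
    # Change only the IS_GC bit: other option bits that may be set on a
    # recovering DC (for example the disabled-replication flags) must survive.
    $new = if ($Enabled) { $current -bor $IS_GC } else { $current -band (-bnot $IS_GC) }
    if ($new -ne $current) {
        Set-ADObject -Identity $ntds -Replace @{ options = $new }
    }
    [pscustomobject]@{
        DC              = $DcName
        OptionsBefore   = $current
        OptionsAfter    = $new
        IsGlobalCatalog = (($new -band $IS_GC) -ne 0)
    }
}

# Immediately after the restore: drop the partial replicas that may hold data
# newer than the domains that are authoritative for them.
Set-GlobalCatalog -DcName 'nycdc01' -Enabled $false

# Later in stage 2, once the domains are authoritative again: add it back.
Set-GlobalCatalog -DcName 'nycdc01' -Enabled $true

# The DC only advertises as a GC after it has rebuilt the partial replicas:
Get-ADDomainController -Identity 'nycdc01' | Select-Object Name, IsGlobalCatalog
```

Clearing the bit is what actually discards the partial replicas, so do it before the restored domain controller is allowed to replicate outbound; re-adding the global catalog afterwards repopulates them from the now-authoritative domains rather than from the backup.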
Once complete, plug the NIC back in and restart.
On all rebuilt DC machines, configure the name, IP address and settings according to the topology report.
Once each machine has joined the domain again, run DCPROMO according to the original design.
Additional considerations
Be aware of the following issues when you perform a nonauthoritative restore of AD DS:
- If the nonauthoritative restore procedure is preliminary to performing an authoritative restore of any restored objects, do not restart the domain controller until after you have completed the authoritative restore procedure.
- When you use System Recovery Options to restore a Windows Server 2008 domain controller in an environment that has Distributed File System (DFS) Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery command, as shown in the following example (the version identifies the backup to restore, in the date and time form described in this list):
wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM -authsysvol
- If you use File Replication Service (FRS), the restore operation sets the BURFLAGS registry keys for FRS, which affects all replica sets that are replicated by FRS.
- Wbadmin.exe does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version.
- Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of backup that you want to recover.
- After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again.
- After you log on to the system, browse AD DS, and verify that the following conditions are met:
- All of the user objects and group objects that were present in the directory at the time of the backup are restored.
Note
Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken.
- Files that were members of a FRS replica set and certificates that were issued by AD CS are present.
- The Windows Time service (W32time) is synchronized correctly.
- The NETLOGON and SYSVOL folders are properly shared.
- The Preferred DNS server address is configured correctly.
- Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).
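The last four checks in the list above (time synchronisation, the NETLOGON and SYSVOL shares, the preferred DNS server, and the A and SRV records) scripted for the recovered domain controller, as an added PowerShell example that is not part of the original guide. It relies only on tools present on the server (w32tm, WMI, nslookup); the domain name example.com and the DC name nycdc01 are placeholders.

```powershell
# Added example (not from the original guide): post-restart verification of a
# recovered DC. Uses w32tm, WMI and nslookup only; names are placeholders.

function Test-RecoveredDc {
    param(
        [string]$DomainDns = 'example.com',
        [string]$DcName    = $env:COMPUTERNAME
    )
    $r = @{}

    # NETLOGON and SYSVOL must be shared; if they are missing, SYSVOL replication
    # (FRS or DFSR) has usually not finished initialising after the restore.
    $shares = Get-WmiObject Win32_Share | Select-Object -ExpandProperty Name
    $r['SysvolShared']   = $shares -contains 'SYSVOL'
    $r['NetlogonShared'] = $shares -contains 'NETLOGON'

    # Time source. "Local CMOS Clock" or "Free-running" after a recovery means
    # W32time is not synchronised; Kerberos starts failing once skew exceeds 5 minutes.
    $source = (& w32tm /query /source) -join ''
    $r['TimeSource'] = $source
    $r['TimeSynced'] = $source -notmatch 'Local CMOS Clock|Free-running'

    # Preferred DNS server(s) on the IP-enabled adapters; these must point at a
    # DNS server that is up and hosts the domain zone.
    $r['PreferredDns'] = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })

    # Host (A) record for this DC and the DC locator SRV record that names it.
    $addresses = try { [System.Net.Dns]::GetHostAddresses("$DcName.$DomainDns") } catch { @() }
    $r['HostRecord'] = @($addresses).Count -gt 0
    $srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainDns" 2>&1
    $r['SrvRecord']  = (($srv | Out-String) -match "svr hostname\s*=\s*$DcName")

    [pscustomobject]$r
}

$check = Test-RecoveredDc -DomainDns 'example.com' -DcName 'nycdc01'
$check

# Any boolean check that is false is a condition from the list above that is not met.
$failed = $check.PSObject.Properties | Where-Object { ($_.Value -is [bool]) -and (-not $_.Value) }
if ($failed) {
    Write-Warning ("Failed checks: " + (($failed | Select-Object -ExpandProperty Name) -join ', '))
}
```

Run it after the normal restart, once AD DS has finished its integrity check and re-index. A missing SRV record is the check to act on first, because without it other domain controllers and clients cannot locate the recovered server even when everything else passes.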