
Restore DC, client has to rejoin domain


e532410

Technical User
Feb 14, 2008
2
CA
Hello,

I had a problem last night. Our major Win2k3 DC (in ESX v3) died. Don't ask why. Fortunately I have a copy of that DC virtual server from last month. I brought that in and restarted the server. Of course, the DC was up again, but I had to rejoin all my member servers and clients to the domain. It took me 10 hours to do so. According to the event log, the problem is in the computer account. Every member server or client system works perfectly fine after rejoining the domain. However, that's not what I expect with a virtual system. Have any folks experienced this and have a solution? Please advise!

Regards,
Eddie
 
Windows computers have accounts in Active Directory just like users do, as you know. Those computer accounts have passwords just like user accounts too. The computers change the passwords automatically every once in a while (every couple of weeks I believe). When you restored the snapshot of the DC, Active Directory now had the wrong passwords for every computer in the domain, which is why you needed to join all the machines back to the domain.

There are a couple of things that you should do to prevent this from happening.

1. Set up another domain controller. Every domain should have at least two, if not more. This way if you lose a domain controller you can just deploy a new machine, and it will get the current copy of the AD database from the remaining DC.

2. Back up the Active Directory database on a regular basis. It should be backed up at least a couple of times a week, more often depending on how many changes you make to the database (new users, new computers, etc). Those backups should then be stored on a server other than the DC so that if you do lose all your DCs again you can restore the database to the state it was in a couple of days prior.

You will also notice that anyone who changed their password or had a new account created for them will either have to use their prior password, or their account doesn't exist any more.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

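To estimate the impact before bringing an old DC copy online, the sketch below (an added example, not part of the original thread) flags computer accounts whose password changed, or which were created, after the backup was taken. The function name, sample machines and dates are constructed for illustration; `Get-ADComputer` and its `PasswordLastSet` and `Created` properties come from the ActiveDirectory PowerShell module.

```powershell
# Added example: which computer accounts will not match a restored DC copy?
function Get-RestoreImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Computers,   # objects with Name, Created, PasswordLastSet
        [Parameter(Mandatory)] [datetime] $BackupTaken  # when the DC copy/snapshot was made
    )
    foreach ($c in $Computers) {
        $status = if ($c.Created -gt $BackupTaken) {
            'MissingAfterRestore'   # account did not exist yet in the restored database
        } elseif ($null -eq $c.PasswordLastSet) {
            'Unknown'               # no password timestamp available
        } elseif ($c.PasswordLastSet -gt $BackupTaken) {
            'PasswordMismatch'      # machine rotated its password after the backup
        } else {
            'OK'                    # restored database still holds the current password
        }
        [pscustomobject]@{
            Name            = $c.Name
            Created         = $c.Created
            PasswordLastSet = $c.PasswordLastSet
            Status          = $status
        }
    }
}

# Constructed sample data (hypothetical machine names and dates).
$sample = @(
    [pscustomobject]@{ Name = 'FILESRV01'; Created = [datetime]'2006-05-10'; PasswordLastSet = [datetime]'2008-02-01' }
    [pscustomobject]@{ Name = 'SQLSRV01';  Created = [datetime]'2007-03-02'; PasswordLastSet = [datetime]'2008-01-05' }
    [pscustomobject]@{ Name = 'WKS-0142';  Created = [datetime]'2008-02-04'; PasswordLastSet = [datetime]'2008-02-04' }
)
$backupTaken = [datetime]'2008-01-14'   # constructed: a copy about one month old

Get-RestoreImpact -Computers $sample -BackupTaken $backupTaken |
    Sort-Object Status, Name |
    Format-Table -AutoSize

# Against a live domain, feed the function from a DC that is still healthy:
# $live = Get-ADComputer -Filter * -Properties Created, PasswordLastSet
# Get-RestoreImpact -Computers $live -BackupTaken $backupTaken
```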
 
Hello Denny,

Actually, I have 2 DCs. I originally expected that after I restored that DC, it would get the latest version of AD replicated from the other DC. However, after I restored that one, there were lots of problems in AD: it said the restored DC computer account has a problem and the other DC cannot replicate to it, and a lot of other errors regarding KCC, Kerberos... I had no other way but to restore both DCs, which I backed up at the same time, to rescue my AD. Any comment?

Regards,
Eddie
 
The easiest way to fix this will probably be to transfer or seize the FSMO roles to the DC that didn't crash, then power down the one that you restored and reinstall Windows on it. Its machine account is probably too old to get back on the domain.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

 