AD replication shafted!
We have a self-created problem here and are trying to find a way back! We have 2 DCs, each hosted on a separate VM host. Due to problems with (what appears to be iSCSI) losing mapped drives, we decided to take DC2 down and bring it back up on another host. To cut a long story short, we got our knickers in a twist and brought up the wrong snapshot (about 3 weeks old), which resulted in an older version of AD coming back up. We didn't realise at the time and happily carried on with what we were testing, and then brought it back up on the original VM host. Now (obviously) replication is broken, causing all sorts of mayhem with GP not applying correctly etc.
Is there any way to force DC2 to replicate from DC1 to bring it up to date? Or is the only way to demote DC2 and then re-promote it?
Thanks for any help.
If it's only a DC/DNS server then dump it and build a new one!
Do you not need to do a Non-Authoritative Restore on the duff DC? I think that would work.
Dump it and re-build. Lesson - do not snapshot DCs! System State them, but with the nature of multiple DCs you should not need to have snapshots anyway.
Thanks for that,
It provides network shares, DHCP, DNS and is also a print server. I think what I'll do is bring up a DC3 and DCpromo it, attach the shared storage to it and then demote DC2, clean it up and bring it back up.
When I say snapshot, I mean a VM snapshot.
Never snapshot a VM DC, it is not recommended by MS and bad things can come of it.
I would try the Non-Authoritative Restore as suggested by @jsnetman as that should bring it in line with the other DC. edit: didn't actually mean this, see below.
I suspect if it's the only DC it's not that bad, but with multiple DCs something's bound to go wrong.
Originally Posted by sparkeh
Is it the case that I should be able to just do a demote and then promote it again? Surely when it's promoted it'll pick up AD from the remaining workable DC1?
I realise, as @sparkeh says you must not snapshot a VM DC.
Originally Posted by manick
In theory, it should pick up again from the remaining DC if you dcpromo. Make sure that has all necessary roles and that AD works okay with just that one online.
Sorry I didn't actually mean to use the process linked to by @jsnetman but rather the process for Nonauthoritative restore here: Using the BurFlags registry key to reinitialize File Replication Service replica sets
Read the article and I think it applies to your situation, the process just makes the borked AD reinitialise with the good AD.
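Added example, not posted by anyone in this thread: the non-authoritative (D2) BurFlags procedure from the linked article, scripted in PowerShell so it can be run on the stale DC. Two caveats worth knowing before running it. First, BurFlags only reinitialises the FRS replica set (SYSVOL and its group policy templates); it does not touch the NTDS database, and a DC that came back from an old VM snapshot also has a rolled-back database, which this does not repair. Second, the key name contains a forward slash (`Backup/Restore`), which the PowerShell registry provider would treat as a path separator, so the script uses the .NET Registry class instead of `Set-ItemProperty`. The DC name, service names and event IDs are standard Windows values; the 30-second wait is an assumption.

```powershell
# Added example: non-authoritative FRS restore of SYSVOL on the DC whose copy is stale.
# Run elevated on that DC only. Assumes the partner DC holds the good SYSVOL and that FRS
# (not DFS-R) is still replicating SYSVOL, as on a 2008 domain that has not migrated.

$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# D2 = non-authoritative: this member throws away its replica and pulls a fresh copy from a partner.
# D4 = authoritative: this member's copy overwrites every partner. Never set D4 on the stale DC.
$NonAuthoritative = 0xD2

# Stop FRS first; BurFlags is read when the service starts.
Stop-Service -Name NtFrs -Force

# .NET OpenSubKey treats '/' literally, unlike the HKLM: provider, so the odd key name works here.
$reg = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if (-not $reg) { throw "BurFlags key not found; is FRS installed on this DC?" }
$reg.SetValue('BurFlags', $NonAuthoritative, [Microsoft.Win32.RegistryValueKind]::DWord)
$reg.Close()

Start-Service -Name NtFrs

# FRS resets BurFlags to 0 once it has consumed the flag, so a non-zero value after a short
# wait (30 s is an assumed, generous interval) means the restore has not been picked up yet.
Start-Sleep -Seconds 30
$reg  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $false)
$flag = $reg.GetValue('BurFlags')
$reg.Close()
"BurFlags after restart: 0x{0:X}" -f $flag

# Progress shows up in the File Replication Service log: 13565 when the non-authoritative
# initialisation from a partner begins, 13516 when SYSVOL is shared again and the DC is usable.
Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 10 -FilterHashtable @{
    LogName = 'File Replication Service'; Id = 13565, 13516 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Until 13516 is logged the DC will not advertise SYSVOL, so expect group policy processing against that DC to fail for the duration; pointing clients at the good DC's SYSVOL in the meantime is the usual workaround.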
Does this not underpin the argument about maintaining a dedicated hardware server for the sole purpose of maintaining the AD?
That's what we do, we always have a 1U single-CPU server with a pair of mirrored (preferably SAS) HDDs and a USB drive attached, using the Windows 2008 R2 bare metal backup. It does very little else than maintain a bullet-proof copy of the forest.
Everything else is virtualised.
If a Windows 2008 domain controller has not spoken to the other domain controller for a bit, it will refuse to replicate.
Now you need to do some reading before doing any of this and make sure you know what the consequences are.
Event ID 2042: It has been too long since this machine replicated: Active Directory
@ricki from the info given by the OP it does not look like he is in that position; there is no mention of that error and the AD is different by three weeks, which is much shorter than the tombstone period.
I was on a 2008 server course 3 weeks ago; the instructor told us in no uncertain terms, NEVER virtualize a live DC, always use a dedicated hardware server. This is MS advice.
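Added example, not from any poster in the thread, serving both the OP's question (can DC2 simply be forced to pull from DC1, or must it be rebuilt?) and the tombstone-lifetime discussion above. It gathers the three facts that settle that question: the replication state each DC reports, the forest's actual tombstone lifetime, and whether either DC has logged 2042 (partner silent for longer than the tombstone lifetime) or 2095 (the DC detected a USN rollback, which is exactly what a restored VM snapshot produces on a 2008-era DC, and quarantined itself). If 2095 is present on the rolled-back DC, a forced sync will not help and the demote/rebuild route the thread recommends is the right one. The DC names are placeholders; `repadmin` and remote event-log access are assumed to be available from the machine the script runs on.

```powershell
# Added example: decide whether a DC restored from an old snapshot can still be resynchronised.
# Assumes DC1 is healthy and DC2 is the rolled-back DC; substitute your own names.
$GoodDC = 'DC1'
$BadDC  = 'DC2'

# 1. Replication state as each side sees it. After a USN rollback the affected DC also
#    sets DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL on itself, which /options will show.
repadmin /replsummary
repadmin /showrepl $BadDC /verbose
repadmin /options $BadDC

# 2. Effective tombstone lifetime for this forest. The attribute lives on the Directory Service
#    object in the configuration partition; if it is absent, the default of 60 days applies.
$rootDSE = [ADSI]'LDAP://RootDSE'
$configNC = $rootDSE.Get('configurationNamingContext')
$dsObject = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $configNC)
$tsl = $dsObject.Properties['tombstoneLifetime'].Value
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days"

# 3. The two Directory Service events that rule out a simple forced sync:
#    2042 = partner has not replicated within the tombstone lifetime (lingering-object risk)
#    2095 = USN rollback detected; this DC has stopped replicating to protect the forest
$lookback = (Get-Date).AddDays(-$tsl)
foreach ($dc in $GoodDC, $BadDC) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2042, 2095; StartTime = $lookback }
    if ($events) {
        $events | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message | Format-List
    } else {
        "${dc}: no 2042/2095 events since $lookback"
    }
}
```

Read the three outputs together: a three-week gap is well inside a 60- or 180-day tombstone lifetime, so 2042 is unlikely here, but the snapshot rollback itself is what 2095 reports, and that is the event to look for on the bad DC before deciding anything.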
Originally Posted by m25man
Can you clarify this? Are you saying you were told never to virtualise a DC?
Originally Posted by HallX