qUICKLY Explained: Domain or Forest Restore - So Did U Recover Schema Master, Rid, Remaining Roles

Hello and thanks for visiting my blog again.

Lately, I have been involved in discussions around the recovery processes and steps for Active Directory, whether it is recovering from the accidental deletion of a single object or a total recovery, meaning a Forest Recovery.

While we don't expect any company to actually have to recover its entire forest, or even a single domain in the forest, it is important to understand the steps needed, just in case (the chance of this happening is lower than the chance of you missing an important meeting you have been planning for months). Well, either can happen... (silence)... so let's look at Q's acronym (remember Star Trek and my second blog) that will save the day, or at least get you back up and running. The time needed to recover the minimal services can matter a great deal, so do test in a lab if you are concerned about how long your environment would take to restore from a backup. Now then,

Q’s Acronym for Forest Recovery: S D U R S M R R R

or

So Did U Recover Schema Master, Rid, Remaining Roles

Now your domain/forest recovery can be as simple as remembering the statement above: the first character of each word stands for one step that needs to be done, in that order, to properly restore your environment. Let's quickly see what each step is:

So - SYSVOL is ready (the procedure depends on whether FRS or DFSR is used for SYSVOL replication)

Did - DNS Cleanup

U - Un-GC

Recover - Raise the rIDAvailablePool

Schema - Seize FSMO Roles

Master - Metadata cleanup

Rid - Reset the domain controller computer object password - twice

Remaining - Reset the krbtgt account password – twice

Roles - Reset the trust password (all and any)

Easy, isn't it? All that remains is the detail of each step. The steps are performed once for each domain, on the first domain controller being restored in that domain, while logged on to that restored (and, at this point, only) domain controller as a member of the Domain Admins group (Enterprise Admins membership cannot be evaluated until a Global Catalog is available again, see Step 3). Below are some links to help with each step (no point in reinventing the wheel, so this is just the Q's acronym quickly explained):

Step 1: So (SYSVOL is ready):

For FRS, use Authoritative Restore from https://support.microsoft.com/kb/290762

For DFSR, make the restore authoritative by setting the LastRestoreID registry value and the SYSVOL REG_SZ value (to "authoritative") under the DFSR restore registry key, as described at https://msdn.microsoft.com/en-us/library/bb891959(VS.85).aspx#lastrestoreid

Verify that the SYSVOL and NETLOGON shares exist before going to Step 2. You can proceed without them, but it is best to have this DC sharing SYSVOL and NETLOGON first; check with 'net share' or the event logs.
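The check above, as an added PowerShell example that is not part of the original post: it confirms both shares are present and looks for the event each replication engine logs once SYSVOL is initialized (FRS event 13516 in the File Replication Service log, DFSR event 4602 in the DFS Replication log). It assumes Windows Server 2012 or later, where Get-SmbShare and Get-WinEvent are available.

```powershell
# Added example, not from the original post: is the restored DC sharing SYSVOL and
# NETLOGON, and has FRS or DFSR declared SYSVOL ready?
# Assumes Windows Server 2012 or later (Get-SmbShare, Get-WinEvent).
$requiredShares = 'SYSVOL', 'NETLOGON'
$shares  = @(Get-SmbShare | Where-Object { $requiredShares -contains $_.Name })
$missing = @($requiredShares | Where-Object { $shares.Name -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("Not yet shared: {0}. Do not move on to DNS cleanup yet." -f ($missing -join ', '))
} else {
    $shares | Format-Table Name, Path -AutoSize
}

# Whichever engine replicates SYSVOL on this DC will have logged one of these.
# FRS: 13516 "The File Replication Service is no longer preventing ... from becoming a domain controller"
# DFSR: 4602 "The DFS Replication service successfully initialized the SYSVOL replicated folder"
$sysvolReadyEvents = @(
    @{ LogName = 'File Replication Service'; Id = 13516 },
    @{ LogName = 'DFS Replication';          Id = 4602  }
)
foreach ($query in $sysvolReadyEvents) {
    # A log that does not exist on this DC (FRS on a DFSR domain, or vice versa) just yields nothing
    $event = Get-WinEvent -FilterHashtable $query -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($event) {
        "{0}: event {1} logged at {2}" -f $query.LogName, $query.Id, $event.TimeCreated
    }
}
```

If neither event is found and the shares are missing, the authoritative restore from the step above has not completed; fix that before touching DNS, because the SRV records this DC registers depend on NETLOGON.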

Step 2: Did (DNS Cleanup):

Clean up or remove the DNS entries, including the SRV records, that refer to every other DC in the domain, leaving only those of the DC being restored.
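An added PowerShell example, not from the original post, for finding those records: it walks the domain zone and the _msdcs zone of the forest root, flags every SRV, NS and CNAME record whose target is another DC, and every A record that carries another DC's address (the DC's own host record, the zone-apex "same as parent folder" records and the gc._msdcs records). It assumes the restored DC runs Windows Server 2012 or later with the DnsServer and ActiveDirectory modules and hosts the AD-integrated zones; the other DCs' names come from the Domain Controllers OU, which still holds their computer objects until metadata cleanup in Step 6. Nothing is deleted until $commit is set to $true.

```powershell
# Added example, not from the original post: list (and optionally delete) DNS records
# that still advertise the other domain controllers. Assumes Windows Server 2012+,
# DnsServer and ActiveDirectory modules, AD-integrated zones hosted on this DC.
Import-Module DnsServer, ActiveDirectory

$commit = $false                                   # set to $true to actually delete
$domain = Get-ADDomain
$forest = Get-ADForest
$thisDc = "$env:COMPUTERNAME.$($domain.DNSRoot)".ToLower()
$zones  = @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)") | Select-Object -Unique

# The other DCs still exist as computer objects until metadata cleanup (Step 6)
$otherDcs = @(Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)" |
    ForEach-Object { $_.DNSHostName.ToLower() } | Where-Object { $_ -ne $thisDc })

function Get-ZoneRecords {
    param([string]$Zone)
    foreach ($type in 'Srv', 'NS', 'CName', 'A') {
        # A zone this DC does not host (e.g. _msdcs.<root> on a child-domain DC) yields nothing
        foreach ($rr in @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType $type -ErrorAction SilentlyContinue)) {
            # The host a record points at, by type; A records carry an address instead
            $target = switch ($type) {
                'Srv'   { $rr.RecordData.DomainName }
                'NS'    { $rr.RecordData.NameServer }
                'CName' { $rr.RecordData.HostNameAlias }
                default { $null }
            }
            $address = if ($type -eq 'A') { $rr.RecordData.IPv4Address.IPAddressToString } else { $null }
            [pscustomobject]@{
                Zone    = $Zone
                Name    = $rr.HostName
                Type    = $type
                Target  = if ($target) { $target.TrimEnd('.').ToLower() } else { $null }
                Address = $address
                Record  = $rr
            }
        }
    }
}

$all = @(foreach ($zone in $zones) { Get-ZoneRecords -Zone $zone })

# Pass 1: the host (A) records of the other DCs tell us their IP addresses
$otherDcIps = @($all |
    Where-Object { $_.Type -eq 'A' -and $otherDcs -contains "$($_.Name).$($_.Zone)".ToLower() } |
    ForEach-Object { $_.Address })

# Pass 2: anything naming another DC as its target, or carrying one of its addresses
$stale = @($all | Where-Object {
    ($_.Target -and $_.Target -ne $thisDc) -or ($_.Address -and $otherDcIps -contains $_.Address)
})

foreach ($entry in $stale) {
    $pointsAt = if ($entry.Target) { $entry.Target } else { $entry.Address }
    "{0,-30} {1,-5} {2,-45} -> {3}" -f $entry.Zone, $entry.Type, $entry.Name, $pointsAt
    Remove-DnsServerResourceRecord -ZoneName $entry.Zone -InputObject $entry.Record -Force -WhatIf:(-not $commit)
}
```

Review the listing before committing: the only records that should survive are those whose target or address is the DC you are restoring. When restoring a child domain, the child's GUID CNAME and SRV entries in _msdcs.<forest root> live on the root domain's DNS servers and are cleaned up there, not here.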

Step 3: U (Un-GC)

Remove the Global Catalog from the restored domain controller in AD Sites and Services (NTDS Settings properties, clear the Global Catalog check box). Note: until the DC is made a Global Catalog again and has finished building it, universal group membership, including Enterprise Admins, cannot be evaluated, so you will not be treated as a member of that group. See https://technet.microsoft.com/en-us/library/cc755257.aspx

Step 4: Recover (Raise the rIDAvailablePool)

Raise the value of this attribute by 100,000 (the recommended increment) for each day that has passed since the backup you restored from was taken, so that RIDs handed out after the backup cannot be issued a second time and produce duplicate SIDs in the domain. Details are at https://technet.microsoft.com/en-us/library/cc781218(v=WS.10).aspx#RaiseRIDPool
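An added PowerShell example, not from the original post, that performs the raise from the restored DC and verifies it. rIDAvailablePool on CN=RID Manager$,CN=System is a single 64-bit value: the high 32 bits hold the last RID the domain may ever issue and the low 32 bits hold the next RID to be handed out, so only the low half is raised. It assumes the ActiveDirectory module and PowerShell 3.0 or later (for the -shl/-shr operators); set $increment to 100,000 times the number of days worked out above.

```powershell
# Added example, not from the original post: raise the next-RID half of rIDAvailablePool.
# Assumes the ActiveDirectory module and PowerShell 3.0+ (bit-shift operators).
Import-Module ActiveDirectory

$increment  = 100000                              # 100,000 per day since the backup
$ridManager = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName

# Split the 64-bit value: high 32 bits = ceiling, low 32 bits = next RID to issue
$pool = [int64](Get-ADObject -Identity $ridManager -Properties rIDAvailablePool).rIDAvailablePool
$high = $pool -shr 32
$low  = $pool -band 0xFFFFFFFF

$newLow = $low + $increment
if ($newLow -ge $high) {
    throw "Raising the next RID from $low to $newLow would exceed the pool ceiling $high"
}
$newPool = ($high -shl 32) -bor $newLow

"Before: next RID {0}, ceiling {1}" -f $low, $high
"After:  next RID {0}, ceiling {1}" -f $newLow, $high
Set-ADObject -Identity $ridManager -Replace @{ rIDAvailablePool = $newPool }

# Read it back: a silent failure here would leave the domain able to re-issue old RIDs
$check = [int64](Get-ADObject -Identity $ridManager -Properties rIDAvailablePool).rIDAvailablePool
if (($check -band 0xFFFFFFFF) -ne $newLow) {
    throw "rIDAvailablePool did not change as expected (read back $check)"
}
```

Keep a note of the before and after values; they are useful evidence later if a SID collision is ever suspected.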

Step 5: Schema (Seize fSMO Roles)

Follow the "Seize FSMO roles" section in https://support.microsoft.com/kb/255504. Even if the restored domain controller already held a FSMO role, I would seize all the roles that belong to this domain onto it (again); in the forest root domain that includes the forest-wide Schema Master and Domain Naming Master roles.

Step 6: Master (Metadata Cleanup)

Note first that if the restored domain controller runs Windows Server 2008 or later, you can simply delete the computer objects of all other domain controllers in the domain using AD Users and Computers, ticking the box confirming that the domain controller is permanently offline and can no longer be demoted; the metadata cleanup is then done for you.

You can also use https://support.microsoft.com/kb/216498 or https://technet.microsoft.com/en-us/library/cc781218(v=WS.10).aspx#BKMK_CleanMetadata to clean up the data related to the other domain controllers in the domain.

Step 7: Rid (Reset the domain controller computer object password - twice)

Netdom to the rescue:

netdom resetpwd /server:<domain controller name> /userD:administrator /passwordd:*

https://technet.microsoft.com/en-us/library/cc781218(v=WS.10).aspx#BKMK_ResetComputerPassword

Step 8: Remaining (Reset the krbtgt account password – twice)

Use the AD Users and Computers snap-in, enable Advanced Features, right-click the krbtgt account and choose Reset Password (do this twice), or see https://technet.microsoft.com/en-us/library/cc781218(v=WS.10).aspx#BKMK_ResetTrustPassword

Please take note of "Changing The Krbtgt Password May Fail When A Custom Password Filter Is Installed" at https://support.microsoft.com/kb/2549833
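An added PowerShell example, not from the original post, that does the double reset and checks that each one actually took, which is the failure mode the KB above describes. The krbtgt password value itself does not matter (the KDC derives its keys from it and nobody logs on with it), so a random one is generated for each reset and never stored. It assumes the ActiveDirectory module on the restored DC; the helper names are my own.

```powershell
# Added example, not from the original post: reset krbtgt twice, verifying pwdLastSet
# advanced each time. Assumes the ActiveDirectory module on the restored DC.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    $rng.Dispose()
    # Base64 keeps it printable; the prefix adds a symbol so any complexity policy is satisfied
    ConvertTo-SecureString ('Krb!' + [Convert]::ToBase64String($buffer)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    $before = (Get-ADUser -Identity krbtgt -Properties pwdLastSet).pwdLastSet
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
    $after  = (Get-ADUser -Identity krbtgt -Properties pwdLastSet).pwdLastSet
    # On this lone DC there is no replication to wait for: pwdLastSet must move immediately
    if ($after -le $before) {
        throw "pwdLastSet did not advance; a custom password filter (KB 2549833) may have rejected the reset"
    }
    [DateTime]::FromFileTimeUtc($after)
}

$first  = Reset-KrbtgtOnce
$second = Reset-KrbtgtOnce
"krbtgt reset at {0:u} and again at {1:u}" -f $first, $second
```

Running the two resets back to back is intended here: in a forest recovery every ticket issued before the disaster must become invalid. Outside a recovery, never do this; a second reset before the first has replicated and the old tickets have expired breaks Kerberos across the domain.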

Step 9: Roles (Reset the trust password (all and any))

If the environment is a multi-domain forest, run the following on the parent domain:

netdom trust <parent domain name> /domain:<child domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*

and the following on the child domain (when restoring the first domain controller in the child domain):

netdom trust <child domain name> /domain:<parent domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*

See https://technet.microsoft.com/en-us/library/cc781218(v=WS.10).aspx#BKMK_ResetTrustPassword

Once you are done with Step 9 (needed in multi-domain forests) or Step 8 (in a single-domain forest), enable the Global Catalog on the domain controller again. As a best practice, also reset the Administrator password and the passwords of other important accounts, as well as the DSRM administrator password. Once your first domain controller is up, it is also recommended to take a backup of it. Further domain controllers can then be promoted using DCPROMO. Hope this has been a good qUICKLY Recovery of your Domain / Forest. Till next time, :)