Sunday, August 9, 2009


This document was prepared for building a copy of the production Active Directory.  Following these steps defines how to rebuild the entire Microsoft Active Directory for a test domain.  *** Be careful ***


The first set of steps gets a good PC into the production domain.  Once this PC is a member it needs to be promoted and become a healthy participant in the network.  The new DC then needs to be removed from the network before it is restarted (from its restore) to prevent any replication activity from damaging the production system.  Reconnecting it to the production system afterwards will create major problems there.


1. Shut down ALL PCs within the test sub-net (for this document it will be 192.168.1.x, gateway =, mask =)

2. Remove the physical cable from the new PC and build the member server in production (everything here should reside within the test domain)

        Install DNS (AD Integrated is needed for this document)

3. Re-connect the cable and join the domain

        Select the IP Address

        Select the mask to

        Select the Gateway

        Point the DNS services to a production AD DNS server

4. Promote the server to a Domain Controller (DC) via dcpromo.exe

5. Promote the server to a Global Catalog server

6. Let the system sit idle (2 hours) so replication can sync up

        Point the DNS services to itself

7. Open a command prompt

        dcdiag /v /test:ridmanager

        Make sure there are no errors with the RID manager

        Create an object on the new DC

        Physically disconnect the cable

        Bring up "Active Directory Users and Computers"

        Disconnecting forces the snap-in to connect to the local DC

        Create a test user with the account disabled

        Reconnect the physical cable

8. At a command prompt type NTBACKUP and do a System State backup, saving the file to the local server
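The checks of step 7 and the backup of step 8 in script form, as an added example that is not part of the original post. It assumes PowerShell is available on the new DC, that dcdiag.exe and repadmin.exe (Support Tools) and ntbackup.exe are on the PATH, and that the backup path is a constructed value; the disconnected-cable test user of step 7 stays a manual step.

```powershell
# Added example (not part of the original post): health checks before the System State
# backup that the whole test domain will later be built from, then the backup itself.
# Assumptions: PowerShell on the DC; dcdiag.exe, repadmin.exe and ntbackup.exe on the PATH.

$BackupPath = 'C:\Backup\SystemState.bkf'   # constructed local path (step 8: "the local server")
$BackupDir  = Split-Path -Parent $BackupPath
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

function Test-RidManager {
    # Step 7: dcdiag ends the test with "... passed test RidManager" or "... failed test RidManager".
    $output = & dcdiag.exe /v /test:ridmanager 2>&1
    $passed = [bool]($output | Select-String -Pattern 'passed test RidManager' -Quiet)
    $failed = [bool]($output | Select-String -Pattern 'failed test RidManager' -Quiet)
    return New-Object PSObject -Property @{ Name = 'RidManager'; Passed = ($passed -and -not $failed); Output = $output }
}

function Test-InboundReplication {
    # Step 6 sanity check: a "failed" inbound attempt in repadmin means the idle period was not
    # enough and the backup would capture a stale copy of the directory.
    $output   = & repadmin.exe /showreps 2>&1
    $failures = @($output | Select-String -Pattern 'Last attempt .* failed')
    return New-Object PSObject -Property @{ Name = 'Replication'; Passed = ($failures.Count -eq 0); Output = $output }
}

function Backup-SystemState {
    param([string]$Path = $BackupPath)
    # ntbackup's command-line form: "backup systemstate" with a job name (/j) and target file (/f).
    & ntbackup.exe backup systemstate /j 'SystemState before demotion' /f $Path
    return (Test-Path $Path)
}

# Refuse to take the backup unless both checks pass; keep the tool output for troubleshooting.
$checks = @((Test-RidManager), (Test-InboundReplication))
$broken = @($checks | Where-Object { -not $_.Passed })
if ($broken.Count -gt 0) {
    foreach ($c in $broken) { $c.Output | Out-File (Join-Path $BackupDir "precheck-$($c.Name).txt") }
    throw 'RID manager or replication check failed; fix replication before taking the System State backup.'
}
if (Backup-SystemState) { Write-Host "System State backup written to $BackupPath" }
```

The backup only proceeds when both the RID manager test and inbound replication are clean, which is the condition step 7 is there to establish; a failed check leaves the raw dcdiag or repadmin output next to where the backup would have gone.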

9. Demote this server to a member server within the production domain (DCPROMO)

        Remove the NS record in the production environment

10. Physically disconnect the server from the network by unplugging the cable from the hub

11. Move the server to the test domain

12. Re-promote once this system has been disconnected and the IP changed


        Domain Name =

        NetBios Name = NetBIOS_Name

        Allow the promotion to create the DNS domain

        Once this DC is brought online (the DNS service on the member server can be shut down), define it with Active Directory Integrated DNS and all namespace records will be restored.  Make sure to bring up DNS and select Reload to refresh all data

        Active Directory Integrated

        Only Secure Updates 

13. Reboot this server and after the POST press F8

        Scroll down and select the option

"Directory Services Restore Mode (Windows 200x domain controllers only)"

14. Log on as the administrator (this is within the old SAM account)

15. Restore the System State from the previous NTBACKUP

16. Re-boot the Domain Controller (DC)


Now that the DC is restored it needs to take control of all Flexible Single Master Operation (FSMO) roles and of the File Replication Service.  For this, utilities need to be loaded from the Windows 200x install CD; NTDSUTIL performs most of these steps.  Since this is the first DC it needs to be a Global Catalog server, and it must be validated as the primary server in the domain.


17. After the POST press F8

        Scroll down and select the option

"Directory Services Restore Mode (Windows 200x domain controllers only)"

18. Log on as the administrator (this is within the old SAM account)

19. Install the Windows 200x Active Directory Administration Tools from the server CD

        D:\i386\Adminpak.msi

20. Install the Windows 200x Server Resource Kit from the server CD


21. Re-boot the Domain Controller (DC)

22. Log on as the administrator (this is with the AD account)

23. Reset the IP address to the test domain (the restore resets the IP address).  Make sure to also point the DNS server to itself

24. Set this server as a Global Catalog (skip this step in a multi-domain environment if this DC holds the Infrastructure Master role)

        Click Start, click Run, type mmc, and then click OK

        On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Sites and Services, click Close, and then click OK

        Double Click Active Directory Sites and Services

        Double Click Sites

        Double Click MP-Default-Site

        Double Click Servers

        Double Click the DC

        Right Click on NTDS Settings and Select Properties

        If the "Global Catalog" check box is not checked, check it

25. All Flexible Single Master Operations (FSMO) roles need to reside on this DC

        Seize the PDC

        Click Start and then click Run

        In the Open text box, type ntdsutil

        Type roles

        Type connections

        Type connect to server  <DC name>

        Type q

        Type seize pdc

        Click "Yes"

        Seize the Infrastructure master role

        Type seize infrastructure master

        Click "Yes"

        Seize the Domain Naming master role

        Type seize domain naming master

        Click "Yes"

        Seize the schema master role

        Type seize schema master

        Click "Yes"

        Seize the RID Master Role

        Type seize rid master

        Click "Yes"

        Type q

        Type q

26. Remove all other DC server objects (repeat this step for each DC) KB216498

        Click Start and then click Run

        In the Open text box, type ntdsutil

        Type metadata cleanup

        Type connections

        Type connect to server <DC>

        Type q (The metadata cleanup prompt should now show)

        Type select operation target

        Type list domains (A list of domains should be displayed)

        Type select domain <#> (This is the domain of the server to be pruned)

        Type list sites (A list of sites should be displayed)

        Type select site <#> (This is the site of the server to be pruned)

        Type list servers in site (A list of servers should be displayed)

        Type select server <#> (This is the server to be pruned)

        Type q

        Type remove selected server (You should get confirmation of the removal)

        Type q

        Type q
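Steps 25 and 26 as a script, added here as an example that is not part of the original post. It relies on ntdsutil accepting each prompt line as a command-line argument; $TestDc and the server DNs are placeholders built from the site and domain names used elsewhere in this document, and "remove selected server <DN>" is the Windows Server 2003 SP1 and later form of step 26 (it replaces the list/select sequence above, which cannot be scripted without parsing the numbered lists). The isolation check at the top refuses to run on any host with an address outside the test sub-net of step 1.

```powershell
# Added example (not part of the original post): scripted FSMO seizure and metadata cleanup
# for the isolated test DC. Assumptions: PowerShell and ntdsutil.exe on the restored DC;
# $TestDc and the DNs below are placeholders; the DN form of "remove selected server"
# needs Windows Server 2003 SP1 or later.

$TestDc       = 'TESTDC01'           # placeholder: the restored DC (the "connect to server" target)
$TestSubnetRe = '^192\.168\.1\.'     # the test sub-net named in step 1

function Assert-IsolatedFromProduction {
    # Seizing roles is only safe on a DC that can no longer reach production, so refuse to
    # continue unless every IPv4 address on this host is inside the test sub-net.
    $ips = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.IPAddressToString }
    $outside = @($ips | Where-Object { $_ -notmatch $TestSubnetRe })
    if ($outside.Count -gt 0) {
        throw "Address(es) outside the test sub-net: $($outside -join ', '). Do not continue."
    }
}

function Invoke-Ntdsutil {
    param([string[]]$Commands)
    # Each array element is one line ntdsutil would otherwise read at its prompt; 'q' backs
    # out of a menu. The output is returned so the caller can read the confirmations.
    return (& ntdsutil.exe $Commands 2>&1)
}

function Invoke-FsmoSeizure {
    # Step 25. ntdsutil still raises a Yes/No confirmation dialog for each seize.
    Invoke-Ntdsutil @(
        'roles', 'connections', "connect to server $TestDc", 'q',
        'seize pdc', 'seize infrastructure master', 'seize domain naming master',
        'seize schema master', 'seize rid master',
        'q', 'q')
}

function Remove-StaleDcMetadata {
    param([string]$ServerDn)
    # Step 26 for one stale DC, identified by the DN of its server object.
    Invoke-Ntdsutil @(
        'metadata cleanup', 'connections', "connect to server $TestDc", 'q',
        "remove selected server $ServerDn",
        'q', 'q')
}

Assert-IsolatedFromProduction
Invoke-FsmoSeizure | Write-Host

# Placeholder DNs; step 26 says to repeat for every DC that existed in production.
$staleDcs = @(
    'CN=OLDDC01,CN=Servers,CN=MP-Default-Site,CN=Sites,CN=Configuration,DC=Domain_Name,DC=com',
    'CN=OLDDC02,CN=Servers,CN=MP-Default-Site,CN=Sites,CN=Configuration,DC=Domain_Name,DC=com'
)
foreach ($dn in $staleDcs) {
    Write-Host "metadata cleanup for $dn"
    Remove-StaleDcMetadata -ServerDn $dn | Write-Host
}
```

The ntdsutil output is written to the console rather than checked programmatically because ntdsutil does not report failures through its exit code; read the "removed" confirmation for each server the same way step 26 asks you to.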

27. Remove all other DC orphaned records in Active Directory (repeat this step for each DC) KB216498

        Click Start - Programs - Windows 200x Support Tools - Tools - ADSI Edit

        Delete the computer account in OU=Domain Controllers,DC=Domain_Name,DC=com

        Delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Domain_Name,DC=com

28. Remove all other DC orphaned records in DNS

        Click Start - Programs - Administrative Tools - DNS

        Click <DC> - Forward Lookup Zones -

        Delete the CNAME (alias) records of all other DCs

        Delete the A records of all other DCs

29. This DC needs to be the File Replication Service master (KB316790)

        Stop the File Replication service on the DC

        Make sure the following folders exist, if not create them


              C:\WINNT\SYSVOL\sysvol  (share as SYSVOL)

                          Copy the contents of C:\WINNT\SYSVOL\domain to this folder

        Start Registry Editor (Regedt32.exe)

        Locate and then click the BurFlags value under the following key in the registry:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

        On the Edit menu, click DWORD, click Hex, type D2, and then click OK

        Quit Registry Editor

        Restart the File Replication Service

        Check the FRS event viewer to see if the system states that the sysvol is now being shared and defines all the paths

30. Ensure that the DC has registered the proper computer role

        Enter net accounts at a command prompt

        The computer role should say "primary"
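Steps 29 and 30 in script form, added as an example that is not part of the original post. It assumes PowerShell on the restored DC, the C:\WINNT\SYSVOL root used in step 29, and the FRS event IDs and "net accounts" output as Windows 200x prints them; the BurFlags value is the one the document gives. The registry key name contains a forward slash, which the PowerShell registry provider reads as a path separator, so the value is written through the .NET registry API instead of Set-ItemProperty.

```powershell
# Added example (not part of the original post): stage SYSVOL, set BurFlags, restart FRS,
# then confirm that FRS has released the DC and that the computer role is PRIMARY.
# Assumptions: PowerShell on the restored DC; SYSVOL root C:\WINNT\SYSVOL as in step 29.

$SysvolRoot = 'C:\WINNT\SYSVOL'
$FrsKey     = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Initialize-SysvolFolders {
    # Step 29: make sure ...\SYSVOL\sysvol exists, fill it from ...\SYSVOL\domain, share it as SYSVOL.
    $domainDir = Join-Path $SysvolRoot 'domain'
    $sysvolDir = Join-Path $SysvolRoot 'sysvol'
    foreach ($d in @($domainDir, $sysvolDir)) {
        if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
    }
    Copy-Item -Path (Join-Path $domainDir '*') -Destination $sysvolDir -Recurse -Force
    if (-not (Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'")) {
        & net.exe share "SYSVOL=$sysvolDir" | Out-Null
    }
}

function Set-BurFlags {
    param([int]$Value = 0xD2)   # the value the document sets
    # Registry.SetValue takes the full key path, so the "Backup/Restore" key name is passed
    # through unchanged; the PowerShell provider would split it on the slash.
    [Microsoft.Win32.Registry]::SetValue($FrsKey, 'BurFlags', $Value,
        [Microsoft.Win32.RegistryValueKind]::DWord)
}

function Reset-Frs {
    # Same order as step 29: stop FRS, prepare folders, set the flag, start FRS.
    Stop-Service -Name ntfrs
    Initialize-SysvolFolders
    Set-BurFlags
    Start-Service -Name ntfrs
}

function Test-SysvolReady {
    # FRS event 13516 is the "no longer preventing the computer from becoming a domain
    # controller" message; 13508 means replication is still blocked. Newest event wins.
    $events = Get-EventLog -LogName 'File Replication Service' -Newest 50
    $last   = $events | Where-Object { $_.EventID -eq 13516 -or $_.EventID -eq 13508 } | Select-Object -First 1
    $ready  = ($last -ne $null) -and ($last.EventID -eq 13516)
    $shares = & net.exe share
    $shared = [bool]($shares -match 'SYSVOL') -and [bool]($shares -match 'NETLOGON')
    return ($ready -and $shared)
}

function Get-ComputerRole {
    # Step 30: 'net accounts' prints a "Computer role:" line; on the PDC role holder it reads PRIMARY.
    $line = (& net.exe accounts) | Select-String -Pattern '^Computer role:' | Select-Object -First 1
    if ($line) { return ($line.Line -replace '^Computer role:\s*', '').Trim() }
}

Reset-Frs
Start-Sleep -Seconds 60   # give FRS time to process the restart before reading the log
if (-not (Test-SysvolReady)) { throw 'FRS has not reported SYSVOL ready; check the File Replication Service log.' }
$role = Get-ComputerRole
if ($role -ne 'PRIMARY') { throw "Computer role is '$role', expected PRIMARY." }
Write-Host 'SYSVOL and NETLOGON are shared and the computer role is PRIMARY.'
```

If Test-SysvolReady keeps failing, the FRS event log is the place to look, as the note at the end of this document says; a 13508 newer than any 13516 means FRS is still waiting on a replica it cannot find.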


Finally, any information related to the old DCs needs to be purged from AD.


31. Re-boot the authoritatively restored DC

32. Within the production system delete the test user and computer account

33. Within the production system delete the server object within the site that it was placed into for replication


Note: The File Replication Service can prevent the computer from becoming a Domain Controller (see below).  If dcdiag reports that the RID pool is corrupt, the likely cause is a replication problem.  Check the "File Replication Service" event log.  Also make sure that all sub-folders are present within c:\winnt\sysvol.

To re-test just the RID pool:                                dcdiag /v /test:ridmanager




Never again connect this server to the production system!!!



When you restore a domain controller from backup (or when you restore the System State), the FRS database is not restored because the most up-to-date state exists on a current replica instead of in the restored database. When FRS starts, it enters a "seeding" state and then tries to locate a replica with which it can synchronize. Until FRS completes replication, it cannot share Sysvol and Netlogon.

If you restore all of the domain controllers in the domain from backup, all the domain controllers enter the seeding state for FRS and try to synchronize with an online replica. This replication does not occur because all of the domain controllers are in the same seeding state. Setting the primary domain controller FSMO role holder to be authoritative forces the domain controller to rebuild its database based on the current contents of the system volume. When that task is completed, the Sysvol and Netlogon shares are shared. All the other domain controllers can then start synchronizing from the online replica.

(See - KB316790)
