If you are one of the many businesses running Windows Server 2008, then you may have had the unexpected pleasure of having a Domain Controller fail on you. Now if you do not know what the domain controller is then you are in for a treat. The domain controller is only the most important computer within your Windows Server 2008 domain. But, on the other hand, you may have had a technician install this beast of a computer. I put this lightly. The domain controller is a powerful server, but it does not have to be put on a very powerful box. What you do need to do is make sure that it is redundant. So, what should we do if the domain controller does go down and we have another domain controller? Well, first, I want to tip my hat to you. Not many companies know the importance of having more than one domain controller in their environment. Let’s digress a little. Why do you want multiple domain controllers? See, the domain controller does several different things. It holds roles such as the Schema Master, Domain Naming Master, RID Master, Infrastructure Master and PDC Emulator. These control the overall environment. Let’s go over some definitions. Don’t go to sleep on me. We will be getting to the good stuff soon enough.
Schema Master
Now you are asking, what is a schema? The schema is just a database. If you have used Excel or Access in the past then you have been exposed to a database. Now the schema is composed of Classes, which are the Tables, and Attributes, which are the fields. So, the Schema Master controls the updates to the schema. So, you can say that this is a relatively important server. It only controls every entry that we make into the Active Directory Domain Services utility called ADUC, which is short for Active Directory Users and Computers. This role is located on the first domain controller that is added to the Forest by default. There is only one Schema Master per Forest. When you update the schema, which is known as extending the schema, you need to be in the same Forest as this domain controller.
Domain Naming Master
So, what is the definition of a domain? A domain is a logical grouping of computers where the domain controller is the central repository for accounts, security and policies. The Domain Naming Master is in charge of keeping track of the addition and deletion of domains within the environment. This role is located on the first domain controller that is added to the Forest by default. There is only one Domain Naming Master in the Forest.
PDC Emulator
Remember the old operating system known as Windows NT 4.0? It was the predecessor to Windows Server 2008. Well, in the old days, which is really only a little over 10 years ago, the main domain controller was known as the Primary Domain Controller. So, that is where this role comes into play. It takes the place of the Primary Domain Controller. The main service that it controls is time. If this puppy is not functioning right then your whole environment will suffer. This role is located on the first domain controller that is added to the Forest by default. Now unlike the other roles, the PDC Emulator is located in every domain in the Forest. But, there is only one per domain. This is one of the most important servers in the Domain.
RID Master
The unique identifier for a database is known as the primary key. Well, the primary key that provides uniqueness within Active Directory Domain Services is the SID, which is known as the Security ID. The RID Master controls the RID Pool for the domain. The RID is the Relative Identifier. When we run out of RIDs then we will not be able to add additional security principals such as accounts. Here is a tip: do not recover this server. If you bring this server online at the same time as another RID Master then you will have a majorly messed up domain. This role is located in every domain in the forest, but there is only one per domain.
Infrastructure Master
This is an odd animal. The main purpose of the Infrastructure Master is tracking movement within the domain. This needs some clarification. We are not talking about Big Brother. Well, maybe. The Infrastructure Master tracks the moving of an object (account) from one OU (Organizational Unit) to another, or from one domain to another. Now the reason I call this an odd animal is because it should not be on the same server as the Global Catalog. Ok, I know we are about to go over the threshold limit of the human mind. But, the Global Catalog has a copy of every attribute in the Forest. This will be covered in another article. Back to the Infrastructure Master: this role is also located in every domain and there is only one per domain.
Whew, I know that is a lot to remember. But this is important. See, remember our problem…. The domain is down. If you only have one domain controller, it contains all of these roles. HELLO, can you see where we are going with this? Make sure you have more than one domain controller per domain. Ok, here is another topic. Replication. No, this is not cloning, but it is similar. The domain controllers in the Forest replicate their information to each other. This introduces another term: multi-master replication. This just means that they have the same settings as the other guys. Anyway, we come into work and find that the #1 domain controller has bit the dust. Don’t panic, we can fix this. Take a coffee break and realign your thought process.
To the Rescue
So, we have a pretty bad situation. Users cannot log on; the email server is down, yada yada yada. So, here is the good stuff. How do we get our domain back up and functioning? Call me, of course. Just kidding. This article is here to instruct you on how to recover from this disaster. Before we can do this we need to use one of two tools: ADUC (Active Directory Users and Computers) or ntdsutil. Of the two tools, ntdsutil will allow us to do everything that we need to do. Ok, are you ready…..
Recovering From Disaster
Step 1. Go to the second domain controller (we will call this Jupiter). Logon with administrative credentials.
Step 2. Bring up the command prompt. Type cmd at the Run prompt or access it from the Accessories menu under Programs on the Start menu.
Step 3. Type ntdsutil at the command prompt and press Enter
Step 4. Type roles at the ntdsutil prompt and press Enter
Step 5. Type connections at the roles prompt and press Enter
Step 6. Type connect to server Jupiter at the connections prompt and press Enter. You will be presented with a message saying you are connected and using current credentials
Step 7. Type quit at the connections prompt and press Enter. This will return you to the roles section
Step 8. Type seize schema master at the roles prompt and press Enter. This will take over the Schema Master role and give it to Jupiter.
Step 9. Type seize naming master at the roles prompt and press Enter. This will take over the Domain Naming Master role and give it to Jupiter.
Step 10. Type seize PDC at the roles prompt and press Enter. This will take over the PDC Emulator role and give it to Jupiter.
Step 11. Type seize RID master at the roles prompt and press Enter. This will take over the RID Master role and give it to Jupiter.
Step 12. Type seize infrastructure master at the roles prompt and press Enter. This will take over the Infrastructure Master role and give it to Jupiter.
Right now you are probably saying that is a lot of steps. We are done with the first part. WHAT, there is more? Hold on, don’t get antsy, this will take only about 5 hours. Just kidding. This whole process will take about 10-20 minutes. You will be the savior of the network. All righty then, on to the next part. By the way, the seize steps shown can be done in any order. The commands are not case sensitive either.
Now in the beginning of the article, I pointed out each of the different roles and their purpose. Well, we forcibly took over the roles. The other domain controller is still offline but, as far as the directory is concerned, still holds those roles. If we were to bring that domain controller up again there would be major confusion. Also, Active Directory Domain Services does not know which partner to replicate changes with. The KCC (Knowledge Consistency Checker) is looking for the partner. The partner is no longer available. We need to clean up this mess, and quickly.
Step 13. Type quit at the roles prompt and press Enter. This will take us back to the beginning.
Step 14. Type metadata cleanup at the ntdsutil prompt and press Enter. This routine will get rid of the SRV records lingering in DNS and also the records of the other domain controller in the Active Directory Domain Services database.
Step 15. Type select operation target at the metadata cleanup prompt and press Enter. We need to identify the downed domain controller.
Step 16. Type list sites at the select operation target prompt and press Enter. This will list the sites within the Forest.
Step 17. Type the # associated with the Site of which the downed domain controller is part and press Enter. This will select the site which has the records for the downed domain controller.
Step 18. Type list servers in site at the select operation target prompt and press Enter. This will list the domain controllers that are in the Site.
Step 19. Type the # associated with the downed domain controller and press Enter. This will select the downed domain controller as the operation target.
Step 20. Type quit at the select operation target prompt and press Enter. This will take you back to the Metadata Cleanup section.
Step 21. Type remove selected server at the metadata cleanup prompt and press Enter. This will remove the records within Active Directory Domain Services
Step 22. Type quit at the metadata cleanup prompt and press Enter. This takes you back to the beginning of ntdsutil.
Step 23. Type quit at the ntdsutil prompt and press Enter. Quits the ntdsutil utility
Step 24. Check ADUC, DNS etc. Ensure that you can open ADUC. You may have to change the focus to another domain controller.
Step 25. Take the old domain controller offline, reinstall Windows Server 2008 and dcpromo it.
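The same ntdsutil session driven from PowerShell on Jupiter, with the checks that Step 24 leaves to you. This is an added example, not code from the original article: the failed DC name Saturn, the site/server index numbers, the Invoke-Ntdsutil wrapper and the use of netdom and repadmin for verification are all assumptions, and the indices must be taken from your own list sites and list servers in site output before you run it.

```powershell
# Added example (not from the original article): Steps 3-24 driven from
# PowerShell on the surviving DC, followed by the checks Step 24 leaves to you.
# Assumptions: you are logged on to Jupiter as a Domain Admin; the failed DC is
# called Saturn (placeholder); netdom.exe and repadmin.exe are present with the
# AD DS tools; $SiteIdx/$ServerIdx are placeholders you set from the listings.
$Survivor  = 'Jupiter'
$Failed    = 'Saturn'
$SiteIdx   = 0   # placeholder: number printed by 'list sites' for the failed DC's site
$ServerIdx = 0   # placeholder: number printed by 'list servers in site' for the failed DC

function Invoke-Ntdsutil {
    param([string[]]$Commands)
    # ntdsutil executes quoted arguments in order, exactly as if typed at its
    # nested prompts. Each seize and the final removal still raise a
    # confirmation dialog naming the target; read it before answering Yes.
    & ntdsutil.exe @Commands 2>&1 | Out-String
}

# Steps 3-13: connect to the survivor and seize all five operations master roles.
Invoke-Ntdsutil @(
    'roles', 'connections', "connect to server $Survivor", 'quit',
    'seize schema master', 'seize naming master', 'seize pdc',
    'seize rid master', 'seize infrastructure master', 'quit', 'quit'
)

# Steps 14-23: select the failed DC by site and server index, then purge its
# NTDS Settings and server objects. A fresh ntdsutil process needs its own
# connection, so the connections submenu is entered again here.
Invoke-Ntdsutil @(
    'metadata cleanup', 'connections', "connect to server $Survivor", 'quit',
    'select operation target', 'list sites', "select site $SiteIdx",
    'list servers in site', "select server $ServerIdx", 'quit',
    'remove selected server', 'quit', 'quit'
)

# Step 24: every role must now name the survivor, and the failed DC must no
# longer be a replication partner of the survivor.
$fsmo = & netdom.exe query fsmo 2>&1 | Out-String
$fsmo
if ($fsmo -notmatch [regex]::Escape($Survivor) -or $fsmo -match [regex]::Escape($Failed)) {
    Write-Warning "Role seizure incomplete; rerun the seize commands and recheck."
}
$repl = & repadmin.exe /showrepl $Survivor 2>&1 | Out-String
if ($repl -match [regex]::Escape($Failed)) {
    Write-Warning "$Failed is still listed as a replication partner; metadata cleanup incomplete."
}
```

Run the two listing commands on their own first and confirm the numbers before setting $SiteIdx and $ServerIdx, since remove selected server deletes whichever server object is selected.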
Wow, what an ordeal. Just think if you did not have another domain controller within your Forest. Do yourself a favor and make sure you have more than one domain controller in your environment. There is a lot more that we can teach you. But, we will leave that for another article. Right now, go get that cup of coffee, high five your staff and relax. Your domain is back up and running. Now go change some passwords and play Halo at your desk. Oops, did I say that? See you later.