Windows Server 2003
FSMO roles: schema master, domain naming master, infrastructure master, relative id master, pdc emulator
Run -> Open -> regsvr32 schmmgmt.dll, then mmc -> Add/Remove Snap-in -> Add "Active Directory Schema" -> Close / OK
Do a daily scheduled ntbackup of system state to a data disk - if you ever need to restore an image of a DC, reboot in non-authoritative domain controller restore mode (F8 at startup) and restore the latest ntbackup system state.
The DC will think it's non-auth restored, and at reboot will request DC information from the other DCs.
- unplug network cable from server
- Boot to acronis cd and restore image
- reboot into directory services restore mode
- restore most recent system state of the server
- (reboot into normal Windows mode and make sure everything is intact: programs, data, etc.)
- while rebooting and out of the OS, plug in network cable
repadmin /options andersdc1 -DISABLE_INBOUND_REPL
repadmin /replicate destination_server source_server dc=anders,dc=co,dc=local
It takes up to 20 minutes for the "normal" replications to propagate through, and it gives event ID 1587
This domain controller has been restored or has been configured to host an application partition.
As a result, its replication identity has changed.
A partner has requested replication changes using our old identity.
The starting sequence number has been adjusted.
The destination domain controller corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local domain controller was restored from backup media.
Then to further FIX things...
use dssite.msc (AD Sites and Services) -> Site -> Servers -> NTDS Settings
delete the two "automatically generated" connections and then Right click to create a new connection
When both have been recreated try right clicking and "Replicate Now"
repadmin /replsummary (to see if there are any fails or Delta)
should return empty (no errors)
right click on ...
first steps in AD Replication testing
netsh diag show test
dnslint /s localhost /ad
dcdiag /q or dcdiag /v
dcdiag /test:replications
force a replication:
repadmin /replicate destination_server source_server dc=anders,dc=co,dc=local
then see if the two DCs have converged; note sizes may not be equal, but you are looking for "PASS"
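One way to check the "any fails or delta" condition mechanically, as an added example that is not part of the original notes: it parses the CSV that `repadmin /showrepl * /csv` writes and lists every inbound link with recorded failures or a stale last success. The sample rows, the name ANDERSDC2, the status value, the timestamp format and the one-hour threshold are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
# ANDERSDC2, the timestamps and the failure status are made up.
SAMPLE = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,ANDERSDC1,"DC=anders,DC=co,DC=local",Default-First-Site-Name,ANDERSDC2,RPC,0,0,2009-06-01 10:15:02,0
showrepl_INFO,Default-First-Site-Name,ANDERSDC2,"DC=anders,DC=co,DC=local",Default-First-Site-Name,ANDERSDC1,RPC,3,2009-06-01 10:12:40,2009-05-31 23:50:11,1722
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the CSV export


def unhealthy_links(csv_text, now, max_age=timedelta(hours=1)):
    """Return (destination, source, naming_context, reason) for each inbound
    link that has failures or whose last success is older than max_age."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # skip showrepl_ERROR and any other non-data rows
        link = (row["Destination DSA"], row["Source DSA"], row["Naming Context"])
        failures = int(row["Number of Failures"] or 0)
        if failures > 0:
            reason = f"{failures} failures, status {row['Last Failure Status']}"
            problems.append(link + (reason,))
            continue
        try:
            last_ok = datetime.strptime(row["Last Success Time"], TIME_FMT)
        except ValueError:
            # A non-timestamp value here means the link has no recorded success.
            problems.append(link + ("no successful replication recorded",))
            continue
        if now - last_ok > max_age:
            problems.append(link + (f"last success {now - last_ok} ago",))
    return problems


if __name__ == "__main__":
    for dest, src, nc, why in unhealthy_links(SAMPLE, datetime(2009, 6, 1, 10, 30)):
        print(f"{dest} <- {src} [{nc}]: {why}")
```

An empty result corresponds to the "should return empty (no errors)" state noted above for repadmin /replsummary.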
To SEIZE roles
1. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
5. At the server connections prompt, type q, and then press ENTER.
6. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type
seize rid master
dc1 has roles (with errors)
schema partitions rid
AFTER SEIZING roles you should run metadata cleanup: ntdsutil -> metadata cleanup
after running eseutil /p database.edb
event id: 10016
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
to the user ANDERS\johnpfeiffer SID (S-1-5-21-3214350923-3095742658-2461861312-1743). This security permission can be modified using the Component Services administrative tool.
Start->Run->dcomcnfg component services -> computers -> my computer -> dcom config
find match for CLSID
Properties->Security->Launch and Activation Permissions->Custom->Add
Add my user account (domain admin even!)
dc1 had d:\ backup being overwritten every night
dc2 had lost d:\backup
setup andersmail & anders-crm
anders-crm had sysstate to tape
- Active Directory (NTDS)
- The boot files
- The COM+ class registration database
- The registry
- The system volume (SYSVOL)
If CA is installed, Certificate Server
alternative to acronis = http://utools.com/help/UsnRollback.asp