I've inherited an Active Directory forest that is laid out very badly. It has a single forest with a domain tree for each site, each with a single domain controller. No domain is a child of any other domain.
Now one of the DCs, let's call it M1 for domain M, had a problem when we were moving the VM from one hypervisor to another, so we went back to the working one; this caused a USN rollback, and the 2008 R2 DC M1 has detected it. During this fudge-up there were two DNS entries made in domain M, which were likely the only things lost during the rollback, as no users were active in domain M at the time. Currently DC M1 has had its inbound and outbound replication re-enabled with repadmin /options M1 -DISABLE_INBOUND_REPL and repadmin /options M1 -DISABLE_OUTBOUND_REPL, and its Netlogon service has been resumed after it started in a paused state with event ID 2103.
The solution I'd like is to make a new single domain for all 10 sites and start over. However, apart from the annoyance of Netlogon starting in a paused state, it seems to be working OK anyway. The questions I have are:
- Any less severe suggestions or would it be just as much work to start again and do it properly?
- If I just delete the registry key HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Not Writable and ignore the rollback, what will be the effect on the single-DC domain in a multi-domain forest?
Because it is a single DC we cannot:
- Demote and then promote the DC so it replicates from another existing DC, as there are none in the same domain to replicate from
- Do a non-authoritative system state restore, as this also requires a functioning, healthy DC to replicate from
Edit: yes, we have, or can make, a system state backup from an old system image that is younger than the tombstone lifetime.
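For anyone in the same situation, here is a read-only health check that gathers the USN rollback indicators the question describes (the DSA Not Writable registry value, the repadmin replication options, the paused Netlogon service, and Directory Service events 2095/2103) in one place. It is an added example, not part of the original question or answer; it assumes it is run locally on the affected DC with repadmin.exe available, and it changes nothing.

```powershell
# Added example (not from the original post): collect USN rollback indicators on a DC.
# Assumes local execution on the DC with repadmin.exe present (AD DS role / RSAT).
param([string]$DcName = $env:COMPUTERNAME)

$findings = @()

# 1. NTDS sets "DSA Not Writable" when it detects a USN rollback (see KB 875495).
#    Its presence means the DC has quarantined itself; deleting it does not undo the rollback.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$flag = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'DSA Not Writable'
if ($null -ne $flag) {
    $findings += "Registry: 'DSA Not Writable' = $flag (USN rollback flagged by NTDS)"
}

# 2. Rollback detection also sets DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL.
#    If neither appears, replication has been re-enabled (as M1's admin did with '-OPTION').
$options = (& repadmin.exe /options $DcName 2>&1) -join ' '
foreach ($opt in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
    if ($options -match $opt) { $findings += "repadmin: DSA option $opt is set" }
}

# 3. Netlogon is paused after an unsupported restore so the DC stops advertising.
$netlogon = Get-Service -Name Netlogon
if ($netlogon.Status -eq 'Paused') { $findings += 'Service: Netlogon is Paused (DC not advertising)' }

# 4. Directory Service log: 2095 = USN rollback detected, 2103 = DB restored by unsupported method.
$filter = @{ LogName = 'Directory Service'; Id = 2095, 2103 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    $firstLine = ($evt.Message -split "`r?`n")[0]
    $findings += "Event $($evt.Id) at $($evt.TimeCreated): $firstLine"
}

if ($findings.Count -eq 0) {
    'No USN rollback indicators found on this DC.'
} else {
    "USN rollback indicators on ${DcName}:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it before and after any remediation so you have a record of which indicators were present; the event timestamps also tell you when the rollback was first detected relative to the VM move.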
Best Answer
I think the safest thing to do is to call Microsoft Support and have them guide you through it. The thing is, doing something as simple as manually modifying the Dsa Not Writable registry entry can land you in a permanently unsupported state. With that disclaimer out of the way, the thing with USN rollbacks is that you need another DC in the domain to be the authoritative standard to roll back to for your domain. Since you have only 1 DC in the domain, you don't have that.
You have a system state backup?
This is pretty much your bible on this matter: http://support.microsoft.com/kb/875495/en-US
Don't have a system state backup? You could set the AD database to give itself a new invocation ID:
http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
None of that worked? Then look on the bright side: at least you only lost one domain!