Sorry for the super-long delay; after successfully doing the work on the server, I left a few days later for two weeks' holidays (not that I like to do that - I would rather be around for a bit but they were booked and everything seemed okay!). In short, was able to clean up AD for the “bad DC” instead of having to restore from Veeam. Even though the below is not a “Veeam” solution, thought a post-op summary would be informative to anyone reading this thread - and I still had a few questions re what happened - more for my info than anything. I also still have some specific questions re being better prepared in case next time I have to restore from Veeam. But for now, here is a log of what I did to do the cleanup.

Reminder: we had one bad DC in our environment that we could not log into in any way so we could not demote it gracefully. This happened about 3 weeks ago and we were starti
How did you get on @MckITGuys? If there was any particular advice that you found the most helpful, please don’t forget to mark it as the answer to help others in your position in the future 🙂

Hi all,

First off, big thanks to everyone who jumped in with advice. Learned a lot through this exercise (not exactly my kind of exercise though :-) ). I need to read back through the thread and mark a few more replies but since am short on time this morning, will just give a summary of what happened. Note that the conclusion did NOT need to use Veeam for restores but in case someone hits this thread and wants to know the outcome, it might help them. As well a caveat - this might not have been the “best” way to do this (i.e. manually pruning AD) but it was the first step we opted to take instead of getting into restoring DCs.

Reminder: we had one bad DC in our environment that we could not log into no-how so we could not demote it gracefully. This happened about 3 weeks ago and we were starting
I am writing up a “playbook” now with a couple different scenarios so forgive me for random questions that may or may not be the “best plan” i.e. I just want to know more in case I have to go down different routes:

- if I keep one DC (the one with most of the newest changes), and just down and delete the other 2 DCs, I am going to have DNS entries for the other two DCs still in DNS (I assume that because the other 2 DCs are at a different site and even if I demote them and remove them from the domain, it is possible that their records will persist on the good DC)
- question from that: other than the A record in the root of the zone, do I have to find and remove every reference for each of the downed DCs (service records etc.) or is there one spot to delete it such that it cascade deletes to all service records?
Really nice topic which mixes Veeam and AD knowledge. By luck I never had to restore all DCs of the infrastructure. But I’ll keep all this precious advice in a corner.

Yeah, I shudder at the thought of restoring all DCs. I’d honestly consider shutting down all of the DCs, restoring one authoritatively, and then cleaning up AD and building new DCs for any remote systems. Building a DC is practically throw-away anymore, especially since you don’t have to do metadata cleanups anymore.

I have thought of that too - just restoring one DC, cleaning it up and then building others from that. The DC with most likely the latest changes on it (password changes, trust relationships) though does not hold the FSMO roles. So if I started with this, I would have to seize all the FSMO roles. If I start with the server with the FSMO roles, it is at their head office but because most of their users log into VDI desktops at their data center, most likely there will be more broken trust relatio
More questions from excellent discussion above:

- netdom resetpwd - so I have a server or user PC that has lost its trust relationship: am I going to be able to log into that server to perform this command? and if I do, say my server is named DC1 and my domain admin account is SkinnyAdmin, would the command be:
  netdom resetpwd /s:DC1 /ud:mydomain.com\SkinnyAdmin /pd:bigFatPassword
- so I assume this from what I have read, since this is a machine password, gets a new generated password from the DC and updates that locally and also in that computer’s object in AD? just checking
- and I assume that this resets the trust relationship at the same time

DSRM password: I have taken over admin of a client’s network: although I have the administrator passwords, I have not found any DSRM passwords recorded anywhere; I can guess by a list of commonly used passwords but cannot be sure; is that going to prevent a Veeam restore or does it just use the domain admin passwords stored in its credentials setup?
hopefully Veeam support is faster than the usual response - but maybe if this is severity 1 I will get someone right away - going to try this on a long weekend starting Friday

- so in short, I power down all 3 DCs, restore the one which I think has the best data, issue a command at the command line or a registry setting to make this the authoritative server, then restore the other 2 servers right?

Scott wrote:
Call Veeam support for help if you need
The easiest way for me would be to power down ALL of the DCs and restore the master as authoritative. I’d then restore the other/rest and let them sync.
Trust relationship failures are generally easy to resolve, but that said, going 3 weeks back, I’m betting, depending on the number of workstations (and servers), there may be a lot of trust relationship failures.

In a smaller environment (35 workstations), with not a lot of new activity, what causes a trust relationship to get lost - are they renewed every few days or something? Or would the only ones lost be those of any new PCs added to the domain?
Those articles look great for restoring a single object - but I might have to restore the entire AD database (for reasons too deep to go into here). I wonder if I just restore the entire VM image?

Also, I have another potential problem: one of the 3 DCs did not have application aware processing turned on so it does not even show up in the restore wizard - turning that on tonight! I think there were initially problems with that DC and somehow then it never got fixed or at least turned on.

Albert