If you are one of the many companies running Windows Server 2008, you may have had the unexpected pleasure of a domain controller failing. Now, if you don’t know what a domain controller is, then you are in for a surprise. The domain controller is simply the most important computer inside your Windows Server 2008 domain. But then again, this beast of a computer may have been installed by a technician. I put this lightly. The domain controller is a powerful server, but you don’t need to put it in a very powerful box. What you need to do is make sure it is redundant. So what should we do if the domain controller goes down and we have another domain controller? Well, first, I want to take my hat off to you. Not many companies know the importance of having more than one domain controller in their environment. Let’s digress a bit. Why do you want to have multiple domain controllers? See, the domain controller does several different things. It functions as the schema master, domain naming master, RID master, infrastructure master, and PDC emulator. These roles control the general environment. Let’s review some definitions. Don’t fall asleep on me. We’ll get to the good stuff soon.

Schema Master

Now you ask yourself, what is a schema? The schema is just a database. If you have used Excel or Access in the past, you have been exposed to a database. The schema is made up of classes, which are the tables, and attributes, which are the fields. The Schema Master controls schema updates. So, you can say that this is a relatively important server. It controls every entry we make in the Active Directory Domain Services utility called ADUC, which is short for Active Directory Users and Computers. By default, this role is found on the first domain controller added to the forest. There is only one schema master per forest. When you update the schema, which is known as a schema extension, the update is performed against this domain controller.

Domain Naming Master

So what is the definition of a domain? A domain is a logical grouping of computers where the domain controller is the central repository for accounts, security, and policies. The domain naming master is in charge of keeping track of the addition and removal of domains within the environment. By default, this role is found on the first domain controller added to the forest. There is only one domain naming master in the forest.

PDC emulator

Remember the old operating system known as Windows NT 4.0? It was the predecessor of Windows Server 2008. Well, in the old days, which is actually a little over 10 years ago, the main domain controller was known as the Primary Domain Controller. That’s where this role comes into play. It takes the place of the primary domain controller. The main service it controls is time. If this pup isn’t working properly, your entire environment will suffer. By default, this role is found on the first domain controller added to the forest. Now, unlike the forest-wide roles, the PDC emulator is found in every domain in the forest. But there is only one per domain. This is one of the most important servers in the domain.

RID Master

The unique identifier of a database record is known as the primary key. Well, the main key that provides uniqueness within Active Directory Domain Services is the SID, which is the Security ID. The RID Master controls the RID pool for the domain. The RID is the relative identifier. When we run out of RIDs, we won’t be able to add additional security principals, such as accounts. Here’s a tip: once this role has been seized, don’t bring the old server back online. If you bring it up while another domain controller is acting as RID master, you will have a very messy domain. This role is found in every domain in the forest, but there is only one per domain.

Infrastructure Master

This is a strange animal. The primary purpose of the infrastructure master is to track movement within the domain. This needs some clarification. We’re not talking about Big Brother. Well, maybe. The infrastructure master tracks the movement of an object (account) from one organizational unit (OU) or domain to another. Now, the reason I’m calling this a strange animal is that it shouldn’t be on the same server as the Global Catalog. Ok, I know we are about to cross the threshold of the human mind. But the Global Catalog has a copy of every attribute in the forest. This will be covered in another article. Finally, the infrastructure master is also a per-domain role: every domain has one, and there is only one per domain.

Wow, I know that’s a lot to remember. But this is important. Look, remember our problem… The domain is down. If you only have one domain controller, it holds all of these roles. HELLO, can you see where we are going with this? Make sure you have more than one domain controller per domain. Ok, here’s another topic: replication. No, this is not cloning, but it is something similar. Domain controllers in the forest replicate information between themselves. This introduces another term, multimaster replication. This just means that every domain controller holds the same configuration as the others. Anyway, we came in to work and found that domain controller #1 has bitten the dust. Don’t panic, we can fix this. Take a coffee break and realign your thought process.

To the rescue

So, we have a pretty bad situation. Users can’t log in, the email server is down, yada yada yada. So here’s the good stuff. How do we get our domain back and get it working? Call me, of course. Just kidding. This article is here to instruct you on how to recover from this disaster. Before we can do this, we need to pick one of two tools: ADUC (Active Directory Users and Computers) or ntdsutil. Of the two tools, ntdsutil will let us do everything we need to do. OK, are you ready…

Disaster Recovery

Step 1. Go to the second domain controller (we will call it Jupiter). Sign in with administrative credentials.

Step 2. Open a Command Prompt. Type cmd in the Run dialog, or open it from the Accessories folder under Programs in the Start menu.

Step 3. Type ntdsutil at the command prompt and press Enter.

Step 4. Type roles at the ntdsutil prompt and press Enter.

Step 5. Type connections at the roles prompt and press Enter.

Step 6. Type connect to server Jupiter at the connections prompt and press Enter. You will be presented with a message saying that you are connected to the server using your current credentials.

Step 7. Type quit at the connections prompt and press Enter. This will return you to the roles section.

Step 8. Type seize schema master at the roles prompt and press Enter. This will seize the Schema Master role and give it to Jupiter.

Step 9. Type seize naming master at the roles prompt and press Enter. This will seize the Domain Naming Master role and give it to Jupiter.

Step 10. Type seize PDC at the roles prompt and press Enter. This will seize the PDC Emulator role and give it to Jupiter.

Step 11. Type seize RID master at the roles prompt and press Enter. This will seize the RID Master role and give it to Jupiter.

Step 12. Type seize infrastructure master at the roles prompt and press Enter. This will seize the Infrastructure Master role and give it to Jupiter.

At this point, you’re probably saying that’s a lot of steps. We are done with the first part. WHAT, is there more? Wait, don’t worry, this will only take about 5 hours. Just kidding. This entire process will take around 10-20 minutes. You will be the savior of the network. Alright then, on to the next part. By the way, the seize steps can be performed in any order. The commands are also not case sensitive.

Cleanup Time

Now, at the beginning of the article, I outlined each of the different roles and their purpose. Well, we took over the roles by force. The other domain controller is still offline, but it still theoretically holds those roles. If we were to bring that domain controller back up, there would be a lot of confusion. Also, Active Directory Domain Services does not know whom to replicate the changes to. The KCC (Knowledge Consistency Checker) is looking for its replication partner. The partner is no longer available. We have to clean up this mess, and fast.

Step 13. Type quit at the roles prompt and press Enter. This will take us back to the beginning.

Step 14. Type metadata cleanup at the ntdsutil prompt and press Enter. This routine will delete the persistent SRV records in DNS and also the other domain controller’s records in the Active Directory Domain Services database, the Schema.

Step 15. Type select operation target at the metadata cleanup prompt and press Enter. We need to identify the downed domain controller.

Step 16. Type list sites at the select operation target prompt and press Enter. This will list the sites within the forest.

Step 17. Type select site # (the number associated with the site that the downed domain controller belongs to) and press Enter. This will select the site that contains the downed domain controller.

Step 18. Type list servers in site at the select operation target prompt and press Enter. This will display a list of the domain controllers in that site.

Step 19. Type select server # (the number associated with the downed domain controller) and press Enter. This will select the downed domain controller.

Step 20. Type quit at the select operation target prompt and press Enter. This will take you back to the metadata cleanup section.

Step 21. Type remove selected server at the metadata cleanup prompt and press Enter. This will delete the downed domain controller’s records from Active Directory Domain Services.

Step 22. Type quit at the metadata cleanup prompt and press Enter. This takes you back to the top level of ntdsutil.

Step 23. Type quit at the ntdsutil prompt and press Enter. This exits the ntdsutil utility.

Step 24. Check ADUC, DNS, etc. Make sure you can open ADUC. You may have to change the domain controller the console is focused on.

Step 25. Take the old domain controller offline and reinstall Windows Server 2008 on it.
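To confirm that the seizure (steps 8-12) and the metadata cleanup (steps 13-21) actually landed, the script below, an added example that is not part of the original article, checks the five role holders, looks for leftovers of the failed domain controller in the directory, and queries DNS for stale SRV records. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), that the surviving DC is Jupiter, and that the failed DC was named Saturn (a hypothetical name; the article never names it).

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; "Jupiter" is the surviving DC from the article, "Saturn" is a
# hypothetical name for the failed DC.
Import-Module ActiveDirectory

$SurvivingDC = 'Jupiter'
$FailedDC    = 'Saturn'

# --- Part 1: all five FSMO roles should now point at the surviving DC ---
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    # Role holders come back as FQDNs, e.g. jupiter.example.local
    $ok = $r.Value -like "$SurvivingDC.*"
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $(if ($ok) { 'OK' } else { 'CHECK' })
}

# --- Part 2: the failed DC must be gone from the directory ---
# Still registered as a domain controller? (should return nothing)
Get-ADDomainController -Filter { Name -eq $FailedDC } |
    ForEach-Object { Write-Warning "$FailedDC is still registered as a DC" }

# Leftover server object under CN=Sites in the configuration partition?
$sitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $sitesDN -LDAPFilter "(&(objectClass=server)(cn=$FailedDC))" |
    ForEach-Object { Write-Warning "Stale server object: $($_.DistinguishedName)" }

# Leftover computer account for the failed DC?
Get-ADComputer -Filter { Name -eq $FailedDC } |
    ForEach-Object { Write-Warning "Computer account still present: $($_.DistinguishedName)" }

# --- Part 3: stale SRV records in DNS that still advertise the failed DC ---
# Domain controllers register themselves under _ldap._tcp.dc._msdcs.<domain>
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$stale = nslookup -type=SRV $srvName 2>$null | Select-String -Pattern $FailedDC
if ($stale) { Write-Warning "Stale SRV record(s) for $FailedDC under $srvName" }
else        { "No SRV records for $FailedDC under $srvName" }
```

Any CHECK line in Part 1 or any warning from Parts 2 and 3 means the corresponding step needs to be revisited before the old server is rebuilt.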

Wow, what an ordeal. Just think what would have happened if you didn’t have another domain controller within the forest. Do yourself a favor and make sure you have more than one domain controller in your environment. There is much more that we can teach you, but we will leave that for another article. Right now, go get that cup of coffee, high-five your staff, and relax. Your domain is back up and running. Now change some passwords and play Halo on your desktop. Whoops, did I say that? Bye.
