From: kj on
Need a second opinion (seeker01)?

I recently had a client with this very problem (without the added
complexity of the CA).

RUN, DON'T WALK, to the phone and call Microsoft PSS !!! Your BOSS has valid
concerns and you should too.

Your problem is solvable, but time is crucial at this point and it's time to
call in the pros!

By my calculation, your 60 days is up in less than a week. If you choose to
go on holiday without completely resolving this issue, then I'd suggest not
coming back.

--
/kj
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere(a)hotmail.com> wrote in
message news:efXBAm3vFHA.2924(a)TK2MSFTNGP15.phx.gbl...
> In news:39FD1F53-40AF-457E-ABFA-7566A461E99B(a)microsoft.com,
> seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
> commented about below:
>> Hi Ace,
>> I have no intention to ignore your advice but I am still blur because
>> of my ignorance. What exactly is this 60-day limit, may I know? I
>> thought I was still within the 60 days, but why do I face so many
>> errors? Or perhaps I should learn that "nltest" is always the command
>> to run whenever we restore system state? Because I am on leave next
>> week, my boss shows great concern that I could cause further damage. Also
>> he argued that we are not any worse off because the backup tape from the
>> 60-day limit is already causing the errors, so there is no difference
>> even if we restore from yesterday's tape now. Does it make sense?
>
> Maybe in all honesty, if you are not trusting what you are hearing,
> whether from me or anyone else in this group, I would HIGHLY suggest you
> call Microsoft PSS and let them guide you. I believe there will be a
> charge, unless you have an MSP agreement. It's your call.
>
>
> What are you waiting for? Your vacation? You are running Certificate
> services. It even complicates it. I would suggest to ACT QUICKLY and
> forget your vacation next week and concentrate on this important matter.
> It seems like you and your boss are gambling that the tombstone issue
> doesn't mean anything to you. I'm just giving you an option before you
> have no more options once the 60-day Tombstone Lifetime comes up. Your issue
> is a secure channel password.
>
> You are not comprehending the seriousness of the 60 day tombstone. Once it
> comes up, you will have NO OTHER CHOICE but to trash the server, seize the
> FSMO roles over to the existing server, run a metadata cleanup using
> ntdsutil, clean up any remaining lingering objects from the old server in
> Sites and Services and using ADSI Edit, then re-format the old server and
> reinstall it from scratch.
>
> Good luck.
>
> Below taken from:
> http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch10.mspx
> It is not possible to restore a backup image into a replicated enterprise
> that is older than the tombstone lifetime value for the enterprise. When
> an Active Directory object is deleted, it is not fully and immediately
> removed from Active Directory. Instead the majority of the attributes are
> stripped out and the object is moved to the deleted items container. This
> remaining object is called a tombstone. This tombstone object is
> replicated to all domain controllers in that respective domain so that
> they can learn of the object deletion. In this manner, the original object
> is no longer available to anyone searching Active Directory for it, but it
> is tombstoned.
>
> The tombstone lifetime value represents the number of days that the
> deleted object (or tombstone) must be retained before it can be
> permanently removed from the directory. This value can be set by using the
> Active Directory Service Interfaces (ADSI) edit at the directory service
> path below:
>
> Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration,
> dc=<<Domain_Name>>,dc=<<Domain_prefix>>
>
> The default tombstone lifetime value is 60 days. Active Directory will not
> allow data to be restored to the directory from a backup image that is
> older than the tombstone lifetime. If this were to happen, the restored
> object would have an Update Sequence Number (USN) too old to trigger
> Active Directory replication. In this scenario, the object would never be
> replicated out to other domain controllers, and the restored domain
> controller would never replicate in to the necessary information to delete
> the object. Active Directory on the local server would thus become
> inconsistent.
>
>
>
> Ace
>
>
>
>
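Added example, not code from the thread, from Microsoft, or from either poster: a PowerShell script for the two checks the advice above turns on. It reads the forest tombstone lifetime from the same Directory Service object the quoted TechNet article names (the ADSI Edit path CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...), compares it with the age of the backup you intend to restore so the "too old to replicate" case is caught before the restore rather than after, and then runs the nltest secure-channel checks. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later; the 2000/2003-era thread used ADSI Edit for the same object), rights to read the configuration naming context, and a constructed backup date in `$backupDate`.

```powershell
# Added example (not from the thread). Checks backup age against the forest
# tombstone lifetime, then verifies this host's secure channel with nltest.
Import-Module ActiveDirectory

# Locate the Directory Service object via the configuration naming context
# rather than hard-coding dc= components as the quoted article does.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime

# If the attribute is unset the forest uses the built-in default: 60 days for
# forests created before Windows Server 2003 SP1 (the thread's case), 180 days
# for forests created on 2003 SP1 or later.
if ($dsObject.tombstoneLifetime) {
    $tombstoneLifetime = [int]$dsObject.tombstoneLifetime
} else {
    $tombstoneLifetime = 60
}

# Constructed value for the example: the date the system-state backup tape
# you plan to restore was written. Replace with the real backup timestamp.
$backupDate    = Get-Date '2005-08-15'
$backupAgeDays = [int]((Get-Date) - $backupDate).TotalDays

if ($backupAgeDays -ge $tombstoneLifetime) {
    # Restoring now would give the DC USNs too old to trigger replication; it
    # would never send or receive the deletions and stay inconsistent.
    $msg = "Backup is {0} days old but the tombstone lifetime is {1} days. A restore from this tape cannot be brought back into the forest." -f $backupAgeDays, $tombstoneLifetime
    Write-Warning $msg
} else {
    $msg = "Backup is {0} days old; {1} days of margin remain before the {2}-day tombstone lifetime." -f $backupAgeDays, ($tombstoneLifetime - $backupAgeDays), $tombstoneLifetime
    Write-Host $msg
}

# Secure-channel checks (the "secure channel password" Ace refers to). nltest
# ships with Windows Server: /sc_query reports the current state without
# changing anything, /sc_verify re-validates the channel and reports an error
# code when this host's machine account password no longer matches the domain.
$domain = (Get-ADDomain).NetBIOSName
nltest "/sc_query:$domain"
nltest "/sc_verify:$domain"
```

Run it on the DC you are considering restoring, before touching the tape: a warning means the restore path is closed and only the rebuild-and-metadata-cleanup route Ace describes remains, whereas a non-zero error code from `/sc_verify` on an otherwise in-date DC points at the secure channel rather than the tombstone lifetime.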


From: seeker01 on
Hi All,
I really appreciate your experienced advice. I have offered numerous times
to work on it next week, but my boss sees no risk in dealing with it after I am
back from leave. He is even prepared for me to rebuild DC02 as a clean
OS if "nltest" won't fix the problem after the 60-day lifetime. DC01 is the
FSMO holder, not DC01. Once again, thanks guys.

From: Ace Fekay [MVP] on
In news:20A440D3-A0C5-469C-AF6A-E5DC38450EE7(a)microsoft.com,
seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
commented about below:
> Hi All,
> I really appreciate your experienced advice. I have offered numerous
> times to work on it next week, but my boss sees no risk in dealing with it
> after I am back from leave. He is even prepared for me to rebuild
> DC02 as a clean OS if "nltest" won't fix the problem after the
> 60-day lifetime. DC01 is the FSMO holder, not DC01. Once again,
> thanks guys.

Good luck.

Ace


From: kj on
> DC01 is the FSMO holders, not DC01

Too bad it's not the (root?) CA.

Before you go, consider printing the following for a little "put you to
sleep reading".

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9216103d-91c6-40da-a370-f95ccf4beaca.mspx

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9216103d-91c6-40da-a370-f95ccf4beaca.mspx

Particularly the second, which of course you will have problems completing
because replication is broken.

Viva la holiday!

;-)

--
/kj


From: seeker01 on
Thanks for your sympathy & advice about the certificate. I will back up the
current certificate key. I meant to say "DC02" is not the FSMO holder. DC01
is the FSMO & the infrastructure master, etc. Because I am rebuilding DC02 as
a clean Windows OS and configuring it as a new domain controller using the same IP
address and same computer name, do I still need to seize the FSMO roles from
DC01? At the moment, I am writing all options in an email before I receive the
blame from my boss in the future. Yes....I need lots of luck.
