DOne goofed up (AD issues after restoring DC)

[vleesdoekje]

Hello everyone,

After a failed WSUS update a dc booted up in safe mode and we couldn't get it running again properly.
What we did to fix this was performing a full restore of the DC to right before the updates.

Everything came back, seemingly no issues os went ahead and ended the day.

When I checked in and performed a few tests as dcdiag I noticed that the restored DC (which holds all 5 roles) trows RPC errors when tested from another DC.
The GUID changed after the restore and because of this none of the other 2 DC's recognize the restored DC.

Does anyone knows how to get out of this mess? The only guide I found referenced windows 2000 but these are all 2012R2 machines without dcpromo available.
(https://support.microsoft.com/en-us/kb/316829).

I'm also wondering how it could be that the GUID changed because of a restore, is this normal behavior?

I'm running Veeam 8 btw.

[Gostev]

Hi, this is unexpected and needs to be investigated by our AD specialists. Did you perform the same test of DC in question from another DC BEFORE everything happened? And please include support case ID for this issue, so that we could track it with support. Thanks!

[Zew]

What version of DC's? If you are running 2008 R2 and older, you have to do an Authoritative restore

https://technet.microsoft.com/en-us/lib ... s.10).aspx
https://msdn.microsoft.com/en-us/library/bb727048.aspx

Only 2012 DC's support snapshots/instant recovery technology. I remember this being a huge topic when I took a Windows Server 2012 course. Hope this info helps.

[Gostev]

Zew, we do support full DC recovery for 2003 and above. We do not rely on this new functionality of 2012 (DSA Invocation ID) that you are talking about, as this one was only introduced in Windows Server 2012. Thanks!

[Bl0ckH@rm0ny]

I am shootin from the hip here, may be deprecated, can you get it to boot into (DSRM) Director Services Recovery Mode?

https://dirteam.com/sander/2012/11/29/r ... tore-mode/

[hoFFy]

I believe you know it already, but the shortest workaround will be to transfer / seize the fsmo roles to another dc, demote this dc (if possible) and promote it again.
I know this doesn't help you much with this specific restore problem, but this will be a good chance to keep your AD stable. I would recommend to check AD logs after that, start a new backup and test restore with Sure Backup.
Thats the was I would do it...

[Zew]

Zew, we do support full DC recovery for 2003 and above. We do not rely on this new functionality of 2012 (DSA Invocation ID) that you are talking about, as this one was only introduced in Windows Server 2012. Thanks!

And how exactly does Veeam manage that?

[Gostev]

By leveraging Microsoft VSS at backup and restore time. Microsoft designed AD VSS Writer specifically to ensure this issue does not happen, and we leverage these capabilities. In fact, this functionality was first introduced in our v2, which was 7 years ago...