[Today’s post comes to us courtesy of Wayne Gordon McIntyre from Commercial Technical Support]

You may find yourself in a scenario where your SBS 2008 server has died and you have no backups available, however you do have a second non-SBS domain controller that is still operational which contains all of your domain information. The steps below will guide you thru rejoining the SBS 2008 server back into the existing domain so you do not have to recreate all of your AD objects and rejoin your client machines.

*** Please note that this is not a replacement for doing regular backups. Our recommended method to recover a server in these situations is to restore from a good backup. You should only do this if you have no other choice because there is no good backup to restore from. ***

Preparation and Clean Up Steps:

  1. Change the primary DNS server IP on the TCP/IP properties of the network card of the second DC to point to it (e.g. 127.0.0.1).

    clip_image001

  2. Ensure the second DC is a global catalog server. Open Active Directory Sites and Services and go to the properties of NTDS settings of the second DC and check the global catalog box if it was not checked.

    clip_image003


    ***
    IMPORTANT:  If the server was not a global catalog, make it a GC and wait for the Directory services event log to log event 1119 that states the server is now acting as a global catalog server. As a sanity test you can use ldp.exe to confirm that the server is responding to requests on port 3268. For these steps please see the appendix.***

  3. Verify which FSMO Roles were held by SBS 2008 by running “NETDOM QUERY FSMO” from an elevated CMD prompt.
  4. Seize all FSMO roles the SBS 2008 Server held to the second domain controller. From an administrative command prompt open the ntdsutil utility by typing NTDSUTIL and pressing ENTER.
    1. Type activate instance NTDS, and then press ENTER. *only required if the second DC is a 2008 Server otherwise skip this step.
    2. Type roles, and then press ENTER.
    3. Type connections, and then press ENTER.
    4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
    5. At the server connections prompt, type q, and then press ENTER.
    6. Type seize PDC, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
    7. Type seize infrastructure master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
    8. Type seize naming master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
    9. Type seize RID master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
    10. Type seize schema master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
    11. Type q, and press ENTER until you are back at the command prompt.

      Steps taken and modified for 2008 from KB 255504 Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

      http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504

  5. Perform metadata cleanup to remove the SBS server from Active Directory.

    216498 How to remove data in Active Directory after an unsuccessful domain controller demotion

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

    ** Please note you have to type “Activate Instance NTDS” in ntdsutil if it is a 2008 DC before you do the meatadata cleanup steps. Also if any FSMO roles were not seized in step 3, the updated version of ntdsutil (2003sp1 and greater) will perform the seizure of the remaining FSMO roles.

  6. Clean up DNS records that point back to SBS 2008.
    1. Delete CNAME records “CompanyWeb”, “Connect”, “SBSConnectComputer” and “Sites”

      clip_image005

    2. Delete the Same as parent ‘A’ records that point to the IP of the SBS server
    3. Go to properties of the _msdcs.domain.local and domain.local zones and go to name servers tab and remove the SBS server as a name server

      clip_image006

  7. Delete the exchange server object out of Active Directory.
    1. Open Active Directory Sites and Services.
    2. With Active Directory Sites and Services highlighted at the top node of the tree use the view menu and click on Show Services Node.

      clip_image008

    3. Expand until you get to the Server name of the failed server as shown below, and press DELETE, put a check in the box to delete sub-containers then click yes.

      clip_image010

  8. You are now ready to rebuild your SBS server to rejoin the existing domain by following Sections 1 – 3 from the link below using the secondary DC as the source server. http://technet.microsoft.com/en-us/library/cc664208(WS.10).aspx

Post Migration Install Steps

  1. Change the DNS server IP back on the 2nd DC to point to the SBS server, with alternate pointing to itself.

    clip_image011

  2. Re-add the Source Server on the SMTP connector.
    1. Open the Exchange Management Console.
    2. Expand Organization Configuration
    3. Select the Hub Transport Node
    4. Go to the Send Connectors tab.
    5. Open the properties of Windows SBS Internet Send COUGAR connector.
    6. Select the Source Server Tab and choose Add, select the SBS 2008 server as the source server.

      clip_image013

  3. Run “Connect to the Internet Wizard” and the “Set up your Internet Address Wizard”.
  4. If you have data to restore such as Exchange, Sharepoint, SQL or files you can now restore it.

Appendix A

Using LDP to verify GC functionality

  1. From an Administrative cmd prompt launch LDP
  2. From the file menu select connect and enter the server name that you are on and change the port number to 3268
  3. Once it connects we know that the server is listening and responding to connections on the GC port. Also verify it has the “isGlobalCatalogReady” equals true setting.
  4. Next step is to verify you can Bind go to file menu and select bind and use the currently logged on credentials.
  5. Click on View > Tree and leave the baseDN blank and you should see your domain tree.

Appendix B

Testing replication:

To test replication between the 2 domain controllers run Repadmin /showrepl. The output should show successful replication for all partitions. For more assistance on using repadmin please see the following Technet link.

http://technet2.microsoft.com/WindowsServer/en/library/a103036b-5d82-4d99-8e61-23d434a8e6eb1033.mspx?mfr=true