Repairing a Domain Controller

To repair a failed Windows 2000 Server domain controller there are several options available to you. You might need to use one or all of the following methods to repair a failed domain controller:

• Ntbackup tool Emergency Repair Disk (ERD) wizard. You would log on by using an account that has Administrator or Backup Operator privileges. You can use the wizard to prepare a set of disaster recovery disks so that you can restart the domain controller.
• Reinstall the Windows 2000 operating system and run the Active Directory Installation Wizard (Dcpromo.exe). In the case of a major hardware malfunction that requires that the computer be completely rebuilt, reinstall the operating system. This ensures that the number and size of disk volumes is the same or larger than the previous computer. Reapply your Network Connections and DNS settings as originally configured.
• Netdom tool. In the case you needed to remove a domain, you would first run the Active Directory Installation Wizard to remove Active Directory from all domain controllers in the domain that are being removed. Then use the netdom tool to remove the domain itself (including cross reference and trusted domain objects). For example, at the command prompt, type netdom trust /remove /force
• Ntdsutil tool Cleanup command. To cleanup metadata left behind by decommissioned or failed domain controllers, use the cleanup command. It removes the defunct domain controller's identification and information from the directory. You might have to run the Dcpromo tool in addition and rename the new domain controller with the same name as the old domain controller. Replication brings the domain controller up to date with regard to its replication partners.

For more information about installing and removing Active Directory with the Active Directory Installation Wizard (Dcpromo tool), see "Active Directory Data Storage" in this book. For more information about the Ntdsutil tool, see "Active Directory Diagnostic Tool (Ntdsutil.exe)" in this book.

Repairing a Windows NT 4.0–based Backup Domain Controller

Recovering a lost backup domain controller account becomes important when you are running Windows NT 4.0 in a mixed mode environment. It's important to know how to recover if the computer account for a Windows NT 4.0–based backup domain controller becomes corrupt or is accidentally deleted.

Note

If the computer account for a backup domain controller in a mixed-mode domain gets deleted, you can use the dsacls command.

To repair a backup domain account

1. On the orphaned backup domain controller, log on locally by using an account with administrator privileges.
2. Start Server Manager.

   From the Start menu, click Run, and then type:

   svrmgr

   Server Manager for Windows NT 4.0 or for Windows NT 3.x is displayed.

3. Re-create the account for the backup domain controller. (This actually happens on the primary domain controller.)
4. Use the force sync command to reset the password properly.

Recovering from a Deleted Windows 2000 Computer and Domain Account

• When you restart the computer, you might receive the following error message:

event id 26 application pop-up

Application popup: lsass.exe - System Error : Security Accounts Manager initialization failed because of the following error: No mapping between account names and security IDs was done.  Error Status: 0xc0000073. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

The problem is that if you delete a computer account, you need to wait for the delete to replicate to all domain controllers in the domain, before doing anything further with the computer, such as joining or running the Active Directory Installation Wizard. Otherwise, the join process and Active Directory Installation Wizard re-uses the existing account and then the delete replicates in causing start or logon failures.

The solution to the computer account problem differs for clients, servers, and domain controllers:

• For a client or server, it is easy to recover from this situation. Rejoin the computer.
• For a domain controller, there is System State data to be considered, such as RID, Service Principal Names (SPNs), and FRS subscription. This System State data is affected and the only means of recovery is to reinstall it as a domain controller or authoritatively restore the domain controller's computer account.

The following is a typical scenario:

• An administrator deletes a computer account for a computer.
• An administrator rejoins the server to the domain.
• The join code attempts to find a domain controller with the account because the domain controller wants to avoid creating duplicate accounts.
• It is guaranteed to find a domain controller that hasn't yet replicated the deletion, if the join was attempted shortly after deleting the account (for example, within a replication latency).
• It joins to that domain controller and sets the password, and so on and then reports a success.
• The delete replicates throughout the domain and then removes the account.

© 1985-2000 Microsoft Corporation. All rights reserved.