Deleted the active directory database files

Anonymous
April 16, 2005 2:08:51 PM

Archived from groups: microsoft.public.win2000.active_directory

1. If I've deleted the active directory database files from the domain
controller and I don't have a backup, can I just reinstall NT server
2000 again in the same boot partition to restore a new database for
the domain controller?

2. In a separate situation:

If I have a Windows 2000 domain controller, and I want to downgrade it
to a regular server, can I just reinstall Windows NT 2000 advanced
server in the same boot partition and choose "server" instead of
domain controller during setup?

Any help is welcome!
Anonymous
April 16, 2005 4:26:03 PM


> 1. If I've deleted the active directory database files from the domain
> controller and I don't have a backup, can I just reinstall NT server 2000
> again in the same boot partition to restore a new database for the domain
> controller?

Well, that's a pretty impressive mistake to make!!! You'd have to be in
offline mode, or have purposefully played with the permissions on that file
and then rebooted!!!

Anyway, if you don't have a backup you have to either dcpromo /forceremoval
and then metadata cleanup or format, install and metadata cleanup (not
necessarily in that order ;-).


> restore a new database for the domain controller

No, because you said you don't have a backup?!?!?!


> If I have a Windows 2000 domain controller, and I want to downgrade it to
> a regular server, can I just reinstall Windows NT 2000 advanced server in
> the same boot partition and choose "server" instead of domain controller
> during setup?

No, that's the NT4 way. You simply need to run DCPROMO again and demote the
DC.

Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
and demote it first.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Anonymous
April 16, 2005 11:39:59 PM


On Sat, 16 Apr 2005 12:26:03 +0100, "ptwilliams" <ptw2001@hotmail.com>
wrote:

>> 1. If I've deleted the active directory database files from the domain
>> controller and I don't have a backup, can I just reinstall NT server 2000
>> again in the same boot partition to restore a new database for the domain
>> controller?
>
>Well, that's a pretty impressive mistake to make!!! You'd have to be in
>offline mode, or have purposefully played with the permissions on that file
>and then rebooted!!!
>
>Anyway, if you don't have a backup you have to either dcpromo /forceremoval
>and then metadata cleanup or format, install and metadata cleanup (not
>necessarily in that order ;-).

I understand that "metadata cleanup" involves Ntdsutil.exe, but...

When you give "format, install, and metadata cleanup" as an option, do
you mean "format" the system partition disk? Or is the format
step part of another nt utility?

One more thing: I'm already doing a naughty thing and running a
development web server on this corrupt DC. When running dcpromo to
demote, it states it will remove all the user accounts, among other
scary things. Do you think the IIS service and its components will
still attempt to look for an AD account or will they automatically
look for comparable accounts in the SAM? Would dcpromo most likely
cause catastrophe to my well running web server on this DC?

I have backups of the physical files for web, and IIS config, but I'd
really like to have the AD functionality "restored" / "reinstalled"
without hassle.


>
>
>> restore a new database for the domain controller
>
>No, because you said you don't have a backup?!?!?!
>
>
>> If I have a Windows 2000 domain controller, and I want to downgrade it to
>> a regular server, can I just reinstall Windows NT 2000 advanced server in
>> the same boot partition and choose "server" instead of domain controller
>> during setup?
>
>No, that's the NT4 way. You simply need to run DCPROMO again and demote the
>DC.
>
>Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
>and demote it first.
Anonymous
April 16, 2005 11:52:47 PM


<DrLovely@.> wrote in message
news:31p261d9b0qfmijhrmnbnpoc84b2sr574s@4ax.com...
> On Sat, 16 Apr 2005 12:26:03 +0100, "ptwilliams" <ptw2001@hotmail.com>
> wrote:
>
> >> 1. If I've deleted the active directory database files from the domain
> >> controller and I don't have a backup, can I just reinstall NT server 2000
> >> again in the same boot partition to restore a new database for the domain
> >> controller?
> >
> >Well, that's a pretty impressive mistake to make!!! You'd have to be in
> >offline mode, or have purposefully played with the permissions on that file
> >and then rebooted!!!
> >
> >Anyway, if you don't have a backup you have to either dcpromo /forceremoval
> >and then metadata cleanup or format, install and metadata cleanup (not
> >necessarily in that order ;-).
>
> I understand that "metadata cleanup" involves Ntdsutil.exe, but...
>
> When you give "format, install, and metadata cleanup" as an option, do
> you mean "format" the system partition disk? Or is the format
> step part of another nt utility?

If that is what PT meant (and I believe so) then the metadata
cleanup would ONLY be necessary if this were not the last
DC in the domain, OR if it were a domain with OTHER domains
in the forest.

Deleting a DC without telling the other DCs, or deleting a Domain
without telling the DCs of the remaining Domains requires the
metadata cleanup.

> One more thing: I'm already doing a naughty thing and running a
> development web server on this corrupt DC.

You need to be very careful running NTDSUtil if you
care about any of this domain or forest. (Truthfully,
you have shown a penchant for destroying things <grin>
and NTDSUtil can be very dangerous.)

> When running dcpromo to
> demote, it states it will remove all the user accounts, among other
> scary things.

Yes, all of the Domain user accounts if this is the
last DC.

If this is the last DC, you already lost all of the accounts
in that Domain.

> Do you think the IIS service and its components will
> still attempt to look for an AD account or will they automatically
> look for comparable accounts in the SAM?

No, it will not. The accounts will be missing/invalid
if they are not where they used to be.

There is NO relationship between a domain account
and a server/workstation account of the same name.
(I.E., they are two different accounts.)

You will need to reconfigure IIS to use a machine account
(once this is a server) or to use a domain account if any
still exist.


> Would dcpromo most likely
> cause catastrophe to my well running web server on this DC?

Catastrophic? No.

Fixable trouble? Possibly -- see above.

> I have backups of the physical files for web, and IIS config, but I'd
> really like to have the AD functionality "restored" / "reinstalled"
> without hassle.

If this is the last DC, then you either have a System State
Backup (to restore the AD) or you have LOST THE ENTIRE
domain forever.

In that case you can just remove the very sick DC and start
the (new) domain over with new users.

> >
> >
> >> restore a new database for the domain controller
> >
> >No, because you said you don't have a backup?!?!?!
> >
> >
> >> If I have a Windows 2000 domain controller, and I want to downgrade it to
> >> a regular server, can I just reinstall Windows NT 2000 advanced server in
> >> the same boot partition and choose "server" instead of domain controller
> >> during setup?
> >
> >No, that's the NT4 way. You simply need to run DCPROMO again and demote the
> >DC.
> >
> >Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
> >and demote it first.

And only demote it (DCPromo) if you either have another
DC or you do not need the domain.

Delete last DC, lose domain.
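
The "metadata cleanup" step mentioned in the replies above is done with Ntdsutil.exe from a surviving DC. The following is an added example, not part of the original posts: a read-only enumeration script to run before removing anything, so the right server object is identified first. The script name `listdcs.cmd` and its arguments are assumptions made for illustration.

```bat
@echo off
rem Added example (not from the thread): read-only enumeration before metadata cleanup.
rem Hypothetical script name and arguments:
rem   listdcs.cmd <healthy-dc> [<domain-index> <site-index>]
rem <healthy-dc> is a surviving domain controller to connect to.
rem Never connect to the failed DC whose metadata is being cleaned up.
setlocal
set DC=%~1
if "%DC%"=="" (
  echo usage: %~nx0 healthy-dc [domain-index site-index]
  exit /b 1
)

rem Pass 1: no indexes given, so list domains and sites to read off their numbers.
if "%~3"=="" (
  ntdsutil "metadata cleanup" connections "connect to server %DC%" quit "select operation target" "list domains" "list sites" quit quit quit
  exit /b
)

rem Pass 2: list the server objects in the chosen domain and site.
ntdsutil "metadata cleanup" connections "connect to server %DC%" quit "select operation target" "select domain %~2" "select site %~3" "list servers in site" quit quit quit

rem Removal is deliberately left as a manual, interactive step.
rem After confirming the index of the dead DC from the listing above, start
rem ntdsutil interactively, repeat the connect and select commands, then type:
rem   select server <n>
rem   quit
rem   remove selected server
rem ntdsutil asks for confirmation before deleting the server object.
endlocal
```

As the reply above notes, this cleanup only applies when other DCs or other domains in the forest remain; with a single, last DC there is nothing left to clean up against.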
Anonymous
April 17, 2005 7:27:17 AM


On Sat, 16 Apr 2005 19:52:47 -0500, "Herb Martin"
<news@LearnQuick.com> wrote:

GO TO the very end of this message for my new text...


><DrLovely@.> wrote in message
>news:31p261d9b0qfmijhrmnbnpoc84b2sr574s@4ax.com...
>> On Sat, 16 Apr 2005 12:26:03 +0100, "ptwilliams" <ptw2001@hotmail.com>
>> wrote:
>>
>> >> 1. If I've deleted the active directory database files from the domain
>> >> controller and I don't have a backup, can I just reinstall NT server 2000
>> >> again in the same boot partition to restore a new database for the domain
>> >> controller?
>> >
>> >Well, that's a pretty impressive mistake to make!!! You'd have to be in
>> >offline mode, or have purposefully played with the permissions on that file
>> >and then rebooted!!!
>> >
>> >Anyway, if you don't have a backup you have to either dcpromo /forceremoval
>> >and then metadata cleanup or format, install and metadata cleanup (not
>> >necessarily in that order ;-).
>>
>> I understand that "metadata cleanup" involves Ntdsutil.exe, but...
>>
>> When you give "format, install, and metadata cleanup" as an option, do
>> you mean "format" the system partition disk? Or is the format
>> step part of another nt utility?
>
>If that is what PT meant (and I believe so) then the metadata
>cleanup would ONLY be necessary if this were not the last
>DC in the domain, OR if it were a domain with OTHER domains
>in the forest.
>
>Deleting a DC without telling the other DCs, or deleting a Domain
>without telling the DCs of the remaining Domains requires the
>metadata cleanup.
>
>> One more thing: I'm already doing a naughty thing and running a
>> development web server on this corrupt DC.
>
>You need to be very careful running NTDSUtil if you
>care about any of this domain or forest. (Truthfully,
>you have shown a penchant for destroying things <grin>
>and NTDSUtil can be very dangerous.)
>
>> When running dcpromo to
>> demote, it states it will remove all the user accounts, among other
>> scary things.
>
>Yes, all of the Domain user accounts if this is the
>last DC.
>
>If this is the last DC, you already lost all of the accounts
>in that Domain.
>
>> Do you think the IIS service and its components will
>> still attempt to look for an AD account or will they automatically
>> look for comparable accounts in the SAM?
>
>No, it will not. The accounts will be missing/invalid
>if they are not where they used to be.
>
>There is NO relationship between a domain account
>and a server/workstation account of the same name.
>(I.E., they are two different accounts.)
>
>You will need to reconfigure IIS to use a machine account
>(once this is a server) or to use a domain account if any
>still exist.
>
>
>> Would dcpromo most likely
>> cause catastrophe to my well running web server on this DC?
>
>Catastrophic? No.
>
>Fixable trouble? Possibly -- see above.
>
>> I have backups of the physical files for web, and IIS config, but I'd
>> really like to have the AD functionality "restored" / "reinstalled"
>> without hassle.
>
>If this is the last DC, then you either have a System State
>Backup (to restore the AD) or you have LOST THE ENTIRE
>domain forever.
>
>In that case you can just remove the very sick DC and start
>the (new) domain over with new users.
>
>> >
>> >
>> >> restore a new database for the domain controller
>> >
>> >No, because you said you don't have a backup?!?!?!
>> >
>> >
>> >> If I have a Windows 2000 domain controller, and I want to downgrade it to
>> >> a regular server, can I just reinstall Windows NT 2000 advanced server in
>> >> the same boot partition and choose "server" instead of domain controller
>> >> during setup?
>> >
>> >No, that's the NT4 way. You simply need to run DCPROMO again and demote the
>> >DC.
>> >
>> >Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
>> >and demote it first.
>
>And only demote it (DCPromo) if you either have another
>DC or you do not need the domain.
>
>Delete last DC, lose domain.
>

Thank you very much for your time. Just one more thing:

1. IF I demote this DC to a member server and do whatever to clean-up,
what account can I use to log in with when it reboots? I'm supposing
it creates a SAM db with a new admin user account and password?

2. Upon getting the server to "member server" status and logging in
locally as admin, what kind of trouble could I have in "reinstalling"
AD? Should it be a breeze?

Any help is appreciated!
Anonymous
April 17, 2005 7:27:18 AM


> Thank you very much for your time. Just one more thing:
>
> 1. IF I demote this DC to a member server and do whatever to clean-up,
> what account can I use to log in with when it reboots? I'm supposing
> it creates a SAM db with a new admin user account and password?

As it becomes a Server (non-DC) it will ask you for the
new Administrator password you wish to use.

The opposite of what it does when DCPromo is used
to make a new DC.

> 2. Upon getting the server to "member server" status and logging in
> locally as admin, what kind of trouble could I have in "reinstalling"
> AD? Should it be a breeze?

Should be as easy as ever.

DNS is the main thing that most people mess up -- it is
actually fairly unusual for someone to screw up the AD
itself (directly.)

> Any help is appreciated!
Anonymous
April 17, 2005 9:36:20 AM


On Sat, 16 Apr 2005 23:06:35 -0500, "Herb Martin"
<news@LearnQuick.com> wrote:

>> Thank you very much for your time. Just one more thing:
>>
>> 1. IF I demote this DC to a member server and do whatever to clean-up,
>> what account can I use to log in with when it reboots? I'm supposing
>> it creates a SAM db with a new admin user account and password?
>
>As it becomes a Server (non-DC) it will ask you for the
>new Administrator password you wish to use.
>
>The opposite of what it does when DCPromo is used
>to make a new DC.
>
>> 2. Upon getting the server to "member server" status and logging in
>> locally as admin, what kind of trouble could I have in "reinstalling"
>> AD? Should it be a breeze?
>
>Should be as easy as ever.
>
>DNS is the main thing that most people mess up -- it is
>actually fairly unusual for someone to screw up the AD
>itself (directly.)
>
>> Any help is appreciated!
>

If DNS services are totally inaccessible, will AD survive? What
happens if I cannot resolve the host.domainname. with the DNS while
attempting to use the AD system? Will it broadcast or use an
alternative?
Anonymous
April 17, 2005 9:36:21 AM


<DrLovely@.> wrote in message
news:uvs361h5i27ffqehsbuatouv0pmrchhipc@4ax.com...

> If DNS services are totally inaccessible, will AD survive?

Yes, but survive isn't a lot to ask.

If there is only one DC then it will survive indefinitely,
but it will be problematic (at best) to use it.

You will get authentication and replication (with multiple
DCs) problems.

Give it long enough (60 days) and all but one of the
DCs will be worthless (as DCs).

> What
> happens if I cannot resolve the host.domainname. with the DNS while
> attempting to use the AD system? Will it broadcast or use an
> alternative?

No, most things will not use alternatives that are
reliable (or even if they work, performance goes
way down to the point that even logging on becomes
irritating.)