Deleted the active directory database files

Archived from groups: microsoft.public.win2000.active_directory

1. If I've deleted the active directory database files from the domain
controller and I don't have a backup, can I just reinstall NT server
2000 again in the same boot partition to restore a new database for
the domain controller?

2. In a separate situation:

If I have a Windows 2000 domain controller, and I want to downgrade it
to a regular server, can I just reinstall Windows NT 2000 advanced
server in the same boot partition and choose "server" instead of
domain controller during setup?

Any help is welcome!
  1. Archived from groups: microsoft.public.win2000.active_directory

    > 1. If I've deleted the active directory database files from the domain
    > controller and I don't have a backup, can I just reinstall NT server 2000
    > again in the same boot partition to restore a new database for the domain
    > controller?

    Well, that's a pretty impressive mistake to make!!! You'd have to be in
    offline mode, or have purposefully played with the permissions on that file
    and then rebooted!!!

    Anyway, if you don't have a backup you have to either dcpromo /forceremoval
    and then metadata cleanup or format, install and metadata cleanup (not
    necessarily in that order ;-).


    > restore a new database for the domain controller

    No, because you said you don't have a backup?!?!?!


    > If I have a Windows 2000 domain controller, and I want to downgrade it to
    > a regular server, can I just reinstall Windows NT 2000 advanced server in
    > the same boot partition and choose "server" instead of domain controller
    > during setup?

    No, that's the NT4 way. You simply need to run DCPROMO again and demote the
    DC.

    Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
    and demote it first.

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net
  2. Archived from groups: microsoft.public.win2000.active_directory

    On Sat, 16 Apr 2005 12:26:03 +0100, "ptwilliams" <ptw2001@hotmail.com>
    wrote:

    >> 1. If I've deleted the active directory database files from the domain
    >> controller and I don't have a backup, can I just reinstall NT server 2000
    >> again in the same boot partition to restore a new database for the domain
    >> controller?
    >
    >Well, that's a pretty impressive mistake to make!!! You'd have to be in
    >offline mode, or have purposefully played with the permissions on that file
    >and then rebooted!!!
    >
    >Anyway, if you don't have a backup you have to either dcpromo /forceremoval
    >and then metadata cleanup or format, install and metadata cleanup (not
    >necessarily in that order ;-).

    I understand that "metadata cleanup" involves Ntdsutil.exe, but...

    When you give "format, install, and metadata cleanup" as an option, do
    you mean "format" the system partition disk? Or is the format
    step part of another nt utility?

    One more thing: I'm already doing a naughty thing and running a
    development web server on this corrupt DC. When running dcpromo to
    demote, it states it will remove all the user accounts, among other
    scary things. Do you think the IIS service and its components will
    still attempt to look for an AD account or will they automatically
    look for comparable accounts in the SAM? Would dcpromo most likely
    cause catastrophe to my well running web server on this DC?

    I have backups of the physical files for web, and IIS config, but I'd
    really like to have the AD functionality "restored" / "reinstalled"
    without hassle.


    >
    >
    >> restore a new database for the domain controller
    >
    >No, because you said you don't have a backup?!?!?!
    >
    >
    >> If I have a Windows 2000 domain controller, and I want to downgrade it to
    >> a regular server, can I just reinstall Windows NT 2000 advanced server in
    >> the same boot partition and choose "server" instead of domain controller
    >> during setup?
    >
    >No, that's the NT4 way. You simply need to run DCPROMO again and demote the
    >DC.
    >
    >Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
    >and demote it first.
  3. Archived from groups: microsoft.public.win2000.active_directory

    <DrLovely@.> wrote in message
    news:31p261d9b0qfmijhrmnbnpoc84b2sr574s@4ax.com...
    > On Sat, 16 Apr 2005 12:26:03 +0100, "ptwilliams" <ptw2001@hotmail.com>
    > wrote:
    >
    > >> 1. If I've deleted the active directory database files from the domain
    > >> controller and I don't have a backup, can I just reinstall NT server 2000
    > >> again in the same boot partition to restore a new database for the domain
    > >> controller?
    > >
    > >Well, that's a pretty impressive mistake to make!!! You'd have to be in
    > >offline mode, or have purposefully played with the permissions on that file
    > >and then rebooted!!!
    > >
    > >Anyway, if you don't have a backup you have to either dcpromo /forceremoval
    > >and then metadata cleanup or format, install and metadata cleanup (not
    > >necessarily in that order ;-).
    >
    > I understand that "metadata cleanup" involves Ntdsutil.exe, but...
    >
    > When you give "format, install, and metadata cleanup" as an option, do
    > you mean "format" the system partition disk? Or is the format
    > step part of another nt utility?

    If that is what PT meant (and I believe so) then the metadata
    cleanup would ONLY be necessary if this were not the last
    DC in the domain, OR if it were a domain with OTHER domains
    in the forest.

    Deleting a DC without telling the other DCs, or deleting a Domain
    without telling the DCs of the remaining Domains requires the
    metadata cleanup.

    > One more thing: I'm already doing a naughty thing and running a
    > development web server on this corrupt DC.

    You need to be very careful running NTDSUtil if you
    care about any of this domain or forest. (Truthfully,
    you have shown a penchant for destroying things <grin>
    and NTDSUtil can be very dangerous.)

    > When running dcpromo to
    > demote, it states it will remove all the user accounts, among other
    > scary things.

    Yes, all of the Domain user accounts if this is the
    last DC.

    If this is the last DC, you already lost all of the accounts
    in that Domain.

    > Do you think the IIS service and its components will
    > still attempt to look for an AD account or will they automatically
    > look for comparable accounts in the SAM?

    No, it will not. The accounts will be missing/invalid
    if they are not where they used to be.

    There is NO relationship between a domain account
    and a server/workstation account of the same name.
    (I.E., they are two different accounts.)

    You will need to reconfigure IIS to use a machine account
    (once this is a server) or to use a domain account if any
    still exist.


    > Would dcpromo most likely
    > cause catastrophe to my well running web server on this DC?

    Catastrophic? No.

    Fixable trouble? Possibly -- see above.

    > I have backups of the physical files for web, and IIS config, but I'd
    > really like to have the AD functionality "restored" / "reinstalled"
    > without hassle.

    If this is the last DC, then you either have a System State
    Backup (to restore the AD) or you have LOST THE ENTIRE
    domain forever.

    In that case you can just remove the very sick DC and start
    the (new) domain over with new users.

    > >
    > >
    > >> restore a new database for the domain controller
    > >
    > >No, because you said you don't have a backup?!?!?!
    > >
    > >
    > >> If I have a Windows 2000 domain controller, and I want to downgrade it to
    > >> a regular server, can I just reinstall Windows NT 2000 advanced server in
    > >> the same boot partition and choose "server" instead of domain controller
    > >> during setup?
    > >
    > >No, that's the NT4 way. You simply need to run DCPROMO again and demote the
    > >DC.
    > >
    > >Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
    > >and demote it first.

    And only demote it (DCPromo) if you either have another
    DC or you do not need the domain.

    Delete last DC, lose domain.
  4. Archived from groups: microsoft.public.win2000.active_directory

    On Sat, 16 Apr 2005 19:52:47 -0500, "Herb Martin"
    <news@LearnQuick.com> wrote:

    GO TO the very end of this message for my new text...


    ><DrLovely@.> wrote in message
    >news:31p261d9b0qfmijhrmnbnpoc84b2sr574s@4ax.com...
    >> On Sat, 16 Apr 2005 12:26:03 +0100, "ptwilliams" <ptw2001@hotmail.com>
    >> wrote:
    >>
    >> >> 1. If I've deleted the active directory database files from the domain
    >> >> controller and I don't have a backup, can I just reinstall NT server 2000
    >> >> again in the same boot partition to restore a new database for the domain
    >> >> controller?
    >> >
    >> >Well, that's a pretty impressive mistake to make!!! You'd have to be in
    >> >offline mode, or have purposefully played with the permissions on that file
    >> >and then rebooted!!!
    >> >
    >> >Anyway, if you don't have a backup you have to either dcpromo /forceremoval
    >> >and then metadata cleanup or format, install and metadata cleanup (not
    >> >necessarily in that order ;-).
    >>
    >> I understand that "metadata cleanup" involves Ntdsutil.exe, but...
    >>
    >> When you give "format, install, and metadata cleanup" as an option, do
    >> you mean "format" the system partition disk? Or is the format
    >> step part of another nt utility?
    >
    >If that is what PT meant (and I believe so) then the metadata
    >cleanup would ONLY be necessary if this were not the last
    >DC in the domain, OR if it were a domain with OTHER domains
    >in the forest.
    >
    >Deleting a DC without telling the other DCs, or deleting a Domain
    >without telling the DCs of the remaining Domains requires the
    >metadata cleanup.
    >
    >> One more thing: I'm already doing a naughty thing and running a
    >> development web server on this corrupt DC.
    >
    >You need to be very careful running NTDSUtil if you
    >care about any of this domain or forest. (Truthfully,
    >you have shown a penchant for destroying things <grin>
    >and NTDSUtil can be very dangerous.)
    >
    >> When running dcpromo to
    >> demote, it states it will remove all the user accounts, among other
    >> scary things.
    >
    >Yes, all of the Domain user accounts if this is the
    >last DC.
    >
    >If this is the last DC, you already lost all of the accounts
    >in that Domain.
    >
    >> Do you think the IIS service and its components will
    >> still attempt to look for an AD account or will they automatically
    >> look for comparable accounts in the SAM?
    >
    >No, it will not. The accounts will be missing/invalid
    >if they are not where they used to be.
    >
    >There is NO relationship between a domain account
    >and a server/workstation account of the same name.
    >(I.E., they are two different accounts.)
    >
    >You will need to reconfigure IIS to use a machine account
    >(once this is a server) or to use a domain account if any
    >still exist.
    >
    >
    >> Would dcpromo most likely
    >> cause catastrophe to my well running web server on this DC?
    >
    >Catastrophic? No.
    >
    >Fixable trouble? Possibly -- see above.
    >
    >> I have backups of the physical files for web, and IIS config, but I'd
    >> really like to have the AD functionality "restored" / "reinstalled"
    >> without hassle.
    >
    >If this is the last DC, then you either have a System State
    >Backup (to restore the AD) or you have LOST THE ENTIRE
    >domain forever.
    >
    >In that case you can just remove the very sick DC and start
    >the (new) domain over with new users.
    >
    >> >
    >> >
    >> >> restore a new database for the domain controller
    >> >
    >> >No, because you said you don't have a backup?!?!?!
    >> >
    >> >
    >> >> If I have a Windows 2000 domain controller, and I want to downgrade it to
    >> >> a regular server, can I just reinstall Windows NT 2000 advanced server in
    >> >> the same boot partition and choose "server" instead of domain controller
    >> >> during setup?
    >> >
    >> >No, that's the NT4 way. You simply need to run DCPROMO again and demote the
    >> >DC.
    >> >
    >> >Unless you HAVE to, NEVER simply delete a DC or turn one off. Always try
    >> >and demote it first.
    >
    >And only demote it (DCPromo) if you either have another
    >DC or you do not need the domain.
    >
    >Delete last DC, lose domain.
    >

    Thank you very much for your time. Just one more thing:

    1. IF I demote this DC to a member server and do whatever to clean-up,
    what account can I use to log in with when it reboots? I'm supposing
    it creates a SAM db with a new admin user account and password?

    2. Upon getting the server to "member server" status and logging in
    locally as admin, what kind of trouble could I have in "reinstalling"
    AD? Should it be a breeze?

    Any help is appreciated!
  5. Archived from groups: microsoft.public.win2000.active_directory

    > Thank you very much for your time. Just one more thing:
    >
    > 1. IF I demote this DC to a member server and do whatever to clean-up,
    > what account can I use to log in with when it reboots? I'm supposing
    > it creates a SAM db with a new admin user account and password?

    As it becomes a Server (non-DC) it will ask you for the
    new Administrator password you wish to use.

    The opposite of what it does when DCPromo is used
    to make a new DC.

    > 2. Upon getting the server to "member server" status and logging in
    > locally as admin, what kind of trouble could I have in "reinstalling"
    > AD? Should it be a breeze?

    Should be as easy as ever.

    DNS is the main thing that most people mess up -- it is
    actually fairly unusual for someone to screw up the AD
    itself (directly.)

    > Any help is appreciated!
  6. Archived from groups: microsoft.public.win2000.active_directory

    On Sat, 16 Apr 2005 23:06:35 -0500, "Herb Martin"
    <news@LearnQuick.com> wrote:

    >> Thank you very much for your time. Just one more thing:
    >>
    >> 1. IF I demote this DC to a member server and do whatever to clean-up,
    >> what account can I use to log in with when it reboots? I'm supposing
    >> it creates a SAM db with a new admin user account and password?
    >
    >As it becomes a Server (non-DC) it will ask you for the
    >new Administrator password you wish to use.
    >
    >The opposite of what it does when DCPromo is used
    >to make a new DC.
    >
    >> 2. Upon getting the server to "member server" status and logging in
    >> locally as admin, what kind of trouble could I have in "reinstalling"
    >> AD? Should it be a breeze?
    >
    >Should be as easy as ever.
    >
    >DNS is the main thing that most people mess up -- it is
    >actually fairly unusual for someone to screw up the AD
    >itself (directly.)
    >
    >> Any help is appreciated!
    >

    If DNS services are totally inaccessible, will AD survive? What
    happens if I cannot resolve the host.domainname. with the DNS while
    attempting to use the AD system? Will it broadcast or use an
    alternative?
  7. Archived from groups: microsoft.public.win2000.active_directory

    <DrLovely@.> wrote in message
    news:uvs361h5i27ffqehsbuatouv0pmrchhipc@4ax.com...

    > If DNS services are totally inaccessible, will AD survive?

    Yes, but survive isn't a lot to ask.

    If there is only one DC then it will survive indefinitely,
    but it will be problematic (at best) to use it.

    You will get authentication and replication (with multiple
    DCs) problems.

    Give it long enough (60 days) and all but one of the
    DCs will be worthless (as DCs).

    > What
    > happens if I cannot resolve the host.domainname. with the DNS while
    > attempting to use the AD system? Will it broadcast or use an
    > alternative?

    No, most things will not use alternatives that are
    reliable (or even if they work, performance goes
    way down to the point that even logging on becomes
    irritating.)