Windows 2012 system disk failure wiped out most current system disk backup, how to restore system.

  • Question

  • We have Windows Server 2012 software running on an HP Proliant server that lost the system disk over the weekend. I saw some disk errors on Friday and ordered a replacement drive to be delivered on Monday. I checked in Windows Server Backup and noticed that there were numerous backups of the system. I thought that I had stopped the scheduled backups. So I left for the weekend planning on replacing and restoring the system disk on Monday.

    Monday morning the server was down because the system disk had completely failed and won't mount. So I booted from the distribution DVD and looked at the available backups. Nothing was displayed on the System Image recovery.

    I moved the drive over to another Windows 2012 server and looked with backup. There were only 2 backups, both over the weekend with the C: drive not having a backup (because of drive errors?). None of the previous backups were on the drive.

    The system disk only contains the OS and applications. All application data is kept on a storage space array on the same machine. The storage array is working fine and I don't wish to mess with it.

    So I went to a drive with older backups. I attempted to restore using the booted distribution. I excluded the storage array and got a message saying that I had excluded a critical disk so the restore would not proceed. I forced the storage array offline with diskpart and got the same restore message. Then I physically removed all of the storage array disks and got a message about "failed to find enough suitable disks".

    I went to another Windows server and mounted the backup disk. The most recent backup has only AD, FRS, Registry, System Reserved, System State. The older backup has AD, Bare Metal, Development (the storage array), Exchange, FRS, Local disk (C:), Registry, System Reserved, System State.

    I tried restoring the "Local disk (C:)" item to an empty disk, but I could not get the disk to boot. I used bootrec to set up the boot information, but the HP red screened on power-up indicating it can't find a bootable drive. What did I do wrong?

    My thought was to restore the C: drive, bring the AD up to date with DSRM, and add the software updates. I don't seem to be able to accomplish this. Does anybody have any ideas on how to get this machine back running?




    • Edited by jphoekstra Thursday, September 26, 2019 8:17 PM
    Thursday, September 26, 2019 8:12 PM

All replies

  • Was this the domain controller? Also, include what exactly you see in the backup snapshot.
    Thursday, September 26, 2019 8:15 PM
  • Yes, it is a domain controller. There is another DC.

    I'm not sure what you mean by the backup snapshot. I listed the items from the recoverable items list of backup in the initial text.

    Thursday, September 26, 2019 8:23 PM
  • What I mean is a screenshot of the backup.

    Meanwhile, what you are trying to achieve could be very time consuming, and the path could be set for failure with the smallest mismatch. Is your end result to get your DC up and running?

    Thursday, September 26, 2019 8:28 PM
  • Hi,

    Looks like you've already put a lot of time and effort in trying to get the backups working, since you have another DC it might be easier to simply seize roles, perform a cleanup and then rebuild the server that crashed. 

    Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

    Clean up Active Directory Domain Controller server metadata

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Thursday, September 26, 2019 8:43 PM
  • The failed system was also the certification authority and has exchange server. The certification database and the exchange databases are on another disk that is good.

    Any special considerations relative to certification and exchange before I start in rebuilding?

    Friday, September 27, 2019 2:00 PM
  • One thing at a time, first thing first.

    1- Get your DC up and running (give it the same IP and same DNS name), transfer/seize all the roles using ntdsutil

    2- Install the new certificate authority

    3- Spin up a second VM and install Exchange Server in disaster recovery mode

    4- Build a new DB and configure mailboxes (you need to assure the user that his/her old emails will be available in a while; this way you can at least start email flowing)

    5- Google and use any third-party offline EDB to PST conversion tool to extract mailboxes from the old database and import them as PST to the new database; there are a lot of third-party tools.

    This way you get your environment up and running in the quickest manner.

    Wish you all the best.

    Regards - H Reza.


    • Proposed as answer by Hasan Reza Saturday, September 28, 2019 2:26 AM
    • Edited by Hasan Reza Saturday, September 28, 2019 2:30 AM
    Saturday, September 28, 2019 2:26 AM
  • I have installed windows 2012 from the DVD, brought it into the domain as a computer, and installed updates.

    Today I started in on the features installation. When I selected the Certificate Authority role it warned me that I wouldn't be able to promote this computer as a DC if I installed the CA first. So I just selected the features for the domain and answered all of the questions. The install has displayed "Creating the NTDS settings object..." for about 2 hours.

    The computer is visible to Server Manager from other machines. Soon after I started the installation there were Certificate enrollment failure events for the newly built DC. Of course, there is no CA because I am rebuilding the machine that hosts the CA.

    Is the failure of the machine to enroll certificates preventing the promotion from completing? If so, how should I handle this?



    • Edited by jphoekstra Wednesday, October 2, 2019 4:27 PM
    Wednesday, October 2, 2019 4:25 PM
  • I understand that you have already installed the Domain Controller successfully and seized the FSMO role,

    and now you are installing the CA. Kindly select enterprise root CA.

    Please post pics of the error for better understanding.

    Kindly mark the response as an answer if it has helped, to motivate me.

    Regards - Hasan Reza

    Wednesday, October 2, 2019 4:43 PM
  • The computer is installed but it is not yet a Domain Controller. Here is the screen that it has been displaying while trying to promote to a DC.

    The failure event that I saw is "Certificate enrollment for Local system failed to enroll for a Copy of Computer certificate with request ID N/A from WIN-65BH5OFVDEO.holland.factoryinsite.com\holland-WIN-65BH5OFVDEO-CA (Class not registered 0x80040154 (-2147221164))." There are multiple of these, but they are all the same failure, just for different certificates.
    • Edited by jphoekstra Wednesday, October 2, 2019 4:53 PM
    Wednesday, October 2, 2019 4:51 PM
  • Currently the error has no relation to the Certificate Authority. I believe there is a communication error between your new DC and old DC "Fenger.holland.factoryinsite.com".

    Kindly check the below:

    1- Ping the IP address of Fenger.holland.factoryinsite.com

    2- Ensure that your DNS is pointing to the correct DC (that should typically be the IP address of "fenger")

    3- Have you defined the AD site?



    • Edited by Hasan Reza Wednesday, October 2, 2019 5:41 PM
    Wednesday, October 2, 2019 5:14 PM
  • No communications problems from the rebuilt server to the old one.

    The DNS seems to be correct. We have been running for a week on the alternate DC. What specifically should I check?

    The AD site definition hasn't changed. The failed DC went away. I removed it from AD as a DC and now I am trying to add it back.

    Wednesday, October 2, 2019 5:32 PM
  • To resolve this issue, follow these steps

    • Restart the server on which Active Directory could not be installed.
    • Use Dsa.msc or Dsac.exe on an existing domain controller to delete the failed server's computer account. (The domain controller will not yet be a domain controller object but only a member server.) Then, let Active Directory replication converge.
    • On the failed server, forcibly remove the server from the domain by using the System Properties Control Panel item or netdom.exe.
    • On the failed server, remove the Active Directory Domain Services (AD DS) role by using Server Manager or Uninstall-WindowsFeature.
    • Restart the failed server.
    • Install the AD DS role, and then try the promotion again. When you do this, make sure that you provide promotion credentials in the form "domain\user" or "user@domain.tld."

    Ref: https://support.microsoft.com/en-us/help/2737935/active-directory-installation-stalls-at-the-creating-the-ntds-settings

    Kindly mark the response as answer if it has helped.

    • Proposed as answer by Hasan Reza Wednesday, October 2, 2019 5:41 PM
    • Marked as answer by jphoekstra Thursday, October 3, 2019 1:02 PM
    Wednesday, October 2, 2019 5:41 PM
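
The steps in the reply above as a PowerShell runbook, with two checks added: the account is deleted only if it is still a member-server account, and the deletion is confirmed on every domain controller before the retry. This is an added example, not part of the original thread or the linked Microsoft article; `FAILEDSRV` and `example.local` are placeholders and the function names are hypothetical.

```powershell
# Added example; FAILEDSRV and example.local are placeholders.
function Remove-StalledServerAccount {
    # Run on an existing domain controller (uses the ActiveDirectory module).
    param([Parameter(Mandatory)][string]$Name)
    $acct = Get-ADComputer -Identity $Name -Properties primaryGroupID
    # primaryGroupID 515 = Domain Computers (member server), 516 = Domain Controllers.
    if ($acct.primaryGroupID -ne 515) {
        throw "$Name is not a member-server account; do not delete it here."
    }
    # -Recursive also removes any child objects under the computer account.
    Remove-ADObject -Identity $acct.DistinguishedName -Recursive -Confirm:$false
    repadmin /syncall /AdeP | Out-Null   # push the change to all partners
}

function Test-AccountGoneEverywhere {
    # Returns $true once no domain controller still holds the account.
    param([Parameter(Mandatory)][string]$Name)
    $holders = foreach ($dc in Get-ADDomainController -Filter *) {
        if (Get-ADComputer -Filter "Name -eq '$Name'" -Server $dc.HostName) {
            $dc.HostName
        }
    }
    if ($holders) { Write-Warning "Still present on: $($holders -join ', ')" }
    return -not $holders
}

function Reset-FailedServer {
    # Run on the failed server. netdom.exe is present while the AD DS role is installed.
    param([Parameter(Mandatory)][string]$Domain)
    netdom remove $env:COMPUTERNAME /domain:$Domain /force
    Uninstall-WindowsFeature AD-Domain-Services
    Restart-Computer
}

function Invoke-PromotionRetry {
    # Run on the failed server after the restart.
    param([Parameter(Mandatory)][string]$Domain)
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    $cred = Get-Credential -Message 'Use domain\user or user@domain.tld'
    # Reject a bare user name: the promotion needs a qualified account name.
    if ($cred.UserName -notmatch '^[^\\@]+\\[^\\@]+$|^[^\\@]+@[^\\@]+$') {
        throw "Credential '$($cred.UserName)' is not in domain\user or user@domain.tld form."
    }
    Install-ADDSDomainController -DomainName $Domain -Credential $cred
}

# Existing DC:   Remove-StalledServerAccount FAILEDSRV; Test-AccountGoneEverywhere FAILEDSRV
# Failed server: Reset-FailedServer example.local   (then, after reboot)
#                Invoke-PromotionRetry example.local
```
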
  • Thanks, that fixed the problem. I'm on to the next step.
    Wednesday, October 2, 2019 6:28 PM
  • Kindly mark my response as answer
    Wednesday, October 2, 2019 6:32 PM
  • I'm getting ready to install the CA. Can I use the old CA database? If so, how do I accomplish that?

    If I have to create a new database, will all certificates need to be re-issued?

    Thursday, October 3, 2019 12:36 PM
  • Hi 

    Good to hear that you are installing the certificate. Not sure whether the old CA database is all good; you need 3 components from your old CA:

    • The CA’s database
    • Private key
    • CA Registry settings

    If not, then it would be best to create a new CA and issue the certificate.

    BTW: the internal CA was issuing certificates primarily for what service?

    Regards - Reza

    Thursday, October 3, 2019 1:42 PM
  • I have the CA database. I probably have the registry on a backup.

    I don't know about the private key. When I ask the CA configuration wizard to search for the key it does not find an existing key. There is a .pfx file that appears to only contain the certificate and not the private key. Is it stored in AD or some file that I might be able to restore from backup?

    Certificates for domain machines, web services, and exchange server.

    Thursday, October 3, 2019 2:25 PM
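
A check for the three components named above (CA database, private key, CA registry settings) in a folder of recovered files, including whether a `.pfx`/`.p12` file really carries a private key. This is an added example, not part of the original thread; the function name `Test-CaRestoreSet` and the path `D:\CARecovery` are hypothetical, and the folder layout assumed is the one a `certutil` backup plus a `reg export` of the CertSvc configuration key produce.

```powershell
# Added example. On a healthy CA the set is normally produced with:
#   certutil -backupDB  <dir>      (database, written under <dir>\DataBase)
#   certutil -backupKey <dir>      (CA certificate + private key as .p12)
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration <file>.reg
function Test-CaRestoreSet {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'

    # 1. Private key: open each PKCS#12 file and inspect the certificate it yields.
    $keyFiles = foreach ($f in Get-ChildItem -Path $Path -Include *.pfx, *.p12 -Recurse -File) {
        try {
            $cert = New-Object "$x509.X509Certificate2" -ArgumentList $f.FullName, $PfxPassword
            $bc = $cert.Extensions | Where-Object { $_ -is [type]"$x509.X509BasicConstraintsExtension" }
            [pscustomobject]@{
                File          = $f.FullName
                Subject       = $cert.Subject
                HasPrivateKey = $cert.HasPrivateKey
                IsCA          = [bool]$bc.CertificateAuthority
            }
        } catch {
            Write-Warning "Cannot open $($f.Name): $($_.Exception.Message)"
        }
    }

    # 2. Database: at least one .edb file somewhere under the folder.
    $db = Get-ChildItem -Path $Path -Filter *.edb -Recurse -File

    # 3. Registry settings: a .reg export that contains the CertSvc configuration key.
    $reg = Get-ChildItem -Path $Path -Filter *.reg -Recurse -File |
        Select-String -SimpleMatch 'CertSvc\Configuration' -List

    $hasKey = [bool]($keyFiles | Where-Object { $_.HasPrivateKey -and $_.IsCA })
    [pscustomobject]@{
        PrivateKey = $hasKey
        Database   = [bool]$db
        Registry   = [bool]$reg
        Restorable = $hasKey -and [bool]$db -and [bool]$reg
        KeyFiles   = $keyFiles
    }
}

# Test-CaRestoreSet -Path D:\CARecovery -PfxPassword (Read-Host 'PFX password' -AsSecureString)
```

A file that reports `HasPrivateKey = False` holds only the certificate, which matches the `.pfx` described in the last post.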