Cannot login to restored domain controller unless NIC removed

Question
-
We have four DCs (Windows 2008 R2) running on VMware, backed up with Veeam.
Currently doing some DR testing. If I restore a DC (full VM) from backup (obviously isolated from our production environment) I cannot log in. I receive the error message:
There are currently no logon servers available to service your request
If I remove the NIC, I can log in.
Once in, I can add a new NIC but I'm still seeing a lot of SRV record errors. But that aside, if I reboot with the new NIC I get the same problem, need to remove it otherwise I can't log in.
Booting into DSRM and doing an authoritative restore seems to have no effect. We can still not boot into the DC unless we remove the NIC.
Also, after logging in and giving the NIC the IP addresses of all four DCs, restored clients don't function correctly, even though they can ping the domain by NETBIOS name and FQDN.
All four DCs are global catalogs, and we run DCDiag daily in our production environment and don't have any errors or issues.
-Matt
Wednesday, November 29, 2017 1:33 AM
Answers
-
According to this Veeam document, and implied by this Microsoft document, a restored (or cloned) DC will boot into DSRM, and there's no way to tell from the login screen. It does flash up briefly stating this is what's happening (even if you select "Start Windows Normally"), but you have to be quick to see it.
Logging in (successfully) with the DSRM password confirmed this was the case.
The Veeam article suggests opening a command prompt and running the following:
bcdedit /deletevalue safeboot
shutdown -t 01 -r
The MS article advises the same but doesn't give the commands.
Rebooting after this allowed a successful login with domain credentials.
-Matt
- Marked as answer by GolfTangoGolf Friday, December 1, 2017 12:42 AM
Friday, December 1, 2017 12:42 AM
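A check to run before clearing the flag, as an added example that is not part of the original post or of the Veeam or Microsoft articles: it reads the current boot entry with bcdedit and deletes `safeboot` only when asked. The script and its `Get-SafeBootValue` helper are hypothetical; it assumes an elevated PowerShell session opened after logging on with the DSRM password.

```powershell
# Added example (not from the thread): report and optionally clear the
# safeboot flag that keeps a restored DC booting into DSRM.
param([switch]$Clear)

function Get-SafeBootValue {
    param([string[]]$BcdLines)
    # bcdedit prints one "element   value" pair per line; find safeboot.
    foreach ($line in $BcdLines) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

# '{current}' is quoted so PowerShell does not parse it as a script block.
$bcd = & bcdedit.exe /enum '{current}'
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (is the session elevated?): $bcd" }

$mode = Get-SafeBootValue -BcdLines $bcd
if (-not $mode) {
    Write-Output 'No safeboot value set: this boot entry starts Windows normally.'
    return
}
Write-Output "safeboot = $mode (DsRepair means the DC boots into DSRM on every restart)"

if ($Clear) {
    # Same effect as the command quoted in the answer, scoped to the current entry.
    & bcdedit.exe /deletevalue '{current}' safeboot
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /deletevalue failed' }
    Write-Output 'Flag removed. Restart to boot normally: shutdown -t 01 -r'
} else {
    Write-Output 'Re-run with -Clear to remove the flag, then restart.'
}
```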
All replies
-
Hi Matt,
For your case, may I ask whether you performed an authoritative restore after restoring with Veeam? If not, we should perform an authoritative restore.
https://technet.microsoft.com/en-us/library/cc940334.aspx
https://technet.microsoft.com/en-us/library/cc816878(v=ws.10).aspx
Also, I found some articles for your reference; you may try the methods to see if they help:
https://community.spiceworks.com/topic/583548-restore-a-dc-using-veeam-runing-windows-2012
If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
William
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Thursday, November 30, 2017 3:01 AM
-
Hi William
Thank you for the response and the links. The issue on force.com seems exactly like our situation; however, in this case it refers to logging into domain members, and in fact their fix requires logging into a domain controller, which we cannot do. It has given me some ideas for testing though.
The discussions on Spiceworks and Veeam I have seen before, and are also relevant to my situation but appear to be unresolved.
With regard to your question, as per my OP:
Booting into DSRM and doing an authoritative restore seems to have no effect. We can still not boot into the DC unless we remove the NIC.
What seems to be consistent, and difficult to explain/understand, is that removing the NIC from the VM allows us to log in. Disconnecting (rather than removing) the NIC has no effect.
Any other suggestions would be welcome.
-Matt
Thursday, November 30, 2017 3:38 AM