I've been testing Disaster Recovery scenario restoring Active Directory. One of the servers was restored, and it worked for a moment after restore. If you can regain your Primary DC, it's best to do so. If you can't, a standard thing to do during DR is to move all FSMO roles to the restored server so that it can become a master server. You can find out your FSMO holders by using those commands below:
Get-Adforest | Format-Table DomainNamingMaster, SchemaMaster Get-ADDomain 'ad.evotec.xyz' | Format-Table InfrastructureMaster, PDCEmulator, RIDMaster
If you're ready, you have confirmed where FSMO roles are stored you can do the force move. This can be done with a single PowerShell command as below.
Move-ADDirectoryServerOperationMasterRole -Identity 'YourRestoredDC' -OperationMasterRole 0,1,2,3,4 -Force
Notice that I'm using Force switch. This switch should only be used in a case where you don't have access to your FSMO roles holder! And so I did.
Now the tricky part showed up when I wanted to create a new user for my test purposes. I was greeted with this nice little error message.
Windows cannot create the object because The directory service was unable to allocate a relative identifier.
It was a bit unexpected because moving FSMO roles I've actually moved RID Master which should have allowed me to continue. But it didn't.
A quick check with dcdiag and indeed rID data seems to be corrupted.
dcdiag /test:ridmanager /v
Actually, a fix to this is quite simple. I've actually planned to do that later on but it seems not doing so will prevent any changes You have to clean up your Active Directory from old, still down servers. Until you delete them and clean up their metadata it will not let you go any further. You just need to delete them from Domain Controllers in Active Directory Users and Computers as shown below.
And finally, remove them from Active Directory Sites and Services. After that, you should be good to go and be able to create users again. Short but simple. Just make sure not to delete working servers, and definitely, don't do it on production unless you know what you're doing.
This post was last modified on March 27, 2019 21:41
Today, I made the decision to upgrade my test environment and update the version of…
Have you ever looked at your Active Directory and wondered, "Why do I still have…
Active Directory replication is a critical process that ensures the consistent and up-to-date state of…
Hey there! Today, I wanted to introduce you to one of the small but excellent…
Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…
In today's digital age, the ability to create compelling and informative HTML reports and documents…
