Reconnecting a Domain Controller After a Long-Term Disconnection
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Assuming that a domain controller has not been disconnected for longer than the maximum safe period for disconnection (tombstone lifetime minus end-to-end replication latency), reconnecting the domain controller to the replication topology requires no special procedures. By default, the Knowledge Consistency Checker (KCC) on a domain controller runs five minutes after the domain controller starts, automatically incorporating the reconnected domain controller into the replication topology.
Reconnecting an Outdated Domain Controller
If you plan appropriately for disconnecting and reconnecting domain controllers, no domain controller will be disconnected from the replication topology for longer than a tombstone lifetime. However, if unexpected events result in a domain controller becoming outdated, reconnect the domain controller as follows:
The disconnected domain controller is running Windows Server 2003, and an authoritative domain controller running Windows Server 2003 is available in this site or a neighboring site: Reconnect the domain controller, and immediately follow the instructions in Use Repadmin to remove lingering objects.
The disconnected domain controller is running Windows Server 2003, but no other authoritative domain controller running Windows Server 2003 is available in the domain: Reconnect the domain controller, and follow the instructions in article 314282, "Lingering objects may remain after you bring an out-of-date global catalog server back online," in the Microsoft Knowledge Base on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=37924).
The disconnected domain controller is running Windows 2000 Server, and another domain controller is available in the domain: Do not reconnect the domain controller. Instead, force Active Directory removal on the disconnected domain controller, perform metadata cleanup, and then reinstall Active Directory. To complete these tasks, follow the instructions in Forcing the Removal of a Domain Controller and Installing a Domain Controller in an Existing Domain.
The disconnected domain controller is running Windows 2000 Server, and no other domain controller is available in the domain: If you want to recover the domain, reconnect the domain controller, and follow the instructions in article 314282, "Lingering objects may remain after you bring an out-of-date global catalog server back online," in the Microsoft Knowledge Base on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=37924).
As described in Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection, the recommended practice to ensure consistency of SYSVOL is to modify the registry before disconnecting the domain controller so that SYSVOL is updated automatically when the domain controller is restarted. In addition, if you want to avoid a full synchronization of SYSVOL through intersite replication, you must take preparatory steps before disconnection. For information about how to ensure that SYSVOL is sourced locally and updated over the network only for changes, see "Seeding the SYSVOL tree from restored files during IFM promotion" in article 311078, "How to use the Install from Media feature to promote Windows Server 2003-based domain controllers," in the Microsoft Knowledge Base on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=37924). To update SYSVOL as soon as possible after reconnecting a domain controller, plan the time that you restart the domain controller to optimize the replication schedule, as follows:
If the closest replication partner for the domain is in a different site, view site link properties to determine the replication schedule, and then restart the domain controller as soon as possible after replication is scheduled to start.
If a replication partner for the domain is available within the site, verify replication success on that partner before restarting the domain controller.
Do not use file copy utilities, such as Xcopy or Robocopy, to update an outdated SYSVOL. Copying SYSVOL files is recommended only for recreating a nonfunctioning SYSVOL, which requires several preliminary procedures. Copying SYSVOL files from one domain controller to another without following these procedures causes invalid data to be replicated and causes the system volumes on other domain controllers to become inconsistent. For information about how to recreate a nonfunctioning SYSVOL, see Restoring and Rebuilding SYSVOL.
To complete this task, perform the following procedures:
Determine whether the maximum safe disconnection time has been exceeded. The maximum safe disconnection time should have been established at the time of disconnection, as follows:
Subtract a generous estimate of the amount of time for end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment or request the information from a member of your design or deployment team.
If the maximum safe disconnection time has not been exceeded, proceed with the reconnection process as follows:
If the site in which you are reconnecting the domain controller has one or more other domain controllers that are authoritative for the domain, start the domain controller anytime.
If the site in which you are reconnecting the domain controller has no other domain controllers that are authoritative for the domain, proceed as follows:
Determine when intersite replication is scheduled to begin by viewing the replication properties on the site link that connects this site to the next closest site that includes a domain controller that is authoritative for this domain.
As soon as possible after the next replication cycle begins, start the domain controller.
If the maximum safe disconnection time has been exceeded, proceed in the appropriate manner according to the operating system, as described in "Reconnecting an Outdated Domain Controller" earlier in this topic.
After replication is complete, Verify successful replication to a domain controller (the reconnected domain controller) of the domain, configuration, and schema directory partitions. If the domain controller is a global catalog server, check for successful replication of all domain directory partitions.