Appendix C: Recovering a Single Domain within a Multidomain Forest
Updated: April 25, 2013
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
There can be times when it is necessary to recover only a single domain within a forest that has multiple domains, rather than a full forest recovery. This topic covers considerations for recovering a single domain and possible strategies for recovery.
A single domain recovery presents a unique challenge for rebuilding global catalog (GC) servers. For example, if the first domain controller (DC) for the domain is restored from a backup that was created one week earlier, then all other GCs in the forest will have more up-to-date data for that domain than the restored DC. To re-establish GC data consistency, there are a couple of options:
Unhost and then rehost all GCs in the forest, except those in the recovered domain, at the same time.
Follow the forest recovery process to recover the domain, and then remove lingering objects from GCs in other domains.
The following sections provide general considerations for each option. The complete set of steps that need to be done for the recovery will vary for different Active Directory environments.
Rehost all GCs
Rehosting all GCs can be done using the repadmin /unhost and repadmin /rehost commands (part of repadmin /experthelp). Run the repadmin commands on every GC in each domain that is not recovered.
The password of the built-in Administrator account for all domains must be ready for use in case a problem prevents access to a GC for logon.
This option can be advantageous for a small organization that has only a few domain controllers for each domain. All of the GCs could be rebuilt on a Friday night and, if necessary, finish replicating all read-only domain partitions before Monday morning. But if you need to recover a large domain that covers sites across the globe, rehosting the read-only domain partition on all GCs for other domains can significantly impact operations and potentially require downtime.
Remove lingering objects
Similar to the forest recovery process, you restore one DC from backup in the domain that you need to recover, perform metadata cleanup of remaining DCs, and then re-install AD DS to build out the domain. On the GCs of all other domains in the forest, you remove the lingering objects for the read-only partition of the recovered domain.
The source for the lingering object cleanup must be a DC in the recovered domain. To be certain that the source DC does not have any lingering objects for any domain partitions, you can remove the global catalog from that DC if it was a GC.
Removing lingering objects is advantageous for larger organizations that cannot risk the downtime associated with the other options.
For more information, see Use Repadmin to remove lingering objects.
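The following PowerShell sketch of the lingering-object option is an added example, not part of the original topic. It assumes the ActiveDirectory module and repadmin are available, and the domain and DC names are placeholders. It checks that the source DC is not a GC, finds every GC outside the recovered domain, and runs repadmin /removelingeringobjects against each one, in advisory mode unless $Apply is set.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumed values, replace with your own).
$RecoveredDomain = 'child.corp.example'        # DNS name of the recovered domain
$SourceDc        = 'dc01.child.corp.example'   # restored DC in the recovered domain
$Apply           = $false                      # $false = advisory mode, nothing is deleted

# Partition whose read-only copies on other domains' GCs may hold lingering objects.
$namingContext = (Get-ADDomain -Server $SourceDc).DistinguishedName

# repadmin identifies the source by its DSA object GUID, which is the
# objectGUID of the DC's NTDS Settings object.
$source     = Get-ADDomainController -Identity $SourceDc -Server $SourceDc
$sourceGuid = (Get-ADObject -Identity $source.NTDSSettingsObjectDN -Server $SourceDc).ObjectGUID

# A source that hosts the GC could itself carry lingering objects in its
# read-only partitions; stop so the GC can be removed from it first.
if ($source.IsGlobalCatalog) {
    Write-Warning "$SourceDc is a global catalog; remove the GC from it before using it as the source."
    return
}

# Destinations: every GC in every domain except the recovered one.
$forest  = Get-ADForest -Server $SourceDc
$targets = foreach ($domain in $forest.Domains) {
    if ($domain -ne $RecoveredDomain) {
        Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $domain
    }
}

foreach ($gc in $targets) {
    $repadminArgs = @('/removelingeringobjects', $gc.HostName, "$sourceGuid", $namingContext)
    if (-not $Apply) { $repadminArgs += '/advisory_mode' }
    Write-Host "repadmin $($repadminArgs -join ' ')"
    & repadmin @repadminArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin failed on $($gc.HostName) (exit code $LASTEXITCODE)"
    }
}
```

In advisory mode the objects that would be removed are reported in the Directory Service event log on each destination GC, so the results can be reviewed before rerunning with $Apply set to $true.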