[apatheticsheep]

First I hope that my post is in the correct forum and that i am not posting a duplicate thread. If I am please forgive me.

I have a network with 2 sites connected Via an ipsec VPN. there is a DC at each site. I will call SITE-A the authoritative or original Site. SITE-B the second site (which has ONLY a sharepoint server).

Site-A is healthy as far as i can tell.
Site-B suffered the loss of 2 raid members disks and had to be restored from a backup. The Backup was almost a week old and was an acronis True Image image. After restoration it appears that active directory has stopped replicating.

I noticed this when a user was added at site-a and appears in DSA at site-b but cannot authenticate to the Sharepoint portal.

the following events appear on Site-B (with corresponding events on Site-A)

Code:

Event Type:    Warning
Event Source:    NTDS KCC
Event Category:    Knowledge Consistency Checker 
Event ID:    1865
Date:        12/3/2009
Time:        1:10:20 PM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    SHAREPOINT
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 
 
Sites: 
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Metalico,DC=local 
 


Event Type:    Error
Event Source:    NTDS KCC
Event Category:    Knowledge Consistency Checker 
Event ID:    1311
Date:        12/3/2009
Time:        1:10:20 PM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    SHAREPOINT
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 
 
Directory partition:
CN=Configuration,DC=Metalico,DC=local 
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. 
 
User Action 
Use Active Directory Sites and Services to perform one of the following actions: 
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. 
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:    Warning
Event Source:    NTDS KCC
Event Category:    Knowledge Consistency Checker 
Event ID:    1566
Date:        12/3/2009
Time:        1:10:20 PM
User:        NT AUTHORITY\ANONYMOUS LOGON
Computer:    SHAREPOINT
Description:
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable. 
 
Site:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Metalico,DC=local 
Directory partition:
CN=Configuration,DC=Metalico,DC=local 
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Metalico,DC=local

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have attached the output of DCDIAG for both sites.

[Garen]

Don't worry this happens to someone every week. Google USN Rollback.

Leason learned, don't restore images of a DC.

[apatheticsheep]

In the future how should this type of situation be handled?
I am assuming that an "image" backup is not sufficient.
Should I just use ntbackup to backup system state?
Could I then restore the image and then restore AD through the ntbackup?

If I follow the directions i found after googling "USN rollback" could this potentially harm my "functioning" server? or will it just reload from the "good" ADC?

Does anything have to be done on the Server at Site-A?

And finally, can you please shoot me?

[Garen]

Your guess is correct. Take a system state backup daily. If you need to restore a DC from image do it while its isolated from other DCs, restore the system state then connect it to the production network.

Microsoft released patches long ago to keep USN rollbacks from corrupting functional DCs. You'll just need to demote, metadata cleanup and promote the bad DC.

[PledgeTechnologies]

Few things you can make sure before promoting the DC back in Site B.

1. Check for any reported events for Directory Services, or FRS (Sysvol/Netlogon Shares)
2. No stale entries should be left in Active Directory, i.e. after metadata cleanup, all the entries should be erased for Site B's DC.
3. All the FSMO Roles are up and running on DC in Site A.
4. Take a System state backup of DC in Site A.
5. Now go ahead and promote the server as a DC.

Note: You'll need to use the Force Removal Switch to remove Active Directory from Problem DC.

Feel free to reply back if you have any queries.

[apatheticsheep]

If i demote my server at site-B (which is a sharepoint server) can I keep it as a member server and still expect sharepoint to function properly?