So you have just restored your domain controller, either for a recovery test or for a real recovery, and you notice that it isn't working. First off, you might even need to log on in Directory Services Restore Mode (DSRM), because you just can't get in any other way. Then you notice all of those Event ID 2092 entries in the Directory Service event log.

This is a safety measure built into Active Directory: a domain controller that holds a FSMO role will not start performing that role after a restart until it has completed an initial synchronization with a replication partner, because another domain controller may have seized the role while this one was down. Consider the following:

  • We lose the current RID master (dc01)
  • We seize the RID master role on dc02
  • We fix dc01 and bring it back online

Without this check we would have two RID masters until the first replication with dc01 completed. Having more than one holder of a FSMO role online at the same time is bad (two RID masters can hand out overlapping RID pools, which means duplicate SIDs), so this check is a good thing, and it works as intended most of the time.

So now you are thinking: my domain only has one domain controller, and it starts just fine, so what gives? Well, the check only waits on replication partners that actually exist. A DC with no replication partners has nothing to synchronize with, so the check passes immediately and the roles come up.

So now we are standing here with our restored domain controller, which is physically separated from the real domain. First, make sure, and triple sure, that the domain controller really is isolated from the production environment. If it can reach a real DC it will try to replicate with it, and a restored DC with stale data claiming FSMO roles against production is a far worse problem than a failed recovery test.

Now we need to add a registry value. For simplicity, save the text below to a file with a .reg extension, double-click it, and click Yes when Regedit asks whether to merge it into the registry. Then restart the Active Directory Domain Services service (NTDS), or reboot the DC.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Repl Perform Initial Synchronizations"=dword:00000000
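The same procedure as a script, added here as an example and not part of the original post. It does the isolation check the text insists on before it touches the registry: it pulls the inbound replication partners out of repadmin /showrepl, refuses to continue if any of them answers on LDAP port 389, sets the same value the .reg file sets, restarts AD DS, and then looks for fresh 2092 events. It assumes an elevated PowerShell session on Windows Server 2012 or later (Test-NetConnection and a restartable NTDS service), and that port 389 is an adequate liveness probe for a partner; the 30-second wait after the restart is an arbitrary choice.

```powershell
# Added example, not from the original post. Run elevated on the restored,
# network-isolated DC. Assumes Windows Server 2012+ (Test-NetConnection,
# restartable NTDS) and repadmin.exe, which is present on every DC.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'Repl Perform Initial Synchronizations'

# 1. Show the 2092 events that brought us here.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message

# 2. Enumerate inbound replication partners from repadmin output.
#    Partner lines look like "    Default-First-Site-Name\DC02 via RPC".
$partners = repadmin /showrepl |
    Select-String -Pattern '^\s+[^\\\s]+\\(\S+) via RPC' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

if (-not $partners) {
    Write-Host 'No replication partners found; initial sync is not what is blocking the FSMO roles.'
    return
}

# 3. Refuse to continue if ANY partner is reachable. A live partner means this
#    box is not isolated, and the bypass could put a second FSMO holder online.
foreach ($p in $partners) {
    $probe = Test-NetConnection -ComputerName $p -Port 389 -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        throw "Replication partner $p answers on port 389: this DC is NOT isolated. Aborting."
    }
    Write-Host "$p unreachable (expected in the isolated lab)"
}

# 4. Set the bypass (same value as the .reg file) and restart AD DS.
#    -Force is required because DNS, KDC and other services depend on NTDS.
New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
$since = Get-Date
Restart-Service -Name NTDS -Force
Start-Sleep -Seconds 30   # arbitrary settle time before checking the log

# 5. Any 2092 logged after the restart means the bypass did not take effect.
$after = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092; StartTime = $since } `
    -ErrorAction SilentlyContinue
if ($after) {
    Write-Warning 'Event 2092 is still being logged after the restart; check the Directory Service log.'
} else {
    Write-Host 'No new 2092 events; the FSMO roles should now be held by this DC.'
    netdom query fsmo
}

# 6. When the test is over, remove the value so the bypass does not live on:
#    Remove-ItemProperty -Path $Key -Name $Name
```

The partner probe is the part worth keeping even if you set the value by hand: it turns "make sure and triple sure" into something the script checks before it does anything irreversible.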

Don't even consider setting this on all servers in production to save time. This is a bypass for an isolated recovery scenario, not a setting for regular use: with it in place, a DC takes its FSMO roles at startup without checking whether another DC seized them while it was down, which is exactly the situation the check exists to prevent. Remove the value when the test is over.

Sources: