To prevent this in TFS2005/TFS2008, the options would be:
1. If maintenance is planned for the domain controller, you can stop the TFSServiceScheduler service during this period. Once the domain controller is back up, you can start the service again.
2. Capture the results of the query below on a periodic basis (change YourTFSservername and the port below if necessary):
-------------------------------------------------
SELECT 'tfssecurity /g+' AS Expr1,
       tbl_security_identity_cache_1.sid AS agroup,
       tbl_security_identity_cache.sid AS auser,
       ' /server:http://YourTFSservername:8080/' AS Expr2
FROM tbl_security_membership_cache
INNER JOIN tbl_security_identity_cache
        ON tbl_security_membership_cache.member = tbl_security_identity_cache.sid
INNER JOIN tbl_security_identity_cache AS tbl_security_identity_cache_1
        ON tbl_security_membership_cache.container = tbl_security_identity_cache_1.sid
WHERE (tbl_security_identity_cache_1.type = 4)
  AND (tbl_security_identity_cache_1.sid <> 'S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-3'
       AND tbl_security_identity_cache.deleted <> 1)
-------------------------------------------------
If the issue reoccurs, you can copy the results to a batch file, say Update.bat (remove the column headers etc. and leave only the lines that start with TFSSecurity), and run it from a Visual Studio command line. This will re-add the group memberships for those users in TFS.
3. If you have a recent backup copy of your TFS databases from not long before the issue occurred, you can also restore those databases.
This issue has been resolved in TFS 2010.
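
For option 2, Update.bat is built from database contents and then executed, so it helps to keep only rows that match the exact command shape the query produces. The PowerShell script below is an added example, not part of the original article; the input file name results.txt and the assumption that the saved results hold one row per line with tab- or space-separated columns are hypothetical.

```powershell
# Added example, not from the original article.
# Assumption: the query results were saved to results.txt (hypothetical name),
# one row per line, with columns separated by tabs or spaces.
param(
    [string]$ResultsPath = '.\results.txt',
    [string]$BatchPath   = '.\Update.bat'
)

# Expected row: tfssecurity /g+ <group SID> <member SID> /server:http://host:port/
# Only digits, letters, '.', '-', ':' and '/' are allowed in the variable parts,
# so no cmd.exe metacharacters (& | < > ^ %) can reach the batch file.
$sid     = 'S-1(?:-\d+)+'
$pattern = '^tfssecurity /g\+ {0} {0} /server:https?://[A-Za-z0-9.-]+(?::\d+)?/$' -f $sid

$commands = New-Object 'System.Collections.Generic.List[string]'
$rejected = New-Object 'System.Collections.Generic.List[string]'

foreach ($line in Get-Content -LiteralPath $ResultsPath) {
    # Collapse tabs and column padding into single spaces.
    $row = ($line -replace '\s+', ' ').Trim()
    if ($row -eq '') { continue }
    if ($row -match $pattern) { $commands.Add($row) } else { $rejected.Add($line) }
}

# Headers, separator rows and row counts end up here; review anything else.
foreach ($line in $rejected) { Write-Warning "Skipped: $line" }

if ($commands.Count -eq 0) {
    Write-Warning "No tfssecurity lines found in $ResultsPath; $BatchPath was not written."
    return
}

# ASCII avoids a byte-order mark that cmd.exe would treat as part of the first command.
Set-Content -LiteralPath $BatchPath -Value $commands -Encoding ASCII
Write-Output ("Wrote {0} commands to {1}; skipped {2} lines." -f $commands.Count, $BatchPath, $rejected.Count)
```

Any skipped line other than a header, separator or row-count line means the saved results do not have the expected shape and should be checked before Update.bat is run.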