Forest Root Domain Controller Crash

What fail-safes are in place in Windows 2000 AD in case your forest root domain controller were to crash?  That is, is there some automatic precedence of ranking other servers for one of them to assume the role?  Or is there a way to promote another server to be the forest root domain controller?  Any assistance would be greatly appreciated.  Thanks.
1 Solution
The fail-safes that are in place include being able to transfer the FSMO roles to other domain controllers, and the ability to do authoritative and non-authoritative restores.
W2K is a multi-master modeled network, meaning all DCs are peers; there is no PDC and BDC, only DCs or member servers.

There are 5 master roles assigned to the first DC in a forest and these roles are based on a single-master model and that’s why they're called FSMO (Flexible Single Master Operation) roles.

You can promote another W2K server to a DC by using dcpromo.exe or by using the Configure your Server wizard. If this DC is the only one in the Forest then you will have to fix it or re-install AD on it.

These should help:

HOW TO: Create an Active Directory Server in Windows 2000

HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000

Nothing "assumes" the roles. If you don't have another domain controller in the forest root domain, your only option is a full restore (assuming you have a current, good backup).

If you do have another domain controller in the forest root, you have two choices:

The preferred choice would be to restore the domain controller that crashed. Authoritative vs non-authoritative restore is a moot point - that is primarily used when something is deleted from Active Directory and not when the entire server has crashed.

The second and less preferred choice would be to seize the FSMO role(s) to the remaining controller. This is to be done as a last resort though. You can use the NTDSTIL utility to do it (from the remaining controller) or through Active Directory sites and services.

Creating a new domain controller in the absence of any other existing domain controller will just mess you up.
Thanks for repeating my answer, newbie. He never said anything about not having another DC, so the only thing that is "assuming" is your opinion!

Actually, other DCs do assume roles; you would know that if you knew what you were talking about. Considering it's not NTDSTIL, idiot, it's NTDSUTIL! Damn, I can't stand these know-it-all newbies!

The fact of the matter is, if it's the only DC in the forest and it goes down, any smart administrator would have a backup DC ready to go, in which case he would seize the roles of the crashed DC. On my enterprise all critical production servers are mirrored, so if one goes down nobody even notices the difference; that's how to properly set up redundancy.

And by the way, authoritative DOES matter in this case because he obviously didn't just do a directory backup before it crashed, and if it's the root DC you don't want replication from other DCs to overwrite the settings.

Think before you speak NEWBIE!
First of all, personal attacks are childish and do not belong in forums such as these. If you want the points, I really don't care because I am here to help, not grandstand.

As for your retort-

I am not a newbie, nor am I an idiot, and if you go to Microsoft, or use the product, you will see that what I have written is accurate. I did not repeat your answer; I corrected an inaccuracy you stated and also covered all the situations that mheyer may be in and how to recover from each one. You assumed that backups have been made - that is not necessarily true everywhere. There are small companies with inexperienced administrators where backups aren't made. Sometimes restores fail, which puts him in the same situation as not having a backup at all.

I misspelled ntdsutil, sorry - but that happens...

Authoritative vs non-authoritative restores do not matter if it is the only domain controller, as I stated above. The only difference between the two is that an authoritative restore adds 50000 to the version number of the AD objects to ensure that it appears as the newest, thereby being the newest and having authority over anything on any other domain controller.

To quote from just one of Microsoft's troubleshooting guides:

"Identify the computer holding the RID master role by using the command netdom query fsmo and repair or replace the computer holding the RID master role. It may be necessary to seize the RID master role. Or, resolve the network connectivity problem."

If you notice, there is no "automatic assumption" of any FSMO roles mentioned and never has been. It must be seized or transferred.
mheyer (Author) commented:
Hey guys - thanks for the input. Just for some clarification, to make sure that I am understanding this properly:
Assuming the restore of a backup were not up to date, or if it were to fail, I would be left with a crashed FRDC, in which case I would assume that I couldn't seize the roles from it as it would be down - what then? (That is, no backup media or computer of FRDC, no backup of roles, but other DCs that are not FRDCs.) Would I be screwed at that point? Again, I would assume that a failed FRDC cannot be accessed for seizing the roles, or is the assumption that the FRDC is not working properly, but is in enough of an "up" state that the utility can be used to seize the roles from it, and the roles transferred to another DC?

Again, thanks for your input. I really appreciate it, as I am an experienced NT administrator but am new to W2K AD.
The whole point of seizing the roles is that the DC that has the role is not available. The DC isn't supposed to be online when you seize its role.

If you're an experienced NT admin, then you should know where to go to find this out! I believe we are doing your homework for you, but I'll give you the benefit of the doubt.

Flexible Single Master Operation Transfer and Seizure Process

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

Now, as for the debate with the noob over here: I never said anything about "automatic assumption" of roles; once again the noob is assuming. I said that a DC can assume roles, and they can assume 1 of the 5 FSMO roles or they can assume all 5 roles, depending on the situation. Here, let me help you as well, noob.

Windows 2000 Active Directory FSMO Roles
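The transfer-versus-seize distinction argued over in this thread, written out as an administrator's recovery script. This is an added illustration, not code from any poster or from the Microsoft articles linked above; it assumes a surviving DC named DC2, a crashed forest root DC named DC1, an elevated prompt on DC2 run by an Enterprise Admin, and that ntdsutil accepts its menu commands as quoted command-line arguments.

```powershell
# Added example (not from the thread): check who holds the FSMO roles,
# then TRANSFER (holder reachable) or SEIZE (holder gone) with ntdsutil.
# Assumed names: DC2 = surviving DC, DC1 = crashed forest root DC.

# 1. Which DC currently holds each of the five roles?
#    (same command the thread quotes from Microsoft's troubleshooting guide)
netdom query fsmo

# 2. Preferred path while the current holder is still online: TRANSFER.
#    ntdsutil contacts the holder and hands the role over cleanly, so no
#    two DCs ever believe they own the same role.
ntdsutil "roles" "connections" "connect to server DC2" "quit" `
         "transfer PDC" "quit" "quit"

# 3. Last resort when the holder is down for good: SEIZE.
#    ntdsutil first attempts a transfer; only if DC1 cannot be contacted
#    does it force the role onto DC2. Each seize asks for confirmation.
$roles = "schema master", "domain naming master", "RID master",
         "PDC", "infrastructure master"
foreach ($r in $roles) {
    ntdsutil "roles" "connections" "connect to server DC2" "quit" `
             "seize $r" "quit" "quit"
}

# 4. Verify the new holders. The seized DC1 must never be reconnected
#    as-is: remove its leftovers with ntdsutil "metadata cleanup" and
#    rebuild it with dcpromo so it cannot come back still claiming a role.
netdom query fsmo
```

The schema master and domain naming master are forest-wide, so seizing them is what actually recovers the forest root after the crash; the other three are per-domain and would also need attention in any child domain whose holder was lost.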
Toolkits, go pick your childish fights in teen chat rooms. Like I said earlier, you can have the points. I have nothing to prove in here and am done replying to you about your remarks.

Mheyer -

Your final answer depends on the situation that you have.

Let's get rid of the "what ifs" and deal with what you are really faced with. How many domain controllers did you have in the forest root before the crash? Are there any left that were online when the one you are talking about crashed? Do you have a valid backup of the one that crashed? Have you tried to restore it? Did the restore work?

Once we know that, then we can help you with exactly what you need to do.

Whatever you say noob, err I mean Muffy err um Muff.
mheyer (Author) commented:
Thanks again for all of your help. I am new to Windows 2000 AD, and didn't understand what transferring the roles was all about (I thought that some "data" was being transferred, and thus my confusion as to how you transferred the role/data when the FRDC was down). I have it figured out and all working now. I have successfully migrated to Windows 2000 AD from NT, and this question was more about catastrophe preparedness. Again, thanks for your help.
mheyer (Author) commented:
Thanks again for the help, and the patience with my naivety on the subject.