Forest Root Domain Controller Crash

Posted on 2003-03-06
Medium Priority
Last Modified: 2010-04-13
What fail-safes are in place in Windows 2000 AD in case your forest root domain controller were to crash?  That is, is there some automatic precedence of ranking other servers for one of them to assume the role?  Or is there a way to promote another server to be the forest root domain controller?  Any assistance would be greatly appreciated.  Thanks.
Question by:mheyer
Expert Comment

ID: 8083619
The fail-safes that are in place include being able to transfer the FSMO roles to other domain controllers, and the ability to do authoritative and non-authoritative restores.
W2K is a multi-master modeled network, meaning all DCs are peers; there is no PDC and BDC, only DCs or member servers.

There are 5 master roles assigned to the first DC in a forest and these roles are based on a single-master model and that’s why they're called FSMO (Flexible Single Master Operation) roles.

You can promote another W2K server to a DC by using dcpromo.exe or by using the Configure your Server wizard. If this DC is the only one in the Forest then you will have to fix it or re-install AD on it.

These should help:

HOW TO: Create an Active Directory Server in Windows 2000

HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000


Expert Comment

ID: 8085598
Nothing "assumes" the roles. If you don't have another domain controller in the forest root domain, your only option is a full restore (assuming you have a current, good backup).

If you do have another domain controller in the forest root, you have two choices:

The preferred choice would be to restore the domain controller that crashed. Authoritative vs non-authoritative restore is a moot point - that is primarily used when something is deleted from Active Directory and not when the entire server has crashed.

The second and less preferred choice would be to seize the FSMO role(s) to the remaining controller. This is to be done as a last resort, though. You can use the NTDSTIL utility to do it (from the remaining controller) or through Active Directory Sites and Services.

Creating a new domain controller in the absence of any other existing domain controller will just mess you up.

Expert Comment

ID: 8085900
Thanks for repeating my answer newbie. He never said anything about not having another DC so the only thing that is "assuming" is your opinion!

Actually other DCs do assume roles; you would know that if you knew what you were talking about. Considering it's not NTDSTIL, idiot, it's NTDSUTIL! Damn, I can't stand these know-it-all newbies!

The fact of the matter is if it's the only DC in the forest and it goes down, any smart administrator would have a backup DC ready to go, in which case he would seize the roles of the crashed DC. On my enterprise all critical production servers are mirrored so if one goes down nobody even notices the difference; that's how to properly set up redundancy.

And by the way, Authoritative DOES matter in this case because he obviously didn't just do a directory backup before it crashed, and if it's the root DC you don't want replication from other DCs to overwrite the settings.

Think before you speak NEWBIE!

Expert Comment

ID: 8087068

First of all, personal attacks are childish and do not belong in forums such as these. If you want the points, I really don't care because I am here to help, not grandstand.

As for your retort-

I am not a newbie, nor am I an idiot, and if you go to Microsoft, or use the product, you will see that what I have written is accurate. I did not repeat your answer, I corrected an inaccuracy you stated and also covered all the situations that mheyer may be in and how to recover from each one. You assumed that backups have been made - that is not necessarily true everywhere. There are small companies with inexperienced administrators where backups aren't made. Sometimes restores fail, which puts him in the same situation as not having a backup at all.

I misspelled ntdsutil, sorry - but that happens...

Authoritative vs non-authoritative restores do not matter if it is the only domain controller, as I stated above. The only difference between the two is that an authoritative restore adds 50000 to the version number of the AD objects to ensure that it appears as the newest, thereby being the newest and having authority over anything on any other domain controller.

To quote from just one of Microsoft's troubleshooting guides:

"Identify the computer holding the RID master role by using the command netdom query fsmo and repair or replace the computer holding the RID master role. It may be necessary to seize the RID master role. Or, resolve the network connectivity problem."

If you notice, there is no "automatic assumption" of any FSMO roles mentioned and never has been. It must be seized or transferred.

Author Comment

ID: 8088394
Hey guys - thanks for the input.  Just for some clarification to make sure that I am understanding this properly:
assuming the restore of a backup were to not be up to date, or if it were to fail, I would be left with a crashed FRDC, in which case I would assume that I couldn't seize the roles from it as it would be down - what then?  (that is, no backup media or computer of FRDC, no backup of roles, but other DCs that are not FRDCs).  Would I be screwed at that point?  Again, I would assume that a failed FRDC cannot be accessed for seizing the roles, or is the assumption that the FRDC is not working properly, but is in enough of an "up" state that the utility can be used to seize the roles from it, and the roles transferred to another DC?

Again thanks for your input.  I really appreciate it as I am an experienced NT administrator, but am new to W2K AD.

Expert Comment

ID: 8088687
The whole point of seizing the roles is because the DC that has the role is not available. The DC isn't supposed to be online when you seize its role.

If you're an experienced NT admin, then you should know where to go to find this out! I believe we are doing your homework for you, but I'll give you the benefit of the doubt.

Flexible Single Master Operation Transfer and Seizure Process

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

Now as for the debate with the noob over here, I never said anything about "Automatic Assumption" of roles; once again the noob is assuming. I said that a DC can assume roles, and they can assume 1 of 5 FSMO roles or they can assume all 5 roles depending on the situation. Here, let me help you as well, noob.

Windows 2000 Active Directory FSMO Roles
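As an added example (not posted by anyone in this thread), the decision the replies above describe, written as a PowerShell check: list the five FSMO role holders, test each one over LDAP, and print the ntdsutil seize command line only for roles whose holder is down, so that reachable holders get a transfer rather than a seizure. It assumes the RSAT ActiveDirectory module and Test-NetConnection are available on the admin host (both postdate Windows 2000) and that $TargetDc is the surviving DC.

```powershell
# Added example (not from the thread): list the five FSMO role holders, check
# each one over LDAP, and build the ntdsutil seize command for the roles whose
# holder is down. Assumes the RSAT ActiveDirectory module and Test-NetConnection
# exist on the admin host (both postdate Windows 2000). Nothing here seizes
# anything; it only prints the command line for review.
param(
    [Parameter(Mandatory = $true)][string]$TargetDc  # surviving DC that will take the roles
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Each role mapped to its ntdsutil 'seize' keyword and its current holder.
# Windows 2000's ntdsutil spells the second one 'seize domain naming master'.
$roles = @(
    @{ Name = 'Schema master';         Seize = 'seize schema master';         Holder = $forest.SchemaMaster },
    @{ Name = 'Domain naming master';  Seize = 'seize naming master';         Holder = $forest.DomainNamingMaster },
    @{ Name = 'PDC emulator';          Seize = 'seize PDC';                   Holder = $domain.PDCEmulator },
    @{ Name = 'RID master';            Seize = 'seize RID master';            Holder = $domain.RIDMaster },
    @{ Name = 'Infrastructure master'; Seize = 'seize infrastructure master'; Holder = $domain.InfrastructureMaster }
)

$toSeize = @()
foreach ($r in $roles) {
    # Test LDAP (389) rather than ping: a DC whose directory service is broken
    # may still answer ICMP, and a reachable holder should be transferred, not seized.
    $up = Test-NetConnection -ComputerName $r.Holder -Port 389 `
          -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($up) { 'reachable: transfer, do not seize' } else { 'DOWN: candidate for seizure' }
    '{0,-22} {1,-35} {2}' -f $r.Name, $r.Holder, $state
    if (-not $up) { $toSeize += $r.Seize }
}

if ($toSeize.Count -eq 0) {
    'All role holders answer on LDAP; use transfer (ntdsutil or AD Sites and Services), not seizure.'
} else {
    # ntdsutil takes its interactive menu commands as quoted arguments, so the
    # whole seizure can be expressed as one reviewable line. A DC whose schema,
    # naming or RID role has been seized must never be brought back online.
    $cmd = @('roles', 'connections', "connect to server $TargetDc", 'quit') + $toSeize + @('quit', 'quit')
    "`nReview, then run on $TargetDc only once the old holder is confirmed gone for good:"
    'ntdsutil ' + (($cmd | ForEach-Object { '"' + $_ + '"' }) -join ' ')
}
```

Run it from the surviving DC (or an admin host that can reach it) as an Enterprise Admin; the printed line is the same sequence you would type into the ntdsutil menus by hand.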

Accepted Solution

mfutty earned 150 total points
ID: 8091890
Toolkits, go pick your childish fights in teen chat rooms. Like I said earlier, you can have the points. I have nothing to prove in here and am done replying to you about your remarks.

Mheyer -

Your final answer depends on the situation that you have.

Let's get rid of the "what ifs" and deal with what you are really faced with. How many domain controllers did you have in the forest root before the crash? Are there any left that were online when the one you are talking about crashed? Do you have a valid backup of the one that crashed? Have you tried to restore it? Did the restore work?

Once we know that, then we can help you with exactly what you need to do.


Expert Comment

ID: 8091923
Whatever you say noob, err I mean Muffy err um Muff.

Author Comment

ID: 8395092
Thanks again for all of your help.  I am new to Windows 2000 AD, and didn't understand what transferring the roles was all about (I thought that some "data" was being transferred, and thus my confusion as to how you transferred the role/data when the FRDC was down).  I have it figured out and all working now.  I have successfully migrated to Windows 2000 AD from NT, and this question was more about catastrophe preparedness.  Again thanks for your help.

Author Comment

ID: 8395105
Thanks again for the help, and the patience with my naivety on the subject.
