gllanderas
asked on
Two servers in the same domain are PDC master and Infrastructure master
I have two Windows Server 2003 Standard servers in my network (Server1 and Server2), both domain controllers of the same domain.
The problem is that both say that they are the PDC and Infrastructure master of the domain, and I have problems with the replication.
If I run ntdsutil, then:
ntdsutil: roles
fsmo maintenance: select operation target
select operation target: connection
server connections: connect to server Server1
Binding to Server1 ...
Connected to Server1 using credentials of locally logged on user.
server connections: q
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
select operation target: select site 0
Site - CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
No current domain
No current server
No current Naming Context
select operation target: list domains in site
Found 1 domain(s)
0 - DC=myd,DC=es
select operation target: select domain 0
Site - CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Domain - DC=myd,DC=es
No current server
No current Naming Context
select operation target: list servers for domain in site
Found 2 server(s)
0 - CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
1 - CN=Server2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
select operation target: list roles for connected server
Server "Server1" knows about 5 roles
Schema: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Domain: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
PDC: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
RID: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Infraestructure: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
select operation target: connection
Connected to Server1 using credentials of locally logged on user.
server connections: connect to server Server2
Unbinding de Server1...
Binding to Server2 ...
Connected to Server2 using credentials of locally logged on user.
server connections: q
select operation target: list roles for connected server
Server "Server2" knows about 5 roles
Schema: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Domain: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
PDC: CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
RID: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Infraestructure: CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
As you can see, both say that they are the PDC and Infrastructure master. Any idea how I can solve it?
TIA.
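A check for the disagreement shown in the question, as an added example that is not part of the original thread: it parses ntdsutil role listings captured from each domain controller and reports every FSMO role for which the controllers name different owners. The sample transcript is constructed from the output posted above; the function names, the label alias and the accepted ":" or "-" separators are assumptions.

```python
import re

SUFFIX = "CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es"
ROLES = ("Schema", "Domain", "PDC", "RID", "Infraestructure")  # labels as posted


def make_listing(viewer, owners):
    """Build one constructed role listing in the layout shown in the question."""
    lines = [f'Server "{viewer}" knows about {len(owners)} roles']
    lines += [f"{role}: CN=NTDS Settings,CN={srv},{SUFFIX}"
              for role, srv in owners.items()]
    return "\n".join(lines) + "\n"


# Constructed sample: what each DC reported about the five role owners.
SAMPLE = (
    "select operation target: list roles for connected server\n"
    + make_listing("Server1", dict.fromkeys(ROLES, "Server1"))
    + "server connections: connect to server Server2\n"
    + make_listing("Server2", {**dict.fromkeys(ROLES, "Server1"),
                               "PDC": "Server2", "Infraestructure": "Server2"})
)

VIEW_RE = re.compile(r'^Server "([^"]+)" knows about \d+ roles')
# Role line: "<label>: CN=NTDS Settings,CN=<owner>,..." (":" or "-" separator).
ROLE_RE = re.compile(r"^([A-Za-z ]+?)\s*[:-]\s*CN=NTDS Settings,CN=([^,]+),")
ALIASES = {"infraestructure": "Infrastructure"}  # spelling used in the post


def parse_views(transcript):
    """Return {viewing DC: {role: owning DC}}; a later listing replaces an earlier one."""
    views, viewer = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            viewer = m.group(1)
            views[viewer] = {}
            continue
        m = ROLE_RE.match(line)
        if m and viewer:  # ignore role-like lines seen before any listing header
            label = m.group(1).strip()
            views[viewer][ALIASES.get(label.lower(), label)] = m.group(2)
    return views


def find_conflicts(views):
    """Return {role: {viewing DC: owner}} for roles whose owner differs between DCs."""
    by_role = {}
    for viewer, roles in views.items():
        for role, owner in roles.items():
            by_role.setdefault(role, {})[viewer] = owner
    return {r: v for r, v in by_role.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    for role, seen in sorted(find_conflicts(parse_views(SAMPLE)).items()):
        detail = ", ".join(f"{dc} says {owner}" for dc, owner in seen.items())
        print(f"CONFLICT {role}: {detail}")
```

Each FSMO role has exactly one owner, so any role this reports means the controllers' directory copies have diverged, which matches the replication problem described in the question.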
ASKER
I have tried both things.
I can't transfer the roles because when I connect to Server1 and do:
- Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
- Right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
- Select the domain controller Server1 and press OK.
- Right-click the Active Directory Users and Computers icon again and press Operation Masters.
- Select PDC and click on Change
Then I obtain an error saying (I have the Spanish version of Windows, so I will translate the message to English):
'Current domain controller is the operation master. To transfer the function of operation master to another server, you must connect to it first.'
And the same occurs when I do it to the Server2 server.
If I try to force the transfer then:
ntdsutil: roles
fsmo maintenance: connection
server connections: connect to server Server1
Binding to Server1 ...
Connected to Server1 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize pdc
[I receive a warning window and I confirm the seize]
Are you sure you want server "Server1" to seize the domain naming role with the value below?
CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Attempting safe transfer of PDC FSMO before seizure.
Transfer of PDC FSMO success. It is not necessary to seize.
Server "Server1" knows about 5 roles
Schema: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Domain: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
PDC: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
RID: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Infraestructure: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
fsmo maintenance: connection
Connected to Server1 using credentials of locally logged on user.
server connections: connect to server Server2
Unbinding de Server1...
Binding to Server2 ...
Connected to Server2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize pdc
[I receive a warning window and I confirm the seize]
Are you sure you want server "Server2" to seize the domain naming role with the value below?
CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Attempting safe transfer of PDC FSMO before seizure.
Transfer of PDC FSMO success. It is not necessary to seize.
Server "Server2" knows about 5 roles
Schema: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Domain: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
PDC: CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
RID: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
Infraestructure: CN=NTDS Settings,CN=Server2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=myd,DC=es
try this
You must use Ntdsutil.exe to seize the schema master, domain naming master, and RID master roles. When you use Ntdsutil.exe to seize an operations master role, it first attempts a transfer from the current role owner. If the current role owner is unavailable, it performs the seizure.
In the Run dialog box, type ntdsutil and press ENTER.
At the ntdsutil: prompt, type roles and press ENTER.
At the fsmo maintenance: prompt, type connections and press ENTER.
At the server connections: prompt, type connect to server servername, where servername is the name of the domain controller that will assume the operation master role, and press ENTER.
After you receive confirmation of the connection, type quit and press ENTER to exit the menu.
Role: RID Master. Credentials: Domain Admins. Command: seize rid master
The system asks for confirmation. It then attempts to transfer the role. When the transfer fails, some error information appears and the system proceeds with the seizure. After the seizure is complete, a list of the roles and the LDAP name of the server that currently holds each role appears.
During seizure of the RID master, the current role holder attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and confirms that you want the role seizure to proceed. Click Yes to proceed.
Type quit and press ENTER. Type quit and press ENTER to exit ntdsutil.exe.
---------
To get rid of the old Snark object, you should clean up this metadata. Use the following procedure:
If you give the new domain controller the same name as the failed computer, then you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller.
At the command line, type ntdsutil and press ENTER.
At the ntdsutil: prompt, type metadata cleanup and press ENTER.
At the metadata cleanup: prompt, type connections and press ENTER.
At the server connections: prompt, type connect to server servername, where servername is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press ENTER.
Type quit and press ENTER to return you to the metadata cleanup: prompt.
Type select operation target and press ENTER.
Type list domains and press ENTER. This lists all domains in the forest with a number associated with each.
Type select domain number, where number is the number corresponding to the domain in which the failed server was located. Press ENTER.
Type list sites and press ENTER.
Type select site number, where number refers to the number of the site in which the domain controller was a member. Press ENTER.
Type list servers in site and press ENTER. This will list all servers in that site with a corresponding number.
Type select server number and press ENTER, where number refers to the domain controller to be removed.
Type quit and press ENTER. The Metadata cleanup menu is displayed.
Type remove selected server and press ENTER.
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed from the domain controller.
Type quit, and press ENTER until you return to the command prompt.
ASKER
It doesn't work either, denzmor.
I have tried to transfer and to seize the PDC and the Infrastructure functions to both servers.
One thing, Server1 is the DNS server, and:
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Server1
Primary DNS Suffix . . . . . . . : myd.es
Node Type . . . . . . . . . . . . : unknow
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : myd.es
Ethernet adapter Conexión de área local:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
Physical Address. . . . . . . . . : ??-??-??-??-??-??
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
And for Server2:
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Server2
Primary DNS Suffix . . . . . . . : myd.es
Node Type . . . . . . . . . . . . : unknow
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : myd.es
Ethernet adapter Conexión de área local:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : ??-??-??-??-??-??
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.2
I think your simplest solution, though maybe not the best, is going to be demoting one of the servers to a member server, seize roles on the DC that is left, then DCpromo the other server back as a DC. By running DCpromo it should force the server to give up the roles.
ASKER
All right, I was scared about this solution (demoting and promoting the second server again), but it seems that there isn't another choice.
I have done it and now I have both computers working as domain servers with a single PDC emulator master and Infrastructure master. I have had to delete a lot of things by hand after doing the dcpromo /forceremove. The only error that appears in the Directory Service is an NTDS Replication error (ID 1411), but I will look at it next week. :-)
Thank you very much for your help.
Mazaraat, Server2 is not a DNS server; Windows didn't install it when I promoted it to domain server. This is why it has 192.168.1.2 as primary DNS server. However, I must configure it as a secondary DNS server.
ahhhh, OK that explains it =) Glad we could help!
Gary
If it lists both, try forcing the transfer from the server that SHOULD have them:
http://www.petri.co.il/seizing_fsmo_roles.htm