[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 847
  • Last Modified:

Transferring FSMO server roles

The client has 2 x servers, PDC (all 5 roles) and BDC
As the PDC will be replaced with a new server shortly, I dediced to transfer the FSMO roles to the "BDC" server, making it the PDC.
I transferred the following roles successfully, RID, PDC & Domain Naming Master
(I received a message after each role was transferred, that the operation was completed successfully)

The problem is, if I check the server roles (after the transfer), it shows "ERROR" at all three these roles - as being transferred.  

Because of the "ERROR" status, It is not allowing me to undo the transfer either
(transferring the roles back is not possible)

1.  Could this be a DNS issue?  Is there a quick way to make sure that the DNS is correct?
2.  Why would I have received the message that the processes were completed successfully, if something went wrong in the back-ground?
2.  The last resort would be to Seize the roles, and I would much rather try a few alternatives, before going that route ...

Any help will be appreciated.  
Regards
0
Rupert Eghardt
Asked:
Rupert Eghardt
  • 17
  • 16
  • +1
1 Solution
 
MidnightOneCommented:
Use NTDSUTIL on botht he DCs to see what each of them thinks the role-holders are first. Once that's known we can figure out how to proceed.
0
 
Netman66Commented:
Is the second DC a Global Catalog?  Have you pointed your servers and clients to the remaining DNS server?

What happened to the Infrastructure and Schema Master roles?  You'll have to seize those now.

0
 
kmotawehCommented:
this be a DNS issue or a global catalouge one
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
Rupert EghardtAuthor Commented:
Ok Guys, I've done the following:
1.  Transferred the Schema Master to the new PDC
2.  Transferred the Infrastructure Master to the new PDC
3.  I've also made the new PDC a Global Cateloque

If I connect to the old DC, it still shows an error under the RID, PDC and Infrastucture tabs
However, If I connect to the new DC, it does recognise that the roles has been transferred and shows the RID, PDC, Infrastructure, DNM and SM to be on the new DC

Using NTDSUTIL I cannot connect to the new DC ...
Get an error message:  "DSBindW error 0x6b9 (The RPC server is unavailable)"

However, when I try to connect to the old DC, I can connect to it via NTDUTIL and view the server roles:
It identifies that Schema, Domain, PDC, RID and ISM is with the new server.  CN=new server

Problems:
1.  Previous DC shows all roles as ERROR
2.  Cannot connect to new PDC via NTDSUTIL because of RPC error, but connecting to the old DC, shows that roles are with new PDC?



0
 
Rupert EghardtAuthor Commented:
DNS:
My DNS still runs on the old DC
My new PDC points to the DNS on the old DC (no other DNS settings defined on new PDC)
0
 
Netman66Commented:
Now is the time you remove the old DC.

You likely can't DCPROMO it cleanly out - but try first.
If it doesn't run properly, then simply remove it from the network and do the following:

1) Delete all DNS records for the old server.
2) Delete the Account from AD.
3)  Delete the account from AD Sites and Services.
4)  Do a Metadata Cleanup using this: http://support.microsoft.com/kb/216498

0
 
Rupert EghardtAuthor Commented:
I see when running DCDIAG on the new DC it also reports a problem with the RPC
Get an error message:  "DSBindW error 0x6b9 (The RPC server is unavailable)"

Should I not try to fix this error first, before breaking the old DC away from the domain?
0
 
Netman66Commented:
It's got a binding error most likely due to the fact that DNS is still referring the tools to a server that is not functioning.

By removing the server and cleaning up you should fix this problem.

0
 
Rupert EghardtAuthor Commented:
I will create a new DNS server on the new DC server.
This should give me an indication whether the problem is DNS/old server related.

If all proves well, I will then break away the old DC.
0
 
Netman66Commented:
That's really not going to help you.  DNS will replicate from the other servers - bringing with it all the entries for the old machine.  It's not likley going to be of any value to you.

If there's nothing left on that machine, shut it down and clean up DNS and AD - there's nothing evil in that.

0
 
Rupert EghardtAuthor Commented:
The client had Exchange installed on the old DC
We had setup a new Exchange server in the meantime, but I was reluctant to break away the DC as then access to the old Exchange boxes will no longer be possible.
0
 
Netman66Commented:
That changes things a bit....

When you change the role of that server (DC to non-DC or vice-versa) you will break Exchange.  It's an unsupported process.

Make sure you don't need that Exchange install before you rip out that server.

0
 
Rupert EghardtAuthor Commented:
OK, here's the result;
I ran NTDSUTIL, and tried to transfer / seize the roles
Every time I was prompted that the roles were successfully moved, and will not be seized, however when checking the old DC server, is still indicated ERROR at RID, PDC and ISM

* I used the method of metadata cleanup and deleted the server from the AD

:-) Everything seemed fine, I checked the roles on the new DC server = all OK

:-( However, the problem occurred after restart, logged in successfully, but won't open AD users & computer
Gives the following message:
----------------------------------------------------------
Naming information cannot be located because:
The specified domain either does not exist or could not be contacted Contact your system administrator to very that your domain is properly configured and is currenlty online
----------------------------------------------------------
I don't have any operational DC now, please help!

Regards
0
 
Netman66Commented:
This is DNS now.

Are all the DCs registered correctly in DNS?
Point all the servers to a DNS server you have local.
Restart the Netlogon service on them.
Run ipconfig /registerdns from each as well.

If you want, I can remote in and fix this easily.  You can contact me at my alias here at gmail.
0
 
Rupert EghardtAuthor Commented:
This DC is unfortunately not open on the internet ..

Yes, the previous DNS was on the old DC, which is now seperated ..
Can I point the new DC to a DNS server on a different domain on the LAN?
If I point the server to the DNS and run the ipconfig /registerdns will it update the server in the DNS on the other domain?

Should I restart Netlogon on the DNS server as well as the new DC?
0
 
Netman66Commented:
No.

I thought I mentioned making sure you had another DNS server?

You'll need to install DNS on another DC in your domain, then recreate the zones as follows:

Forward Lookup Zone:

_msdcs.yourdomain.local  << replace youdomain.local with the DNS suffix of the DC.
>> this is a Primary zone, AD Integrated, replicates to all dns servers in the forest.  If you have this zone on another dns server in the forest then don't create it as it should recreate from the other servers.

yourdomain.local  << same applies to the name of this zone.
>> this is a Primary zone, AD Integrated, replicates to all dns servers in the domain.

Reverse Lookuo Zone:

create one for your subnet.
Primary, ADI and replicates to all dns servers in the domain.

Once everything is done and the _msdcs zone is there, follow the last post to get the servers registered.
0
 
Rupert EghardtAuthor Commented:
I have installed DNS on the new DC server
Created the zones as indicated above
Ran the registerdns command

I restarted the server, and tried to access AD Users & Computers
Got an error message "Naming information cannot be located"
"The specified domain either does not exsit or could not be contacted"

AD opened with no objects ...

I then closed AD and tried re-opening, then it worked.

When I double click on the build-in group (members) it gave me an error that some file was deleted, this also is an intermittant problem and occurs every now and then.

I also did the following tests:
nltest /dclist:domain.local
= cannot find DC to get DC list from status = 1355 0x546 error_no_domain

nltest /user:"user"
= cannot open SAM\SAM\domains\account\users\names\"user"
status = 2 0x2 error_file_not_found

* All above errors were very intermittant and sometimes didn't show up ...
I just believe that the DC is not stable and that I need to rectify somewhere?

0
 
Netman66Commented:
Inside the _msdcs zone what containers are listed?  It sounds like all the SRV records aren't being registered.

0
 
Rupert EghardtAuthor Commented:
Yes, you are right, the SRV records are NOT being registered correctly.  I checked the _msdcs zone and there is no records registered under it.
I deleted the zone and re-created ... still no success.

I tried a few more options:
dcdiag /fix (give error about gc not found)
netdiag / fix (command completed successfully)
stop / started netlogon service
ipconfig /registerdns
compared the domain name as part of the suffix for the computer name = correct
confirmed that the dns settings is correct in the TCP/IP properties (set a primary)

It is possible to populate the entries manually?
I've seen a few sites talking about the netlogon.dns file .. but not too sure how this will work?

0
 
Netman66Commented:
To register the records - ensure the zone is AD Integrated, Accepts Secure Dynamic Updates and replicates to all DNS servers in the Forest.

Ensure all your server only point to your DNS server.
On the NIC of each server in the Properties>Advanced section of TCP/IP on the DNS tab, ensure the checkbox is there for register in DNS and that the DNS suffix for this connection is not filled in (blank).
Restart the Netlogon service on each server.
Run IPCONFIG /flushdns and IPCONFIG /registerdns on each server.
See if the records get created.

If not, there is a registry entry that's corrupt and we'll need to recreate it.
0
 
Netman66Commented:
I should add that a SINGLE-LABEL domain name will not register with DNS by default.

See this:
http://support.microsoft.com/kb/300684
0
 
Rupert EghardtAuthor Commented:
I've noticed that ..
But the internal domain name is:  hosa.local (which shouldn't cause a problem)
I neglected to mention that I've tried the nslookup tool, which only reported "unknown domain"

I saw on another forum that the netlogon.dns file holds the records to be added to the DC zone.
How to I know which of those records must be added in the "A" record, PTR, SRV record fields?
0
 
Rupert EghardtAuthor Commented:
To register the records -

1.  Ensure the zone is AD Integrated (HOW DO I CONFIRM THIS?  When I deleted the initial entry, it prompted me:  as it was going to be deleted from the AD as well ...)  I then recreated the zone after removal.

2.  Accepts Secure Dynamic Updates (CONFIRMED = OK)

3.  Replicates to all DNS servers in the Forest (ONLY ONE MORE DNS SERVER IS AVAILABLE, but on another internet domain)  This is a trust-relationship between the two domains.  How do I check replication, does it matter, as it's on a different domain / forest?

4.  The server points to DNS server on the DC as primary, and as secondary to the other DNS on the other internal domain.

5.  I WILL HAVE TO CONFIRM THIS:  On the NIC of each server in the Properties>Advanced section of TCP/IP on the DNS tab, ensure the checkbox is there for register in DNS and that the DNS suffix for this connection is not filled in (blank).

Restart the Netlogon service on each server.
Run IPCONFIG /flushdns and IPCONFIG /registerdns on each server.
See if the records get created.
(HAVE DONE THIS A COUPLE OF TIMES, BUT WILL REDO)

If not, there is a registry entry that's corrupt and we'll need to recreate it.
0
 
Netman66Commented:
When you right click a zone and select Properties, there are some option near the top of the applet with buttons beside them.

One is for Type (Integrating with AD), one is for replication scope and the other to pause the service.

If the other DNS server is NOT part of this forest then remove it from the NICs DNS settings.  Setup the Forwarder tab on the properties of your DNS server to use the ISP as a secondary.  You can also add the other domain as a Conditional Forwarder.

 
0
 
Rupert EghardtAuthor Commented:
OK,  I confirmed that:
1.  Zone is integrated with AD (Type: Active Directory-Integrated)
2.  Replication shows (All DNS servers in Active Directory forest)
3.  I've removed the secondary DNS setting from the network interface(s)
4.  Set to dynamic non-secure and secure updates
5.  Checkbox is ticked for "register in DNS" and the DNS suffix for both connections (blank).
6.  Restarted the netlogon service / did (ipconfig / flushdns, ipconfig /registerdns, nltest /dsregdns)

* The forward lookup zone (I manually created)  "_msdcs.hosa.local" still DOESN'T UPDATE.

What is the registry change that I can try?
0
 
Netman66Commented:
Make sure the DHCP Client service on your servers is set to Automatic and is started - this service is responsible for registering in DNS.

I'll find the registry settings and post.
0
 
Rupert EghardtAuthor Commented:
We are not running DHCP on the server, all client computers are static IP's.
Will this create the problem of not being able to automatically register DNS?
0
 
Netman66Commented:
The DHCP Client service has nothing to do with DHCP addressing, yes it will cause this problem.  

Open Services.msc and look for that service - start it if it's stopped, set it to Auto.
This service is on both servers and workstations.

If you need to start it, then reregister the SRV records as in your step 6 above.
0
 
Netman66Commented:
If it's running, then follow this article and delete and recreate the registry keys specified in the text.  Even if they are there and look correct I still want you to write down the key names, types and values one by one and delete and recreate them manually.

Again, after this is done follow step 6 from your second last post to register the records.
0
 
Netman66Commented:
0
 
Rupert EghardtAuthor Commented:
The DCHP client is running and was set to auto.
I am doing the registry edit now ...
0
 
Rupert EghardtAuthor Commented:
I recreated the following keys as in the article:
- Domain, Hostname, NV Domain, NV Hostname
The Domain and NV domain was different, before I deleted and recreated it.

Again I restarted the netlogon service / did (ipconfig / flushdns, ipconfig /registerdns, nltest /dsregdns)

Is it possible to ISA or other programs binding to the network adapters could prevent the DNS registration?  However, I stopped all services related to ISA, etc. and retried the above,
No luck still ...
0
 
Netman66Commented:
You have ISA on a DC?

If so, that's unsupported and this is one reason why...

The domain name in those keys should have matched the DNS suffix of the domain - and so should the zones in DNS.
0
 
Rupert EghardtAuthor Commented:
Yes, the domain name in the keys matches the DNS suffix and so does the zones in DNS.
0
 
Netman66Commented:
Wow....I'm stumped.

If you want me to remote in, I can look at it for you tonight.

This has me puzzled.

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 17
  • 16
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now