Seizing FSMO roles

Posted on 2008-10-25
Last Modified: 2008-10-25
When attempting to transfer all the FSMO roles from one DC to another (currently 1 DC holds all roles) because the AD is corrupted on the DC that holds all the roles...

I log on to the good DC that I want to transfer the FSMO roles to, and upon attempting the transfer it gives me an error that it cannot transfer the role because it cannot contact the role holder.

Does that mean my only option is to seize the roles? If I do that, I've heard that the original DC that held the FSMO roles can never be brought back online?

Is this the case even if I run metadata cleanup? The machine I seize the roles from can't be dcpromo /forceremoval and be promoted again back online?

Please advise. Thanks!
Question by:digi_net
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 22802041
Yes - if you seize the roles then you MUST NOT connect the original role holder back onto the domain - even after a metadata cleanup - until you have at least removed its domain controller role. Normally just rebuild the machine, or you could do a DCPROMO /forceremoval (while it is physically disconnected), and then DCPROMO it again back into the domain.
0
 

Author Comment

by:digi_net
ID: 22802100
Should I seize the roles first or do the dcpromo /forceremoval first?

Do I need to do the metadata cleanup on all good DC?

After doing the dcpromo /forceremoval while it is physically unplugged on the bad DC, can I then reboot it and keep its same computer name and then promote it again to a DC after the reboot? Is there any other thing I need to do?


Thanks!





0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 900 total points
ID: 22805085
Seize the roles, then you can do the dcpromo /forceremoval. Honestly, it doesn't matter which; this is the procedure I do myself.

You need to do a metadata cleanup on the DC you seize the roles to.

After doing the metadata cleanup, go through DNS to make sure you don't have any records still listed for the failed DC. Remove the DC from the domain, then join back to the domain. Make sure the primary DNS is pointing to a working DC. You can then dcpromo to promote to a DC.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
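A read-only check for the end state the answer above describes (roles seized, metadata cleaned up, DNS free of the failed DC), as an added example that is not part of the original thread. It assumes the ActiveDirectory and DnsServer PowerShell modules, which ship with later Windows Server releases than this 2008 thread; the DC name, DNS server and zone names are hypothetical placeholders.

```powershell
# Added example: read-only check after seizing roles and running metadata cleanup.
# Placeholder names below are assumptions, not values from the thread.
Import-Module ActiveDirectory, DnsServer

$FailedDc  = 'DC1'            # hypothetical name of the failed DC
$DnsServer = 'DC2'            # hypothetical healthy DC that also runs DNS
$Zones     = 'corp.example', '_msdcs.corp.example'   # hypothetical zones

# 1. Every FSMO role should now be reported on a surviving DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$staleRoles = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$FailedDc.*" })

# 2. After metadata cleanup the failed DC should no longer be listed as a DC.
$staleDc = @(Get-ADDomainController -Filter "Name -eq '$FailedDc'")

# 3. No DNS record should be owned by, or point at, the failed DC.
$staleDns = @(foreach ($zone in $Zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
        Where-Object {
            $d = $_.RecordData
            $_.HostName -eq $FailedDc -or
            $d.DomainName    -like "$FailedDc.*" -or
            $d.NameServer    -like "$FailedDc.*" -or
            $d.HostNameAlias -like "$FailedDc.*"
        } | Select-Object @{n='Zone';e={$zone}}, HostName, RecordType
})

# Report anything left over; print a single line when the directory and DNS are clean.
$staleRoles | ForEach-Object { "FSMO role $($_.Key) still reported on $($_.Value)" }
$staleDc    | ForEach-Object { "DC object still present: $($_.HostName)" }
$staleDns   | ForEach-Object { "DNS $($_.RecordType) record '$($_.HostName)' in $($_.Zone)" }
if (-not ($staleRoles.Count + $staleDc.Count + $staleDns.Count)) {
    "No remaining references to $FailedDc found."
}
```

Same-as-parent A records carry only an IP address, so they are not matched by name here; check those against the failed DC's address separately.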
LVL 70

Assisted Solution

by:KCTS
KCTS earned 600 total points
ID: 22805114
If the first DC is dead then disconnect it from the domain - it does not matter then what order you do the processes in. Once the old DC has been removed from the domain, you can add it back in with the same name - however I would err on the safe side and rebuild the machine from new by re-installing Windows again to make sure that Windows itself was in good condition.
0
 

Author Comment

by:digi_net
ID: 22805263
So if I have 3 domain controllers and 1 is the down one, I only have to perform the metadata cleanup on one of the good DCs left, or on both of the 2 DCs that are still good? Thanks.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22805266
Just one of the good ones. The best one to run the metadata cleanup on is the PDC emulator. You want to remove any reference to the failed DC.
0
