  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1230

Seizing FSMO roles

When attempting to transfer all the FSMO roles from one DC to another (currently 1 DC holds all roles) because the AD is corrupted on the DC that holds all the roles...

I log on to the good DC that I want to transfer the FSMO roles to, and upon attempting to transfer it gives me an error that it cannot transfer the role because it cannot contact the role holder.

Does that mean my only option is to seize the roles? If I do that, I've heard that the original DC that held the FSMO roles can never be brought back online?

Is this the case even if I run metadata cleanup? The machine I seize the roles from can't be dcpromo /forceremoval'd and be promoted again back online?

Please advise. Thanks!
Asked by digi_net

2 Solutions
 
KCTS commented:
Yes - if you seize the roles then you MUST NOT connect the original role holder back onto the domain - even after a metadata cleanup - until you have at least removed its domain controller role - normally just rebuild the machine - or you could do a DCPROMO /forceremoval (while it is physically disconnected), and then DCPROMO it again back into the domain
 
digi_net (Author) commented:
Should I seize the roles first or do the dcpromo /forceremoval first?

Do I need to do the metadata cleanup on all good DCs?

After doing the dcpromo /forceremoval while it is physically unplugged on the bad DC, can I then reboot it and keep its same computer name and then promote it again to a DC after the reboot? Is there any other thing I need to do?

Thanks!
 
Darius Ghassem commented:
Seize the roles, then you can do the dcpromo /forceremoval. Honestly it doesn't matter, but this is the procedure I do myself.

You need to do a metadata cleanup on the DC you seize the roles to.

After doing the metadata cleanup, go through DNS to make sure you don't have any records still listed for the failed DC. Remove the DC from the domain, then join it back to the domain. Make sure the primary DNS is pointing to a working DC. You can then dcpromo to promote it to a DC.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
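The sequence described in this answer (seize, verify, metadata cleanup, then hunt for stale DNS records), as an added PowerShell example that is not part of the thread or of any Microsoft documentation. It assumes Windows Server 2008 R2 or later with the ActiveDirectory and DnsServer modules, that the failed DC is already physically disconnected, and that the names, site and IP address in the variables are placeholders you replace with your own.

```powershell
# Added example: seize all five FSMO roles onto a surviving DC, confirm the
# new holders, run metadata cleanup for the dead DC, and list DNS records
# that still refer to it. Run elevated on the surviving DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$GoodDC   = 'GOODDC01'                 # placeholder: surviving DC taking the roles
$FailedDC = 'BADDC01'                  # placeholder: DC with the corrupt AD database
$FailedIP = '192.0.2.10'               # placeholder: the failed DC's old address
$Site     = 'Default-First-Site-Name'  # placeholder: AD site of the failed DC
$ConfigDN = (Get-ADRootDSE).configurationNamingContext

# 1. Seize rather than transfer: -Force skips the attempt to contact the
#    unreachable current holder that produced the error in the question.
Move-ADDirectoryServerOperationMasterRole -Identity $GoodDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 2. Verify every role now names the surviving DC before going further.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 3. Metadata cleanup: remove the failed DC's server and NTDS Settings objects.
#    ntdsutil also removes the related replication links and cross-references.
$ServerDN = "CN=$FailedDC,CN=Servers,CN=$Site,CN=Sites,$ConfigDN"
ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# 4. Find leftover A, SRV, NS and CNAME records that still point at the dead DC.
$Zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
foreach ($Zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $Zone.ZoneName |
        Where-Object {
            $_.HostName -eq $FailedDC -or
            ($_.RecordData.IPv4Address   -and $_.RecordData.IPv4Address.IPAddressToString -eq $FailedIP) -or
            ($_.RecordData.DomainName    -and $_.RecordData.DomainName    -like "$FailedDC.*") -or
            ($_.RecordData.NameServer    -and $_.RecordData.NameServer    -like "$FailedDC.*") -or
            ($_.RecordData.HostNameAlias -and $_.RecordData.HostNameAlias -like "$FailedDC.*")
        } |
        Select-Object @{ n = 'Zone'; e = { $Zone.ZoneName } }, HostName, RecordType, RecordData
}
# Review the listed records and delete the stale ones with Remove-DnsServerResourceRecord.
```

Do not run step 1 while the old role holder can still reach the network; a seized role that later reappears on a reconnected DC causes the duplicate-holder condition the thread warns about.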
KCTS commented:
If the first DC is dead then disconnect it from the domain - it does not matter then what order you do the processes in. Once the old DC has been removed from the domain, you can add it back in with the same name - however I would err on the safe side and rebuild the machine from new by re-installing Windows again, to make sure that Windows itself is in good condition
 
digi_net (Author) commented:
So if I have 3 domain controllers and 1 is the down one, do I only have to perform the metadata cleanup on one of the good DCs left, or on both of the 2 DCs that are still good? Thanks.
 
Darius Ghassem commented:
Just one of the good ones. The best one to run the metadata cleanup on is the PDC emulator. You want to remove any reference to the failed DC.