Solved

Seizing FSMO roles

Posted on 2008-10-25
6
1,225 Views
Last Modified: 2008-10-25
When attempting to transfer all the FSMO roles from one DC to another (currently 1 DC holds all roles) because the AD is corrupted on the DC that holds all the roles...

I log on to the good DC that I want to transfer the FSMO roles to and upon attempting to transfer it gives me an error that tt can not transfer the role because it can not contact the role holder.  

Does that mean my only option is to seize roles?  If I do that , I've heard that the computer that the original DC that held the FSMO roles can not never be brought back online?

Is this the case even if I run metadata clean up?  The machine i seize the roles from can't be dcpromo /forceremoval and be promoted again back online?

Please advice.  Thanks!
0
Comment
Question by:digi_net
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 22802041
Yes - if you seize the roles then you MUST NOT connect the original role holder back onto the domain - even after a metadata cleanup intil you have at least removed its domain controller role - normally just rebuild the machine - or you could do a DCPROMO /forceremoval (while is is physcially disconnected), and then DCPROMO it again back into the domain
0
 

Author Comment

by:digi_net
ID: 22802100
Should I seize the roles first or do the dcpromo /forceremoval first?

Do I need to do the metadata cleanup on all good DC?

After doing the dcpromo /forceremoval while it is physically unplugged on the bad dc, can I then reboot it and keep its same computer name and the promote it again to a DC after the reboot?  Is there any other thing I need to do?


Thanks!





0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 300 total points
ID: 22805085
Seize the roles then you can do the dcpromo /forceremoval. Honestly it doesn't matter what this is the proceed I do myself.

You need to do a metadata cleanup on the DC you seize the roles too.

After doing the metadata cleanup go through DNS to make sure you don't have any records still listed for the failed dc. Remove the DC from the domain then join back to the domain. Make sure the primary DNS is pointing to a working DC. You can then dcpromo to promote to a dc.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 200 total points
ID: 22805114
If the first DC is dead then disconnect it from the domain - it does not matter then what order you do the processes in. You once the old DC has been removed from the domain then  you can add it back in with the same name - however I would err on the safe side and rebuild with machine from new by re-installing windows again to make sure that windows itself was in good condition
0
 

Author Comment

by:digi_net
ID: 22805263
So if I have 3 domain controllers and 1 is the down one.  I only have to perform the metadata clean up on one of the good dc left or both 2 dc that are still good?  thanks.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22805266
Just one of the good ones. The best one to run the metadata cleanup on is the PDC emulator. You want to remove any reference of the failed dc.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question