  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 642

Seize the FSMO Roles from a Disconnected Domain Controller

I have 2 DCs in 2 different sites. One DC is Schema + Domain Naming Master; the other DC has the 3 remaining roles (I believe I need at least 2 DCs in each site, though).
For now my questions are:

1- If a DC that holds any of the FSMO roles crashes + the network connection goes down, can I still seize the roles from the other DC that is in another site?
2- Can a site still work if the DC in that site has no FSMO roles at all and is completely disconnected from the other site?

Thanks
0
Asked by: jskfan
4 Solutions
 
Darius Ghassem Commented:
Yes, you can seize the roles.

http://www.petri.co.il/seizing_fsmo_roles.htm

Once you seize the roles you need to do a metadata cleanup on AD.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Make sure you remove all DNS records for this failed DC.

The clients should now be pointed to the other site's DC for DNS resolution if there isn't another DC in their site, which will make them authenticate to the DC in the other site.
0
 
Hardeep_Saluja Commented:
Answers to your questions:
1- If a DC that holds any of the FSMO roles crashes + the network connection goes down, can I still seize the roles from the other DC that is in another site?
Yes, whatever happens (the network goes down, the FSMO server crashes), you can still seize the FSMO roles on a working server.

2- Can a site still work if the DC in that site has no FSMO roles at all and is completely disconnected from the other site?
Yes, the site can work; transfer or seize FSMO to the other server.
Make sure you have at least 1 Global Catalog in each site for things to work.

After you seize the FSMO roles, verify that the new server has all FSMO roles by running the following command, if you have the support tools (download the support tools from the Microsoft website):
netdom query fsmo

If you plan to demote the old crashed server, run a metadata cleanup of the old server and remove all its entries from DNS as well as adsiedit.msc (available in the support tools).

Hope all this info helps you :)
0
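
The answer above recommends checking role placement with netdom query fsmo after a seizure. As an added example (not part of any post in this thread), the PowerShell below parses that command's output and flags any role still recorded on the failed DC or missing from the listing. The function names are hypothetical, and the host names and sample output are constructed.

```powershell
# Added example. Function names are hypothetical; host names are constructed.
$FsmoRoles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'

function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    # netdom prints one role per line: "<role name>   <holder FQDN>".
    $pattern = '^\s*(?<role>' + ($FsmoRoles -join '|') + ')\s{2,}(?<holder>\S+)\s*$'
    $found = @{}
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $found[$Matches['role']] = $Matches['holder'].ToLowerInvariant()
        }
    }
    return $found
}

function Test-FsmoPlacement {
    param([string[]]$Lines, [string]$SurvivingDc, [string]$FailedDc)
    $found = ConvertFrom-NetdomFsmo -Lines $Lines
    foreach ($role in $FsmoRoles) {
        $holder = $found[$role]
        if (-not $holder) {
            $state = 'NOT REPORTED'          # role line absent from the output
        } elseif ($holder -eq $FailedDc.ToLowerInvariant()) {
            $state = 'STILL ON FAILED DC'    # seizure for this role did not take
        } elseif ($holder -eq $SurvivingDc.ToLowerInvariant()) {
            $state = 'OK'
        } else {
            $state = 'UNEXPECTED HOLDER'     # some third DC holds the role
        }
        [pscustomobject]@{ Role = $role; Holder = $holder; State = $state }
    }
}

# Constructed sample output; on a real DC use: $out = netdom query fsmo
$out = @'
Schema master               dc2.corp.example
Domain naming master        dc2.corp.example
PDC                         dc2.corp.example
RID pool manager            dc2.corp.example
Infrastructure master       dc1.corp.example
The command completed successfully.
'@ -split '\r?\n'

$report = Test-FsmoPlacement -Lines $out -SurvivingDc 'dc2.corp.example' -FailedDc 'dc1.corp.example'
$report | Format-Table -AutoSize
if ($report.State -ne 'OK') { Write-Warning 'Not every role is on the surviving DC.' }
```

With the constructed sample, four roles report OK and the Infrastructure master is flagged as still on the failed DC.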
 
tigermatt Commented:

If you simply have a trivial failure like the loss of a network connection, DO NOT seize the FSMO roles. The DC is presumed to still be in working order; as such, a seizure of these roles will wreak havoc on the domain.

FSMO seizures should only take place in extreme circumstances, such as if a DC fails; if you seize roles from it, you must format the box and rebuild it as it can never be reconnected to the network.

-Matt
0
 
Americom Commented:
Before you seize the FSMO roles, make sure you know that once you have seized any of the FSMO roles (except the PDCe), you will have to trash the AD completely on that DC. So, before you seize any of the FSMO roles, you may want to see if you can reasonably get your network connection back online first. Hopefully, while your network is not connected, if you have at least one DC with GC at each site, you may be able to afford to run without issue until you have your network connected again.
0
 
Americom Commented:
Sorry for the collision Matt.
0
