DC/FSMO

YOlanie_Visser
Hi Guys,

I have run into a bit of an issue. 8 days ago I lost one of the Domain controllers, the drives burnt out, and luckily I had another 2 GC DCs onsite. Two other servers in a different location/site were taken out as well. All 3 servers will not be put onto the domain again.

Now I'm having a few issues on replication; I keep getting the following errors:
---
Event Type:      Warning
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      2093
Date:            6/30/2010
Time:            11:48:31 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      EIDBAD001
Description:

The remote server which is the owner of a FSMO role is not responding.  This server has not replicated with the FSMO role owner recently.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Schema,CN=Configuration,DC=x,DC=internal
FSMO Server DN: CN=NTDS Settings,CN=CINHAD001,CN=Servers,CN=NH,CN=Sites,CN=Configuration,DC=xt,DC=internal
Latency threshold (hours): 24
Elapsed time since last successful replication (hours): 221
 
User Action:
 
This server has not replicated successfully with the FSMO role holder server.
1. The FSMO role holder server may be down or not responding. Please address the problem with this server.
2. Determine whether the role is set properly on the FSMO role holder server. If the role needs to be adjusted, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
3. If the FSMO role holder server used to be a domain controller, but was not demoted successfully, then the objects representing that server are still in the forest. This can occur if a domain controller has its operating system reinstalled or if a forced removal is performed.  These lingering state objects should be removed using the NTDSUTIL.EXE metadata cleanup function.
4. The FSMO role holder may not be a direct replication partner. If it is an indirect or transitive partner, then there are one or more intermediate replication partners through which replication data must flow. The total end to end replication latency should be smaller than the replication latency threshold, or else this warning may be reported prematurely.
5. Replication is blocked somewhere along the path of servers between the FSMO role holder server and this server.  Consult your forest topology plan to determine the likely route for replication between these servers. Check the status of replication using repadmin /showrepl at each of these servers.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

-------------
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1865
Date:            7/1/2010
Time:            1:13:47 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      EIAFAD001
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
 
Sites:
CN=KY,CN=Sites,CN=Configuration,DC=x,DC=internal
CN=NH,CN=Sites,CN=Configuration,DC=x,DC=internal
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      NTDS Replication
Event Category:      Replication
Event ID:      1864
Date:            6/30/2010
Time:            11:48:31 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      EIDBAD001
Description:
This is the replication status for the following directory partition on the local domain controller.
 
Directory partition:
CN=Configuration,DC=cohort,DC=internal
 
The local domain controller has not recently received replication information from a number of domain controllers.   The count of domain controllers is shown, divided into the following intervals.
 
More than 24 hours:
5
More than a week:
5
More than one month:
1
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
60
 Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
 
To identify the domain controllers by name, install the support tools included on the installation  CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest.   The command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Any Ideas? Help!
Distinguished Expert 2018
Commented:
In Windows 2000 and above, different domain controllers can hold different roles, referred to as FSMO roles. More about these:
http://technet.microsoft.com/en-us/library/cc773108(WS.10).aspx
If a server that held one of these roles is removed or fails, then AD knows that this role is no longer on the network and will throw errors until the problem is resolved. There are two ways to resolve such a problem:
1) If the failure is temporary or if the server is down for maintenance, simply restoring a backup or bringing the server back online will resolve the problem. AD detects the role is present again and resumes normal operation.
2) In the case where a server is permanently gone, ideally this would be planned and the roles would have been transferred:
http://support.microsoft.com/kb/324801
However, in rare cases (and I do believe this should be very rare, as a DR plan should include replacing failed servers), a server goes down and either cannot, or it is decided will not, be replaced. In such cases, the role must be "seized" by another server.
http://support.microsoft.com/kb/255504/EN-US/
You can choose to resolve the issue using any of the methods above, but to prevent future AD issues and stop the errors, you must get the missing FSMO roles onto one of your domain controllers that is or will be back online.
Lee Osborne, Senior Infrastructure Engineer
Commented:
Cgaliher is right. If one of the DCs that have gone down was responsible for the FSMO roles, then they need to be seized and allocated to another DC. Or, if you plan on getting the same DC back online (I guess on new hardware), then you will probably be restoring this from backup, in which case the FSMO roles should come back with your restore.

Seizing the roles is a last resort really. If it were me, I'd be looking to restore the DC back to full functionality as quickly as possible!

Lee

Author

Commented:
I cannot bring the server back up, because the backups available are very old, and I'm not quite sure what effect it will have on the AD...
So my plan is to promote one of my DCs as the master.

Which of the following steps will I have to proceed with?

Transfer the Schema Master Role
Transfer the Domain Naming Master Role
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

I assume any of my DCs could be promoted as Master?

Author

Commented:
Will I need to seize the role before transferring it to another server?
Distinguished Expert 2018
Commented:
You cannot transfer the role because transferring roles is a collaborative process (both servers agree and transfer the role.)
Since one of the servers is gone, the transfer will fail.
You will need to SEIZE the role (the last link I posted), and you will perform this process on the domain controller you wish to own the role. It will be the one "seizing" the role. If you later decide to transfer that role then you can do so because, as I said above, transferring is collaborative and the machine that seized the role will be able to participate in the transfer process.
Lee Osborne, Senior Infrastructure Engineer
Commented:
There is another step by step guide here too -

http://www.petri.co.il/seizing_fsmo_roles.htm

Lee

Author

Commented:
OK, I understand now. So basically, by using ntdsutil, I connect to the DC that I want to take control of all the roles and then seize all 5 roles; it will automatically take control of all these roles and be considered master of all 5 roles.

There is one question though: in the last few days I have made changes/created users etc. on the Exchange server. These changes seem to have replicated to this DC that I want to take control of the roles (same site), but have not replicated to other sites. Can this be a problem? What are the risks of this process?
Lee Osborne, Senior Infrastructure Engineer
Commented:
Once you have seized the roles to a new server, the replications will start again. The other DCs are looking for the currently failed DC. But once the FSMO roles are available again, replications will start too.

Lee

Author

Commented:
OK, I have seized all the roles to one DC for now. How long will the replication take?
I have run a dcdiag on one of the servers and it is still looking for the old FSMO master.
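An added check for exactly this situation (not code from the thread, from Microsoft, or from either expert): the script below reads the fSMORoleOwner attribute of each role-bearing naming context directly from every DC you list, so you can see which DCs still record the failed server as a role holder and which already see the seizure. The hostnames in $dcs are constructed placeholders; it assumes a domain-joined Windows machine with plain ADSI (no ActiveDirectory module needed, so it also works against a 2003-era domain).

```powershell
# Added example: compare FSMO ownership as seen by each DC. Hostnames are placeholders.
$dcs = @('EIDBAD001', 'EIAFAD001')   # replace with your own DC hostnames

# Naming contexts come from RootDSE of whichever DC the client is using.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Each role is recorded in the fSMORoleOwner attribute of one specific object.
$roleObjects = @{
    'Schema Master'         = $schemaNc
    'Domain Naming Master'  = "CN=Partitions,$configNc"
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
    'PDC Emulator'          = $domainNc
    'Infrastructure Master' = "CN=Infrastructure,$domainNc"
}

$results = foreach ($dc in $dcs) {
    foreach ($role in $roleObjects.Keys) {
        try {
            # Bind to this DC explicitly so we read ITS copy of the attribute,
            # not whatever the nearest DC happens to have replicated.
            $obj = [ADSI]"LDAP://$dc/$($roleObjects[$role])"
            # fSMORoleOwner is the DN of the owner's NTDS Settings object:
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... -> take <server>
            $ownerDn = [string]$obj.fSMORoleOwner
            $owner   = (($ownerDn -split ',')[1] -replace '^CN=', '')
        } catch {
            # A DC that cannot be reached is itself a finding for the replication picture.
            $owner = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{ QueriedDC = $dc; Role = $role; OwnerAsSeenByDC = $owner }
    }
}

$results | Sort-Object Role, QueriedDC | Format-Table -AutoSize

# Any role whose owner differs between DCs has not converged yet: either replication
# to that DC is still blocked, or the old server's metadata still needs cleaning up.
$results | Group-Object Role |
    Where-Object { @($_.Group.OwnerAsSeenByDC | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Inconsistent owner for $($_.Name): seizure not yet seen by all DCs" }
```

Run it again after the metadata cleanup and site-link changes discussed later in the thread; once every DC reports the same owner for all five roles, dcdiag should stop pointing at the old server.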

Author

Commented:
I see there is an issue in transferring the infrastructure master to a GC server. What are the consequences? Because the server that I transferred everything to is both.

Author

Commented:
Guys, this is getting a little scary now... after seizing, all these errors are popping up on the DCs. Each DC can ping each other by IP and DNS... the only DCs that recognize the new master are the ones in the same site...


Errors:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
 
Sites:

CN=NH,CN=Sites,CN=Configuration,DC=x,DC=internal

All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
 
Site:
CN=NH,CN=Sites,CN=Configuration,DC=x,DC=internal
Directory partition:
CN=Configuration,DC=x,DC=internal
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=x,DC=internal

Lee Osborne, Senior Infrastructure Engineer
Commented:
This is probably happening because the other DCs no longer exist in the domain.

This page is to do with the error you are getting:

http://technet.microsoft.com/en-us/library/cc756648(WS.10).aspx

...and this page should help you clean up your now non-existent DCs:

http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx
Lee Osborne, Senior Infrastructure Engineer
Commented:
You'll also need to tidy up the replication partners in Active Directory Sites and Services.

This will show you how to find out what connections are used for replication, and what replications occur between which DCs -

http://technet.microsoft.com/en-us/library/cc759774(WS.10).aspx

Have a look and see if any existing objects still exist for the non-existent DC and update them accordingly to the new DC holding the FSMOs.

Lee

Author

Commented:
The problem is that it's claiming that it can't find existing sites... and the DCs still don't recognize the new server as the master FSMO. The only ones working fine are the DCs on the same site!
Lee Osborne, Senior Infrastructure Engineer

Commented:
Have you updated your site links in ADS&S?

Lee

Author

Commented:
Yes, do I delete the former FSMO master from the site links?
Lee Osborne, Senior Infrastructure Engineer

Commented:
Yes, because they no longer exist, and won't exist anymore.

Lee

Author

Commented:
Thanks guys! Still a few errors, but AD is replicating between sites. Will start the metadata cleanup and see how it goes.
Lee Osborne, Senior Infrastructure Engineer

Commented:
Well done Yolanie, glad you got it sorted!

Lee
