it-qatar

asked on

Active Directory Roles

Dears,
I have three DCs in one forest on Active Directory. Before yesterday one DC failed, so at another site we used NTDSUTIL and seized the infrastructure and PDC roles. Yesterday the server was fixed and it's working fine. Now I have the following questions, please help me:
1- Now I have two servers with duplicate roles. Is that OK, or what do I have to do to remove the roles from one of these servers?
2- After we fixed the server, replication is not working. What can I do to fix it?

Thank you ....
serchlop

First, you can't have 2 servers with the same FSMO role; when you make the change to the FSMO, the new server will host that role.

To solve your replication problem, maybe you would need to move the other FSMO roles to another server, then uninstall Active Directory from that server and add it again as a DC. If you have problems removing the failed DC, maybe you need to force demotion for this domain with dcpromo and a parameter that I don't remember right now, but you can google for it.
ASKER CERTIFIED SOLUTION
Radhakrishnan
This solution is only available to members.

So what you have is the situation where your PDC and infrastructure master was offline.
You seized the roles while the server was down.
The server came back online and is now unaware that its roles were seized.
First you need to find out which roles your other domain controllers think are held by other servers.
Use this command: netdom query /domain:yourdomain /server:DCNAME fsmo
Run this against every domain controller in your org. If all of your servers think that the machine to which you recently seized the roles holds those roles, then you need to demote the failed domain controller that "came back" using dcpromo /forceremoval and then do the metadata cleanup mentioned in the article above.
Don't forget to clean up DNS as well, removing any reference to it.
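
The cross-check described in the answer above (ask every DC which server it thinks holds each role, then compare the answers), as an added PowerShell example that is not part of the original thread. The DC names, `example.local`, the sample output and the function names are constructed for illustration.

```powershell
# Added example, not from the thread. DC names and sample output are constructed.
$roleNames = 'Schema master|Domain naming master|PDC|RID pool manager|Infrastructure master'

function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    $roles = [ordered]@{}
    foreach ($line in $Lines) {
        # netdom prints one "<role name>   <holder FQDN>" line per role
        if ($line -match ('^\s*(' + $roleNames + ')\s+(\S+)\s*$')) {
            $roles[$Matches[1]] = $Matches[2].ToLower()
        }
    }
    $roles
}

function Compare-FsmoView {
    param([hashtable]$OutputByDc)   # key = DC that was asked, value = its netdom output
    $rows = foreach ($dc in $OutputByDc.Keys) {
        $view = ConvertFrom-NetdomFsmo -Lines $OutputByDc[$dc]
        foreach ($role in $view.Keys) {
            [pscustomobject]@{ Role = $role; AskedDc = $dc; Holder = $view[$role] }
        }
    }
    # A role is consistent only when every DC names the same holder
    $rows | Group-Object Role | ForEach-Object {
        [pscustomobject]@{
            Role       = $_.Name
            Consistent = (@($_.Group.Holder | Sort-Object -Unique).Count -eq 1)
            Views      = ($_.Group | ForEach-Object { "$($_.AskedDc) says $($_.Holder)" }) -join '; '
        }
    }
}

# Constructed sample: dc1 is the DC that came back and still lists itself
# for the two seized roles, while dc2 and dc3 name the new holder (dc2).
$sample = @{
    'dc1' = @('PDC                         dc1.example.local',
              'Infrastructure master       dc1.example.local')
    'dc2' = @('PDC                         dc2.example.local',
              'Infrastructure master       dc2.example.local')
    'dc3' = @('PDC                         dc2.example.local',
              'Infrastructure master       dc2.example.local')
}
Compare-FsmoView -OutputByDc $sample | Format-List

# Live use, with the command form given in the thread:
# $live = @{}; 'dc1','dc2','dc3' | ForEach-Object { $live[$_] = netdom query /domain:yourdomain /server:$_ fsmo }
# Compare-FsmoView -OutputByDc $live
```

Any role reported with `Consistent` set to false means at least one DC disagrees about the holder, which is the condition to resolve before demoting or re-promoting anything.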

it-qatar
ASKER

So now, first I have to demote the failed DC, then while it's being removed I have to seize the other roles to another DC, then after removing the DC I have to install the Active Directory role again, then transfer the roles I want from that DC?

You first have to make sure that the FSMO roles are on a functional DC, as the expert says; then you have to remove the failed DC with dcpromo /forceremoval and then verify that all the metadata for the removed server was removed on the functional DC, to allow you to configure it again as a DC and return the FSMO roles to the original server.

If I do a forced removal of the failed DC, there's no problem? I mean, my network will be OK and users can log on without any problem?

Have you checked which server is holding all the FSMO roles? If it is the failed DC then you need to seize those; if it is another DC then there are no issues for users to authenticate.

"netdom query fsmo" will help you to identify.

Everything is OK, I moved all roles to another server at another site. But now I tried to create a test user, OK, it's created, and I joined a PC to the domain, OK, but when I tried to log in as this test user on the domain-joined PC it gives me the error "There are currently no logon servers available to service the logon request". Any idea what this is?

I moved all roles to another server on another site - Is a trust relationship configured for these 2 sites? Have you enabled Global Catalog on this server?

Why a trust relationship? It's in the same forest and same domain. Anyway, it's working now. Can anyone tell me how to test replication between sites? Another thing: in Active Directory Sites the new server is not configured under NTDS Settings; should I add it manually? Thx

repadmin
Just type the command at the prompt and it will show you all of the options.
   /showrepl Displays the replication status when specified domain controller
           last attempted to inbound replicate Active Directory partitions.

   /showutdvec displays the highest committed Update Sequence Number (USN)
           that the targeted DC's copy of Active Directory shows as
           committed for itself and its transitive partners.

   /syncall Synchronizes a specified domain controller with all replication
            partners.