Seizing Domain FSMO Roles in a Windows Server 2003 domain

Greetings...

I have a scenario where one of our clients has an issue with one of their domain controllers. This domain controller holds the schema master and domain role owner roles.

This DC is not completely down. It is up and running, and it looks like the Sysvol and Netlogon folders are also available. But the other domain controllers are not able to replicate with the affected domain controller. Also, when you try to move the two above roles from the GUI, it says that the FSMO roles cannot be moved because the server is not available.

The network configuration is perfectly fine, but it looks like the Active Directory is corrupted.

I have tried to repair this domain controller by installing Service Pack 2 and Windows updates, but it didn't help at all.

So it looks like the only option left is to seize these two roles from this domain controller and move them to another server.

Following articles have been suggested:
1. http://www.petri.co.il/transferring_fsmo_roles.htm
2. http://technet.microsoft.com/en-us/library/cc783650(v=ws.10).aspx
3. http://technet.microsoft.com/en-us/library/cc738540(v=ws.10).aspx#2

Some other sites also suggest similar steps. There are some questions which need to be answered before the above steps are taken.

Q1. Does the affected domain controller still need to be removed manually using the NTDSUTIL utility?
Q2. What about the Netlogon and Sysvol folders? What will happen if these folders are still working? Do they need to be moved to another domain controller manually, or will they be moved automatically as part of the manual movement of these roles?
Q3. What other issues could the network, or the systems running on the network, face in these circumstances?
Q4. Will the above procedure of seizing affect anything running on the rest of the domains?
Q5. All the documents suggest that if you are seizing these roles manually, then you have to be careful, otherwise your AD partially or completely stops working. If you type everything correctly, what could go wrong?
Q6. Should all the working domain controllers have an Active Directory backup?

There is a test setup already in place to test the NTDSUTIL utility.

An early reply will be highly appreciated.
elaw Asked:

Chris Commented:
I have been in this scenario many times with different customers. I've carried out the procedure countless times, which is how I can confidently assure you it's not that big a deal. In direct response to your questions:

1) Yes you must run NTDSUTIL to clear references to the old DC
2) NTDSUTIL will clean up references to the old DC, this includes sysvol replicas.
3) I've never seen any issues as a result of this process.
4) No, you're literally just letting another DC take control of the roles. As long as the original DC doesn't come back online it will be fine.
5) The act of seizing the roles shouldn't cause any issues. If you do something wrong in NTDSUTIL you could see issues but as long as you are careful and follow the instructions carefully everything should be fine.
0
 
Mike Thomas, Consultant, Commented:
Q1 Try and move the roles before you seize them
Q2 The Netlogon and Sysvol folders should exist on all domain controllers and are replicas of each other, so you should not have to do anything.
Q3 The Domain controller might be running other services required by clients, such as DNS, DHCP, possibly even file shares, these need to be moved if you are going to flatten the domain controller.
Q4 Seizing is a procedure for failed domain controllers; as per Q1 you should be trying to move the roles.
Q5 Move the roles
0
 
ChrisCommented:
@MojoTech elaw has already mentioned that he is unable to move the roles and has been left with no choice but to seize.

Although seizing roles isn't ideal, it's not really that big a deal. It's just a case of marking a different DC as the role holder, then clearing all references to the old DC using ntdsutil. What you need to be VERY careful of is that once you've run through the process you never bring the old DC back onto the network, as it will still believe it's a DC and that it holds the FSMO roles. If you need to reuse the server then you need to flatten it first.
0
 
elawAuthor Commented:
Thanks Mojotech.
There are no other services running except Netlogon and Sysvol, I believe.
0
 
elawAuthor Commented:
Thanks Demented_Goose
I understand that this is simply marking a domain controller with these roles. Yes, it is true that once the roles are seized, this DC should not be on the network until it is formatted.

I am still looking for the answers to the questions I have asked above.
I would appreciate some comments from someone who has had a similar scenario.
0
 
Mike Thomas, Consultant, Commented:
I have dealt with many failed DCs. If you have another functioning domain controller, then simply switch off the problematic DC and go through the seize process; just make sure the failed DC never comes back online.

Another option you could try is to demote the domain controller; this will move the roles for you.
0
 
elawAuthor Commented:
I thought about the second option, but I have a feeling that since the AD is somehow corrupted or not working properly on the problematic domain controller, it would end up with some errors.

Please confirm: once the seize process is completed, do I still have to remove the DC manually as well using NTDSUTIL?
0
 
elawAuthor Commented:
Thanks Demented_Goose for your answers. So according to your answer to question 1, I should separately follow the procedure for a failed domain controller using NTDSUTIL.

This gives me some confidence as well.

I have created a test domain and will test the procedure in the test environment before hitting the real environment.

One question: it should not affect anything if I do this during business hours, should it?
0
 
Mike Thomas, Consultant, Commented:
I would try the dcpromo; you can also use the /forceremoval switch. It won't cause you any problems trying.

Aside from using NTDSUTIL, you will need to delete the DC object from Sites and Services manually.

You do not need to do this sort of thing out of hours.
0
 
elawAuthor Commented:
Thanks MojoTech
0
 
ChrisCommented:
You should be aware that running dcpromo /forceremoval will remove directory services from the failed DC but it will not update the live domain with that information.

You will still need to seize the roles and run ntdsutil cleanup on a functioning DC afterwards.

Also, as mentioned by Mojo, you will need to remove the failed DC from sites and services.
0
 
elawAuthor Commented:
So does that mean that I should run dcpromo /forceremoval? Yes?
Please confirm it.
0
 
elawAuthor Commented:
http://kiransawant.wordpress.com/2012/07/19/seizing-fsmo-roles/
I looked at the above article; it is similar.

So please correct me if I am wrong, I will proceed in the following order.

1. Run dcpromo /forceremoval on the affected DC
2. Seize the FSMO roles using one of the procedures (in fact they are all the same)
3. Run Ntdsutil to remove the affected DC from the Active Directory
4. Remove the affected DC from Sites and Services
5. Test the replication between the remaining DCs
6. Run DCDiag, netdiag and a replication test

Please suggest any step I am missing.
Please suggest any test that I should perform apart from those I mentioned in point 6.
0
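The order elaw lists above, and Chris's earlier caveat that dcpromo /forceremoval on the failed DC does not clean up the live domain, as an added worked example that is not code from this thread. It is a PowerShell script run on the surviving DC that should hold the roles; the names DC2 (target), DC1 (failed DC), Default-First-Site-Name and DC=example,DC=com are constructed placeholders. It assumes the Windows Server 2003 Support Tools (netdom, repadmin, dcdiag) are installed and that ntdsutil is the SP1-or-later build that accepts the one-line "remove selected server <DN>" form; the Get-FsmoOwners and Test-RolesOnTarget helpers are hypothetical names written for this example.

```powershell
# Added example, not code from the thread: transfer if possible, seize otherwise,
# clean up the failed DC's metadata, then verify from every DC's point of view.
# Placeholders (assumptions, adjust for your forest):
#   $TargetDC  - surviving DC that should end up holding the roles (hypothetical "DC2")
#   $FailedDC  - the corrupt DC, already powered off               (hypothetical "DC1")
#   $SiteName / $ForestDN - where the failed DC's server object lives in the config NC
# Run as a member of Schema Admins and Enterprise Admins, on $TargetDC.
$TargetDC = "DC2"
$FailedDC = "DC1"
$SiteName = "Default-First-Site-Name"
$ForestDN = "DC=example,DC=com"
$Roles    = @("schema master", "domain naming master")   # the two roles in the thread

# Parse "netdom query fsmo" so the script can tell whether each role actually moved.
# Output lines look like "Schema owner                dc1.example.com".
function Get-FsmoOwners {
    $owners = @{}
    foreach ($line in (& netdom query fsmo)) {
        if ($line -match '^(Schema owner|Domain role owner)\s+(\S+)') {
            $owners[$matches[1]] = $matches[2].ToLower()
        }
    }
    return $owners
}

# True only when both roles of interest are reported on $TargetDC.
function Test-RolesOnTarget {
    $onTarget = $true
    foreach ($holder in (Get-FsmoOwners).Values) {
        if (-not $holder.StartsWith($TargetDC.ToLower())) { $onTarget = $false }
    }
    return $onTarget
}

# Step 0: the seized-from DC must never return. Refuse to run while it still answers.
if (Test-Connection -ComputerName $FailedDC -Count 1 -Quiet) {
    throw "$FailedDC still responds on the network - power it off before seizing."
}

# Step 1: attempt a graceful transfer first (Mike's advice). It fails harmlessly when
# the old role holder cannot be contacted, which is the situation in the thread.
# ntdsutil shows a confirmation dialog for each transfer and seize; that is expected.
foreach ($r in $Roles) {
    & ntdsutil roles connections "connect to server $TargetDC" quit "transfer $r" quit quit
}

# Step 2: seize only if the transfer did not land the roles on $TargetDC.
if (-not (Test-RolesOnTarget)) {
    foreach ($r in $Roles) {
        & ntdsutil roles connections "connect to server $TargetDC" quit "seize $r" quit quit
    }
}
if (-not (Test-RolesOnTarget)) { throw "Roles are still not on $TargetDC; stop and investigate." }

# Step 3: metadata cleanup on the live domain. This removes the failed DC's NTDS Settings
# object and replication links; dcpromo /forceremoval on the failed DC itself never does this.
$ServerDN = "CN=$FailedDC,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$ForestDN"
& ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# Step 4: the server object itself may remain in Sites and Services; delete it there
# (GUI) or with:   dsrm $ServerDN -subtree

# Steps 5/6: push replication to every DC (command-line equivalent of forcing it in
# replmon), then confirm the whole forest agrees on the role holders.
& repadmin /syncall /A /e /P
& repadmin /replsummary
& dcdiag /test:knowsofroleholders /v
& dcdiag /test:fsmocheck
& netdom query fsmo
```

The two checks that matter for detection afterwards are repadmin /replsummary showing zero failures for the remaining DCs and dcdiag /test:knowsofroleholders reporting the same holder from every DC; a DC that still names the failed server is the symptom elaw later describes before forcing replication.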
 
ChrisCommented:
You seem to have it all worked out nicely. Good luck.
0
 
elawAuthor Commented:
Thanks Demented_Goose,

Should I take the AD backup of all the working domain controllers.
0
 
ChrisCommented:
No reason not to. Better safe than sorry after all.
0
 
elawAuthor Commented:
I have seized the roles of schema master and domain naming master. I ran the command
netdom query fsmo on the server where I ran the seizing. It is showing everything correctly, but not on the other domain controllers in the other site. Does it take a long time to replicate?
0
 
elawAuthor Commented:
I ran the replmon utility and forced the replication. It updated all the roles on all the other domain controllers.
0
 
elawAuthor Commented:
Thanks guys
0
Question has a verified solution.