Solved

Seizing Domain FSMO Roles in a Windows Server 2003 domain

Posted on 2012-08-15
Last Modified: 2012-08-22
Greetings...

I have a scenario where one of our clients has an issue with one of their domain controllers. This domain controller holds the Schema Master and Domain role owner.

This DC is not completely down. It is up and running, and it looks like the Sysvol and Netlogon folders are also available. But the other domain controllers are not able to replicate with the affected domain controller. Also, when you try to move the two above roles from the GUI, it says that the FSMO roles cannot be moved because the server is not available.

The network configuration is perfectly fine, but it looks like the Active Directory is corrupted.

We have tried to repair this domain controller by installing Service Pack 2 and Windows updates, but it didn't help at all.

So it looks like the only option left is to seize these two roles from this domain controller and move them to another server.

Following articles have been suggested:
1. http://www.petri.co.il/transferring_fsmo_roles.htm
2. http://technet.microsoft.com/en-us/library/cc783650(v=ws.10).aspx
3. http://technet.microsoft.com/en-us/library/cc738540(v=ws.10).aspx#2

Some other sites also suggest similar steps. There are some questions which need to be answered before the above steps are taken.

Q1. Does the affected domain controller still need to be removed manually using the NTDSUTIL utility?
Q2. What about the Netlogon and Sysvol folders? What will happen if these folders are still working? Do they need to be moved to another domain controller, or will they be moved automatically as part of the manual movement of these roles?
Q3. What other issues could the network, or systems running on the network, face in these circumstances?
Q4. Will the above procedure of seizing affect anything running on the rest of the domains?
Q5. All the documents suggest that if you are seizing these roles manually, then you have to be careful, otherwise your AD partially or completely stops working. If you type everything correctly, what could go wrong?
Q6. Should all the working domain controllers have an Active Directory backup?

There is a test setup already in place to test the NTDSUTIL utility.

An early reply will be highly appreciated.
Question by:elaw
 
LVL 24

Assisted Solution

by:Mike Thomas
Mike Thomas earned 1000 total points
ID: 38295100
Q1 Try and move the roles before you seize them.
Q2 The Netlogon and Sysvol folders should exist on all domain controllers and are replicas of each other, so you should not have to do anything.
Q3 The domain controller might be running other services required by clients, such as DNS, DHCP, possibly even file shares; these need to be moved if you are going to flatten the domain controller.
Q4 Seizing is a procedure for failed domain controllers; as per Q1 you should be trying to move the roles.
Q5 Move the roles.
0
 
LVL 12

Expert Comment

by:Chris
ID: 38295181
@MojoTech elaw has already mentioned that he is unable to move the roles and has been left with no choice but to seize.

Although seizing roles isn't ideal, it's not really that big a deal. It's just a case of marking a different DC as the role holder, then clearing all references to the old DC using ntdsutil. What you need to be VERY careful of is that once you've run through the process you never bring the old DC back onto the network, as it will still believe it's a DC and that it holds the FSMO roles. If you need to reuse the server then you need to flatten it first.
0
 

Author Comment

by:elaw
ID: 38296099
Thanks MojoTech.
There are no other services running except Netlogon and Sysvol, I believe.
0
 

Author Comment

by:elaw
ID: 38296115
Thanks Demented_Goose.
I understand that this is simply marking a domain controller with these roles. Yes, it is true that once the roles are seized, this DC should not be on the network until it is formatted.

I am still looking for the answers to the questions I have asked above.
I would appreciate some comments from someone who has had a similar scenario.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 38296161
I have dealt with many failed DCs. If you have another functioning domain controller, then simply switch off the problematic DC and go through the seize process; just make sure the failed DC never comes back online.

Another option you could try is to demote the domain controller; this will move the roles for you.
0
 
LVL 12

Accepted Solution

by:
Chris earned 1000 total points
ID: 38296197
I have been in this scenario many times with different customers. I've carried out the procedure countless times, which is how I can confidently assure you it's not that big a deal. In direct response to your questions:

1) Yes you must run NTDSUTIL to clear references to the old DC
2) NTDSUTIL will clean up references to the old DC, this includes sysvol replicas.
3) I've never seen any issues as a result of this process.
4) No, you're literally just letting another DC take control of the roles. As long as the original DC doesn't come back online it will be fine.
5) The act of seizing the roles shouldn't cause any issues. If you do something wrong in NTDSUTIL you could see issues but as long as you are careful and follow the instructions carefully everything should be fine.
0
 

Author Comment

by:elaw
ID: 38296200
I thought about the second option, but I have a feeling that since the AD is somehow corrupted or not working properly on the problematic domain controller, it would end up with some errors.

Please confirm: once the seize process is completed, do I still have to remove the DC manually as well using NTDSUTIL?
0
 

Author Comment

by:elaw
ID: 38296220
Thanks Demented_Goose for your answers. So according to your answer to question 1, I should separately follow the procedure for a failed domain controller using NTDSUTIL.

This gives me some confidence as well.

I have created a test domain and will test the procedure in the test environment before hitting the real environment.

One question: it should not affect anything if I do this during business hours?
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 38296235
I would try the dcpromo; you can also use the /forceremoval switch. It won't cause you any problems trying.

Aside from using NTDSUTIL you will need to delete the DC object from sites and services manually

You do not need to do this sort of thing out of hours.
0
 

Author Comment

by:elaw
ID: 38296260
Thanks MojoTech
0
 
LVL 12

Expert Comment

by:Chris
ID: 38296435
You should be aware that running dcpromo /forceremoval will remove directory services from the failed DC but it will not update the live domain with that information.

You will still need to seize the roles and run ntdsutil cleanup on a functioning DC afterwards.

Also, as mentioned by Mojo, you will need to remove the failed DC from sites and services.
0
 

Author Comment

by:elaw
ID: 38298595
So does that mean that I should run dcpromo /forceremoval? Yes?
Please confirm it.
0
 

Author Comment

by:elaw
ID: 38298891
http://kiransawant.wordpress.com/2012/07/19/seizing-fsmo-roles/
I looked at the above article; it is similar.

So please correct me if I am wrong; I will proceed in the following order.

1. Run dcpromo /forceremoval on the affected DC
2. Seize the FSMO roles using one of the procedures (in fact they are all the same)
3. Run ntdsutil to remove the affected DC from the Active Directory
4. Remove the affected DC from Sites and Services
5. Test the replication between the remaining DCs
6. Run dcdiag, netdiag and a replication test

Please suggest any step I am missing.
Please suggest any test that I should perform apart from those I mentioned in point 6.
0
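The step list above, scripted as an added example that is not part of this thread or of any of the linked articles. It relies on ntdsutil accepting its interactive commands as quoted command-line arguments, so steps 2 and 3 can be run from one PowerShell script on a healthy DC, followed by the checks from steps 5 and 6. Step 1 (dcpromo /forceremoval) runs on the affected DC itself and is not in the script. The names NEWDC, OLDDC, Default-First-Site-Name and DC=contoso,DC=com are placeholders, and repadmin, dcdiag and netdom are assumed to be installed from the Windows Server 2003 Support Tools.

```powershell
# Added example, not from the thread. Run on a healthy DC that will become the new role holder.
# Placeholders (assumptions): NEWDC, OLDDC, Default-First-Site-Name, DC=contoso,DC=com.
$NewDc   = 'NEWDC'
$OldDc   = 'OLDDC'
$OldDcDn = "CN=$OldDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com"

function Invoke-Ntdsutil {
    # ntdsutil takes the commands you would normally type at its prompts as quoted arguments.
    # The command line is echoed first so the transcript records exactly what ran; ntdsutil
    # reports most problems only in its output, so read that output rather than trusting silence.
    param([string[]]$Commands)
    Write-Host ('ntdsutil ' + (($Commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))
    & ntdsutil.exe @Commands
}

# Step 2: seize the two roles the failed DC held. For each role ntdsutil first attempts a normal
# transfer and seizes only if the current holder does not respond; it also asks for confirmation.
Invoke-Ntdsutil @('roles', 'connections', "connect to server $NewDc", 'quit',
                  'seize schema master', 'seize domain naming master', 'quit', 'quit')

# Step 3: metadata cleanup. The one-line "remove selected server <DN>" form needs the Windows
# Server 2003 SP1 or later ntdsutil; it removes the NTDS Settings object and the FRS (SYSVOL)
# member references for the old DC, so nothing else tries to replicate with it.
Invoke-Ntdsutil @('metadata cleanup', 'connections', "connect to server $NewDc", 'quit',
                  "remove selected server $OldDcDn", 'quit', 'quit')

# Step 4: the server object itself can remain under Sites and Services. It is only reported here,
# so deleting it stays a deliberate action in the console.
if ([ADSI]::Exists("LDAP://$NewDc/$OldDcDn")) {
    Write-Warning "$OldDcDn still exists: delete it in Active Directory Sites and Services"
}

# Steps 5 and 6: confirm the role holders, push every partition to every DC (including other
# sites), then run the replication and health checks.
netdom query fsmo
repadmin /syncall /A /e /P
repadmin /showrepl
dcdiag /q
```

Running the script on the DC that is going to own the roles matters: the "connect to server" line decides which replica the seize is written to, and metadata cleanup must be done from a DC that is still replicating, never from the failed one.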
 
LVL 12

Expert Comment

by:Chris
ID: 38299341
You seem to have it all worked out nicely. Good luck.
0
 

Author Comment

by:elaw
ID: 38299363
Thanks Demented_Goose,

Should I take an AD backup of all the working domain controllers?
0
 
LVL 12

Expert Comment

by:Chris
ID: 38299379
No reason not to. Better safe than sorry after all.
0
 

Author Comment

by:elaw
ID: 38318755
I have seized the roles of Schema Master and Domain Naming Master. I ran the command
netdom query fsmo on the server where I ran the seize. It is showing all correctly, but not on the other domain controllers in the other site. Does it take a long time to replicate?
0
 

Author Comment

by:elaw
ID: 38318810
I ran the replmon utility and forced the replication. It updated all the roles on all the other domain controllers.
0
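The mismatch described in the last two comments (the seizing DC shows the new role holders while the DCs in the other site still show the old ones until replication catches up) can be checked from one place. The following is an added example, not code from the thread: it binds to each DC individually and reads that DC's own copy of the five role owners, then lists every DC whose view differs from a chosen reference DC. It assumes PowerShell 2.0 and the .NET System.DirectoryServices.ActiveDirectory classes; NEWDC is a placeholder for the DC where the seize was run.

```powershell
# Added example, not from the thread. Compares each DC's own view of the FSMO role owners so that
# stale replicas after a seize stand out. Assumes PowerShell 2.0 and System.DirectoryServices.

function Get-FsmoView {
    param([string]$DcName)
    # Bind to this specific server (DirectoryServer context) rather than to "the domain", so the
    # values returned come from that server's replica, not from whichever DC the locator picks.
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Compare-FsmoViews {
    # $ReferenceDc should be the DC the seize was performed on; every other DC is compared to it.
    param([string[]]$DcNames, [string]$ReferenceDc)
    $reference  = Get-FsmoView $ReferenceDc
    $mismatches = @()
    foreach ($dc in $DcNames) {
        try   { $view = Get-FsmoView $dc }
        catch { Write-Warning "$dc could not be queried: $_"; continue }
        foreach ($role in $reference.Keys) {
            if ($view[$role] -ne $reference[$role]) {
                $mismatches += New-Object PSObject -Property @{
                    DC = $dc; Role = $role; Sees = $view[$role]; Expected = $reference[$role]
                }
            }
        }
    }
    $mismatches
}

# Enumerate every DC of the current domain, then compare them all against the seizing DC.
$dcs   = @([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
           ForEach-Object { $_.Name })
$stale = Compare-FsmoViews -DcNames $dcs -ReferenceDc 'NEWDC'   # placeholder name

if ($stale) { $stale | Format-Table DC, Role, Sees, Expected -AutoSize }
else        { "All $($dcs.Count) DCs agree on the FSMO role owners" }
```

A DC that still lists the failed server as Schema Master or Domain Naming Master after replication has been forced is the one to investigate; a DC that cannot be queried at all should be the decommissioned server and nothing else.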
 

Author Closing Comment

by:elaw
ID: 38319304
Thanks guys
0
