Seizing AD FSMO roles

In the scenario where one Domain Controller completely crashes, I wonder whether seizing the FSMO role depends on the role that the dead DC had, or whether it does not matter which role it had.

I mean, if the DC that crashed had:
Schema Master Role: do we need to seize the role from a working DC?
Domain Naming: do we need to seize the role from a working DC?
Infrastructure/PDC/RID: do we need to seize the role from a working DC?

Or will rebuilding a new DC, in a certain way, cause the roles held by the crashed DC to be rebuilt automatically on the new DC?

Thank you
Asked by: jskfan

Mike Kline Commented:
Yes to all three, you will need to seize those roles on a working DC.  Don't bring that crashed DC back online after you do that.

You will also need to clean up that dead DC from AD. In 2008 that is as easy as deleting the old computer object. (metadata link below)

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
 
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
Use NTDSUtil to seize the required roles to an active DC.
http://bit.ly/11lKTCZ (KB255504)

Wait for the changes to replicate across the forest/domain.

Second: MetaData cleanup using NTDSUtil needs to be completed:
http://bit.ly/11X6QYO (KB216498)

Then, make sure to remove _any_ references to the now gone DC in DNS in:
 _msdcs.domain.local
 domain.local

Remove DNS A records, DNS NS records, GUID in AD partition, and references in AD (_tcp ETC).

Verify that the now defunct DC is no longer present in DSSite.msc.

Wait for these changes to replicate across the domains/forests.

Philip

EDIT: Added the DNS NS records step.

EDIT 2: More specific to your questions: No. Roles need to be seized and references to OLD DC need to be completely expunged before any new DC comes online that shares the same name. Bringing NEWDC online with same name will cause LOTS of grief if clean-up steps above are not completed. BTDT.
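
The verification steps from the answer above, as an added example that is not part of the original post: it lists the five role holders, then looks for leftover references to the dead DC in AD, the Sites container and DNS. The name `DEADDC01`, the `_msdcs.<forest root>` zone layout and the presence of the ActiveDirectory and DnsServer modules are assumptions.

```powershell
# Added example: post-seizure checks, run from a working DC in normal mode.
param(
    [string]$DeadDC    = 'DEADDC01',           # hypothetical short name of the failed DC
    [string]$DnsServer = $env:COMPUTERNAME     # assumes this DC also hosts the DNS zones
)
Import-Module ActiveDirectory, DnsServer

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. The five FSMO role holders; none may still point at the dead DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Key, Value -AutoSize
$stale = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$DeadDC.*" })
if ($stale) {
    Write-Warning "Roles still held by ${DeadDC}: $($stale.Key -join ', ')"
    # AD-module equivalent of an ntdsutil seize; -Force seizes instead of transferring.
    # Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME `
    #     -OperationMasterRole $stale.Key -Force
}

# 2. Metadata: computer account and server object under Sites (what DSSite.msc shows).
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADComputer -Filter "Name -eq '$DeadDC'" | Select-Object DistinguishedName
Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$DeadDC))" | Select-Object DistinguishedName

# 3. DNS: A, NS, SRV and CNAME records that still name the dead DC.
foreach ($zone in "_msdcs.$($forest.RootDomain)", $domain.DNSRoot) {
    Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer |
        Where-Object {
            $_.HostName -eq $DeadDC -or
            (($_.RecordData.NameServer, $_.RecordData.DomainName,
              $_.RecordData.HostNameAlias) -like "$DeadDC.*")
        } |
        Select-Object @{ n = 'Zone'; e = { $zone } }, HostName, RecordType
}
```

Any output from steps 2 or 3 is a reference that still has to be cleaned up; repeat the checks against other DCs once replication has had time to complete.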
 
Mike Kline Commented:
You can use ntdsutil for metadata cleanup but it is easier in 2008 and higher to just delete the dead computer/DC object.

Thanks


Mike
 
Tonypeswani Commented:

jskfan (Author) Commented:
Tonypeswani:

In this article, I pasted part of it below.
It seems like I do not need to reboot a working DC into AD Services Restore mode and then run NTDSUtil in order to seize the roles held by the defunct DC, like it used to be in 2003 DCs.
Bullet #8 says:
"if the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown."

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

<<<<If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.>>>>
 
DrDave242 Commented:
"It seems like, I do not need to reboot a working DC into AD Services Restore mode then run NTDSUtil in order to seize the roles held by the defunct DC, like it used to be in 2003 DCs"

In case there's some confusion, you don't ever need to boot a DC into Directory Services Restore Mode in order to seize FSMO roles. This can be done from a working DC running in normal mode; in fact, I'm fairly certain it can't be done in DSRM, since a DC running in DSRM can't access AD.
 
Craig Beck Commented:
To clarify...

You seize roles FROM the dead DC TO a working DC.  You do NOT seize roles from a working DC under any circumstances.  If you want to move roles between working DCs, you transfer, not seize.

Once you seize roles from a dead DC, the dead DC must NEVER return to the Active Directory.  It is also important to never give a new DC the same name as the dead DC.

All of the 5 roles are mandatory to a working domain.  If a DC dies which holds one or more of those roles you must seize those roles ASAP using ntdsutil.
 
Sandeshdubey Commented:
You need to first understand the difference between seizing and transferring a role. Seizing a role is done when the dead DC is the FSMO role holder and cannot be brought back. So you need to log in on an online DC and seize the role. If the dead DC is up, you need to remove the same and reinstall the OS and promote the server back as a DC if required.

But before promoting the dead server as a DC again, you need to perform metadata cleanup to remove the instances of the dead DC from the AD database, DNS, DC OU, etc.
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/

You can transfer the FSMO role to an online DC. You can keep all the roles on one DC or move them to another DC; the choice is yours. The links below help to understand FSMO placement.

FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/kb/223346

How to transfer or seize FSMO roles
http://sandeshdubey.wordpress.com/2011/10/07/how-to-transfer-or-seize-fsmo-roles/

Hope this helps
 
jskfan (Author) Commented:
In previous versions of Windows (2000/2003 servers), when a DC crashes, we reboot one of the working DCs into AD restore mode and use NTDSUTIL to seize the roles from the dead DC if it had any roles.
Seizing roles is just a way to say enable roles on a working DC... there is nothing to seize from a dead stone.
 
Craig Beck Commented:
You don't need to reboot into AD restore mode to seize roles in 2000 or 2003.  You just open a command prompt and type ntdsutil
 
jskfan (Author) Commented:
thanks