Solved

Seizing AD FSMO roles

Posted on 2013-06-18
954 Views
Last Modified: 2013-07-06
In the scenario where one Domain Controller completely crashes, I wonder whether seizing the FSMO role depends on the role that the dead DC held, or whether it does not matter which role it had.

I mean, if the DC that crashed had:
Schema Master role: do we need to seize the role from a working DC?
Domain Naming: do we need to seize the role from a working DC?
Infrastructure/PDC/RID: do we need to seize the role from a working DC?

OR will rebuilding a new DC, in a certain way, have the roles held by the crashed DC rebuilt automatically on the new DC?

Thank you
Question by:jskfan
13 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 126 total points
ID: 39257139
Yes to all three, you will need to seize those roles on a working DC.  Don't bring that crashed DC back online after you do that.

You will also need to clean up that dead DC from AD.  In 2008 that is as easy as deleting the old computer object.  (metadata link below)

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
 
LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 63 total points
ID: 39257216
Use NTDSUtil to seize the required roles to an active DC.
http://bit.ly/11lKTCZ (KB255504)

Wait for the changes to replicate across the forest/domain.

Second: metadata cleanup using NTDSUtil needs to be completed:
http://bit.ly/11X6QYO (KB216498)

Then, make sure to remove _any_ references to the now gone DC in DNS in:
 _msdcs.domain.local
 domain.local

Remove DNS A records, DNS NS records, GUID in AD partition, and references in AD (_tcp ETC).

Verify that the now defunct DC is no longer present in DSSite.msc.

Wait for these changes to replicate across the domains/forests.

Philip

EDIT: Added the DNS NS records step.

EDIT 2: More specific to your questions: No. Roles need to be seized and references to OLD DC need to be completely expunged before any new DC comes online that shares the same name. Bringing NEWDC online with same name will cause LOTS of grief if clean-up steps above are not completed. BTDT.
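An added worked example of the clean-up steps Philip lists (metadata cleanup, DNS record removal, verification). This is not code from the thread or from Microsoft's KB articles. It assumes PowerShell on a surviving DC with the ActiveDirectory and DnsServer modules (Windows Server 2012 or RSAT), Domain Admin rights, and placeholder names: OLDDC is the dead DC, DC2 the live one, domain.local the domain, and 10.0.0.5 the dead DC's old address.

```powershell
# Added example (not from the thread): clean up a dead DC after its roles
# have been seized. Placeholders: OLDDC (dead), DC2 (live), domain.local.
Import-Module ActiveDirectory
Import-Module DnsServer

$DeadDc   = 'OLDDC'
$DeadFqdn = 'olddc.domain.local.'   # DNS record data carries the trailing dot
$DeadIp   = '10.0.0.5'              # old address, so apex "@" A records are caught too
$LiveDc   = 'DC2'
$Zones    = @('domain.local', '_msdcs.domain.local')

# 1. Safety check: metadata cleanup is only for a DC that will never return.
#    If it still answers LDAP, demote it normally instead.
if (Test-NetConnection -ComputerName "$DeadDc.domain.local" -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue) {
    throw "$DeadDc still answers on LDAP; demote it instead of cleaning up its metadata."
}

# 2. Metadata cleanup. On 2008 and later, deleting the server object (with its
#    NTDS Settings child) or the DC's computer object triggers the same cleanup
#    that the manual "ntdsutil metadata cleanup" route in KB216498 performs.
$ConfigNc  = (Get-ADRootDSE -Server $LiveDc).configurationNamingContext
$ServerObj = Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$ConfigNc" `
               -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))"
if ($ServerObj) {
    # Same effect as deleting the server in DSSite.msc
    Remove-ADObject -Server $LiveDc -Identity $ServerObj -Recursive -Confirm:$false
}
$Computer = Get-ADComputer -Server $LiveDc -Filter "Name -eq '$DeadDc'"
if ($Computer) {
    # Same effect as deleting the computer object in ADUC (Mike's shortcut)
    Remove-ADObject -Server $LiveDc -Identity $Computer -Recursive -Confirm:$false
}

# 3. DNS: in both the domain zone and _msdcs, remove every record that names or
#    points at the dead DC: A, NS, the <dsa-guid> CNAME, and SRV under _tcp/_udp.
foreach ($Zone in $Zones) {
    $Stale = Get-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $Zone | Where-Object {
        $d = $_.RecordData
        ($_.RecordType -eq 'A'     -and ($_.HostName -eq $DeadDc -or "$($d.IPv4Address)" -eq $DeadIp)) -or
        ($_.RecordType -eq 'NS'    -and $d.NameServer    -eq $DeadFqdn) -or
        ($_.RecordType -eq 'CNAME' -and $d.HostNameAlias -eq $DeadFqdn) -or
        ($_.RecordType -eq 'SRV'   -and $d.DomainName    -eq $DeadFqdn)
    }
    foreach ($Rec in $Stale) {
        Write-Host "Removing $($Rec.RecordType) $($Rec.HostName) from $Zone"
        Remove-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $Zone -InputObject $Rec -Force
    }
}

# 4. Verify: the dead DC is gone from the DC list, all five roles sit on live
#    DCs, and replication is healthy before any new DC is promoted.
$Remaining = Get-ADDomainController -Server $LiveDc -Filter * | Select-Object -ExpandProperty Name
if ($Remaining -contains $DeadDc) { throw "$DeadDc is still registered as a DC" }
Get-ADForest -Server $LiveDc | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Server $LiveDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
repadmin /replsummary
```

Run it once per domain that the dead DC served, then allow replication to complete (Philip's "wait" steps) before promoting a replacement; if the replacement must reuse the old name, step 4 has to come back clean first.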
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 126 total points
ID: 39257221
You can use ntdsutil for metadata cleanup but it is easier in 2008 and higher to just delete the dead computer/DC object.

Thanks


Mike
 
LVL 6

Assisted Solution

by:Tonypeswani
Tonypeswani earned 62 total points
ID: 39258811
 

Author Comment

by:jskfan
ID: 39275292
Tonypeswani:

In this article (I pasted part of it below), it seems that I do not need to reboot a working DC into AD Services Restore Mode and then run NTDSUtil in order to seize the roles held by the defunct DC, as it used to be with 2003 DCs.
Bullet #8 says:
"if the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown."

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

<<<<If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.>>>>
 
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 62 total points
ID: 39295088
It seems like, I do not need to  reboot a working DC into AD Services Restore mode then run NTDSUtil  in order to seize the roles held by the defunct DC, like it used to be in 2003 DCs
In case there's some confusion, you don't ever need to boot a DC into Directory Services Restore Mode in order to seize FSMO roles.  This can be done from a working DC running in normal mode; in fact, I'm fairly certain it can't be done in DSRM, since a DC running in DSRM can't access AD.
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 39295092
To clarify...

You seize roles FROM the dead DC TO a working DC.  You do NOT seize roles from a working DC under any circumstances.  If you want to move roles between working DCs, you transfer, not seize.

Once you seize roles from a dead DC, the dead DC must NEVER return to the Active Directory.  It is also important to never give a new DC the same name as the dead DC.

All of the 5 roles are mandatory to a working domain.  If a DC dies which holds one or more of those roles you must seize those roles ASAP using ntdsutil.
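An added example, not from Craig's post or from Microsoft, of the transfer-versus-seize rule in PowerShell: probe the current holder, transfer if it is alive, and seize only if it is not. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later), Test-NetConnection (Server 2012 or later), an account that is Enterprise Admin for the forest-wide roles, and DC2 as a placeholder target name.

```powershell
# Added example (not from the thread): move FSMO roles with a guard that
# transfers from a live holder and seizes only from a dead one.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Returns a hashtable of role name -> FQDN of the DC currently holding it
    param([string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$Target,   # live DC that should own the roles
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    )
    $holders = Get-FsmoHolder -Server $Target
    foreach ($role in $Roles) {
        $holder = $holders[$role]
        if ($holder -eq $Target -or $holder -like "$Target.*") {
            Write-Host "$role is already on $Target"
            continue
        }
        # Probe the current holder on LDAP. A reachable holder gets a normal
        # transfer (both DCs agree on the move); only an unreachable one is
        # seized, and a seized DC must never be reconnected to the forest.
        $alive = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($alive) {
            Write-Host "Transferring $role from $holder to $Target"
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
        } else {
            Write-Warning "$holder does not answer; SEIZING $role to $Target. Do not bring $holder back online."
            # -Force is the cmdlet's seize; the ntdsutil equivalent is
            #   ntdsutil roles connections "connect to server DC2" q "seize <role>" q q
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Force -Confirm:$false
        }
    }
    # Show where the five roles ended up
    Get-FsmoHolder -Server $Target
}

# Usage: Move-FsmoRoleSafely -Target DC2
```

The port probe is the practical check behind "seize FROM the dead DC TO a working DC": if the probe succeeds the function refuses to seize and transfers instead, which is what you want between two healthy DCs. Note that a seize succeeds even when the holder is only temporarily offline, so the probe is a guard against typos and haste, not a replacement for knowing the DC is really gone.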
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 62 total points
ID: 39295155
You need to first understand the difference between seize/transfer of a role. Seize of a role is done when the dead DC is the FSMO role holder and cannot be brought back. So you need to log in on an online DC and seize the role. If the dead DC is up, you need to remove the same and reinstall the OS and promote the server back as a DC if required.

But before promoting the dead server as a DC again you need to perform metadata cleanup to remove the instances of the dead DC from the AD database, DNS, DC OU, etc.
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/

You can transfer the FSMO role to an online DC. You can keep all the roles on one DC or move them to another DC; the choice is yours. The link below helps to understand FSMO placement:

FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/kb/223346

How to transfer or seize FSMO roles
http://sandeshdubey.wordpress.com/2011/10/07/how-to-transfer-or-seize-fsmo-roles/

Hope this helps
 

Author Comment

by:jskfan
ID: 39303138
In previous versions, Windows 2000/2003 servers:
when a DC crashed, we rebooted one of the working DCs into AD Restore Mode and used NTDSUTIL to seize the roles from the dead DC if it had any roles.
Seizing roles is just a way to say "enable roles on a working DC"... there is nothing to seize from a dead stone.
 
LVL 45

Accepted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 39303155
You don't need to reboot into AD restore mode to seize roles in 2000 or 2003.  You just open a command prompt and type ntdsutil
 

Author Closing Comment

by:jskfan
ID: 39304050
thanks
