Solved

Seizing AD FSMO roles

Posted on 2013-06-18
1,084 Views
Last Modified: 2013-07-06
In the scenario where one Domain Controller completely crashes, I wonder whether seizing the FSMO role depends on the role that the dead DC had, or whether it does not matter which role it had.

I mean, if the DC that crashed had:
Schema Master role: do we need to seize the role from a working DC?
Domain Naming role: do we need to seize the role from a working DC?
Infrastructure/PDC/RID roles: do we need to seize the role from a working DC?

OR, if we rebuild a new DC, will the roles held by the crashed DC in some way be rebuilt automatically on the new DC?

Thank you
Question by:jskfan
13 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 504 total points
ID: 39257139
Yes to all three, you will need to seize those roles on a working DC.  Don't bring that crashed DC back online after you do that.

You will also need to clean up that dead DC from AD.  In 2008 that is as easy as deleting the old computer object.  (metadata link below)

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Thanks

Mike
0
 
LVL 40

Assisted Solution

by:Philip Elder
Philip Elder earned 252 total points
ID: 39257216
Use NTDSUtil to seize the required roles to an active DC.
http://bit.ly/11lKTCZ (KB255504)

Wait for the changes to replicate across the forest/domain.

Second: MetaData cleanup using NTDSUtil needs to be completed:
http://bit.ly/11X6QYO (KB216498)

Then, make sure to remove _any_ references to the now gone DC in DNS in:
 _msdcs.domain.local
 domain.local

Remove DNS A records, DNS NS records, GUID in AD partition, and references in AD (_tcp ETC).

Verify that the now defunct DC is no longer present in DSSite.msc.

Wait for these changes to replicate across the domains/forests.

Philip

EDIT: Added the DNS NS records step.

EDIT 2: More specific to your questions: No. Roles need to be seized and references to OLD DC need to be completely expunged before any new DC comes online that shares the same name. Bringing NEWDC online with same name will cause LOTS of grief if clean-up steps above are not completed. BTDT.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 504 total points
ID: 39257221
You can use ntdsutil for metadata cleanup but it is easier in 2008 and higher to just delete the dead computer/DC object.

Thanks


Mike
0
 
LVL 6

Assisted Solution

by:Tonypeswani
Tonypeswani earned 248 total points
ID: 39258811
0
 

Author Comment

by:jskfan
ID: 39275292
Tonypeswani:

In this article (I pasted part of it below), it seems that I do not need to reboot a working DC into AD Services Restore Mode and then run NTDSUtil in order to seize the roles held by the defunct DC, as used to be done on 2003 DCs.
Bullet #8 says:
"if the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown."

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

<<<<If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.

If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.

You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.>>>>
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 248 total points
ID: 39295088
It seems that I do not need to reboot a working DC into AD Services Restore Mode and then run NTDSUtil in order to seize the roles held by the defunct DC, as used to be done on 2003 DCs
In case there's some confusion, you don't ever need to boot a DC into Directory Services Restore Mode in order to seize FSMO roles.  This can be done from a working DC running in normal mode; in fact, I'm fairly certain it can't be done in DSRM, since a DC running in DSRM can't access AD.
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 39295092
To clarify...

You seize roles FROM the dead DC TO a working DC.  You do NOT seize roles from a working DC under any circumstances.  If you want to move roles between working DCs, you transfer, not seize.

Once you seize roles from a dead DC, the dead DC must NEVER return to the Active Directory.  It is also important to never give a new DC the same name as the dead DC.

All of the 5 roles are mandatory to a working domain.  If a DC dies which holds one or more of those roles you must seize those roles ASAP using ntdsutil.
0
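An added PowerShell example, not code from any poster in this thread, that carries out the seize-then-verify procedure Philip and Craig describe above. DC-DEAD and DC-ALIVE are placeholder names; it assumes the ActiveDirectory module (Server 2008 R2 or later) and the DnsClient module for Resolve-DnsName.

```powershell
# Added example, not code from any poster in this thread.
# Seize all five FSMO roles from a dead DC onto a surviving DC, verify the
# new holders, and check for leftover metadata. Placeholder names: DC-DEAD
# (the crashed DC, which must never return) and DC-ALIVE (a healthy DC).
# Assumes the ActiveDirectory module (Server 2008 R2+) and Domain/Enterprise/
# Schema Admins rights; run it on a working DC in normal mode, not DSRM.
Import-Module ActiveDirectory

$DeadDc   = 'DC-DEAD'
$TargetDc = 'DC-ALIVE'

# 1. Seizing is a last resort. If the old holder still answers, transfer
#    instead (same cmdlet without -Force); seizing a role from a DC that
#    later comes back leaves two DCs claiming the same role.
if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet) {
    throw "$DeadDc is reachable; transfer the roles instead of seizing them."
}

# 2. Seize. -Force makes the cmdlet seize when the current holder cannot be
#    contacted, which is what 'seize <role>' does in ntdsutil after
#    'roles' > 'connections' > 'connect to server DC-ALIVE' > 'quit'.
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
         'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole $Roles -Force -Confirm:$false

# 3. Verify: forest-wide roles come from Get-ADForest, domain roles from
#    Get-ADDomain. None should still name the dead DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($h in $holders.GetEnumerator()) {
    $state = if ($h.Value -like "$DeadDc.*") { 'STILL ON DEAD DC' } else { 'ok' }
    '{0,-22} {1,-35} {2}' -f $h.Key, $h.Value, $state
}

# 4. Metadata cleanup is a separate step (delete the dead DC's computer object
#    on Server 2008+, or use ntdsutil 'metadata cleanup'). Afterwards no
#    server object for it should remain under Sites and its A record is gone;
#    both commands below should return nothing once cleanup has replicated.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DeadDc'" `
    -SearchBase "CN=Sites,$cfgNc"
Resolve-DnsName -Name $DeadDc -ErrorAction SilentlyContinue
```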
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 248 total points
ID: 39295155
You need to first understand the difference between seizing and transferring a role. Seizing a role is done when the dead DC is the FSMO role holder and cannot be brought back. So you need to log in on an online DC and seize the role. If the dead DC is up, you need to remove it, reinstall the OS, and promote the server back as a DC if required.

But before promoting the dead server as a DC again, you need to perform metadata cleanup to remove the instances of the dead DC from the AD database, DNS, the DC OU, etc.
http://sandeshdubey.wordpress.com/2011/10/12/metadata-cleanup-of-a-domain-controller/

You can transfer the FSMO roles to an online DC. You can keep all the roles on one DC or move them to another DC; the choice is yours. The link below helps to understand FSMO placement.

FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/kb/223346

How to transfer or seize FSMO roles
http://sandeshdubey.wordpress.com/2011/10/07/how-to-transfer-or-seize-fsmo-roles/

Hope this helps
0
 

Author Comment

by:jskfan
ID: 39303138
In previous versions (Windows 2000/2003 servers), when a DC crashes, we reboot one of the working DCs into AD restore mode and use NTDSUTIL to seize the roles from the dead DC if it had any roles.
Seizing roles is just a way of saying "enable the roles on a working DC"; there is nothing to seize from a dead stone.
0
 
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 39303155
You don't need to reboot into AD restore mode to seize roles in 2000 or 2003.  You just open a command prompt and type ntdsutil
0
 

Author Closing Comment

by:jskfan
ID: 39304050
thanks
0


Question has a verified solution.
