SCAIT (United States of America) asked:
Domain Controller failed; how can I transfer FSMO/RID roles?

Hi all,

I need some help with the following scenario.

Our primary domain controller failed, and I did not get a chance to demote it via dcpromo. I built a replacement running Windows Server 2008 Enterprise R2 x64, ran dcpromo, and at first received errors stating I could not create an additional domain controller because DC2 was still set up as the RID master but was offline. I transferred some FSMO roles (schema, domain naming, etc.) to another DC via AD DS. I've rebooted the new DC and confirmed it is now a global catalogue server running DNS.

My questions to this community are:

-- How can I ensure the new DC is properly configured in the forest to be the main DC?

-- How can I transfer those FSMO roles over to this new DC and verify it is the RID master, and how can I verify AD replication? (I see that the NTDS connection settings are only replicating to 2 other domain controllers/member servers, rather than to all 9.)

-- Is DC2 now an orphan controller? What do I do to ensure that it is off our forest? Do I need to use Ntdsutil?

Thanks, and I appreciate your help with this.
--
Dan
ASKER CERTIFIED SOLUTION by Mike Kline (United States of America)
As the instances of the faulty DC are not removed, you need to run metadata cleanup as Mike suggested. As you have seized the role and the new DC is promoted, you can transfer the role to the new DC using the GUI or the ntdsutil command: http://www.petri.co.il/transferring_fsmo_roles.htm

You need to first verify the FSMO role holders before you proceed; if any role is missing, you need to seize the role.

You can run repadmin /replsum, repadmin /showreps, etc. to verify the replication. For more, see this: http://technet.microsoft.com/en-us/library/cc770963(v=ws.10).aspx

You also need to configure the authoritative time server role on the PDC role holder server: http://support.microsoft.com/kb/816042

Point the DNS settings of clients and member servers to the new DC's IP address; this may be in the TCP/IP or DHCP settings, assuming the new DC is assigned a different IP address.

Note: There are no primary and backup DCs. All DCs are RW except RODCs. However, your DCs can be holders of FSMO roles: http://windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html

1. Seize all 5 FSMO roles to any healthy DC
2. Metadata cleanup of the failed FSMO server (http://www.petri.co.il/delete_failed_dcs_from_ad.htm)
3. Metadata cleanup of DC2 also
4. Check that the new FSMO server is operational with netdom query fsmo
5. Rebuild DC2, promote it as a DC and wait for the replication
6. If DC2 is replicating to all the DCs, move the FSMO roles to DC2 (if req)
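As an added example (not code from any answer in this thread), the verify, seize, clean up and re-verify steps above as one PowerShell session run on the replacement DC with the ActiveDirectory module. NEWDC, DC2's server DN, the site name and DC=example,DC=com are assumed placeholders; the reachability check uses ICMP, so confirm a holder is really gone before seizing.

```powershell
# Added example: verify, seize and validate FSMO roles from the replacement DC.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2).
Import-Module ActiveDirectory

$newDc = "NEWDC"   # assumption: the replacement DC
$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Who holds the five roles right now? A role still pointing at the dead DC
#    cannot be transferred (the holder must answer); it has to be seized.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 2. Seize every role whose holder no longer answers. -Force turns the transfer
#    into a seizure. Only do this when the old holder will never come back online;
#    a seized holder that returns causes duplicate RID pools / schema conflicts.
$stale = $holders.GetEnumerator() | Where-Object {
    -not (Test-Connection -ComputerName $_.Value -Count 1 -Quiet -ErrorAction SilentlyContinue)
} | ForEach-Object { $_.Key }
if ($stale) {
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $stale -Force -Confirm:$false
}

# 3. Remove the dead DC's NTDS metadata so it stops showing up as RID master and
#    as a replication partner. The DN is an assumption: read the real one under
#    CN=Sites in ADSI Edit before running this.
$dc2Dn = "CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
ntdsutil "metadata cleanup" "remove selected server $dc2Dn" quit quit

# 4. Re-verify role holders and replication health as seen from every DC.
netdom query fsmo
repadmin /replsum
repadmin /showrepl $newDc
dcdiag /test:knowsofroleholders /v
```

Run it in an elevated session as a member of Domain Admins, Schema Admins and Enterprise Admins, since the schema and domain naming roles need forest-level rights.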
SCAIT (ASKER):
Thanks Mike, and all who provided help. This worked and got us exactly where we need to be. I appreciate the help.
--
Dan
Excellent work, glad you got things back up and running.