Solved

FSMO ROLES

Posted on 2013-12-01
23
493 Views
Last Modified: 2013-12-10
I just promoted a 2008 R2 server to DC. I transferred all FSMO roles from the old 2008 Standard Edition server to this server, but now when I check I see errors on the different roles (see attachment). Users are not able to authenticate to the domain through this server. Is there a way to recover the roles to the new server?
Thanks.
FSMO.PNG

Question by:narce100
23 Comments
 

Author Comment

by:narce100
ID: 39688819
The old 2008 server was demoted and turned off. I still have it, but I don't know if that will be of any help.
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39688827
RID master shouldn't cause authentication issues.  Check all of the roles with DSQUERY from the new DC:
http://metalsushi.blogspot.com/2010/01/how-to-determine-fsmo-holders-via_09.html

Just seize the roles using NTDSUTIL.  http://support.microsoft.com/kb/255504

Also, check AD Sites and Services to be sure the old DC is properly removed from AD and that the new DC is in the same site as the client subnets.
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 39688832
You should be able to bring the old server back up and then follow this guide.
https://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspx

Make sure all roles transferred successfully, then decommission the old server.

Cheers
Andrew
 
LVL 9

Expert Comment

by:tsaico
ID: 39688833
It could be just some cleanup needed.

I had a similar problem, where I didn't give AD enough time to process everything. I ended up seizing control with the new GC and used this article to clean up the remnants.

Cleaning up:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3f49ddbc-c948-43ac-af21-2f5a4f3dce9b/active-directory-operations-master-shows-error-in-ridpdc-and-infra-tab?forum=winserverDS

Seizing and cleaning up:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3f14e3c4-20dc-4645-88ff-524b4fd094d0/operations-master-shows-error-on-the-rid-tab-only?forum=winserverDS

Another time, I had a similar thing, and simply forgot to update the DHCP pool to reflect the new DNS settings, since the old DC was also the primary DNS server, and I had made 8.8.8.8 the secondary for redundancy. So in my case, the internet still worked since it could resolve external names from Google's server, but internal resolution failed, and if you had logged off, you would be stuck off. It was resolved by updating the DHCP server settings and running ipconfig /renew on any clients, or just restarting them.
 

Author Comment

by:narce100
ID: 39688863
The problem is that the old server has been demoted and I don't know if it lost the roles. When I tried to run dsquery to check the roles I get "server not operational" (see attachment).
FSMO2.PNG
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39688869
Is your new DC a DNS server also? Does your new DC only have itself as a DNS server? How many DCs do you have remaining in your AD? Make sure DNS is pointed to itself (or another functioning DNS server).

Try these other methods (GUI and NTDSUTIL): http://www.petri.co.il/determining_fsmo_role_holders.htm

It seems that DNS isn't working as intended either... make sure the old server's references (and IP) are removed from the new DC/DNS server.
 

Author Comment

by:narce100
ID: 39688889
I have a secondary 2008 Standard DC that I also intend to decommission, but for now, thanks to this server, users are being authenticated. There are no FSMO roles on this server.
 
LVL 18

Assisted Solution

by:Andrew Davis
Andrew Davis earned 200 total points
ID: 39688893
"server not operational" seems like it cannot see the network correctly. Check and make sure all DNS entries are correct (they may have moved to the new server).

As per tmassa99's second link, you can seize the roles and then clean up, but where possible you should try to transfer from the old server.

Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles.

If this is not possible, then follow that KB and make sure you clean up the metadata.

Cheers
Andrew
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 39688895
Sorry for posting the same as tmassa99 (it seems we are thinking the same); the two comments above mine were not there when I started typing ;)

Cheers.
Andrew
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39688928
On the server that you transferred the roles to, do the following...
- Open cmd
- Type ntdsutil
- Type roles
- Type connections
- Type connect to server <servername>
- Type quit (brings you back to the previous screen)
- Type "Seize RID Master"
- Click Yes to proceed

If you have any other roles that have the same error, go through the steps again and seize the roles back to this server.

I would also recommend running "DCDIAG /v" and checking the event logs for more details. If seizing the roles does not work, I hope you have a system state backup to restore to a new DC.

Will.
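The same procedure done with the ActiveDirectory PowerShell module that ships with 2008 R2, as an added example that is not part of the original thread. It reads the five role holders, tests each one with the same LDAP bind that produces the "server not operational" message and the ERROR in the Operations Masters dialog, seizes only the roles whose holder fails that bind, and then verifies with netdom and dcdiag. The DC name, the `$DoSeize` guard and the helper function are mine; the script assumes Domain Admin rights and that the stale holder will never be reconnected.

```powershell
# Added example (not from the original thread): find FSMO roles whose holder is gone
# and seize them to the healthy 2008 R2 DC. Assumes the ActiveDirectory module and
# Domain Admin rights. Run it on the DC that should end up owning the roles.
Import-Module ActiveDirectory

$NewDc   = 'DC-2008R2'   # hypothetical: the DC that should own the roles
$DoSeize = $false        # flip to $true only once you are sure the old holder is not coming back

function Test-DcReachable {
    # LDAP bind to the named host's RootDSE. This is the call that fails with
    # "The server is not operational" when a holder has been demoted or removed.
    param([string]$HostName)
    if (-not $HostName) { return $false }
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$HostName/RootDSE")
        $entry.RefreshCache()     # forces the bind; throws if the server cannot be reached
        return $true
    } catch { return $false }
}

# 1. Current holders, as recorded in the directory (fSMORoleOwner attributes).
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 2. Flag every role whose recorded holder no longer answers an LDAP bind.
$stale = @()
foreach ($role in $holders.Keys) {
    $holder = "$($holders[$role])"
    $ok     = Test-DcReachable $holder
    '{0,-22} {1,-40} {2}' -f $role, $holder, $(if ($ok) { 'OK' } else { 'STALE' })
    if (-not $ok) { $stale += $role }
}

# 3. Seize only the stale roles. -Force turns a transfer into a seizure; a DC whose
#    roles were seized must be rebuilt, never reconnected, or you end up with two
#    RID masters or two PDC emulators in the same domain.
if ($stale.Count -gt 0 -and $DoSeize) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $stale -Force -Confirm:$false
}

# 4. Verify with tools that do not share the cmdlet's code path.
netdom query fsmo
dcdiag /s:$NewDc /test:KnowsOfRoleHolders /v
```

Leave `$DoSeize` at `$false` for the first run so the script only reports; seizing while the old holder is merely powered off (as in this thread, where the old server still exists) is exactly the situation KB 255504 warns about.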
 

Author Comment

by:narce100
ID: 39689000
I was able to recover the FSMO roles to my secondary DC (see attachment). Would demoting or even removing the new server and installing the OS again help with this problem? The goal is to go from 2008 Standard to 2008 R2.
FSMO3.PNG

 
LVL 17

Expert Comment

by:Tony Massa
ID: 39689006
You should be fine now.  The last things to do are to check AD Sites and Services to ensure the demoted DC info is out of the directory.  

In addition, check the DNS settings to be sure that the old server information is not still listed in the "DNS Servers" tab of the AD DNS zone properties.  As someone else indicated, make sure your DHCP scopes don't include the IP address of any of the old servers.
 

Author Comment

by:narce100
ID: 39689007
I also get this if I try to demote the new server (see attach)
FSMO4.PNG
 

Author Comment

by:narce100
ID: 39689035
Yes, but I'm also left with a 2008 R2 DC that is not functioning. Would it be a good idea to remove it and run metadata cleanup, then try to promote it again?
 

Author Comment

by:narce100
ID: 39689038
Another concern I have is that I ran adprep for the forest and domain for 2008 R2, and I wonder if I'm going to have problems staying on 2008 Standard while I resolve this problem.
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39689039
Is the NETLOGON service started on that DC?  Did you reboot it?  There are likely a bunch of error messages in the system event log that may help.  Still sounds like DNS entries are missing/misconfigured on that server.
 

Accepted Solution

by:narce100
narce100 earned 0 total points
ID: 39689105
The Netlogon service was not started on the server. This is what I get when I try to start it (see attachment):
FSMO5.PNG
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 300 total points
ID: 39689124
Generally, I like finding the cause of the issues, but you may be better off demoting and re-promoting the domain controller. Is there another functioning DC with DNS?

If the other domain controller is working properly, you have to ensure all of the FSMO roles are on the remaining DC, then demote the "new" DC. Personally, I'd remove it from the domain, clean up any references to the old computer and add it back to AD.

You have to be certain that the other DC(s) are properly functioning beforehand. You don't want to introduce any other issues.
 

Author Comment

by:narce100
ID: 39689192
Yes, there is a secondary DC that holds the FSMO roles, but after deleting the primary domain controller, how do I clean AD? Metadata?
I need to go but I'll be back in about 10 hrs.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39689696
Take a look at the link below to clean up the metadata. You will also want to be sure that you clean up the SRV records that are found in DNS under the _msdcs zone.

Metadata Cleanup - http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Will.
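An audit of the places a demoted DC tends to linger, added here as an example that is not from the thread and that covers both the metadata cleanup and _msdcs SRV cleanup in this comment and the Sites and Services, zone name server and DHCP scope checks Tony Massa listed earlier. It reports and deletes nothing: the removals stay with metadata cleanup, the DNS console and the DHCP console, so an accidental match cannot take out a live record. It uses the ActiveDirectory module, the MicrosoftDNS WMI provider and netsh because the DnsServer and DhcpServer PowerShell modules only exist on Windows Server 2012 and later. The old DC's name and IP, and the DNS host, are placeholders.

```powershell
# Added example (not from the original thread): report every leftover reference to a
# demoted DC in the directory, in DNS and in DHCP. Assumes the ActiveDirectory module,
# WMI access to the DNS server and netsh on the DHCP server (all on a 2008 R2 DC).
Import-Module ActiveDirectory

$OldDc   = 'OLD-DC2008'             # hypothetical: NetBIOS name of the demoted DC
$OldIp   = '10.0.0.5'               # hypothetical: its former IP address
$Zone    = (Get-ADDomain).DNSRoot   # the AD-integrated zone, e.g. corp.example.com
$DnsHost = '.'                      # DNS server to query via WMI ('.' = this machine)
$ipRx    = '\b' + [regex]::Escape($OldIp) + '\b'

# 1. Directory metadata. After a clean demotion the computer object, the server object
#    under CN=Sites and its NTDS Settings child are all gone. Anything listed here is
#    what "ntdsutil metadata cleanup" (or deleting the server in AD Sites and Services
#    on 2008 R2, which runs the same cleanup) still has to remove.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADComputer -LDAPFilter "(cn=$OldDc)" |
    ForEach-Object { "Stale computer object: $($_.DistinguishedName)" }
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
    ForEach-Object {
        "Stale server object: $($_.DistinguishedName)"
        Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)' |
            ForEach-Object { "  still has NTDS Settings: $($_.DistinguishedName)" }
    }

# 2. DNS. Walk every record in the domain zone and its _msdcs zone (NS on the zone
#    root, the A record, and the _ldap/_kerberos SRV records under _msdcs) and keep
#    the ones that still name the old DC or carry its IP.
Get-WmiObject -ComputerName $DnsHost -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_ResourceRecord |
    Where-Object {
        $_.ContainerName -like "*$Zone" -and
        ($_.TextRepresentation -match "\b$OldDc\b" -or $_.TextRepresentation -match $ipRx)
    } |
    ForEach-Object { "Stale DNS record in $($_.ContainerName): $($_.TextRepresentation.Trim())" }

# 3. DHCP. Server-level and per-scope options (006 DNS servers above all) must not
#    hand the old DC's IP to clients, or logons break as soon as the lease renews.
$srvOpts = netsh dhcp server show optionvalue
if (($srvOpts -join "`n") -match $ipRx) { "Server-level DHCP options still list $OldIp" }
netsh dhcp server show scope | Select-String '^\s*(\d+\.\d+\.\d+\.\d+)\s+-' | ForEach-Object {
    $scope = $_.Matches[0].Groups[1].Value
    $opts  = netsh dhcp server scope $scope show optionvalue
    if (($opts -join "`n") -match $ipRx) { "Scope $scope still lists $OldIp (check option 006)" }
}
```

Run it as a Domain Admin on the DC that hosts DNS and DHCP; the IP match on the DHCP side is deliberately broad (any option value containing the address), so review the flagged scope rather than assuming it is option 006.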
 

Author Comment

by:narce100
ID: 39691284
I recreated the 2008 R2 server from scratch, transferred all the FSMO roles, etc. etc. The problem is that the logon service will not start; there's even a case on Experts Exchange regarding this problem that was abandoned. The error is 0x0000064.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39692247
I would recommend first checking the health of the old DC with dcdiag /q, netdom query dc and repadmin /replsum. It seems that the old DC is having some issue and the new DC promotion is failing. Can you post the output?
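The three checks recommended here, plus the Netlogon service state that turned out to matter earlier in the thread, gathered into one pass/fail table per DC. This is an added example, not from the thread; it assumes the ActiveDirectory module and the dcdiag, repadmin and netdom tools on a 2008 R2 DC, and an account that can query services on the other DCs. The regular expression for repadmin's fails/total column follows its standard table layout.

```powershell
# Added example (not from the original thread): one health summary across all DCs from
# dcdiag /q, repadmin /replsum, the Netlogon service state and netdom query dc.
# Assumes the ActiveDirectory module and the RSAT command-line tools on a 2008 R2 DC.
Import-Module ActiveDirectory

# repadmin /replsum prints two tables (source and destination DSAs) with rows such as
#   DC1    12m:03s    0 /   5    0
# Sum the "fails" column per DC name, counting both replication directions.
$replFails = @{}
repadmin /replsum 2>&1 | ForEach-Object {
    if ("$_" -match '^\s*(\S+)\s+.+?\s(\d+)\s*/\s*(\d+)\s+\d+') {
        $replFails[$matches[1].ToUpper()] += [int]$matches[2]
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name  = $dc.HostName
    $short = $dc.Name.ToUpper()

    # dcdiag /q prints only failures, so any non-blank line means a failed test.
    $diag = @(dcdiag /s:$name /q 2>&1 | Where-Object { "$_" -match '\S' })

    # A DC whose Netlogon service is stopped does not register its SRV records or
    # authenticate anyone, which is the symptom the original poster hit.
    $svc    = Get-Service -ComputerName $name -Name Netlogon -ErrorAction SilentlyContinue
    $status = if ($svc) { "$($svc.Status)" } else { 'unreachable' }

    New-Object PSObject -Property @{
        DC             = $name
        Netlogon       = $status
        DcdiagFailures = $diag.Count
        ReplFailures   = [int]$replFails[$short]
    }
}

$results | Format-Table DC, Netlogon, DcdiagFailures, ReplFailures -AutoSize

# Cross-check: the DC list the domain itself advertises.
netdom query dc
```

A DC showing `unreachable` or a stopped Netlogon, or any non-zero failure count, is the one to look at before promoting or demoting anything else; its own System event log (Netlogon, NTDS and DNS Client sources) usually names the cause.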
 

Author Closing Comment

by:narce100
ID: 39708103
I got the problem resolved. Thank You for your help
