FSMO ROLES

I just promoted a 2008R server to DC. I transferred all FSMO roles from the old 2008 Standard edition to this server, but now when I check I see errors on the different roles (see attachment). Users are not able to authenticate to the domain through this server. Is there a way to recover the roles to the new server?
Thanks.
FSMO.PNG
narce100 Asked:
 
narce100 (Author) Commented:
The Netlogon service was not started on the server; this is what I get when I try to start it (see attachment).
FSMO5.PNG
 
narce100 (Author) Commented:
The old 2008 server was demoted and turned down. I still have it but don't know if that will be of any help.
 
Tony Massa Commented:
RID master shouldn't cause authentication issues.  Check all of the roles with DSQUERY from the new DC:
http://metalsushi.blogspot.com/2010/01/how-to-determine-fsmo-holders-via_09.html

Just seize the roles using NTDSUTIL.  http://support.microsoft.com/kb/255504

Also, check AD Sites and Services to be sure the old DC is properly removed from AD and that the new DC is in the same site as the client subnets.
 
Andrew Davis (Manager) Commented:
You should be able to bring the old server back up and then follow through this guide.
https://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspx

Make sure all roles transferred successfully, then decommission the old server.

Cheers
Andrew
 
tsaico Commented:
It could be just some cleanup needed.

I had a similar problem myself, where I didn't give the AD enough time to process everything.  I ended up seizing control with the new GC and used this article to clean up the remnants.

Cleaning up:
 http://social.technet.microsoft.com/Forums/windowsserver/en-US/3f49ddbc-c948-43ac-af21-2f5a4f3dce9b/active-directory-operations-master-shows-error-in-ridpdc-and-infra-tab?forum=winserverDS

Seizing and cleaning up:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3f14e3c4-20dc-4645-88ff-524b4fd094d0/operations-master-shows-error-on-the-rid-tab-only?forum=winserverDS

Another time, I had a similar thing, and simply forgot to update the DHCP pool to reflect the new DNS settings, since the old DC was also the DNS primary, and I had made 8.8.8.8 as a secondary for redundancy.  So in my case, the internet still worked since it could resolve external names from Google's server, but internal failed, and if you had logged off, you would be stuck off.  It was resolved by updating the DHCP server settings and ipconfig /renew any clients, or just restart them.
 
narce100 (Author) Commented:
The problem is that the old server has been demoted and I don't know if it lost the roles. When I tried to run dcquery to check the roles I get "server not operational" (see attachment).
FSMO2.PNG
 
Tony Massa Commented:
Is your new DC a DNS server also?  Does your new DC only have itself as a DNS server?  How many DCs do you have remaining in your AD?  Make sure DNS is pointed to itself (or another functioning DNS server).  

Try these other methods (GUI and NTDSUTIL)  http://www.petri.co.il/determining_fsmo_role_holders.htm

Seems that DNS also isn't working as intended... make sure the old server references (and IP) are removed from the new DC/DNS server.
 
narce100 (Author) Commented:
I have a secondary DC 2008 Standard that I also intend to decommission, but for now, thanks to this server, users are being authenticated. There are no FSMO roles on this server.
 
Andrew Davis (Manager) Commented:
"server not operational" seems like it cannot see the network correctly. Check and make sure all DNS entries are correct (They may have moved to the new server).

As per tmassa99's second link, you can seize the roles and then clean up, but where possible you should try to transfer from the old server.

Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles.

If this is not possible, then follow that KB and make sure you clean up the metadata.

Cheers
Andrew
 
Andrew Davis (Manager) Commented:
Sorry for posting the same as tmassa99 (seems we are thinking the same). The two comments above mine were not there when I started typing ;)

Cheers.
Andrew
 
Will Szymkowski (Senior Solution Architect) Commented:
On the server that you transferred the roles to, do the following...
- Open cmd
- type ntdsutil
- Type roles
- type connections
- type connect to server <servername>
- type quit (brings you back to the screen previous)
- type "Seize RID Master"
- click yes to proceed

If you have any other roles that have the same error go through the steps again and Seize the roles back to this server.

I would also recommend running "DCDIAG /v" and checking event logs for more details. If seizing the roles does not work, I hope you have a system state backup to restore to a new DC.

Will.
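Added example, not part of any post in this thread: a read-only PowerShell check to run after a transfer or seizure, covering the three symptoms discussed here (role owner unreadable, holder not resolving in DNS, Netlogon stopped). It assumes a domain-joined machine, a domain user account, and rights to query services remotely; it reads over LDAP through .NET, so it does not depend on the ActiveDirectory module.

```powershell
# Added example: read-only health check of the five FSMO role holders.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# Each entry pairs a role with a script block that reads its current owner.
$roles = @(
    @{ Role = 'Schema master';         Owner = { $forest.SchemaRoleOwner } },
    @{ Role = 'Domain naming master';  Owner = { $forest.NamingRoleOwner } },
    @{ Role = 'PDC emulator';          Owner = { $domain.PdcRoleOwner } },
    @{ Role = 'RID master';            Owner = { $domain.RidRoleOwner } },
    @{ Role = 'Infrastructure master'; Owner = { $domain.InfrastructureRoleOwner } }
)

$report = foreach ($r in $roles) {
    $row = New-Object PSObject -Property @{
        Role = $r.Role; Holder = $null; Resolves = $false
        Pingable = $false; Netlogon = 'unknown'
    }
    try {
        # Throws if the owner attribute points at a server that no longer exists.
        $row.Holder = (& $r.Owner).Name
        # Throws if the holder's name is missing from DNS.
        [void][System.Net.Dns]::GetHostAddresses($row.Holder)
        $row.Resolves = $true
        $row.Pingable = Test-Connection -ComputerName $row.Holder -Count 1 -Quiet
        $row.Netlogon = (Get-Service -Name Netlogon -ComputerName $row.Holder `
                         -ErrorAction Stop).Status
    } catch {
        # Keep the holder name if we got that far; otherwise record the error.
        if (-not $row.Holder) { $row.Holder = "ERROR: $($_.Exception.Message)" }
    }
    $row
}

$report | Select-Object Role, Holder, Resolves, Pingable, Netlogon |
    Format-Table -AutoSize

# DCs still registered in the directory. A demoted or removed server that
# still appears here is a candidate for metadata cleanup.
$domain.DomainControllers | Select-Object Name, SiteName
```

A row whose Holder starts with "ERROR", or whose Resolves or Netlogon column is not healthy, points at the role to fix before decommissioning anything else.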
 
narce100 (Author) Commented:
I was able to recover the FSMO roles to my secondary DC (see attachment). Would demoting or even removing the new server and installing the OS again help with this problem? The goal is to go from 2008 Standard to 2008R2.
FSMO3.PNG
 
Tony Massa Commented:
You should be fine now.  The last things to do are to check AD Sites and Services to ensure the demoted DC info is out of the directory.  

In addition, check the DNS settings to be sure that the old server information is not still listed in the "DNS Servers" tab of the AD DNS zone properties.  As someone else indicated, make sure your DHCP scopes don't include the IP address of any of the old servers.
 
narce100 (Author) Commented:
I also get this if I try to demote the new server (see attachment).
FSMO4.PNG
 
narce100 (Author) Commented:
Yes, but I'm also left with a 2008R DC that is not functioning. Would it be a good idea to remove it and run metadata cleanup, then try to promote it again?
 
narce100 (Author) Commented:
Another concern I have is that I ran adprep for forest and domain for 2008R, and I wonder if I'm going to have problems staying in 2008 Standard while I resolve this problem.
 
Tony Massa Commented:
Is the NETLOGON service started on that DC?  Did you reboot it?  There are likely a bunch of error messages in the system event log that may help.  Still sounds like DNS entries are missing/misconfigured on that server.
 
Tony Massa Commented:
Generally, I like finding the cause of the issues, but you may be better off demoting and repromoting the domain controller.  Is there another functioning DC with DNS?

If the other domain controller is working properly, you have to ensure all of the FSMO roles are on the remaining DC, then demote the "new" DC.  Personally, I'd remove it from the domain, clean up any references to the old computer and add it back to AD.

You have to be certain that the other DC(s) are properly functioning before.  You don't want to introduce any other issues.
 
narce100 (Author) Commented:
Yes, there is a secondary DC that holds the FSMO roles, but after deleting the primary domain controller, how do I clean AD? Metadata?
I need to go but I'll be back in about 10 hrs.
 
Will Szymkowski (Senior Solution Architect) Commented:
Take a look at the link below to clean up the metadata. You will also want to be sure that you clean up the SRV records that are found in DNS under the _msdcs zone.

Metadata Cleanup - http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Will.
 
narce100 (Author) Commented:
I recreated the 2008 R2 server from scratch, transferred all the FSMO roles, etc. The problem is that the logon service will not start. There's even a case in expert-exchange regarding this problem that was abandoned; the error is 0x0000064.
 
Sandeshdubey (Senior Server Engineer) Commented:
I would recommend first checking the health of the old DC with dcdiag /q, netdom query dc, and repadmin /replsum. It seems that the old DC is having some issue and the new DC promotion is failing. Can you post the output?
 
narce100 (Author) Commented:
I got the problem resolved. Thank you for your help.
Question has a verified solution.