Solved

FSMO + Active Directory migration

Posted on 2014-02-05
6
681 Views
Last Modified: 2014-02-05
For active directory migration do I need the FSMO moved over to the new server or does it automatically get put on the new server when it gets promoted?

I'm not really sure what the FSMO does. Looks like when I promoted the 2nd server the active directory list was copied to the new server with all the users. I plan on just turning off the first server and not demoting it.

I'm testing this out all in a Virtual environment before I actually do this just trying to cover the basic procedures.
0
Comment
Question by:easyworks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 400 total points
ID: 39836839
Don't just shutoff the first server without demoting, then you also have to go through a metadata cleanup.  you want to have a clean demotion using dcpromo.

It will automatically transfer the FSMO roles but I like doing them myself and making sure it worked with no issues.  More on transferring    http://support.microsoft.com/kb/255690

There are 2 forest wide FSMO roles (Schema master, Domain naming master).  Three FSMOs per domain (PDC emulator, RID master, Infrastructure master).   Search for FSMO and there is a lot of great info out there.

Thanks

Mike
0
 
LVL 1

Author Comment

by:easyworks
ID: 39837162
Yeah, but it complains about "Domain Controller - "DsBindW error 0x6ba (The RPC server is unavailable)" when I try to transfer the fsmo roles using ntdsutil.

Why do I need to worry about demoting the server?
0
 
LVL 1

Author Comment

by:easyworks
ID: 39837173
I just noticed your link has GUI so i'll take another look at that tomorrow.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 57

Expert Comment

by:Mike Kline
ID: 39837249
If you don't demote there will still be references to it in AD.  Is this a production network.  I'd always try to have two DCs.

Thanks

Mike
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 39837673
As stated do NOT just power down the server. It is very important to demote a DC gracefully if possible. If you cannot demote the DC and it has the FSMO roles on it you will need to "Seize" the roles to the working DC. You will also need to do a metadata cleanup (already mentioned), Somethings metadata does not do a good job of cleaning up is removing all of the SRV records present in DNS. SRV records are very important as it tell the clients where to find the proper domain controllers to authenticate to using different types of protocols (ldap, kerberos, global catalog etc). If you do not remove these records manually after seizing the roles and metadata cleanup your clients run the risk of pointing to a DC that no longer exists which can create error messages with the user experience.

SRV records are located under DNS Manager>internal.domain>_msdcs folder. Go through all of the folders and delete any references to the old domain controller.

Another thing you will need to check is the Sites and Services as well to ensure that you remove and computer objects related to the failed DC, and deleting them.

As stated it would be best if you can demote the DC gracefully but if you can't make sure that you follow the above steps.

Will.
0
 
LVL 1

Author Comment

by:easyworks
ID: 39837697
The server that is going to be removed is a file server for a small company of like 5 employees. I really appreciate the input guys.
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question