Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 701
  • Last Modified:

FSMO + Active Directory migration

For active directory migration do I need the FSMO moved over to the new server or does it automatically get put on the new server when it gets promoted?

I'm not really sure what the FSMO does. Looks like when I promoted the 2nd server the active directory list was copied to the new server with all the users. I plan on just turning off the first server and not demoting it.

I'm testing this out all in a Virtual environment before I actually do this just trying to cover the basic procedures.
0
easyworks
Asked:
easyworks
  • 3
  • 2
2 Solutions
 
Mike KlineCommented:
Don't just shutoff the first server without demoting, then you also have to go through a metadata cleanup.  you want to have a clean demotion using dcpromo.

It will automatically transfer the FSMO roles but I like doing them myself and making sure it worked with no issues.  More on transferring    http://support.microsoft.com/kb/255690

There are 2 forest wide FSMO roles (Schema master, Domain naming master).  Three FSMOs per domain (PDC emulator, RID master, Infrastructure master).   Search for FSMO and there is a lot of great info out there.

Thanks

Mike
0
 
easyworksAuthor Commented:
Yeah, but it complains about "Domain Controller - "DsBindW error 0x6ba (The RPC server is unavailable)" when I try to transfer the fsmo roles using ntdsutil.

Why do I need to worry about demoting the server?
0
 
easyworksAuthor Commented:
I just noticed your link has GUI so i'll take another look at that tomorrow.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Mike KlineCommented:
If you don't demote there will still be references to it in AD.  Is this a production network.  I'd always try to have two DCs.

Thanks

Mike
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
As stated do NOT just power down the server. It is very important to demote a DC gracefully if possible. If you cannot demote the DC and it has the FSMO roles on it you will need to "Seize" the roles to the working DC. You will also need to do a metadata cleanup (already mentioned), Somethings metadata does not do a good job of cleaning up is removing all of the SRV records present in DNS. SRV records are very important as it tell the clients where to find the proper domain controllers to authenticate to using different types of protocols (ldap, kerberos, global catalog etc). If you do not remove these records manually after seizing the roles and metadata cleanup your clients run the risk of pointing to a DC that no longer exists which can create error messages with the user experience.

SRV records are located under DNS Manager>internal.domain>_msdcs folder. Go through all of the folders and delete any references to the old domain controller.

Another thing you will need to check is the Sites and Services as well to ensure that you remove and computer objects related to the failed DC, and deleting them.

As stated it would be best if you can demote the DC gracefully but if you can't make sure that you follow the above steps.

Will.
0
 
easyworksAuthor Commented:
The server that is going to be removed is a file server for a small company of like 5 employees. I really appreciate the input guys.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now