Solved

Can I seize FSMO Roles if my Root/Parent Domain Controller Died and my Child Domain Controllers are still operational

Posted on 2015-02-24
5
419 Views
Last Modified: 2015-02-25
Good afternoon-

I have one Root Domain Controller (root.com) that just died physically and cannot be repaired - The Root DC had the Schema Role on it, So now when I try to modify group policies, I get an error indicating that no domains are available. I also have Child Domain Controllers (child.root.com)....I wanted to know can I seize roles from the dead Root Domain Controller to a Child Domain controller without mucking up AD, Replication, etc.....?? I have a bunch of errors in event viewer in reference to the Root Domain Controller being unreachable, However, no issues with loging into the network.
0
Comment
Question by:rbonds
5 Comments
 
LVL 6

Accepted Solution

by:
rgorman earned 250 total points
ID: 40629185
From what I know you need the root domain.  You won't be able to get by without it.  Your best bet would be to recreate it and restore from backup.  You should be able to install a new server, virtual or physical, with the same name and IP and do a restore of AD using DCPROMO and the system state backup.
0
 

Author Comment

by:rbonds
ID: 40629205
How would I restore from AD and System State Backup?  I'm sorry I forgot to mention that I'm working with windows server 2003.

I also made a bunch of changes in my child domain without being aware that the root domain was dead for several months.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 40629219
I wanted to know can I seize roles from the dead Root Domain Controller to a Child Domain controller without mucking up AD, Replication,

This cannot be done. Schema Master role is a Forest Wide role that the forest root domain holds. You will need to restore the DC from a backup in your root domain. You should always have n+1 DC's per
domain/site for redundancy.

Authoritative Restore from System State
https://technet.microsoft.com/en-us/library/cc961934.aspx

Will.
0
 
LVL 6

Expert Comment

by:rgorman
ID: 40629253
Or you could follow the advanced options here...

https://support.microsoft.com/kb/311078
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40630124
You can transfer forest wide roles to child domain if root domain is alive

OR

You can seize schema master and naming master roles to child domain only if one of the parent DC is available and you are having enterprise admins credentials
Infact if you have one parent DC alive you would seize roles to that DC only and question itself get resolved

In your case root domain is not available, so you cannot do whatever you are trying to do

Only valid option could be restore root domain if you have system state backup
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
802.1X auth setup and configuration 3 35
Redirected folders failing strangely. 8 43
Time sync on Domain 5 37
DNS server pulling non-authorative answer 3 29
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question