cassini12


FSMO ROLE transfer, Did I miss the window of opportunity?

Long story short, a single 2003 DC was replaced with a 2008 R2 server, at that time approx. late February if I'm correct. The 2003 was shut off and they let the 2008 "bake" until now, when I had some time to look into demoting the old box and shutting it down for good. SYSVOL and NETLOGON are all there and have been since day 1 of 2008 coming up, 2008DC shows as GC as well, and other than some clean up of local machines' DNS addresses being pointed to the new server, all in the office has been well. Some slowness here and there that I always think is DNS related.
Anyway, today I fired up the 2003DC again and wanted to confirm FSMO roles. Turns out ALL are still located on the old 2003DC. If I go the normal way of GUI transferring via AD SS, UC, Schema they all fail with error "the requested FSMO operation failed. The current FSMO holder could not be contacted". No changes can be made.

 to verify,  I can PING and \\2003DC and get to this server, DNS on both machines point to themselves first then each other then outward.
Not sure what I can do? I see some stuff online about "seize" roles but assume this is very last resort, although it must be what people do a lot when their only servers die and are not upgraded properly?

 TY for any help. I did a replmon just to see what it showed and it is below, maybe has something to do with it?

also: I have NOT completed the DCPROMO on 2003 to demote it as I figure I need to transfer the 5 FSMO roles FIRST, then demote?? correct?

TY ALL
Peter Hutchison

If the original DC is not contactable or available, you need to seize the FSMO roles to the new server using the NtdsUtil.exe tool. It's not too hard a job to do. Once the roles are moved, you can safely try to demote the old server and remove it from the domain. You may need to clean it up afterwards using AD tools and/or Ntdsutil, no problem.
cassini12

ASKER

If I power it on, I can ping it and access it from the 2008DC... So it should have no issue communicating with it. That's why I feel I'm missing something.

 What are the "negatives" of seizing the roles?  and I thought once I do any of the steps involved, I have to make certain to never power on the old server on the network again? TY
From the 2008 domain controller, start PowerShell (right-click and run as administrator).
1. Type the command Import-Module ActiveDirectory
2. Type the command Move-ADDirectoryServerOperationMasterRole -Identity "nameof2008DC" -OperationMasterRole 0,1,2,3,4
3. Type the command netdom query fsmo to see if it moved all the roles gracefully.
4. If it didn't and you have to seize, type this command: Move-ADDirectoryServerOperationMasterRole -Identity "nameof2008dc" -OperationMasterRole 0,1,2,3,4 -Force
If you had to seize, attempt to gracefully dcpromo down the 2003 domain controller. If the dcpromo down doesn't work, just unplug it from the network, turn it off, and remove any entries of the 2003 domain controller from:
Active Directory Users and Computers
Active Directory Sites and Services
DNS - forward and reverse lookups
If you are using a DHCP server pointing DNS to that 2003 server, open DHCP > select your server > expand IPv4 > Scope > highlight Scope Options. On the right pane select DNS Servers and make sure you remove the IP of the 2003 server if it is in there.
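The steps in the answer above as one pre-flight script, added here as an example and not code from any poster in this thread. It reads the current role holders, checks that each holder answers on LDAP (TCP 389) and the RPC endpoint mapper (TCP 135) rather than only ping, and attempts only the graceful transfer. nameof2008DC is the answer's placeholder, and the helper names Test-TcpPort and Get-FsmoHolders are made up for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the 2008 R2 DC.
# $Target is a placeholder; 389 and 135 are the standard LDAP and RPC endpoint mapper ports.
Import-Module ActiveDirectory
$Target = 'nameof2008DC'   # short name of the new DC (placeholder from the answer)

function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000) {
    # A successful ping does not prove the directory service is reachable; test the port itself.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    # Keys are the role names that correspond to 0,1,2,3,4 in the answer's command.
    @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

$holders = Get-FsmoHolders
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]   # FQDN of the DC that currently holds the role
    if ($holder -like "$Target.*") { "{0,-22} already on {1}" -f $role, $holder; continue }
    $ldap = Test-TcpPort $holder 389
    $rpc  = Test-TcpPort $holder 135
    "{0,-22} held by {1} (LDAP 389: {2}, RPC 135: {3})" -f $role, $holder, $ldap, $rpc
    if ($ldap -and $rpc) {
        # Holder is answering: graceful transfer, no -Force.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
    } else {
        Write-Warning "${role}: holder not answering, so a transfer will fail. Seizing (-Force) is step 4 of the answer."
    }
}
Get-FsmoHolders   # re-read the holders to confirm the result
```

The script never seizes on its own: a role whose holder is unreachable is only reported, so the decision to use -Force stays with the operator.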
ASKER CERTIFIED SOLUTION
Nilesh Kamble
This solution is only available to members.
Is the "servername" above the 2k3 or 2k8 server? TY
"Servername" is the server to which you are going to seize the role. I mean, your healthy server: 2008DC.

Then, to seize roles other than PDC, use the commands below at the "fsmo maintenance: " prompt.

 fsmo maintenance: Seize domain naming master
 fsmo maintenance: Seize infrastructure master
 fsmo maintenance: Seize RID master
 fsmo maintenance: Seize schema master
Cassini, you can also use the one-liner I mentioned to seize the roles. You will run the command from PowerShell on the 2008 DC; scroll up and see the instructions.
I just got this error when I attempted using PS:  note: the 2k3 server is currently powered OFF... should it be ON for this?

[Move Operation Master Role
Do you want to move role 'PDCEmulator' to server '2k8dc.domain.local' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All   Suspend  [?] Help (default is "Y"): Y
Move-ADDirectoryServerOperationMasterRole : The directory service is unavailable
At line:1 char:42
+ Move-ADDirectoryServerOperationMasterRole <<<<  -Identity "2k8dc" -OperationMasterRole 0,1,2,3,4
    + CategoryInfo          : NotSpecified: (Microsoft.Activ...DirectoryServer:ADDirectoryServer) [Move-ADDirector...a
   tionMasterRole], ADException
    + FullyQualifiedErrorId : The directory service is unavailable,Microsoft.ActiveDirectory.Management.Commands.MoveA
   DDirectoryServerOperationMasterRole]
Are you still looking for help??