Seized FSMO roles did not replicate to second DC

Had an old SBS server that died. I seized the FSMO roles from the old SBS to the new DC. However, our remote site 2012 R2 server still shows the old SBS server as the FSMO holder and is thus having all kinds of replication issues.

Would the best / easiest option be to demote the remote DC and re-join it to the domain?  Or is there some way to get it to see the changes to the FSMO without it trying to take the roles itself using ntdsutil?
Leon Nichols, System Engineer, Asked:

Jason Crawford, Transport Ninja, Commented:
When you seized the roles did you not specify the replacement DC?  What does the output of this command look like?

netdom query fsmo
0
Leon Nichols, System Engineer, Author Commented:
Yes I did specify the replacement.  On the new server it shows proper:

C:\Windows\system32>netdom query fsmo
Schema master               SM-SRV-DC.specialty.local
Domain naming master        SM-SRV-DC.specialty.local
PDC                         SM-SRV-DC.specialty.local
RID pool manager            SM-SRV-DC.specialty.local
Infrastructure master       SM-SRV-DC.specialty.local
The command completed successfully.


However on the remote server it looks like this:

C:\Windows\system32>netdom query fsmo
Schema master               SM-SRV-DC.specialty.local
Domain naming master        SM-SRV-SBS.specialty.local
PDC                         SM-SRV-SBS.specialty.local
RID pool manager            SM-SRV-DC.specialty.local
Infrastructure master       SM-SRV-DC.specialty.local
The command completed successfully.
0
Jason Crawford, Transport Ninja, Commented:
I'd go with the output from the remaining DC...the one you're replacing the SBS server with.
0
Leon Nichols, System Engineer, Author Commented:
The issue is I need to have the remote server see the new FSMO roles master on the PDC and Domain Naming Master. Right now users at the remote site cannot access anything on the server at the main site. Getting "The target account name is incorrect", which would normally be DNS issues, but I have checked DNS and I can access the drives by IP.

Also when I check Active Directory Replication I get errors that the server is unreachable pointing to the old sbs server.
0
Jason Crawford, Transport Ninja, Commented:
Ah, I see what you're saying; sorry, I'm a little slow on the uptake apparently. What errors do you get when running repadmin /syncall from both DCs? Any chance you can just spin up a new DC in the same site as the SBS DC?
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
Run DCDIAG /C /E /V on BOTH DCs and fix any errors found that are not expected.

Clean out ALL references to the SBS server and its IP (hopefully you didn't try to reuse the SBS IP).
1
Shaun Vermaak, Technical Specialist/Developer, Commented:
Would the best / easiest option be to demote the remote DC and re-join it to the domain?  Or is there some way to get it to see the changes to the FSMO without it trying to take the roles itself using ntdsutil?
Yes, quick to rebuild.

You can also try:
Stop KCC
Run NETDOM RESETPWD
Start KCC
0
Leon Nichols, System Engineer, Author Commented:
Sorry for the late update, had other things to attend to.  

Lee, I will try running the DCDIAG on both shortly to see what shows up and post back.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Was still editing

  • Stop KDC
  • Run NETDOM RESETPWD
  • Start KDC

Detailed steps here
https://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
0
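
The stop KDC / NETDOM RESETPWD / start KDC sequence from the comment above, written out as an added PowerShell example (not code from any participant in this thread). It is meant to run elevated on the DC with the broken secure channel; the two host names are taken from the netdom output earlier in the thread, and the admin account name is a placeholder assumption.

```powershell
# Added example: repair this DC's secure channel against the healthy DC,
# then confirm the stale SBS server no longer appears as a FSMO holder.
$GoodDc    = 'SM-SRV-DC.specialty.local'    # healthy role holder (from the thread)
$StaleDc   = 'SM-SRV-SBS.specialty.local'   # dead SBS server (from the thread)
$AdminUser = 'DOMAIN\AdminAccount'          # placeholder: a domain admin account

# 1. Stop the Kerberos Key Distribution Center service and keep it from
#    restarting, so this DC must authenticate against $GoodDc instead of
#    issuing itself tickets based on its out-of-date machine password.
Set-Service  -Name kdc -StartupType Disabled
Stop-Service -Name kdc -Force

try {
    # 2. Drop cached Kerberos tickets held by the local SYSTEM logon session.
    klist -li 0x3e7 purge

    # 3. Reset the machine account password against the healthy DC.
    #    /passwordd:* prompts for the password instead of putting it on the
    #    command line (and into command history or process listings).
    netdom resetpwd "/server:$GoodDc" "/userd:$AdminUser" '/passwordd:*'
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed with exit code $LASTEXITCODE"
    }
}
finally {
    # 4. Always put the KDC back, even if the reset failed.
    Set-Service   -Name kdc -StartupType Automatic
    Start-Service -Name kdc
}

# 5. Trigger replication across all partitions and sites, then re-check
#    which servers this DC believes hold the FSMO roles.
repadmin /syncall /Ade
$staleRoles = netdom query fsmo | Select-String -SimpleMatch $StaleDc

if ($staleRoles) {
    Write-Warning "This DC still lists $StaleDc for:"
    $staleRoles | ForEach-Object { $_.Line }
} else {
    "FSMO view is consistent: no role is attributed to $StaleDc."
}
```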
Leon Nichols, System Engineer, Author Commented:
Shaun,

Originally I had issues opening DNS, was getting Access Denied, so I performed the KCC steps you mentioned, which got me access back to DNS but still showed incorrect FSMO information.

If DCDIAG shows too many errors I will most likely go with the rebuild.
0
DrDave242 Commented:
What does repadmin /showrepl show on the remote DC? Specifically, how long has it been since the last successful replication?
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Instead of

repadmin /showrepl

run

repadmin /showrepl * > out.txt

and post out.txt
0
Leon Nichols, System Engineer, Author Commented:
Sorry for the delay in getting back to everyone. Surprisingly to me, I went ahead and tried running

Stop KCC
Run NETDOM RESETPWD
Start KCC

for a second time and it worked. Don't know why the first time I ran it did not fix everything, but the second time did correct the issue and replication between the DCs worked.

Thank you everyone!
0
Question has a verified solution.