
Transfer FSMO back after seize


  • Transfer FSMO back after seize

    Hi there.
    I am reading Petri's page on seizing FSMO roles.
    (http://www.petri.com/seizing_fsmo_roles.htm)

    In that document he writes that it is possible to transfer back the PDC emulator role (to the original holder) after it was seized. Does anyone know how this is done, and has anyone tried it?

    I am faced with the following situation.
    Our company has 2 offices in 2 different countries.
    If the WAN link goes down between the 2, I have understood that the only FSMO role that you will start to miss quite soon is the PDC emulator role.

    Given the above, is the following scenario possible ?

    The WAN goes down and we estimate it to be down for quite a long time.
    The country NOT having the DC with the PDC master role performs a seizure of the role onto one of their DCs.
    When the WAN is fixed, and before it is activated, the DC that seized the PDC master role "releases" it so that when the WAN comes alive everything is back to normal.

    Regards
    Banjo

  • #2
    Re: Transfer FSMO back after seize

    In a short answer, no. Once a role has been seized it should not be returned to the original holder unless the original holder has been rebuilt and all traces removed from AD. In your scenario the original holder is still online and when the WAN connection comes back up both DCs will think they're the PDC and, I assume, will cause some serious problems.

    Why don't you look into getting a back-up WAN connection between the two offices (ISDN or dial-up), or you could configure the second office to be a child domain of your main office, which will automatically configure a parent-child trust between the two domains.

    No doubt others will have possible solutions for you as well.

    Michael
    Last edited by m80arm; 13th September 2006, 09:23.
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Transfer FSMO back after seize

      Originally posted by m80arm
      In a short answer, no. Once a role has been seized it should not be returned to the original holder unless the original holder has been rebuilt and all traces removed from AD. In your scenario the original holder is still online and when the WAN connection comes back up both DCs will think they're the PDC and, I assume, will cause some serious problems.

      Why don't you look into getting a back-up WAN connection between the two offices (ISDN or dial-up), or you could configure the second office to be a child domain of your main office, which will automatically configure a parent-child trust between the two domains.

      No doubt others will have possible solutions for you as well.

      Michael

      Hi Michael.
      We do have a redundant WAN connection AND a third backup connection, so in theory we should not have a problem. I need to investigate what the consequences would be IF the lines went down for a longer period of time.

      I also understood that once you have transferred a role, the original DC must not come back alive; however, when I read the above-mentioned page it was said that one could actually transfer it back.

      Anyone else know about this?

      Regards
      Banjo



      • #4
        Re: Transfer FSMO back after seize

        The document you mentioned also says this:

        Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment.
        You can transfer a role between servers as many times as you want, i.e. one server passes the role across and the other accepts the role, but from what I have read you should never seize a role and then re-introduce the server back into the domain.

        Michael
        Michael Armstrong
        www.m80arm.co.uk
        MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

        ** Remember to give credit where credit is due and leave reputation points where appropriate **


        • #5
          Re: Transfer FSMO back after seize

          Exactly. Michael has made the right point.
          Cheers,

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT



          • #6
            Re: Transfer FSMO back after seize

            Originally posted by danielp
            Exactly. Michael has made the right point.
            Shalom Daniel.
            So, just to conclude, when you wrote:
            "PDC Emulator = Can transfer back to original"
            is this incorrect or were you referring to something else?

            Secondly, is there anyone that has any real-life experience of "living" without a PDC emulator, after how long it starts to affect the users greatly and what the real consequences were (i.e. not the theoretical ones)?

            Toda raba
            /Banjo



            • #7
              Re: Transfer FSMO back after seize

              Originally posted by Banjo
              Shalom Daniel.

              Toda raba
              /Banjo
              Hej Banjo

              Om dig ska talla Hebraiska her, jag ska svare dej pa svenska

              Tak ska dig har

              Steven

              Sorry Daniel - I know I'm breaking the forum rules here but I just couldn't resist it. Especially as I can't spell in Swedish.
              Consider myself slapped
              TIA

              Steven Teiger [SBS-MVP(2003-2009)]
              http://www.wintra.co.il/
              I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

              We don't stop playing because we grow old, we grow old because we stop playing.



              • #8
                Re: Transfer FSMO back after seize

                Look, you CAN try to transfer back. You can. And actually, most articles say that nothing really bad will happen if you do it to the PDC emulator. However, other FSMO roles such as the Schema and the RID should NEVER be transferred back after a SEIZE.

                Real life? Sure. Get a PDC emulator fast. How fast? It depends on the size of your network. For example, if your servers have bad CMOS batteries and they don't sync their time with the PDC emulator upon rebooting and periodically, you'll start to have Kerberos issues the moment their clocks become out of sync. So get it back, as soon as possible.
                Cheers,

                Daniel Petri
                Microsoft Most Valuable Professional - Active Directory Directory Services
                MCSA/E, MCTS, MCITP, MCT
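
The concern raised in reply #2, that after a seize two DCs each believe they hold the same role once the WAN link returns, can be checked before and after reconnecting by asking every DC for its own view of the role holders. This is an added example, not code from any poster in the thread; the function names `Get-FsmoViewPerDC` and `Find-FsmoDisagreement` are hypothetical, and it assumes the ActiveDirectory (RSAT) module and an account that can read the directory.

```powershell
# Added example. Read-only: it queries each DC and changes nothing.
# Requires the ActiveDirectory module (RSAT). Function names are hypothetical.
Import-Module ActiveDirectory

$Roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
         'SchemaMaster', 'DomainNamingMaster'

function Get-FsmoViewPerDC {
    # Ask every known DC who it believes holds each of the five FSMO roles.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $view = [ordered]@{ AskedDC = $dc.HostName; Site = $dc.Site; Reachable = $false }
        foreach ($r in $Roles) { $view[$r] = $null }
        try {
            $d = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
            $f = Get-ADForest -Server $dc.HostName -ErrorAction Stop
            $view.PDCEmulator          = $d.PDCEmulator
            $view.RIDMaster            = $d.RIDMaster
            $view.InfrastructureMaster = $d.InfrastructureMaster
            $view.SchemaMaster         = $f.SchemaMaster
            $view.DomainNamingMaster   = $f.DomainNamingMaster
            $view.Reachable            = $true
        } catch {
            # A DC behind a failed WAN link lands here; it is reported, not skipped.
            Write-Warning "No answer from $($dc.HostName): $($_.Exception.Message)"
        }
        [pscustomobject]$view
    }
}

function Find-FsmoDisagreement {
    param([object[]]$Views)
    # A role with more than one claimed owner among reachable DCs is a conflict.
    foreach ($r in $Roles) {
        $owners = @($Views | Where-Object { $_.Reachable } |
            ForEach-Object { "$($_.$r)".ToLower() } | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Role = $r; ClaimedOwners = $owners -join ', ' }
        }
    }
}

$views = @(Get-FsmoViewPerDC)
$views | Format-Table AskedDC, Site, Reachable, PDCEmulator -AutoSize

$conflicts = @(Find-FsmoDisagreement -Views $views)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
} else {
    'All reachable DCs agree on every FSMO role holder.'
}
```

DCs listed with `Reachable = False` have not been asked, so agreement among the rest says nothing about what the isolated site believes.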
