Seizing FSMO Roles from a 2K3 DC to a 2000 DC


  • Seizing FSMO Roles from a 2K3 DC to a 2000 DC

    ENVIRONMENT
    I have a single forest, single domain with two DCs. One is running Windows Server 2K3 w/SP1 and holds all 5 FSMO roles. This DC has AD integrated DNS and is functioning as a GC server. The other DC is running Windows Server 2000 w/SP4 and also has AD integrated DNS and is working as a GC server.

    SCENARIO
    My primary DC (the one holding all 5 roles) has gone down and after a few non-authoritative restores I’ve been unable to bring her back up.

    PLAN OF ACTION
    My next step is to seize the roles using the 2000 DC (the only other DC on my domain/forest) following the steps in this article: http://www.petri.com/seizing_fsmo_roles.htm. Once the roles have been seized I plan on doing a metadata cleanup following the steps in this article: http://www.petri.com/delete_failed_dcs_from_ad.htm. Then, on the DC that went down, do a clean install of Windows Server 2K3, give the machine a new name, run dcpromo and then transfer the roles back.

    FEAR/QUESTIONS
    My only fear is seizing the roles from a 2K3 DC to a 2000 DC. Are there any known issues with doing this? Does it look like I’m taking the proper steps in seizing/bringing the domain/forest back up? Also at the end of the “Seizing FSMO Roles” document (http://www.petri.com/seizing_fsmo_roles.htm) it says:

    Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
    I’ve had the Infrastructure Master role on a GC server before. Is this a big no, no? Should I then not make this new server a GC?

    Thanks in advance for any posts!
    Last edited by Jar3d; 25th June 2007, 22:52.

  • #2
    Re: Seizing FSMO Roles from a 2K3 DC to a 2000 DC

    Originally posted by Jar3d:
    I’ve had the Infrastructure Master role on a GC server before. Is this a big no, no? Should I then not make this new server a GC?
    That doesn't apply when there's only a single domain so you're fine with the way it was setup.

    The plan seems OK to me.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Seizing FSMO Roles from a 2K3 DC to a 2000 DC

      Just wanted to post a follow up. The steps detailed below worked out fine. I only ran into one issue while trying to delete the DC in the Domain Controllers OU from AD users and computers. I received the following error:

      The DSA object cannot be deleted.

      I found this article which helped:

      http://computing.fusion13.com/Active...With-LDP.shtml



      • #4
        Re: Seizing FSMO Roles from a 2K3 DC to a 2000 DC

        Thanks for posting a follow up! Much appreciated.

        Right now that link isn't working for me. Could you tell me the gist of it?
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: Seizing FSMO Roles from a 2K3 DC to a 2000 DC

          Yeah no problem. I had documented all this on our internal wiki, here are the steps:

          If you run into the same problem follow the steps detailed below. We will be using a Microsoft app called "LDP.exe". In order to proceed you will need support tools installed.

          1. Start -> Run -> LDP
          2. In LDP, Click "Connection" -> "Connect" and type the name of the live DC you are currently on in the "Server:" field. Click OK.
          3. Authenticate and Bind to the DC you are connected to by Clicking "Connection" > "Bind".
          4. Display Active Directory in "Tree View" by Clicking "View" > "Tree".
          Input the Distinguished Name of your entire domain (such as "DC=test,DC=com").
          Click OK.
          5. Navigate to the dead DC by expanding DC=test,DC=com -> OU=Domain Controllers,DC=test,DC=com.
          6. Expand the Dead DC and all containers/sub containers until you see "No Children"
          ***We will now delete the DC. Proceed with extreme CAUTION!***
          7. Individually Right Click and Delete all expanded sub containers. Use the default delete settings (with ONLY "Synchronous" checked!).
          If you do not delete each sub container before attempting to delete its parent container, you will receive an error.
          8. Delete all containers until you are able to delete the "CN=DEADDC,OU=Domain Controllers,DC=test,DC=com" container.
          Note: As you delete each container, LDP will still show this container in the tree view (left panel). In fewer words, the display will not refresh. However, if you have actually deleted the container, you will see a confirmation in the gray left panel stating the container was Deleted.

          We will now Delete from the Configuration -> Default-First-Site-Name > Servers Container

          9. Find the dead DC by Expanding DC=test,DC=com ->
          CN=Configuration,DC=test,DC=com ->
          CN=Sites,CN=Configuration,DC=test,DC=com ->
          CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com ->
          CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com ->
          ***(in fewer words: DC=test,DC=com -> Configuration -> Sites -> Default-First-Site-Name -> Servers)
          10. Individually Expand and Delete each container, including the CN=DEADDC container as described in Step 7 and 8.
          11. You're all done. To confirm your changes disconnect and reconnect/bind to verify you actually removed the dead DC using LDP.exe.
          Also go into Active Directory Users and Computers -> Domain Controllers OU -> Verify DC is no longer showing.
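
Added example, not part of the original post: a Python model of the ordering constraint in steps 7, 8 and 10 (children are deleted before their parents) and of the step 11 check that nothing still names the dead DC, run over a constructed listing. The child objects shown under `DEADDC` and the surviving DC name `LIVEDC` are assumptions made for illustration.

```python
import re

DEAD_DC = "DEADDC"  # placeholder name used in the post
BASE = "DC=test,DC=com"
SERVERS = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + BASE

# Constructed listing, not output from a real domain. LIVEDC is an assumed
# name for the surviving DC; the child objects are assumed for illustration.
SAMPLE_DNS = [
    "CN=LIVEDC,OU=Domain Controllers," + BASE,
    "CN=DEADDC,OU=Domain Controllers," + BASE,
    "CN=NTFRS Subscriptions,CN=DEADDC,OU=Domain Controllers," + BASE,
    "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,"
    "CN=DEADDC,OU=Domain Controllers," + BASE,
    "CN=DEADDC," + SERVERS,
    "CN=NTDS Settings,CN=DEADDC," + SERVERS,
    "CN=LIVEDC," + SERVERS,
    "CN=NTDS Settings,CN=LIVEDC," + SERVERS,
]

def rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def leftovers(dns, dc_name):
    """Step 11 check: every DN with an RDN equal to CN=<dc_name>."""
    wanted = "cn=" + dc_name.lower()
    return [dn for dn in dns if any(r.lower() == wanted for r in rdns(dn))]

def deletion_order(dns, dc_name):
    """Objects at or below the dead DC, deepest first, so every child
    comes before its parent (the rule stated in steps 7 and 8)."""
    return sorted(leftovers(dns, dc_name), key=lambda dn: (-len(rdns(dn)), dn))

def simulate_cleanup(dns, dc_name):
    """Delete in the planned order; deleting a non-leaf object fails."""
    remaining = list(dns)
    for dn in deletion_order(dns, dc_name):
        if any(other.endswith("," + dn) for other in remaining):
            raise ValueError("still has children: " + dn)
        remaining.remove(dn)
    return remaining

if __name__ == "__main__":
    for dn in deletion_order(SAMPLE_DNS, DEAD_DC):
        print("delete:", dn)
    print("left over:", leftovers(simulate_cleanup(SAMPLE_DNS, DEAD_DC), DEAD_DC))
```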



          • #6
            Re: Seizing FSMO Roles from a 2K3 DC to a 2000 DC

            Again, thanks for the follow up. I'm sure it will help others.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com
