Missing FSMO>1year/Unable to find failed DC in metadata
  • Missing FSMO>1year/Unable to find failed DC in metadata

    Hi folks,

    Need some advice here on a situation which I have found myself in when taking over the Active Directory infrastructure for a company.

    They had 2 W2003 DCs running in W2K mixed mode:
    DC1(FSMO roles holder) and DC2

    DC1 crashed in Oct last year and not sure what was done, but all FSMO roles except for the domain naming master got transferred to DC2. From then on, they lived with 1 DC with 4 roles. No metadata cleanup was done.

    A new AD engineer joins in Apr, and deleted the DC1 object from the DC container in ADUC, as well as the FRS container.

    Seeing only 1 domain controller in place, he attempted to promote another member server to act as a redundant server, but failed. He was prompted to run ADPREP/FORESTPREP and ADPREP/DOMAINPREP, and he did. This is highly irregular, right? He managed to get this DC3 up, but the FRS will never work!

    I came in under a vendor to assess the situation, as they suddenly realise the severity of the issue. A few questions I would appreciate any help on.

    1) Tried to use metadata cleanup from NTDSUTIL, but cannot find the failed DC1 object. What other recommended ways would there be to ensure that there are no traces of the DC1 object left?

    2) I had hoped to get 1) done, then seize the domain naming master role. Does the long timeframe make this risky? Also, if 1) is not done, should I go ahead with this?

    3) In the worst event that we want to start a new forest and migrate the objects from this single forest, single domain structure into, will existence of condition 1) and 2) prevent use of ADMT v3 for an interforest migration?

    4) Can LDIFDE be used to export objects from one AD forest and reimport into another?

    Really appreciate your help folks!

  • #2
    Re: Missing FSMO>1year/Unable to find failed DC in metadata

    Note: I'm still a bit of a noob so I could be off the mark! Proceed with caution :P

    1) Removing object
    Remove the server from Sites and Services
    Remove server from Domain Controllers OU in AD Users and Computers (if still there)
    Remove server references from DNS
    Read this article: http://www.petri.com/delete_failed_dcs_from_ad.htm
    (Note: when I've removed failed DCs in the past there were DNS entries *everywhere* - not just in the location mentioned in that article... whether or not the other entries matter I don't know, but bury deep into DNS and remove all references to that DC)

    2) Are there multiple domains in the forest? If it is a single domain - I don't think the length of time without the domain naming FSMO will matter too much.. if you're considering rebuilding the forest it's certainly worth trying (after backing everything up etc. first).

    3) Clean up the objects from AD using 1) and it won't matter.

    4) No idea, sorry

    I would clean up the leftovers of the original DC, run all the standard checks to confirm the forest is healthy and then get another DC up ASAP.

    I guess when the other AD engineer was trying to install a second DC he was getting the adprep prompts because the domain naming FSMO was unavailable.. (as adprep must have been done already if the only DC left is 2k03) - once that's seized, promoting a 2nd DC should be OK.


    • #3
      Re: Missing FSMO>1year/Unable to find failed DC in metadata

      2) Are there multiple domains in the forest? If it is a single domain - I don't think the length of time without the domain naming FSMO will matter too much.. if you're considering rebuilding the forest it's certainly worth trying (after backing everything up etc. first).

      Just to add to this, even if there are multiple domains it shouldn't matter.. because no new domain/s will have been added since the problems - or old domains removed - because the FSMO didn't exist to facilitate this. So all the info will be in AD for you to seize and no changes could have been made to it in that time..

      (Please, someone with more experience confirm/deny this!)


      • #4
        Re: Missing FSMO>1year/Unable to find failed DC in metadata

        Thanks mate, no go still... More details are as follows:

        1) SRV records, FRS objects, sites, DNS... All done. Unfortunately, it's still in the metadata, and the almighty NTDSUTIL cannot see it. LDP perhaps?

        2) Single domain currently. There are plans to add a new domain to this, not possible at the moment without the Domain Naming master... Also, no DC can be promoted or demoted properly, as a side note.

        3) Sure hope this works without cleaning up the metadata, cos I have no other idea on what else can be done to clear that stray object. Will share my findings here when I manage to test ADMT to migrate this forest.

        4) Any comments from fellow AD admins? I really appreciate alternatives on this, in the event that ADMT cannot be used here to perform inter forest migration...

        In the meantime, hope to have more views on this matter.. Much appreciated!


        • #5
          Re: Missing FSMO>1year/Unable to find failed DC in metadata

          Are you using ntdsutil from the 2003 support tools SP1?

          Then following this doc?
          http://support.microsoft.com/kb/216498

          Not sure why it wouldn't be picking up the old objects, ldp or adsiedit would surely pick up old objects but I wouldn't know what's safe to remove and what's not..

          Does ntdsutil rely upon the domain naming FSMO somehow?
          Therefore using ldp/adsiedit could find the object?


          • #6
            Re: Missing FSMO>1year/Unable to find failed DC in metadata

            Oh yes, latest and greatest enhanced version of NTDSUTIL, to no avail.

            At said point of time, still on the lookout for alternatives, though it appears that a forest migration will be inevitable... Thankfully, it is a small forest....
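Added example, not written by any poster in this thread: a read-only way to look for leftover references to a failed DC is to export the directory with LDIFDE and scan the LDIF offline. Each FSMO role is recorded in an `fSMORoleOwner` attribute whose value is the DN of the holder's NTDS Settings object, so an owner DN with no matching object in the export, or a server object under Sites with no NTDS Settings child, is a remnant. The sketch assumes the export covers both the domain and Configuration partitions; `parse_ldif`, `stale_dc_references` and the `example.local` sample are hypothetical.

```python
import re

def parse_ldif(text):  # LDIF text -> list of {lowercased attribute: [values]}
    text = re.sub(r"\r?\n ", "", text)  # unfold lines wrapped with a leading space
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            # Plain "attr: value" lines only; base64 ("attr:: ...") values are skipped.
            m = re.match(r"([A-Za-z][\w;-]*):(?!:)\s*(.*)", line)
            if m:
                entry.setdefault(m.group(1).lower(), []).append(m.group(2))
        if "dn" in entry:
            entries.append(entry)
    return entries

def stale_dc_references(entries):  # -> list of (kind, object DN, referenced DN)
    known = {e["dn"][0].lower() for e in entries}
    findings = []
    for e in entries:
        dn = e["dn"][0]
        for owner in e.get("fsmoroleowner", []):
            if owner.lower() not in known:  # role points at an object that is gone
                findings.append(("orphaned-role-owner", dn, owner))
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "server" in classes and f"cn=ntds settings,{dn}".lower() not in known:
            findings.append(("server-without-ntds-settings", dn, None))
    return findings

# Constructed sample export for a hypothetical domain example.local.
CFG = "CN=Configuration,DC=example,DC=local"
SRV = f"CN=Servers,CN=Default-First-Site-Name,CN=Sites,{CFG}"
SAMPLE = f"""\
dn: CN=Partitions,{CFG}
fSMORoleOwner: CN=NTDS Settings,CN=DC1,
 {SRV}

dn: DC=example,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=DC2,{SRV}

dn: CN=DC1,{SRV}
objectClass: server

dn: CN=DC2,{SRV}
objectClass: server

dn: CN=NTDS Settings,CN=DC2,{SRV}
objectClass: nTDSDSA
"""

print(stale_dc_references(parse_ldif(SAMPLE)))
```

In the constructed sample the domain naming master entry (on `CN=Partitions`) still names DC1, while the role on the domain root resolves to DC2's existing NTDS Settings object and is not reported.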