HELP! EMail down due to FSMO problems!

  • HELP! EMail down due to FSMO problems!

    This is going to be a command line solution, I'm sure, but I've hosed our Exchange server as follows:

    Over the weekend we ran Acronis on our DC1 machine running Exchange 2003 (Windows Server 2003). The Exchange server was the primary DC and FSMO role holder. We have DC2 as a backup server, and it handles some file sharing, etc. Both house a GC. We're a small network so this works OK with us.

    Anyway, on Saturday we converted the Exchange server to a Virtual Server (using XenSource as the Hypervisor) and Acronis. After restoring the Exchange (DC1) to a virtual machine we noticed that there were replication errors and DC2 could not 'find' the AD roles on DC1. After playing with it for a while we ran NTDSUtil to Seize the roles from DC1 to DC2. DC2 now shows that it is the FSMO role holder for all 5 roles. Unfortunately, DC1 does also! If we run NTDSUtil on DC1 to take them BACK from DC2, the NTDSUtil (Seize command) shows that it was successfully transferred, that Seize was not necessary (sounded good to me), but on DC2 the roles were STILL assigned to DC2! Now I have 2 DCs with FSMO roles, and nobody can authenticate to Exchange (presumably because of the PDC confusion?)

    Attempts to demote the Exchange DC fail.

    Can I demote the DC using ADSIEdit or NTDSUtil, and re-join it as a DC to fix this? Or will the old records come back to haunt? I really need to get this server back into operations!

    We're hosed

  • #2
    Re: HELP! EMail down due to FSMO problems!

    Restoring a DC from an image-based backup is a huge no. That's what it sounds like you did, since you mentioned Acronis.

    Do you have the original physical server? If so, I would shut down the current virtual server and DC2 and turn that back on.


    • #3
      Re: HELP! EMail down due to FSMO problems!

      We do have the original machine but we have a problem with DC2 being the FSMO master AND DC1 thinking it still is. This leads me to believe that AD is in need of repairs.

      We have restored physical to virtual systems like this before using Acronis (remember, we were simply moving a physical server to a virtual system) but never an Exchange server. I'm not sure what happened with this instance, but it goes without saying that I certainly compounded issues with my NTDSUtil work.

      Is there anything out there that can analyze AD and determine how to repair these issues?

      In any case, our e-mail server is still down and we really need to get that back to being part of the domain.

      Any assistance in fixing this issue is greatly appreciated!
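
Added example, not part of the original thread: a small check for the symptom described above, where each DC lists itself as holder of all five FSMO roles. It assumes the text output of `netdom query fsmo` has been captured on each DC; the sample listings, host names and domain are constructed placeholders.

```python
import re

# Constructed sample: `netdom query fsmo` output as captured on each DC.
# Host and domain names are placeholders, not values from the thread.
VIEW_DC1 = """\
Schema owner                dc1.example.local
Domain role owner           dc1.example.local
PDC role                    dc1.example.local
RID pool manager            dc1.example.local
Infrastructure owner        dc1.example.local

The command completed successfully.
"""
VIEW_DC2 = VIEW_DC1.replace("dc1.", "dc2.")  # DC2's view after the seize

def parse_fsmo(text):
    """Return {role label: holder FQDN} from one listing."""
    roles = {}
    for line in text.splitlines():
        # Role line: label, a run of 2+ spaces, then a dotted host name.
        m = re.match(r"^\s*(\S.*?)\s{2,}(\S+\.\S+)\s*$", line)
        if m:
            roles[m.group(1).lower()] = m.group(2).lower()
    return roles

def compare_views(views):
    """views: {dc: raw output}. Return {role: {dc: holder}} where DCs differ."""
    parsed = {dc: parse_fsmo(out) for dc, out in views.items()}
    conflicts = {}
    for role in sorted(set().union(*parsed.values())):
        claims = {dc: p.get(role) for dc, p in parsed.items()}
        if len(set(claims.values())) > 1:  # includes a role missing on one DC
            conflicts[role] = claims
    return conflicts

def self_claimed(views):
    """DCs whose own listing names themselves for every role."""
    out = []
    for dc, raw in views.items():
        holders = parse_fsmo(raw).values()
        if holders and all(h.split(".")[0] == dc.lower() for h in holders):
            out.append(dc)
    return sorted(out)

if __name__ == "__main__":
    views = {"DC1": VIEW_DC1, "DC2": VIEW_DC2}
    for role, claims in compare_views(views).items():
        print(f"CONFLICT {role}: {claims}")
    print("claim all roles:", self_claimed(views))
```

An empty result from `compare_views` means every DC agrees on every role holder; more than one name from `self_claimed` is the split view described in the first post.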


      • #4
        Re: HELP! EMail down due to FSMO problems!

        I would not go any further with trying to repair AD; migrations like this should be thought out, backed up and have a bulletproof rollback plan.

        At this point I would:

        1. Shut down the virtual DC1
        2. Isolate DC2
        3. Isolate physical DC1 and bring it back online.
        4. Forcefully remove any references to DC2 on DC1
        5. Demote DC2, forcefully if needed.
        6. Take DC1 and DC2 out of isolation from each other, then rejoin DC2 to the domain and DCPROMO it back to a DC.

        Please understand a few things.

        1. Virtualizing a DC is risky business.
        2. Converting an image-based backup of a DC to a virtual server is something I would never even think of doing.
        3. Trying to attempt the above two with the ADDITION of Exchange on a DC is NUTS!

        I've never run into this situation so I'm definitely not the best person to get help from on the matter, but I can't think of much else.
        Last edited by Garen; 29th January 2008, 22:39.


        • #5
          Re: HELP! EMail down due to FSMO problems!

          Good idea on the isolation steps, thanks!

          On the idea of virtualization, we have been running a DC on a virtual server for well over a year. This works great (provided you're using a hypervisor...I would not try this on Windows Virtual Server.) It was with this level of comfortability that we decided to move our Exchange server. It was MY mistake in the problems with the server roles.

          As for using Acronis images to move DCs from physical to virtual, I have not had a problem with this in the past (we have tried this successfully on three servers to date.) While there may be changes to something on the virtual server we're not aware of (I'm not an AD engineer, obviously), the swap out from physical to virtual using this technique has truly been a godsend. I was amazed the first time I tried this and it worked so well. Naturally you cannot have both running on the LAN at the same time, but once you change the IP settings on the VM (they're dynamic by default) everything has fallen into place.

          There could very well be reasons why this is a risky proposition but to date we have been VERY pleased with our use of Virtual Servers (we currently use XenSource) and based on Microsoft's foray into this world, it will be taking the server management world by storm by 2009.

          Thanks again for all your help! I'll let you know how it goes
          Last edited by ISDPCMAN; 30th January 2008, 02:31.


          • #6
            Re: HELP! EMail down due to FSMO problems!

            DC's on ESX work without a problem.


            • #7
              Re: HELP! EMail down due to FSMO problems!

              It turns out that the problem was one that was waiting to bite us regardless. The migration of our mail server to XenServer was just the catalyst.

              Since redoing our AD setup at the office we have learned a great many things, most of which we got off of here. But we also learned that when it comes to virtualization platforms we prefer to work with XenSource (now a Citrix product.)

              We played with ESX server from VMware but found that it will run on a very limited selection of hardware and was cumbersome to install and manage. It was this and other difficulties that forced us to look elsewhere for alternative VM solutions (since Microsoft is STILL not ready with a VM solution it made the search narrower.) We ran across the Xen initiative a couple of years ago and, although nice, it took too much effort to be practical in a production environment...until Citrix got into the picture and made this a viable commercial product.

              We downloaded a copy of XenServer 4.0 (the Express [free] version supports 4 VMs right off the bat.) Within 10 minutes we had it installed on a modest quad core system. Within another 30 minutes we had our first VM running. We have since migrated our other systems off of VMware and onto this platform. To put this all into perspective, we spent over 60 man hours over the course of 90 days working with vendors [Adaptec, Tyan, SuperMicro, Kingston, Seagate and Hitachi] to get the ESX server to run on our hardware. This never worked. While the hardware all worked well together it was, in one way or another, unsupported by some part of ESX server.

              We have had none of the issues that I read in the Microsoft article about running a DC in a VM. I was curious if others had experienced the problems Microsoft warned about. What else made me wonder was at the last Longhorn Road Show we attended, they were touting the use of Server 2003 and 2008 on hypervisors. I just found it odd that they would warn against this on their technet site.
              Last edited by ISDPCMAN; 22nd February 2008, 22:15.