Forest Level FSMO Roles preventing AD and DNS starting


  • Forest Level FSMO Roles preventing AD and DNS starting

    Hello,

    I've got a kind of unusual problem in my production environment that I can't seem to find any information online about. Maybe someone on the forum has come across it before. It is as follows:

    In my environment I have 3 domains in 1 forest: abcinc.abc.com; mnoinc.abc.com; xyzinc.abc.com. These 3 domains are sibling domains. There are no servers in the abc.com domain. The 5 FSMO roles are held by a DC in abcinc.abc.com domain.

    While doing a cold site disaster recovery I noticed the server with the 5 FSMO would reboot after the restore and AD and DNS would load fine but on subsequent reboots it would take up to 10 minutes to reach the login screen and then AD and DNS would not load. In this cold site only 1 DC is being restored. In network settings it points to itself for DNS.

    I've finally narrowed it down to the Schema Master and Domain Naming Master roles causing the problem. If any DC in our environment has these roles it will not load AD or DNS if it cannot contact another DC/DNS server. I narrowed it down this far by restoring another DC in our test environment and that restore went ok so then started transferring FSMO roles to this 2nd recovered DC. The RID, PDC and Infrastructure roles transferred ok and the 2nd DC still loaded AD and DNS. Once I transferred either the Schema Master or Domain Naming Master role to this 2nd DC it stopped booting on its own. I then tried transferring the Schema Master and Domain Naming Master roles to the 2nd DC while leaving the PDC, RID and Infrastructure roles on the 1st DC and the 1st DC then was able to load AD and DNS without having to be in contact with another DC/DNS server. The 2nd DC would now not load AD or DNS since it had the 2 forest level FSMO roles.

    This is not a serious problem in our day to day environment as there are a number of DC/DNS servers but it is still troubling and I would like to get to the bottom of it.

    I've tried running Active Directory Schema Diagnose from Windeveloper.com and everything that tested passed ok.

    Has anyone else ever encountered a domain with a DC that would not load AD or DNS due to the Forest Level FSMO roles, Schema and Domain Naming Master? Does anyone have any suggestions of some more checks I could run?

  • #2
    Re: Forest Level FSMO Roles preventing AD and DNS starting

    I notice this all the time in test DR cases.

    I don't have any solution but, I notice if you just leave the DC alone for about 45 minutes the AD and DNS services kick in and the server will function normally.



    • #3
      Re: Forest Level FSMO Roles preventing AD and DNS starting

      In our cold site DR testing I've left the recovered server online overnight and AD and DNS still didn't come back up. Hasn't come up after leaving it online for long periods of time in my test environment either unfortunately.



      • #4
        Re: Forest Level FSMO Roles preventing AD and DNS starting

        Once try to seize the roles on any one of the DC if it works.............

        Regards,
        Kapil Sharma
        ~~~~~~~~~~~~~
        Life is too short, Enjoy It.



        • #5
          Re: Forest Level FSMO Roles preventing AD and DNS starting

          Found the solution to my problem. Turns out it's a service startup timing issue introduced with SP1 for Server 2003. The resolution is to add the following registry key:
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

          "Repl Perform Initial Synchronizations"=dword:00000000

          This key stops the DC from waiting 6 minutes if it can't contact a DNS server other than its own. Microsoft doesn't seem to have a KB on it.

          I would not recommend applying this key in a production environment where your DC has access to more than one DC at all times as the delay was for a reason but in a test or single server environment the key could be very useful.

          A more in depth article on it can be found here:
          http://blogs.technet.com/ad/archive/...uirements.aspx

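Added example, not part of the original thread: a PowerShell sketch for checking, setting and later removing the value from post #5 on a DC restored into an isolated test or DR environment. The function names are hypothetical; the key path and value name are the ones given in the post, and removing the value to return to default startup behaviour is an assumption of this example.

```powershell
# Added example; function names are hypothetical. Key path and value name
# are taken from post #5. Run elevated on the restored DC.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Repl Perform Initial Synchronizations'

function Get-InitialSyncSetting {
    # Returns 'Default' when the value is absent, otherwise the configured DWORD.
    $prop = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Default' }
    return $prop.$ValueName
}

function Disable-InitialSync {
    # Sets the value to 0, as in post #5. Intended for an isolated restore only.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($NtdsParams, "Set '$ValueName' = 0")) {
        New-ItemProperty -Path $NtdsParams -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Restore-InitialSync {
    # Removes the value before the DC rejoins a multi-DC environment
    # (assumption: an absent value means default behaviour).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ((Get-InitialSyncSetting) -ne 'Default' -and
        $PSCmdlet.ShouldProcess($NtdsParams, "Remove '$ValueName'")) {
        Remove-ItemProperty -Path $NtdsParams -Name $ValueName
    }
}

# Report the current state and the FSMO holders so the change is made on the right DC.
"Initial sync setting: $(Get-InitialSyncSetting)"
netdom query fsmo
```

Run `Disable-InitialSync -WhatIf` first to see the change without writing it; the DC needs a restart before the new value affects startup.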


          • #6
            Re: Forest Level FSMO Roles preventing AD and DNS starting

            Thanks for posting the solution also.........

            Regards,
            Kapil Sharma
            ~~~~~~~~~~~~~
            Life is too short, Enjoy It.
