Reinstalling 2003 Standard w/AD

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Reinstalling 2003 Standard w/AD

    I'm faced with reinstallation of Windows 2003 Standard server in a small LAN environment (about 10 workstations, handful of remote VPN users). The system has been somehow damaged for the last several months. For example, there is no "Permissions" tab for any item when the Admin tries to adjust folder/file permissions. Or there is no "new" tab in the context menu to create a new folder. Obviously this makes the administration of the system very difficult.

    The system is AD/DC, CG, has DHCP, DNS, WINS, Exchange 2003, and also functions as a file server. There is a secondary server on the network as a backup DC/DC/CG/DNS.

    My question is this: as I would like to avoid losing the linkage between the user accounts and their respective Exchange mailboxes (and perhaps also their files although restoring the correct file permissions is easy), is it sufficient to transfer the FSMO roles to the backup AD/DC/CG server, then demote the server I'm going to reinstall. Or do I need to seize all FSMO roles to the backup server? If I do the latter, then I apparently can't return all of the roles back to the primary server after it's been reinstalled as suggested by the warning on the page that discusses seizing the FSMO roles: »Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.» If I seize the roles to the backup, doesn't the backup then become the "original", and hence it won't relinquish the Schema, Domain Naming, and RID roles back to the primary server without necessitating reinstall of the backup? What if I don't seize (and only "transfer") the roles before I reinstall the primary? Would something be lost in the process thus damaging the AD?

    Thank you very much for any insights and/or tips on this!

  • #2
    Re: Reinstalling 2003 Standard w/AD

    If server A is the damaged server which currently holds the FSMO roles, and server B is your backup server, then my interpretation is that if you seize the FSMO roles onto server B, you must then reinstall the operating system on server A before you can transfer the roles back to that server. However, this is at the limit of my AD knowledge so I cannot guarantee that this is correct.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Reinstalling 2003 Standard w/AD

      Originally posted by gforceindustries
      If server A is the damaged server which currently holds the FSMO roles, and server B is your backup server, then my interpretation is that if you seize the FSMO roles onto server B, you must then reinstall the operating system on server A before you can transfer the roles back to that server.
      That's what I'm thinking, too. My only concern is that if I seize the FSMO roles to the backup server (B), can I "seize them back" once A has been reinstalled and promoted to an AD/DC once again? The warning I quoted...
      Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.
      .. seems to imply that once a server has got all of the FSMO roles, it won't give up RID, Schema, or Domain Naming FSMOs without a fight (i.e. without having to reinstall Windows).



      • #4
        Re: Reinstalling 2003 Standard w/AD

        If you seize, MS recommends that you rebuild that domain controller. It is best to transfer the roles if you can.

        MS:
        http://support.microsoft.com/kb/255504/EN-US/
        http://support.microsoft.com/kb/255690

        From here: http://www.petri.com/seizing_fsmo_roles.htm



        • #5
          Re: Reinstalling 2003 Standard w/AD

          In other words, before I reinstall the server A, I'll need to seize all FSMO roles to the backup server B. And once I've rebuilt the server A and want to get the roles back to it, I'll seize the roles back, and then need to reinstall the backup server B? The server B is really just for backup purposes and as such doesn't have a RAID array and it wouldn't be safe to keep the roles (or anything whose loss would in any way be undesirable) on it.

          So, hypothetically speaking, what happens if the primary server that holds the FSMO roles just crashes and burns? Is the "seizure" not actually a transfer but rather a declaration that a specific server takes care of those functions? In other words, if a server that previously held the roles just crashes, can the roles be established on a backup AD/DC/GC server since in such situation "transferring" (or "seizing") them would not be a possibility?

          Sorry to be long-worded with this, but I'm trying to figure out would it be sufficient to transfer, not seize, the roles to the backup so that the backup wouldn't be "locked in" to being holder of the Schema, Domain Naming, and RID roles. The reinstall will happen over the weekend when the server will have minimal use, so I'm not so much worried about continuous availability of the AD/CG/mail, but rather about keeping the AD and the mailbox associations intact if possible (reconnecting mailbox associations or reconnecting user profiles is not exactly fun).
          Last edited by Ville; 15th October 2008, 01:35.



          • #6
            Re: Reinstalling 2003 Standard w/AD

            Seizing the roles should only be done as a last resort if you can't move them gracefully. Have you tried moving them the correct way? Does this fail? If you seize you need to look into cleaning up the metadata in AD for the removed server.

            If you are wiping the main server then, personally, I would move the roles and all data etc, wipe, reload with a new server name, and add it to the AD then gracefully move the roles back.

            In the interim you could set up a VM with a temp DC for resilience. Make sure you have a backup once you move the roles.
            cheers
            Andy

            Please read this before you post:


            Quis custodiet ipsos custodes?



            • #7
              Re: Reinstalling 2003 Standard w/AD

              Originally posted by Ville
              In other words, before I reinstall the server A, I'll need to seize all FSMO roles to the backup server B. And once I've rebuilt the server A and want to get the roles back to it, I'll seize the roles back, and then need to reinstall the backup server B? The server B is really just for backup purposes and as such doesn't have a RAID array and it wouldn't be safe to keep the roles (or anything whose loss would in any way be undesirable) on it.

              So, hypothetically speaking, what happens if the primary server that holds the FSMO roles just crashes and burns? Is the "seizure" not actually a transfer but rather a declaration that a specific server takes care of those functions? In other words, if a server that previously held the roles just crashes, can the roles be established on a backup AD/DC/GC server since in such situation "transferring" (or "seizing") them would not be a possibility?

              Sorry to be long-worded with this, but I'm trying to figure out would it be sufficient to transfer, not seize, the roles to the backup so that the backup wouldn't be "locked in" to being holder of the Schema, Domain Naming, and RID roles. The reinstall will happen over the weekend when the server will have minimal use, so I'm not so much worried about continuous availability of the AD/CG/mail, but rather about keeping the AD and the mailbox associations intact if possible (reconnecting mailbox associations or reconnecting user profiles is not exactly fun).
              Seizing is done only once.
              Once you rebuild the Primary DC, you could simply transfer the roles, no need to re-seize them again.
              BTW - even if you try to seize the roles and both DCs are operational, the seizing would not take place, it would transfer the roles, not seize them.
              Basically when you seize roles, the NTDSUtil would try transferring the role gracefully, only if it fails then it would seize the roles.

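The graceful transfer discussed in the replies above, as an added example that is not part of any poster's reply: a batch file that moves all five FSMO roles to the backup DC with NTDSUtil before the damaged server is demoted and rebuilt. `SERVERB` is a placeholder for the backup DC's name, and `netdom`, `repadmin` and `dcdiag` are assumed to be installed from the Windows Server 2003 Support Tools.

```bat
@echo off
rem Added example: graceful FSMO transfer to the backup DC before a rebuild.
rem Run as a Domain Admin who is also in Schema Admins and Enterprise Admins.
rem SERVERB is a placeholder; replace it with the backup DC's name.
setlocal
set TARGET=SERVERB

rem 1. Record which DC holds each role before anything is changed.
echo === Current FSMO role holders ===
netdom query fsmo

rem 2. Check that the target is replicating cleanly. Transferring roles to a
rem    DC with stale data carries that stale data along with the roles.
echo === Replication status for %TARGET% ===
repadmin /showrepl %TARGET%
dcdiag /s:%TARGET% /test:replications

echo Review the output above. Press Ctrl+C to abort if replication shows errors.
pause

rem 3. Transfer (not seize) every role. "transfer" needs the current holder
rem    to be online; "seize" is only for a holder that is gone for good.
rem    NTDSUtil asks for confirmation before each role is moved.
ntdsutil roles connections "connect to server %TARGET%" quit ^
  "transfer schema master" ^
  "transfer domain naming master" ^
  "transfer RID master" ^
  "transfer PDC" ^
  "transfer infrastructure master" ^
  quit quit

rem 4. Verify that every role now lists the target, and that the DCs agree.
echo === FSMO role holders after transfer ===
netdom query fsmo
dcdiag /s:%TARGET% /test:knowsofroleholders

endlocal
```

Running the same file later with `TARGET` set to the rebuilt server's name moves the roles back the same way.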


              • #8
                Re: Reinstalling 2003 Standard w/AD

                I see the light now! Thank you Andy and Akila!

                I thought it sounded rather dubious that moving the FSMO roles should damage the relinquishing DC. But since seizing the roles is equivalent to "ripping out the parts on the fly" it makes sense — it's an emergency procedure and there's a better way for normal circumstances (graceful transfer).

                I believe that even though the primary server I'm going to reinstall is limping along, the AD is intact. At least there haven't been any indications that the AD would be having problems, so graceful transfer should work. And graceful transfer will certainly work coming back from the backup server since the backup server is humming along smoothly. This was my primary concern since I didn't want either to have the roles stuck on the RAID-less backup server, or to have to reinstall the backup server (as would've been necessitated by seizing the roles back to the primary).

                I'll use one of the workstations on the LAN as a backup DC (which I'll set up prior to transferring the roles to the backup server "B").

                Thanks again for clearing this up!
