Remove FSMO role?

  • Remove FSMO role?

    Hi

    Is it possible to remove the FSMO role from the server?

    The network has 2 DCs, and the FSMO DC wasn't online.
    There was a need to move the FSMO to the second DC.
    Now I can connect the first DC to the network, but FSMO is on it.

    What can I do?


    Thanks
    Yaniv

  • #2
    Re: Remove FSMO role?

    Do not connect it. If you have forcibly moved the FSMO roles to another DC, you will have to flatten the original one, remove it from AD using ntdsutil and then re-dcpromo it as a new DC.
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: Remove FSMO role?

      I just seized the role of the PDC emulator.
      Is there a way to remove only that?


      • #4
        Re: Remove FSMO role?

        No, sorry.

        http://support.microsoft.com/kb/255504

        A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
        cheers
        Andy

        Quis custodiet ipsos custodes?


        • #5
          Re: Remove FSMO role?

          I'll try to demote and promote the DC as you suggested

          Thanks


          • #6
            Re: Remove FSMO role?

            Just to make sure I understand correctly:

            I'll run this command on the second DC (which is now the new FSMO)?
            ntdsutil /metadata cleanup



            • #7
              Re: Remove FSMO role?

              If you only have 2 DCs then you need to make sure all of the roles are on the currently running one. You may have to seize the rest as well now. Make sure your DC is a GC and make sure you have a backup.
              You need to run the cleanup to get rid of the old server from AD. Once complete I would also check DNS, sites and services etc to make sure there is nothing left over.
              I would also add the wiped old DC as a new name as well and make sure replication etc are working.
              cheers
              Andy

              Quis custodiet ipsos custodes?


              • #8
                Re: Remove FSMO role?

                Thanks

                I did all that but have some replication problems.
                I can't open Active Directory Users and Computers from Administrative Tools
                (it says "logon failure: unknown username or bad password"),
                but if I open it from GPMC, I succeed.


                • #9
                  Re: Remove FSMO role?

                  The tool may be pointing to the old server that had the PDC role. If you right click on the Active Directory Users and Computers node it should hopefully give you the choice for connecting to another server.

                  It is always best to point the tool at the PDC role holder as that controls password resets etc.


                  • #10
                    Re: Remove FSMO role?

                    Like that it's working.

                    But if I point it to the PDCe and this server is offline, I'll see nothing.


                    • #11
                      Re: Remove FSMO role?

                      Originally posted by AndyJG247:
                      If you only have 2 DCs then you need to make sure all of the roles are on the currently running one. You may have to seize the rest as well now. Make sure your DC is a GC and make sure you have a backup.
                      You need to run the cleanup to get rid of the old server from AD. Once complete I would also check DNS, sites and services etc to make sure there is nothing left over.
                      I would also add the wiped old DC as a new name as well and make sure replication etc are working.

                      The PDC role should now be on one of your DCs as Andy recommended.


                      • #12
                        Re: Remove FSMO role?

                        I seized all roles using the second server.
                        After that I promoted the first one back to DC.


                        • #13
                          Re: Remove FSMO role?

                          If I have got this right, you now have 1 DC with all FSMO roles and the other DC was freshly installed and then brought back into the domain after you had cleaned up all metadata, DNS entries and sites and services?


                          • #14
                            Re: Remove FSMO role?

                            Check your roles with the netdom query fsmo command.
                            Marcel
                            Technical Consultant
                            Netherlands
                            http://www.phetios.com
                            http://blog.nessus.nl

                            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                            "No matter how secure, there is always the human factor."

                            "Enjoy life today, tomorrow may never come."
                            "If you're going through hell, keep going. ~Winston Churchill"


                            • #15
                              Re: Remove FSMO role?

                              All working now

                              Network problems failed the replication.
                              Once I've cleared them out, everything is working as expected

                              Thanks to all of you for helping

                              Yaniv
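
The checks recommended in posts #7 and #14 (all roles on the surviving DC, no leftovers of the old server, a global catalog still present) can be scripted. This is an added example, not code from any poster in the thread: `Test-FsmoState` is a hypothetical helper, the host names are constructed, and it assumes the rebuilt server rejoins under a new name as post #7 suggests.

```powershell
# Added example (not from the thread). Pure logic over plain objects, so it
# runs without a domain; the comments at the end show the live inputs.
function Test-FsmoState {
    param(
        [System.Collections.IDictionary]$RoleHolders,  # role name -> holder FQDN
        [object[]]$DomainControllers,                  # HostName, IsGlobalCatalog
        [string[]]$ServerObjects,                      # names under CN=Sites
        [string]$RetiredDc                             # FQDN of the seized-from DC
    )
    $findings = @()
    $known = @($DomainControllers | ForEach-Object { $_.HostName })
    foreach ($role in $RoleHolders.Keys) {
        $holder = $RoleHolders[$role]
        if ($holder -eq $RetiredDc) {
            $findings += "$role is still held by retired DC $holder"
        } elseif ($known -notcontains $holder) {
            $findings += "$role holder $holder is not a current domain controller"
        }
    }
    if ($known -contains $RetiredDc) {
        $findings += "$RetiredDc is still listed as a domain controller"
    }
    if ($ServerObjects -contains $RetiredDc.Split('.')[0]) {
        $findings += "Sites and Services still has a server object for $RetiredDc"
    }
    if (-not ($DomainControllers | Where-Object { $_.IsGlobalCatalog })) {
        $findings += "No remaining domain controller is a global catalog"
    }
    return $findings
}

# Constructed sample: only the PDC emulator was seized, cleanup not yet done.
$roles = [ordered]@{
    PDCEmulator          = 'dc2.example.test'
    RIDMaster            = 'dc1.example.test'
    InfrastructureMaster = 'dc1.example.test'
    SchemaMaster         = 'dc1.example.test'
    DomainNamingMaster   = 'dc1.example.test'
}
$dcs = @([pscustomobject]@{ HostName = 'dc2.example.test'; IsGlobalCatalog = $true })
Test-FsmoState -RoleHolders $roles -DomainControllers $dcs `
    -ServerObjects @('DC1', 'DC2') -RetiredDc 'dc1.example.test'

# Live inputs (ActiveDirectory module):
#   $d = Get-ADDomain; $f = Get-ADForest   # PDCEmulator, RIDMaster, ... properties
#   $dcs = Get-ADDomainController -Filter *
#   Get-ADObject -SearchBase "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)" `
#       -Filter "objectClass -eq 'server'"
```

An empty result means none of the four conditions was found; it does not replace checking DNS and replication as the posts advise.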
