Seizing FSMO roles

This topic contains 31 replies, has 3 voices, and was last updated by Si_Pe 13 years, 3 months ago.

    Si_Pe
    Member
    #113698

    Hello all,

    I have a question about seizing the roles on my DC.

    I am running Windows 2000 Advanced Server with SP4 and the operations master is showing ERROR in the box when you try and transfer, and I can’t find a lot on where to start looking etc. The server is still working OK but is dying.

    My main question is: when I seize the roles, what happens? Is another DC forced to take them over?

    Just a little confused about it all.

    Many thanks

    Simon

    JeremyW
    Moderator
    #267385

    What is the “ERROR” you’re getting?
    Seizing roles is never ideal but if you do, make sure the server you’re seizing the role from is offline and NEVER comes back online. (meaning if you want to use that server again it will need to be reformatted)

    Si_Pe
    Member
    #278065

    JeremyW wrote:
    What is the “ERROR” you’re getting?
    Seizing roles is never ideal but if you do, make sure the server you’re seizing the role from is offline and NEVER comes back online. (meaning if you want to use that server again it will need to be reformatted)

    Many thanks for your reply,

    When you look at the FSMO roles within Active Directory all it says where it should list the server name is “ERROR”.

    When I rebuild the server can it be called the same name then?

    So will another DC be forced to create the roles?

    Thanks again

    JeremyW
    Moderator
    #267386

    Quote:
    When you look at the FSMO roles within Active Directory all it says where it should list the server name is “ERROR”

    Do you get this on all your DCs or just the one that’s failing?

    Quote:
    When I rebuild the server can it be called the same name then?

    I believe so, its account will need to be reset and because it was a DC you’ll need to clean up AD (’cause if you seize the role you won’t be able to bring it back online to uninstall AD)

    Quote:
    So will another dc be forced to create the roles?

    I’m not as familiar with 2k as I am with 2k3 but you should be able to use ntdsutil. You can also clean up your AD with ntdsutil. (note the different link)

    Si_Pe
    Member
    #278066

    JeremyW wrote:
    Do you get this on all your DCs or just the one that’s failing?

    It shows on the two DCs.

    I believe so, its account will need to be reset and because it was a DC you’ll need to clean up AD (’cause if you seize the role you won’t be able to bring it back online to uninstall AD)

    OK, brilliant, so it looks like this is my only option.

    I’m not as familiar with 2k as I am with 2k3 but you should be able to use ntdsutil. You can also clean up your AD with ntdsutil. (note the different link)

    Do I use it to create new roles or to force them to a new server?

    You have been very helpful!

    Thanks

    wullieb1
    Moderator
    #239347

    You would actually seize them if the server is unavailable.

    If the server is online you can transfer the roles to a new server.

    Si_Pe
    Member
    #278067

    wullieb1 wrote:
    You would actually seize them if the server is unavailable.

    If the server is online you can transfer the roles to a new server.

    Thanks

    Sorry, I am being stupid, I think. What about the other DC? Will AD no longer work without these roles? So would it be a restore from backup for AD?

    Thanks again

    JeremyW
    Moderator
    #267387

    You need the roles for full functionality and no, you won’t need to restore from backup.

    The best way is to transfer the roles so let’s get back to my earlier question; are you getting the error on all DCs or just the one that’s failing?

    Si_Pe
    Member
    #278068

    JeremyW wrote:
    You need the roles for full functionality and no, you won’t need to restore from backup.

    The best way is to transfer the roles so let’s get back to my earlier question; are you getting the error on all DCs or just the one that’s failing?

    Ok sorry,

    Yeah, I am getting the error on all roles in AD on both DCs.

    Thanks for your help, this has been an issue for a while now and with your help I think I may come to the correct way of fixing it.

    Thanks

    JeremyW
    Moderator
    #267389

    Have you checked the Event logs to see if there’s any errors there?
    You could also try transferring the roles (not seizing) using ntdsutil.
    See:
    http://www.petri.com/transferring_fsmo_roles.htm
    http://www.petri.com/determining_fsmo_role_holders.htm

    Si_Pe
    Member
    #278069

    JeremyW wrote:
    Have you checked the Event logs to see if there’s any errors there?
    You could also try transferring the roles (not seizing) using ntdsutil.
    See:
    http://www.petri.com/transferring_fsmo_roles.htm
    http://www.petri.com/determining_fsmo_role_holders.htm

    I have looked there and checked DNS and it seems to be working OK. I would like to transfer the roles or seize them and then rebuild this server. Is transferring the best option then?

    If I use NTDSUTIL to transfer the roles is it more likely to work even though it has the error and the GUI won’t move them?

    I will check the logs again now to see what new items are in there.

    Thanks again! You’re helping me on the road to recovery.

    Cheers

    JeremyW
    Moderator
    #267390

    Transferring is definitely the way to go. Seizing is when all else fails.

    I did a quick google search on the error and didn’t find anything. Maybe someone more experienced had come across this before…?

    I would determine if ntdsutil can see which server is holding which role. If it can then my guess would be that you’d be able to use ntdsutil to transfer the roles. These are only guesses and it may make matters worse so make sure you have a current backup of all the servers.

    Si_Pe
    Member
    #278070

    Si_Pe wrote:
    I have looked there and checked DNS and it seems to be working OK. I would like to transfer the roles or seize them and then rebuild this server. Is transferring the best option then?

    If I use NTDSUTIL to transfer the roles is it more likely to work even though it has the error and the GUI won’t move them?

    I will check the logs again now to see what new items are in there.

    Thanks again! You’re helping me on the road to recovery.

    Cheers

    Hello again,

    I have used NTDSUTIL to see what server holds the roles and it has come back with the following results, which I am confused by as the roles seem to be held on the other DC.

    E:\Documents and Settings\localadmin>netdom query /domain:endsnet fsmo
    The system cannot find the file specified.

    The command failed to complete successfully.

    E:\Documents and Settings\localadmin>ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server endscs1
    Binding to endscs1 …
    Connected to endscs1 using credentials of locally logged on user
    server connections: q
    fsmo maintenance: select operation target
    select operation target: list roles for connected server
    Server “endscs1” knows about 5 roles
    Schema – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Domain – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    PDC – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    RID – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Infrastructure – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    select operation target:

    The server we are having problems with is Endscs2.

    So I am guessing that along the way Endscs1 has been rebuilt and AD wasn’t removed correctly.

    What do I need to do next?

    Thanks very much.

    Si

    Si_Pe
    Member
    #278071

    JeremyW wrote:
    Transferring is definitely the way to go. Seizing is when all else fails.

    I did a quick google search on the error and didn’t find anything. Maybe someone more experienced had come across this before…?

    I would determine if ntdsutil can see which server is holding which role. If it can then my guess would be that you’d be able to use ntdsutil to transfer the roles. These are only guesses and it may make matters worse so make sure you have a current backup of all the servers.

    Thanks,

    So I guess in theory what I should be able to do seeing as NTDSUTIL has come back knowing of the 5 roles that I should be able to transfer them using NTDSUTIL to server2 and then transfer them back to server1?

    Thanks
    Si

    Si_Pe
    Member
    #278072

    Hello me again,

    I have tried to transfer the roles but it has come up with the following error when trying to transfer.

    E:\Documents and Settings\localadmin>ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server endscs1
    Binding to endscs1 …
    Connected to endscs1 using credentials of locally logged on user
    server connections: q
    fsmo maintenance: transfer domain naming master
    ldap_modify_sW error 0x34(52 (Unavailable).
    Ldap extended error message is 000020AF: SvcErr: DSID-03210227, problem 5002 (UN
    AVAILABLE), data 8

    Win32 error returned is 0x20af(The requested FSMO operation failed. The current
    FSMO holder could not be contacted.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Server “endscs1” knows about 5 roles
    Schema – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Domain – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    PDC – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    RID – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    Infrastructure – CN=”NTDS Settings
    DEL:cd53d892-b33e-4b2f-9934-a46359430699″,CN=”ENDSCS1
    DEL:5609fab6-8f1c-4de3-b588-669ba20fb267″,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=endsnet,DC=local
    fsmo maintenance:

    Looks like a seize is the only way to go? Can I have some help and some suggestions on the next step please?

    Thanks again!
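
In both listings above every role owner DN contains `DEL:<GUID>`, which is the name Active Directory gives a deleted object (old name, a newline, then `DEL:` and the object's GUID), so all five roles still point at the NTDS Settings object of a removed ENDSCS1 install. The following is an added example, not part of the thread: `parse_roles` and `stale_owners` are hypothetical names, the sample is constructed from the output in the posts, and wrapped lines are assumed to break only where they do there.

```python
import re

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"^(%s) - (.*)$" % "|".join(ROLES))
# A deleted object's RDN becomes <old name> + newline + "DEL:" + <objectGUID>;
# parse_roles() writes that newline in its escaped DN form, \0A.
MANGLED = re.compile(r'CN="?([^",]*?)\\0ADEL:([0-9a-fA-F-]{36})"?')
# Typographic quotes and dashes picked up when console output is pasted into a web page.
PASTE_FIXES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"', "\u2013": "-"})

# Constructed sample: the listing from the posts above, same wrapping and characters.
DN_TEMPLATE = (
    "{role} \u2013 CN=\u201dNTDS Settings\n"
    "DEL:cd53d892-b33e-4b2f-9934-a46359430699\u2033,CN=\u201dENDSCS1\n"
    "DEL:5609fab6-8f1c-4de3-b588-669ba20fb267\u2033,CN=Servers,CN=Default-First-Site-Name,\n"
    "CN=Sites,CN=Configuration,DC=endsnet,DC=local\n"
)
SAMPLE = (
    "Server \u201cendscs1\u201d knows about 5 roles\n"
    + "".join(DN_TEMPLATE.format(role=r) for r in ROLES)
    + "select operation target:\n"
)


def parse_roles(text):
    """Return {role: owner DN} from 'list roles for connected server' output."""
    owners, current = {}, None
    for raw in text.translate(PASTE_FIXES).splitlines():
        line = raw.strip()
        match = ROLE_LINE.match(line)
        if match:
            current = match.group(1)
            owners[current] = match.group(2)
        elif current and line.startswith("DEL:"):
            # The line break before DEL: is part of the mangled name itself.
            owners[current] += "\\0A" + line
        elif current and line.startswith(("CN=", "DC=")):
            # Plain console wrapping in the middle of a long DN.
            owners[current] += line
        else:
            current = None  # prompt or other text ends the current record
    return owners


def stale_owners(owners):
    """Map each role whose owner DN names deleted objects to [(old name, GUID), ...]."""
    report = {}
    for role, dn in owners.items():
        hits = MANGLED.findall(dn)
        if hits:
            report[role] = hits
    return report


if __name__ == "__main__":
    for role, hits in stale_owners(parse_roles(SAMPLE)).items():
        names = ", ".join("%s (%s)" % hit for hit in hits)
        print("%-14s owner references deleted object(s): %s" % (role, names))
```
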

    JeremyW
    Moderator
    #267391

    Si_Pe wrote:
    So I guess in theory what I should be able to do seeing as NTDSUTIL has come back knowing of the 5 roles that I should be able to transfer them using NTDSUTIL to server2 and then transfer them back to server1?

    In theory. But if you think that someone incorrectly removed a DC from the network that should probably be addressed first. I think we’re getting beyond my knowledge here. I don’t know how one would handle an improper removal and then reinstalling without cleaning AD.

    Si_Pe
    Member
    #278073

    JeremyW wrote:
    In theory. But if you think that someone incorrectly removed a DC from the network that should probably be addressed first. I think we’re getting beyond my knowledge here. I don’t know how one would handle an improper removal and then reinstalling without cleaning AD.

    Ok thanks for your help so far!

    Last question though, I can’t get around in my head what happens to the remaining DC once I have seized the roles on the current DC that holds them. Are they re-created or do you need to start again?

    Could someone clear this up for me?

    Thanks very.

    JeremyW
    Moderator
    #267392

    The DC that seizes the roles will assume the responsibility of those roles. That means if you seize, let’s say, the PDC emulator role with “server1” anything requiring the use of the PDC emulator will be serviced by “server1”.

    Si_Pe
    Member
    #278074

    JeremyW wrote:
    The DC that seizes the roles will assume the responsibility of those roles. That means if you seize, let’s say, the PDC emulator role with “server1” anything requiring the use of the PDC emulator will be serviced by “server1”.

    Excellent, that’s what I wanted to know!

    Thanks very very much!

    You have been very helpful!

    JeremyW
    Moderator
    #267394

    Glad to help :D

    Si_Pe
    Member
    #278075

    Just to add to this, I intend to seize the roles on my server soon and the other server will then be the known role holder. I don’t want to take the current role holder offline and rebuild it. Can I just do a meta cleanup on it?

    Many thanks
    Simon

    JeremyW
    Moderator
    #267400

    If transferring is not working and you’re going to seize the roles, you must take the current role holder offline and then seize all the roles with the other DC. Then, when you’ve seized the roles, DO NOT BRING THE OTHER COMPUTER BACK ONLINE. It MUST be reformatted before introducing it back into the network.

    Si_Pe
    Member
    #278076

    JeremyW wrote:
    If transferring is not working and you’re going to seize the roles, you must take the current role holder offline and then seize all the roles with the other DC. Then, when you’ve seized the roles, DO NOT BRING THE OTHER COMPUTER BACK ONLINE. It MUST be reformatted before introducing it back into the network.

    Ok Jeremy,

    Thanks very much.

    The server that needs the roles to be seized has only just been rebuilt. That’s where the whole issue has come from, I think, because it wasn’t demoted first.

    Thanks very much!
    Simon

    JeremyW
    Moderator
    #267403

    Si_Pe wrote:
    The server that needs the roles to be seized has only just been rebuilt. That’s where the whole issue has come from, I think, because it wasn’t demoted first.

    One last thing, if the server was just rebuilt and not demoted first, you will need to clean up the remnants of the previous install that are left in AD. You will also need to do this again if you seize roles from a DC.

    Have you tried demoting the server that’s giving you issues? If not, I’d give that a shot and if it works I’d then clean up AD and see if you’re still getting the error when viewing the Operations Masters. If you still get the error, then seize the roles (since it would be the only DC in the Forest).

    Well that’s my two cents. (more like a dollar)
    Hope this helps.

    Si_Pe
    Member
    #278077

    JeremyW wrote:
    One last thing, if the server was just rebuilt and not demoted first, you will need to clean up the remnants of the previous install that are left in AD. You will also need to do this again if you seize roles from a DC.

    Have you tried demoting the server that’s giving you issues? If not, I’d give that a shot and if it works I’d then clean up AD and see if you’re still getting the error when viewing the Operations Masters. If you still get the error, then seize the roles (since it would be the only DC in the Forest).

    Well that’s my two cents. (more like a dollar)
    Hope this helps.

    Hello,

    I ended up seizing the roles which went really well.

    I now have new roles sitting on a new server and AD seems ok.

    I have only one problem though, which I can hopefully get some help with. I now have 3 DCs: the old one which held the roles which were seized, which has been rebuilt; another server; and server 2, which was the only server that was working until I seized the roles etc. The only problem I am having is making any one of the other servers a GC. The only server that is processing logons is server 2, which is the one dying, and I want to demote it.

    There is nothing wrong in the event log and when I make one of the other DCs a GC it says it’s OK. But it won’t process any logons.

    Can anyone suggest things to look at?

    Many thanks

    Simon

    JeremyW
    Moderator
    #267478

    You can check to make sure all the proper DNS records are there and check to see if the DCs are all in the same site.

    If the DNS is OK you should be able to demote it without any issues.

    If you’re worried about GCs… http://support.microsoft.com/kb/313994/en-us

    Si_Pe
    Member
    #278078

    JeremyW wrote:
    You can check to make sure all the proper DNS records are there and check to see if the DCs are all in the same site.

    If the DNS is OK you should be able to demote it without any issues.

    If you’re worried about GCs… http://support.microsoft.com/kb/313994/en-us

    Thanks very much!

    Will take a look at that doc!

    Cheers

    JeremyW
    Moderator
    #267479

    Si_Pe wrote:
    Hello,

    I ended up seizing the roles which went really well.

    I now have new roles sitting on a new server and AD seems ok.

    I have only one problem though, which I can hopefully get some help with. I now have 3 DCs: the old one which held the roles which were seized, which has been rebuilt; another server; and server 2, which was the only server that was working until I seized the roles etc. The only problem I am having is making any one of the other servers a GC. The only server that is processing logons is server 2, which is the one dying, and I want to demote it.

    I’m a little hazy on what was done but it seems to me that the DC you seized the roles from is still online.

    I’ll give you this quote and link. You should probably read the section on transfers and seizures:

    Quote:
    Second, the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role that was seized, the severity of duplicate operations master roles varies from no visible effect to potential corruption of the Active Directory database. Seize the operations master role to a domain controller that has the most recent updates from the current role holder to minimize the impact of the role seizure.

    Taken from http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx#w2k3tr_adops_how_qomy

    Si_Pe
    Member
    #278079

    JeremyW wrote:
    I’m a little hazy on what was done but it seems to me that the DC you seized the roles from is still online.

    I’ll give you this quote and link. You should probably read the section on transfers and seizures:

    Taken from http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx#w2k3tr_adops_how_qomy

    Thanks again for your help!

    What should the DNS entries look like for the GCs?

    Thanks
