Re: Is it safe to seize the Schema Master FSMO Role?

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/13/05 

Date: Sun, 13 Feb 2005 07:29:19 -0600

"Corbin O'Reilly" <corbinoreilly@bellsouth.net> wrote in message
news:M8BPd.194$d%2.55@bignews5.bellsouth.net...
> Hi everyone. OK here is the situation. One of my new clients currently has
> three Windows 2000 domain controllers: Server2, Server3, and Server4. A
few
> years ago the domain controller that was the Schema Master, Server1, had
its
> hard disk fail and was completely lost.

Then it is safe to seize the roles it had.

> They built a new server called
> Server4 and promoted it to a domain controller. The reference to Server1
is
> still in Active Directory because it was not properly removed using
DCPROMO.
> OK this is where the problem comes in. They want to upgrade to Exchange
> Server 2003. In order to add Exchange 2003 to the network, changes must be
> made to the Schema. In Active Directory the long dead Server1 is still
> listed as the Schema Master. My question is should I use one of the other
> domain controllers to seize the Schema Master role? Is is safe to do this?
> Will it cause any problems? Thanks for the help.

Never seize a role if you plan on returning (fixing etc)
the previous role holder to the net as a DC.

If you seize a role and the previous holder is returned
to the network, it needs to be "DCPromo 'cycled'"
(DCPromo to non-DC, optionally DCPromo back as a NEW DC.)

If you forego the above your AD will not fail catastrophically
but it will likely experience spurious errors that are difficult
to isolate.

But since your role holder is lost forever there is NO
problem in seizing it.

You might also remove any "dead DCs/Domains" while you
are in NTDSUtil....

Google:

        [ ntdsutil "metadata cleanup" remove DC domain ]

You CONNECT to a working DC.
You SELECT a dead DC or Domain (for the working on to remove)

Relevant Pages

  • Re: FSMO - can I turn on a DC after its PDCe role has been seized?
    ... I don't want to risk AD ... Better to seize the other roles and do the /forceremoval ... do so ONLY to perform the DCPromo ... This server also hosted my DHCP server. ...
    (microsoft.public.windows.server.active_directory)
  • Re: INSUFF_ACCESS_RIGHTS error trying to seize schema master
    ... that owned 4 of the 5 FSMO roles. ... I was able to seize 3 roles but when I attempted ... to seize the schema master role I got the error below. ... Ldap extended error message is 00002098: SecErr: DSID-03151D7D, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Cant Demote a DC
    ... Also if that DC held any roles you will have to seize them to another DC. ... | If you have removed a DC from the domain dcpromo w/out the /forceremoval ... | "Paul Bergson" wrote in message ... |>> I am trying to demote a DC after it has been replaced. ...
    (microsoft.public.win2000.active_directory)
  • Re: wheres the schema master?!
    ... They will ALWAYS be in the same forest unless you ... (With rename they may not be parent child ... what's the effect if there's no schema master. ... Sure you can Seize the Schema Master but FIRST make ...
    (microsoft.public.win2000.active_directory)
  • Re: Replacing a windows 2003 DC
    ... I know this for recovery but, can you seize ... > GC and a DNS server. ... If DC01 isn't being removed then you can also have ... > to themselves to verify who is the current role holder. ...
    (microsoft.public.windows.server.active_directory)