Re: FSMO role issues after demoting and re-promoting server

"Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
news:ugswN3RFGHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
>I thought you needed a new sid (Hence the rebuild on the o/s)?
>

Not that I have even seen (but this whole thing is so goofy that
I am easily prepared to be corrected with specifics.)

BTW, is there even a DC specific SID? I was under the impression
they all used the Domain SID. (But no matter they distinguish
themselves by using GUIDs in any case.)

The issue is not that the ID is the same or not -- the OTHER DCs
all know that the original is NOT the role holder -- but rather
that the "original" still hangs onto some belief that it is the role
holder.

DCPromo cycling the original role holder removes his entire
AD and thus all 'memory' of formerly holding any roles.

FYI:
I have even gone so far as to RE-transfer the roles to the original
and then RE-transfer them back to the current role holder in the
belief that this MIGHT fix it. It didn't.

And while we are on the topic, I am not even sure what the real
problems with seize are -- I have read Microsoft docs that say
we shouldn't do it (return the original) and I have tried and
remained absolutely convinced it is a BAD THING.

But it causes intermittent and hard to pin down problems (so
someone might THINK they can get away with it since it is not
immediately catastrophic), but I still don't know precisely what
is the (lower level) cause or exactly what symptoms are
repeatably present.

We do know not to do it -- and so I stopped studying the effects
after trying it once or twice out of curiosity.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
> news:%23HTbL5OFGHA.3120@xxxxxxxxxxxxxxxxxxxxxxx
>> "Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
>> news:uB0OB8LFGHA.1396@xxxxxxxxxxxxxxxxxxxxxxx
>>> Don't seize anything!!! When you demote a dc, it will gracefully
>>> transfer any fsmo roles it holds to another available dc. Once you
>>> seize a role the dc should NEVER be put back on line without first
>>> cleaning any metadata problems and rebuilding the o/s.
>>>
>>
>> You don't need to rebuild the OS but you DO NEED to
>> do a DCPromo 'cycle' (non-DC and optionally back) if
>> you wish to return the original DC to the network.
>>
>> Technically it is a new DC then and doesn't cause problems.
>>
>> The OS itself does not need to be re-installed.
>>
>> Listen to Paul about seizing -- don't do this IF you plan to
>> return the former role holder to the net OR if your roles
>> have been transferred to some other DC without you
>> realizing it.
>>
>> First find out WHERE your roles are currently located...
>> then transfer any that are still active IF necessary.
>>
>> Technically a seizure SHOULD turn into a transfer if
>> the role holder is online and DNS is correct but that is
>> NEVER guaranteed so move carefully.
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>>
>>> To make sure there aren't any problems
>>>
>>> Run diagnostics against your Active Directory domain.
>>>
>>> If you don't have the tools installed, install them from your server
>>> install disk.
>>> d:\support\tools\setup.exe
>>>
>>> Run dcdiag and netdiag in verbose mode.
>>>
>>> If you download a gui script I wrote it should be simple to set and run.
>>> It also has the option to run individual tests without having to learn
>>> all the switch options.
>>>
>>> The script is at http://pbbergs.dynu.com/windows/windows.htm, download
>>> it and save it to c:\program files\support tools\
>>>
>>> Just select both dcdiag and netdiag make sure verbose is set. (Leave
>>> the default settings for dcdiag as set when selected)
>>>
>>> When complete search for fail, error and warning messages.
>>>
>>>
>>> --
>>>
>>>
>>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Kremlar" <kremlar@xxxxxxxxxxx> wrote in message
>>> news:OHaZJRKFGHA.1100@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Was in the middle of a migration from a Windows 2000/Exchange 2000
>>>> Server to a Windows 2003/Exchange 2003 server. The plan was to keep
>>>> the old Windows 2000 Server online afterwards as a backup Domain
>>>> Controller, print server, etc.
>>>>
>>>> I joined the new server to the domain, made it a DC, migrated Exchange,
>>>> etc. I also made it a Global Catalog Server and transferred all the
>>>> FSMO roles to it.
>>>>
>>>> I had a problem with it fully replicating the domain, basically not
>>>> replicating the SYSVOL/etc shares. Without thinking, I ran DCPROMO on
>>>> the new server to demote it, then about 30 mins later ran DCPROMO on it
>>>> again to make it a domain controller again to see if the problem would
>>>> be corrected.
>>>>
>>>> The replication problem has now been solved, but I think I made a
>>>> mistake by not transferring the FSMO roles off the server before
>>>> demoting it.
>>>>
>>>> Once I solved all the issues and everything was running well, I went
>>>> ahead and made it a Global Catalog Server again. I figured I'd also
>>>> check the FSMO roles. I checked the Schema Master role and it was set
>>>> back to OLDSERVER. I changed the Domain Controller to NEWSERVER, that
>>>> took fine. I then went to change the Operations Master, and it told me
>>>> it could not locate the source server and I would have to seize the
>>>> role (which it advised against).
>>>>
>>>> I then changed the Domain Controller back to OLDSERVER and it looks
>>>> like the Schema Master is set to OLDSERVER and is working, but I have
>>>> my doubts.
>>>>
>>>> I really don't care which server the FSMO roles are on, but now I'm
>>>> concerned they are not functioning correctly and it will come back to
>>>> haunt me.
>>>>
>>>> I'm afraid to 'seize' the roles because both servers are still online
>>>> and I'm not sure of the ramifications in this situation.
>>>>
>>>> In summary, OLDSERVER was the original FSMO roles owner. I set
>>>> NEWSERVER as the owner for all FSMO roles, then demoted it and
>>>> re-promoted it without moving the FSMO roles first. Now AD thinks
>>>> OLDSERVER is the owner, but it won't allow me to change it to
>>>> NEWSERVER.
>>>>
>>>> Any advice would be greatly appreciated.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>
>>>
>>
>>
>
>
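
Added example (not part of the thread and not code from any of the posters): one way to act on the advice to find out where the roles currently are, and to spot a DC that still holds a stale belief about ownership, is to ask every domain controller for its own view of the five role owners and compare the answers. It assumes a management host with the ActiveDirectory PowerShell module, which the thread does not mention, and read access to each DC.

```powershell
# Added example: compare each domain controller's own view of the FSMO role owners.
# Assumption: the ActiveDirectory module is installed on the machine running this.
Import-Module ActiveDirectory

$views = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server makes each query read that DC's local copy of the directory,
        # so a DC with a stale idea of who owns a role reports it here.
        $domain = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
        $forest = Get-ADForest -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            AskedDC              = $dc.HostName
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
    } catch {
        # An unreachable DC is itself a finding: a transfer needs the holder online.
        Write-Warning ('Could not query {0}: {1}' -f $dc.HostName, $_.Exception.Message)
    }
}

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
         'RIDMaster', 'InfrastructureMaster'

foreach ($role in $roles) {
    # One group per distinct owner name; more than one group means disagreement.
    $owners = @($views | Group-Object -Property $role)
    if ($owners.Count -gt 1) {
        Write-Warning ('Domain controllers disagree about {0}' -f $role)
    }
    foreach ($g in $owners) {
        '{0,-22} {1}  (as seen by: {2})' -f $role, $g.Name, ($g.Group.AskedDC -join ', ')
    }
}
```

Every role should list exactly one owner, seen by all DCs; a warning line marks a role where the views differ and should be resolved before any transfer or seizure is attempted.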

