Re: FSMO - can I turn on a DC after its PDCe role has been seized?



Herb and KJ,
Thanks for your responses. I think I'll go the safe way and seize all the
roles and rebuild the old DC from scratch. I don't want to risk AD
corruption - I wouldn't know how to recover from corruption.

I only have 170 machines and I know what's going on in my domain, I'm the
only admin, so based on your prior post I think I would be safe with turning
on the fixed DC but I don't want to take the risk.

"Herb Martin" wrote:

"kj" <kj@xxxxxxxxxxx> wrote in message
news:uXGZLZrEHHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
We're substantially in agreement on all points.

A good stable DC should just be demoted/promoted, especially if its
history is known and solid. I guess I just come across too many upgraded
from NT -> 2K -> 2K3 machines with who knows what SW added and removed
untold times. Of course these things all have their own "peculiarities"
and IMHO are ripe for a "fresh" start in life.

A crappy DC is not the same issue as one where a
role was simply seized.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
/kj
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:uLbRG3qEHHA.4280@xxxxxxxxxxxxxxxxxxxxxxx
"kj" <kj@xxxxxxxxxxx> wrote in message
news:%236zQQQnEHHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
Overlapping RID pools are the concern with the RID masters since the
pools have already been issued to the DCs and the old RID Master knows
nothing of any new pools issued.

I generally agree with this, but if the domain is small
and you can be reasonably sure that no (or very few)
new objects will be re-created in the 5-10 minutes the
process will take it is not very dangerous. No DC
will be requesting new RIDs unless it exhausts the
current supply. (Gun goes here <grin>)

Reformat and re-install from scratch if forceremoval fails, or in the
case of a pure DC, or just more convenient.

A waste of time and effort to re-install as well
as an opportunity to misconfigure something that
is otherwise working just fine.

But then unless a gun is at my head I'd go with below;
Better to seize the other roles and do the /forceremoval
as you suggest -- while keeping the old role holder offline.

No gun should be necessary for THIS method -- it is the
right way to do it.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
/kj
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ekIceAnEHHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
"kj" <kj@xxxxxxxxxxx> wrote in message
news:uomMZ5mEHHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
It is a bad idea, no dispute there. But returning DCs with different
seized FSMOs represent different risks. From my research and lab
testing PDCes are minimal risk. RID Masters such an excessive risk
that I would NEVER do it to a domain I intended to keep in production.

We agree in general here.

BTW, once brought back on to the network likely any damage has already
been done.

Actually not. Even the RID master is not likely giving out
(and even less likely duplicating) RIDs immediately since
each DC has a cache of several hundred. (Could vary
in a giant domain however.)

Either reformat and rebuild from scratch or dcpromo /forceremoval
while OFF the network (and do metadata cleanup).

Reformatting is totally unnecessary here and generally
poor advice.

The DCPromo cycle is sufficient for ALL DC purposes
which is the only issue here.

Better to seize the other roles and do the /forceremoval
as you suggest -- while keeping the old role holder offline.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
/kj
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:e7pFNtmEHHA.4380@xxxxxxxxxxxxxxxxxxxxxxx
It's a bad idea, and a strong case can be made that
it should NEVER be brought back onto the network.

If you DO (and I am not necessarily recommending
this) bring it online, do so ONLY to perform the DCPromo
to make it a non-DC.


"Phillip" <Phillip@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C866DB54-BD06-4FE0-B6AB-497289137F00@xxxxxxxxxxxxxxxx
FSMO transfer question

I have a Native Mode Windows 2003 AD (no service pack) network and
while on vacation the domain controller that holds all of my FSMO roles
experienced a hardware failure. This server also hosted my DHCP server.
Folks' DHCP registrations started to time out so only the PDCe role was
transferred to another domain controller so DHCP could be installed and
authorized on the Domain Controller that still worked.

[PDC Emulator has nothing to do with being a
DHCP server, so the above 'reason' ("so...") makes
little sense however.]

My question is:
Now that the hardware has been fixed on the failed server can I turn
it back on and will it sync with the domain controller which now has the
PDCe role?

No, one of them (the original) must be DCPromo
'cycled' (to non-DC and back.)

Or

Do I have to seize the rest of the FSMO roles to the box the PDCe
was moved to, re-install windows on the box that is now fixed and join
it back to the domain and finally promote it to a DC?

You do NOT need to re-install. Just seize the roles
and DCPromo the former role holder.

Optionally (if you like to live dangerously): Bring it
online, do the DCPromo to remove the DC as a DC
and transfer the roles.

The two "masters" will NOT play well on the net
together -- it will generally not give you immediate
and catastrophic problems so you may run into people
who naively tell you that "I did this and it's ok" so
don't believe them.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
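The procedure the thread converges on (seize the remaining roles onto the surviving DC while the old holder stays off the network, then clean up the old DC's metadata and /forceremoval it before it ever reconnects) scripted as an added illustration. This is not code from any poster above; the host names DC1/DC2, the example.local domain and the site name in the server DN are placeholders you must replace. The "remove selected server <DN>" one-shot form assumes Windows Server 2003 SP1 or later on the DC you run it from; the original poster's unpatched 2003 box would need the interactive list/select sequence instead.

```powershell
# Added example: seize FSMO roles onto the surviving DC and purge the failed
# DC's metadata, refusing to run while the old role holder is still reachable.
# All names below are placeholders (assumptions), not values from the thread.
param(
    # Assumed FQDN of the DC that already received the PDCe role.
    [string]$SurvivingDC = 'DC2.example.local',
    # Assumed NetBIOS name of the failed former role holder.
    [string]$FailedDC    = 'DC1',
    # Assumed DN of the failed DC's server object (site name is a placeholder).
    [string]$FailedDCDN  = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'
)

# 1. Guard: the old holder must be OFF the network before its roles are seized,
#    otherwise the two "masters" end up on the wire together.
if (Test-Connection -ComputerName $FailedDC -Count 2 -Quiet) {
    throw "$FailedDC still answers on the network; power it off before seizing roles."
}

# 2. Seize the four roles the survivor does not yet hold (PDCe was already
#    transferred). ntdsutil attempts a graceful transfer first and seizes only
#    when the holder cannot be contacted; each seize pops a Yes/No confirmation.
$roles = @('seize RID master',
           'seize infrastructure master',
           'seize schema master',
           'seize domain naming master')
foreach ($role in $roles) {
    & ntdsutil 'roles' 'connections' "connect to server $SurvivingDC" 'quit' $role 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed on '$role' (exit code $LASTEXITCODE)" }
}

# 3. Metadata cleanup: remove the failed DC's NTDS settings so the directory
#    stops treating it as a replication partner and role holder.
& ntdsutil 'metadata cleanup' 'connections' "connect to server $SurvivingDC" 'quit' `
           "remove selected server $FailedDCDN" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "metadata cleanup failed (exit code $LASTEXITCODE)" }

# 4. Verify: role holders should be consistent and replication should be clean.
& netdom query fsmo
& dcdiag /test:knowsofroleholders /v
& repadmin /showrepl $SurvivingDC
```

Run it on the surviving DC as a Domain Admin/Enterprise Admin (schema and domain naming seizure need the forest-level rights). Only after step 3 succeeds does the repaired box get touched, and still with its network cable unplugged: run dcpromo /forceremoval there to make it a non-DC, then join it to the domain and promote it again as a fresh DC if you want it back.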
