Re: FSMO - can I turn on a DC after its PDCe role has been seized?
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Tue, 28 Nov 2006 17:02:09 -0000
Hi
Here's a link so you know what you are dealing with.
Have a look in the Operations Master Role Functionality Risk Assessment section:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx?mfr=true
--
*************************************************
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA + Exchange + MSCE
*************************************************
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message news:%23LMQcewEHHA.4952@xxxxxxxxxxxxxxxxxxxxxxx
"Phillip" <Phillip@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2DB363D8-BE37-496E-8E30-452B661E7DC0@xxxxxxxxxxxxxxxx
> Herb and KJ,
> Thanks for your responses. I think I'll go the safe way and seize all the
> roles and rebuild the old DC from scratch. I don't want to risk AD
> corruption - I wouldn't know how to recover from corruption.
Rebuilding the server is NOT part of the safe way.
Doing the demotion and redoing the DCPromo is
sufficient.
> I only have 170 machines and I know what's going on in my domain, I'm the
> only admin, so based on your prior post I think I would be safe with turning
> on the fixed DC but I don't want to take the risk.
Good bet.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Herb Martin" wrote:
"kj" <kj@xxxxxxxxxxx> wrote in message
news:uXGZLZrEHHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
> We're substantially in agreement on all points.
>
> A good stable DC should just be demoted/promoted, especially if its
> history is known and solid. I guess I just come across too many upgraded
> from NT -> 2K -> 2K3 machines with who knows what SW added and removed
> untold times. Of course these things all have their own "peculiarities"
> and IMHO are ripe for a "fresh" start in life.
A crappy DC is not the same issue as one where a
role was simply seized.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
> --
> /kj
> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
> news:uLbRG3qEHHA.4280@xxxxxxxxxxxxxxxxxxxxxxx
>> "kj" <kj@xxxxxxxxxxx> wrote in message
>> news:%236zQQQnEHHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
>>> Overlapping RID pools are the concern with the Ridmasters since the
>>> pools have already been issued to the DC's and the old RIDMaster knows
>>> nothing of any new pools issued.
>>
>> I generally agree with this, but if the domain is small
>> and you can be reasonably sure that no (or very few)
>> new objects will be re-created in the 5-10 minutes the
>> process will take it is not very dangerous. No DC
>> will be requesting new RIDs unless it exhausts the
>> current supply. (Gun goes here <grin>)
>>
>>> Reformat and re-install from scratch if forceremoval fails, or in the
>>> case of a pure DC, or just more convenient.
>>
>> A waste of time and effort to re-install as well
>> as an opportunity to misconfigure something that
>> is otherwise working just fine.
>>
>>> But then unless a gun is at my head I'd go with below;
>>>> Better to seize the other roles and do the /forceremoval
>>>> as you suggest -- while keeping the old role holder offline.
>>
>> No gun should be necessary for THIS method -- it is the
>> right way to do it.
>>
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>> --
>>> /kj
>>> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
>>> news:ekIceAnEHHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
>>>> "kj" <kj@xxxxxxxxxxx> wrote in message
>>>> news:uomMZ5mEHHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> It is a bad idea, no dispute there. But returning DC's with different
>>>>> seized FSMO's represent different risks. From my research and lab
>>>>> testing PDCe's are minimal risk. RID Masters such an excessive risk
>>>>> that I would NEVER do it to a domain I intended to keep in production.
>>>>
>>>> We agree in general here.
>>>>
>>>>> BTW, once brought back on to the network likely any damage has already
>>>>> been done.
>>>>
>>>> Actually not. Even the RID master is not likely giving out
>>>> (and even less likely duplicating) RIDs immediately since
>>>> each DC has a cache of several hundred. (Could vary
>>>> in a giant domain however.)
>>>>
>>>>> Either reformat and rebuild from scratch or dcpromo /forceremoval
>>>>> while OFF the network (& do metadata cleanup).
>>>>
>>>> Reformatting is totally unnecessary here and generally
>>>> poor advice.
>>>>
>>>> The DCPromo cycle is sufficient for ALL DC purposes
>>>> which is the only issue here.
>>>>
>>>> Better to seize the other roles and do the /forceremoval
>>>> as you suggest -- while keeping the old role holder offline.
>>>>
>>>>
>>>>
>>>> --
>>>> Herb Martin, MCSE, MVP
>>>> Accelerated MCSE
>>>> http://www.LearnQuick.Com
>>>> [phone number on web site]
>>>>
>>>>> --
>>>>> /kj
>>>>> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
>>>>> news:e7pFNtmEHHA.4380@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> It's a bad idea, and a strong case can be made that
>>>>>> it should NEVER be brought back onto the network.
>>>>>>
>>>>>> If you DO (and I am not necessarily recommending
>>>>>> this) bring it online, do so ONLY to perform the DCPromo
>>>>>> to make it a non-DC.
>>>>>>
>>>>>>
>>>>>> "Phillip" <Phillip@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>> news:C866DB54-BD06-4FE0-B6AB-497289137F00@xxxxxxxxxxxxxxxx
>>>>>>> FSMO transfer question
>>>>>>>
>>>>>>> I have a Native Mode Windows 2003 AD (no service pack) network and while on
>>>>>>> vacation the domain controller that holds all of my FSMO roles experienced a
>>>>>>> hardware failure. This server also hosted my DHCP server. Folks' DHCP
>>>>>>> registrations started to time out so only the PDCe role was transferred to
>>>>>>> another domain controller so DHCP could be installed and authorized on the
>>>>>>> Domain Controller that still worked.
>>>>>>
>>>>>> [PDC Emulator has nothing to do with being a
>>>>>> DHCP server, so the above 'reason' ("so...") makes
>>>>>> little sense however.]
>>>>>>
>>>>>>> My question is:
>>>>>>> Now that the hardware has been fixed on the failed server can I turn it back
>>>>>>> on and will it sync with the domain controller which now has the
>>>>>>> PDCe role?
>>>>>>
>>>>>> No, one of them (the original) must be DCPromo
>>>>>> 'cycled' (to non-DC and back.)
>>>>>>
>>>>>>> Or
>>>>>>>
>>>>>>> Do I have to seize the rest of the FSMO roles to the box the PDCe was moved
>>>>>>> to, re-install Windows on the box that is now fixed and join it back to the
>>>>>>> domain and finally promote it to a DC?
>>>>>>
>>>>>> You do NOT need to re-install. Just seize the roles
>>>>>> and DCPromo the former role holder.
>>>>>>
>>>>>> Optionally (if you like to live dangerously): Bring it
>>>>>> online, do the DCPromo to remove the DC as a DC
>>>>>> and transfer the roles.
>>>>>>
>>>>>> The two "masters" will NOT play well on the net
>>>>>> together -- it will generally not give you immediate
>>>>>> and catastrophic problems so you may run into people
>>>>>> who naively tell you that "I did this and it's ok" so
>>>>>> don't believe them.
>>>>>>
>>>>>> --
>>>>>> Herb Martin, MCSE, MVP
>>>>>> Accelerated MCSE
>>>>>> http://www.LearnQuick.Com
>>>>>> [phone number on web site]
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
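
An added example (not part of the thread and not any poster's code): a Python check for the seize-then-demote path discussed above. It parses role-holder listings captured from the DCs that stay in service and reports any role still recorded on the DC being kept offline, or any role the DCs disagree about. The host names, the `parse_roles` and `audit` helpers, and the two-column layout assumed for `netdom query fsmo` output are illustrative assumptions; the sample listings are constructed.

```python
import re

# Constructed sample, as captured on a surviving DC in the state the thread
# starts from: only the PDCe role has been moved off dc1. The two-column
# "role  holder" layout is an assumption about `netdom query fsmo` output.
BEFORE = """\
Schema owner                dc1.example.local
Domain role owner           dc1.example.local
PDC role                    dc2.example.local
RID pool manager            dc1.example.local
Infrastructure owner        dc1.example.local
The command completed successfully.
"""
# Constructed: the same listing once the remaining four roles sit on dc2.
AFTER = BEFORE.replace("dc1.", "dc2.")

# A role row is "label", two or more spaces, then a single host token.
ROW = re.compile(r"^(\S.*?)\s{2,}(\S+)\s*$")

def parse_roles(text):
    """Return {role label: holder}, both lower-cased; other lines are skipped."""
    roles = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            roles[m.group(1).lower()] = m.group(2).lower().rstrip(".")
    return roles

def audit(views, retired_dc):
    """views maps each queried DC to its raw listing; an empty result is clean."""
    retired = retired_dc.lower().rstrip(".")
    parsed = {dc: parse_roles(out) for dc, out in views.items()}
    findings = []
    for dc, roles in sorted(parsed.items()):
        if len(roles) != 5:  # a domain plus its forest exposes five FSMO roles
            findings.append(f"{dc}: expected 5 roles, parsed {len(roles)}")
        for role, holder in sorted(roles.items()):
            if holder == retired:
                findings.append(f"{dc}: '{role}' still recorded on {retired}")
    for role in sorted(set().union(*parsed.values())):
        holders = {str(roles.get(role)) for roles in parsed.values()}
        if len(holders) > 1:
            findings.append(f"'{role}': DCs disagree: {sorted(holders)}")
    return findings

if __name__ == "__main__":
    # dc3 is a hypothetical third DC that has not yet replicated the seizure.
    for finding in audit({"dc2": AFTER, "dc3": BEFORE}, "dc1.example.local"):
        print(finding)
```

The listings come only from DCs that remain in service; the former role holder is not queried, since the thread's advice is to keep it offline until it is demoted.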