Re: FSMO - can I turn on a DC after its PDCe role has been seized?



Great article Jorge... but I didn't wait long enough to see your post.
According to the article I guess it would have been "safe" to turn on the
previously failed domain controller even though its PDCe FSMO role had been
seized. In Windows 2003, the article states the server would have figured
out that it no longer held the PDCe role. Ohh well...

Just so you all know and for folks in the future, I ended up calling
Microsoft PSS since I found a lot of conflicting information on what to do.
Microsoft PSS instructed me to seize the rest of the FSMO roles, run metadata
cleanup, rebuild the server from scratch, join it back to the domain and
then run dcpromo.

"Herb Martin" wrote:

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:ORE%2387wEHHA.2312@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
here's a link so you know what you are dealing with.
Have a look in the Operations Master Role Functionality Risk Assessment
section:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx?mfr=true

According to that article it is not even as dangerous
as it was originally (Win2000 release) and as we have
been warning people -- but still too dangerous to be
considered "safe."

Seizing the role still means a DCPromo cycling is in
order -- perhaps with the DC brought online, but that
is dependent on knowing that all DCs are up to date,
and still doing the DCPromo to be safe.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23LMQcewEHHA.4952@xxxxxxxxxxxxxxxxxxxxxxx
"Phillip" <Phillip@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2DB363D8-BE37-496E-8E30-452B661E7DC0@xxxxxxxxxxxxxxxx
Herb and KJ,
Thanks for your responses. I think I'll go the safe way and seize all the
roles and rebuild the old DC from scratch. I don't want to risk AD
corruption - I wouldn't know how to recover from corruption.

Rebuilding the server is NOT part of the safe way.

Doing the demotion and redoing the DCPromo is
sufficient.

I only have 170 machines and I know what's going on in my domain, I'm the
only admin, so based on your prior post I think I would be safe with turning
on the fixed DC but I don't want to take the risk.

Good bet.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Herb Martin" wrote:

"kj" <kj@xxxxxxxxxxx> wrote in message
news:uXGZLZrEHHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
We're substantially in agreement on all points.

A good stable DC should just be demoted/promoted, especially if its
history is known and solid. I guess I just come across too many upgraded
from NT -> 2K -> 2K3 machines with who knows what SW added and removed
untold times. Of course these things all have their own "peculiarities"
and IMHO are ripe for a "fresh" start in life.

A crappy DC is not the same issue as one where a
role was simply seized.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
/kj
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:uLbRG3qEHHA.4280@xxxxxxxxxxxxxxxxxxxxxxx
"kj" <kj@xxxxxxxxxxx> wrote in message
news:%236zQQQnEHHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
Overlapping RID pools are the concern with the RID masters since the
pools have already been issued to the DCs and the old RID Master knows
nothing of any new pools issued.

I generally agree with this, but if the domain is small
and you can be reasonably sure that no (or very few)
new objects will be re-created in the 5-10 minutes the
process will take it is not very dangerous. No DC
will be requesting new RIDs unless it exhausts the
current supply. (Gun goes here <grin>)

Reformat and re-install from scratch if forceremoval fails, or in the
case of a pure DC, or just more convenient.

A waste of time and effort to re-install as well
as an opportunity to misconfigure something that
is otherwise working just fine.

But then unless a gun is at my head I'd go with below;
Better to seize the other roles and do the /forceremoval
as you suggest -- while keeping the old role holder offline.

No gun should be necessary for THIS method -- it is the
right way to do it.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
/kj
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ekIceAnEHHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
"kj" <kj@xxxxxxxxxxx> wrote in message
news:uomMZ5mEHHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
It is a bad idea, no dispute there. But returning DCs with different
seized FSMOs represent different risks. From my research and lab
testing PDCe's are minimal risk. RID Masters such an excessive risk
that I would NEVER do it to a domain I intended to keep in production.

We agree in general here.

BTW, once brought back on to the network likely any damage has already
been done.

Actually not. Even the RID master is not likely giving out
(and even less likely duplicating) RIDs immediately since
each DC has a cache of several hundred. (Could vary
in a giant domain however.)

Either reformat and rebuild from scratch or dcpromo /forceremoval
while OFF the network (& do metadata cleanup).

Reformatting is totally unnecessary here and generally
poor advice.

The DCPromo cycle is sufficient for ALL DC purposes
which is the only issue here.

Better to seize the other roles and do the /forceremoval
as you suggest -- while keeping the old role holder offline.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
/kj
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:e7pFNtmEHHA.4380@xxxxxxxxxxxxxxxxxxxxxxx
It's a bad idea, and a strong case can be made that
it should NEVER be brought back onto the network.

If you DO (and I am not necessarily recommending
this) bring it online, do so ONLY to perform the DCPromo
to make it a non-DC.


"Phillip" <Phillip@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C866DB54-BD06-4FE0-B6AB-497289137F00@xxxxxxxxxxxxxxxx
FSMO transfer question

I have a Native Mode Windows 2003 AD (no service pack) network and
while on vacation the domain controller that holds all of my FSMO roles
experienced a hardware failure. This server also hosted my DHCP server.
Folks' DHCP registrations started to time out so only the PDCe role was
transferred to another domain controller so DHCP could be installed and
authorized on the domain controller that still worked.

[PDC Emulator has nothing to do with being a
DHCP server, so the above 'reason' ("so...") makes
little sense however.]

My question is:
Now that the hardware has been fixed on the failed server can I turn
it back on and will it sync with the domain controller which now has
the PDCe role?

No, one of them (the original) must be DCPromo
'cycled' (to non-DC and back.)

Or

Do I have to seize the rest of the FSMO roles to the box the PDCe
was moved to, re-install Windows on the box that is now fixed and join it
back to the domain and finally promote it to a DC?

You do NOT need to re-install. Just seize the roles
and DCPromo the former role holder.

Optionally (if you like to live dangerously): Bring it
online, do the DCPromo to remove the DC as a DC
and transfer the roles.

The two "masters" will NOT play well on the net
together -- it will generally not give you immediate
and catastrophic problems so you may run into people
who naively tell you that "I did this and it's ok" so
don't believe them.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
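
The thread's central warning is that after a seizure two DCs must not both act as holder of the same FSMO role (Herb's two "masters" on the net). That condition can be checked rather than assumed. The PowerShell script below is an added example written for this page; it is not code from the thread, from Microsoft, or from any of the posters. It assumes the RSAT ActiveDirectory module is installed and that the account running it can query every DC in the domain. It asks each DC which servers that DC believes hold the five roles and reports any role on which the reachable DCs disagree.

```powershell
# Added example, not from the thread: compare every DC's view of the FSMO role
# holders and flag any role on which the DCs disagree.
# Assumes the RSAT ActiveDirectory module and rights to query all DCs.
Import-Module ActiveDirectory

$FsmoRoles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
             'SchemaMaster', 'DomainNamingMaster'

function Get-FsmoViewPerDC {
    # One record per DC: which server *that DC* believes holds each role.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $dom = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
            $for = Get-ADForest -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                QueriedDC            = $dc.HostName
                Reachable            = $true
                PDCEmulator          = $dom.PDCEmulator
                RIDMaster            = $dom.RIDMaster
                InfrastructureMaster = $dom.InfrastructureMaster
                SchemaMaster         = $for.SchemaMaster
                DomainNamingMaster   = $for.DomainNamingMaster
            }
        }
        catch {
            # An unreachable DC (e.g. the old role holder kept offline, as the
            # thread recommends) is reported rather than silently skipped.
            [pscustomobject]@{
                QueriedDC            = $dc.HostName
                Reachable            = $false
                PDCEmulator          = $null
                RIDMaster            = $null
                InfrastructureMaster = $null
                SchemaMaster         = $null
                DomainNamingMaster   = $null
            }
        }
    }
}

function Test-FsmoConsistency {
    # Returns one record per role; Consistent is $false when reachable DCs
    # name different holders for the same role.
    param([Parameter(Mandatory)][object[]]$Views)

    $reachable = @($Views | Where-Object { $_.Reachable })
    foreach ($role in $FsmoRoles) {
        $groups = @($reachable | Group-Object -Property $role)
        [pscustomobject]@{
            Role       = $role
            Consistent = ($groups.Count -le 1)
            Holders    = @($groups | ForEach-Object {
                '{0} (believed by: {1})' -f $_.Name, ($_.Group.QueriedDC -join ', ')
            })
        }
    }
}

$views = Get-FsmoViewPerDC
$views | Format-Table -AutoSize

$result = Test-FsmoConsistency -Views $views
$result | Format-Table -AutoSize -Wrap

if ($result | Where-Object { -not $_.Consistent }) {
    Write-Warning 'Reachable DCs disagree on at least one FSMO role holder.'
}
```

Run it once after seizing the roles and again after the former holder has been through the DCPromo cycle (or metadata cleanup) the thread describes. While the old role holder is kept off the network it shows up as Reachable = $false, which is the expected state; a role reported as inconsistent means a DC still believes the old holder owns it and replication has not yet converged on the seized holder.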