Monday, June 8, 2009

Using NTDSUTIL to Seize FSMO Roles

Ok, here's the scenario.

You have 3 domain controllers in a single domain; let's call them DC01, DC02, and DC03.
The FSMO roles are set up this way:
DC01 (GC) - RID, PDC, Infrastructure
DC02 (GC) - Schema Master, Domain Naming Master
DC03 (non-GC) - No roles assigned

Then one day DC02 decides to go on permanent vacation for whatever reason: the power supply died, two drives in the RAID 5 set died, somebody spilled Coke all over the server, etc.

Now you have 2 live DCs and 1 dead DC, and the dead one holds the two forest-wide FSMO roles. Not good. If you try to change the schema with ADSIEDIT.MSC, you will get an error. If you try to add a new domain to your forest, you will get an error. Logons and replication between DC01 and DC03 keep working, so it's not a disaster, but it is not a good situation to be in.

Not to worry, here's how you fix it.

Let's clean up first. Do this from one of the surviving DCs (DC01 or DC03), not from DC02, which is gone.

  • In AD Sites and Services, remove the replication links (connection objects) to and from DC02.
  • In AD Sites and Services, clear the Global Catalog checkbox on DC02's NTDS Settings object.
  • In AD Users and Computers, delete the DC02 computer object from the Domain Controllers OU. When it asks, tell it "yes, this DC is permanently offline and can no longer be demoted."
  • In AD Sites and Services, delete the NTDS Settings node under DC02.
  • In AD Sites and Services, delete the DC02 server object from the site. If you get prompted, tell it "yes, this DC is no longer functional" again.

**If you run into any problems doing these, you may have to open ADSIEDIT.msc and make the changes by hand, or do the same cleanup with ntdsutil's "metadata cleanup" menu. Try all of this out in a lab before doing any of it in a production environment.**

Now we have to seize the roles that were on DC02 (in this case Schema Master and Domain Naming Master).

  • Make sure your account is a member of Schema Admins (needed to seize the Schema Master) and Enterprise Admins (needed to seize the Domain Naming Master); otherwise you will get "access denied". Log off and back on after changing group membership so the new group is in your logon token.
  • Log on to a live DC (DC03 here) and open a command prompt.
  • type "ntdsutil" - this gives you the ntdsutil: prompt
  • type "roles" - at the ntdsutil: prompt
  • type "connections" - at the fsmo maintenance: prompt
  • type "connect to server %servername%" - substitute the name of the live DC that is to become the new FSMO role holder (dc03) for %servername%
  • type "q" - to get back to the fsmo maintenance: prompt
  • type "seize domain naming master" - to seize the domain naming master role (on Windows Server 2008 and later the command is "seize naming master")
  • type "seize schema master" - to seize the schema master role
  • type "q" twice to exit ntdsutil

A couple of things to know before you hit enter: ntdsutil tries a normal transfer first and only seizes if the current holder can't be contacted, and it pops up a confirmation dialog for each role. Once a role has been seized, DC02 must never come back onto the network holding its old copy of the role; if the hardware is ever revived, wipe it and rebuild it as a fresh server.

**If you get any errors running these, you will have to investigate the error and find out why. The error I had was an access denied error. I put my account in Schema Admins, logged out/in, and it worked.**
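As an added example that is not part of the original post, here is the command-line equivalent of both the cleanup and the seizure steps above, run from a surviving DC in an elevated PowerShell session. ntdsutil accepts its interactive commands as command-line arguments and executes them in order, so each quoted string is one line you would otherwise type at a prompt. All names are assumptions taken from the post's scenario: DC02 is the dead DC, DC03 the new role holder, the site is Default-First-Site-Name and the forest root is corp.example.com.

```powershell
# Added example, not code from the original post. Run elevated on a surviving DC.
# Assumed names (edit for your forest): DC02 = dead DC, DC03 = new role holder,
# site = Default-First-Site-Name, forest root = corp.example.com.

$DeadDc   = 'DC02'
$TargetDc = 'DC03'                      # new Schema Master / Domain Naming Master
$ConfigDn = 'CN=Configuration,DC=corp,DC=example,DC=com'
$SiteName = 'Default-First-Site-Name'
$DeadDcDn = "CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,$ConfigDn"

# Each element of $Commands is one ntdsutil prompt line; ntdsutil runs them in order.
function Invoke-Ntdsutil {
    param([string[]]$Commands)
    Write-Host ('ntdsutil ' + (($Commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))
    & ntdsutil.exe @Commands 2>&1
}

# Seizing the Schema Master needs Schema Admins and the Domain Naming Master needs
# Enterprise Admins, and the membership has to be in the *current* logon token,
# which is why the post had to log off and back on after the group change.
function Test-SeizePrereqs {
    param([string[]]$RequiredGroups = @('Schema Admins', 'Enterprise Admins'))
    $token  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = $token.Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null }
    }
    $missing = @($RequiredGroups | Where-Object { $group = $_; -not ($groups -like "*\$group") })
    if ($missing.Count -gt 0) {
        throw "Add $($token.Name) to: $($missing -join ', '), then log off and back on"
    }
}

Test-SeizePrereqs

# 1. Metadata cleanup: remove DC02's NTDS Settings object from the directory, the
#    ntdsutil form of the Sites and Services / Users and Computers deletions above.
#    'remove selected server <DN> on <DC>' takes the server DN directly (Windows
#    Server 2003 SP1 and later). A confirmation dialog still pops up, so this is
#    not fully unattended.
Invoke-Ntdsutil @(
    'metadata cleanup',
    "remove selected server $DeadDcDn on $TargetDc",
    'quit', 'quit'
)

# 2. Seize the two forest-wide roles onto DC03. ntdsutil attempts a graceful
#    transfer first and only seizes when the current holder cannot be contacted.
#    On Windows Server 2003 the second command is 'seize domain naming master';
#    on 2008 and later it is 'seize naming master'. Expect one dialog per role.
Invoke-Ntdsutil @(
    'roles',
    'connections', "connect to server $TargetDc", 'quit',
    'seize schema master',
    'seize naming master',
    'quit', 'quit'
)
```

On Windows Server 2008 and later, deleting the DC's computer object in AD Users and Computers already performs the metadata cleanup, so step 1 is only needed when that deletion failed or you are on 2003. The prerequisite check reads the logon token rather than querying the group directly on purpose: the "access denied" in the post comes from a token that predates the group change, and no amount of group membership in AD helps until you log on again.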

Verification and Testing:

  • Make sure all the Operations Masters are correct:
    - RID, PDC, and Infrastructure - AD Users and Computers (right-click the domain, Operations Masters)
    - Schema Master - schmmgmt.msc (register the snap-in first with "regsvr32 schmmgmt.dll" if it isn't listed)
    - Domain Naming Master - AD Domains and Trusts
  • Check replication - Replication Monitor (replmon) or "repadmin /showrepl"
  • Check the Directory Service event log and make sure you're no longer getting event ID 2091 ("Ownership of the following FSMO role is set to a server which is deleted or does not exist"). You might have to wait a replication cycle or two for it to stop.
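The same verification from the command line, as an added example that is not part of the original post. It parses "netdom query fsmo" into a role-to-holder map and compares it against what the post's scenario should now look like (DC01 keeps RID, PDC and Infrastructure; DC03 holds Schema and Domain Naming), flagging any role that still points at the dead DC02. The expected map and DC names are assumptions you must edit for your own forest.

```powershell
# Added example, not code from the original post. Run on any live DC after the seizure.
# Assumed end state from the post's scenario; edit $Expected for your forest.

$DeadDc   = 'DC02'
$Expected = @{
    'Schema master'         = 'DC03'
    'Domain naming master'  = 'DC03'
    'PDC'                   = 'DC01'
    'RID pool manager'      = 'DC01'
    'Infrastructure master' = 'DC01'
}

# 'netdom query fsmo' prints lines like
#   Schema master               DC03.corp.example.com
# Two or more spaces separate the role name from the holder; the closing
# "The command completed successfully." line has no such gap and is skipped.
function Get-FsmoHolders {
    $holders = @{}
    foreach ($line in (& netdom.exe query fsmo 2>&1)) {
        if ($line -match '^(.+?)\s{2,}(\S+)\s*$') {
            # keep just the short host name, upper-cased, for a simple comparison
            $holders[$matches[1].Trim()] = ($matches[2] -split '\.')[0].ToUpper()
        }
    }
    return $holders
}

$actual = Get-FsmoHolders
foreach ($role in $Expected.Keys) {
    $have = $actual[$role]
    if ($have -eq $Expected[$role]) {
        Write-Host "OK    $role -> $have"
    } elseif ($have -eq $DeadDc.ToUpper()) {
        Write-Warning "$role still points at dead DC $DeadDc; the seizure did not take or has not replicated yet"
    } else {
        Write-Warning "$role is on $have, expected $($Expected[$role])"
    }
}

# Every DC should agree on the role holders and be able to reach them.
dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck

# Replication health. Any partner still named DC02 means metadata cleanup was incomplete.
repadmin /replsummary
repadmin /showrepl | Select-String -Pattern $DeadDc

# Event 2091 ("Ownership of the following FSMO role is set to a server which is
# deleted or does not exist") in the Directory Service log should stop once the
# seizure has replicated everywhere.
Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddHours(-2) |
    Where-Object { $_.EventID -eq 2091 } |
    Select-Object TimeGenerated, EventID, Message
```

netdom and repadmin ship with the Windows Server 2003 Support Tools and are built in from 2008 onward. On 2008 R2 and later with the Active Directory module loaded, "Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster" and "Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster" give you the same map without parsing text.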

This is basically what I did this past weekend. Other than that, it was all good, pretty simple and straightforward. Hope this helps.
