You have 3 domain controllers in a single domain; let's call them DC01, DC02, and DC03.
The FSMO roles are set up this way:
DC01 (GC) - RID, PDC, Infrastructure
DC02 (GC) - Schema Master, Domain Naming Master
DC03 (non-GC) - No roles assigned
Then one day, DC02 decides to go on permanent vacation for whatever reason. Power supplies died, 2 RAID 5 hard drives died, somebody spills coke all over your server, etc.
Now you have this scenario: 2 live DCs and 1 dead DC, and the dead one held 2 FSMO roles. Not good. If you try to change the schema with ADSIEDIT.MSC, you will get an error. If you try to add a new domain to your forest, you will get an error. Not good...not REAL bad, but not a good situation to be in.
Not so fast there, here's how you fix it.
Let's clean up. Do this from a live DC (DC01 or DC03):
- Remove the replication links to and from DC02 in AD Sites and Services
- Remove the GC functionality from DC02 in AD Sites and Services
- Force remove DC02 from AD Users and Computers. Tell it "yes, this DC is no longer functional, whatever..."
- Remove the NTDS Settings node for DC02 from AD Sites and Services
- Remove the DC02 server node from the site; if you get prompted, tell it "yes, this DC is no longer functional, whatever...again"
**If you run into any problems doing these, then you may have to get into ADSIEDIT.msc and manually make some changes. I would suggest you try to test these out before doing any of this in a production environment.**
Now we have to seize the roles (in this case Schema and Domain Naming Master)
- Make sure your account is a member of Schema Admins - otherwise you will get an "access denied"
- Get on a server and open up a command line.
- Run NTDSUTIL
- type "roles" - at the ntdsutil: prompt
- type "connections" - at the fsmo maintenance: prompt
- type "connect to server %servername%" - substitute the name of a live DC for %servername% (here dc03); this is the server that will become the new FSMO role master.
- type "q" - to get back to the fsmo maintenance: prompt.
- type "seize domain naming master" - to seize the domain naming master role
- type "seize schema master" - to seize the schema master role
**If you get any errors running these, you will have to investigate the error and find out why. The error I had was an access denied error. I put my account in Schema Admins, logged out/in, and it worked.**
Verification and Testing:
- Make sure all the Operations Masters are correct.
  - RID, PDC, and Infrastructure - Use AD Users and Computers
  - Schema Master - Use schmmgmt.msc
  - Domain Naming Master - Use AD Domains and Trusts
- Check replication - Replication Monitor
- Check your event log and make sure you're no longer getting the 2091 errors in the Directory Service log. You might have to wait a while.
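The seize and the verification steps above, scripted as an added PowerShell example (not from the original post). It assumes the RSAT ActiveDirectory module and repadmin are available on a surviving DC, that you run it as a member of Schema Admins and Enterprise Admins, and uses the post's DC02/DC03 names as placeholders.

```powershell
# Added example, not the post's own steps. Assumes RSAT ActiveDirectory module,
# repadmin, and Schema Admins / Enterprise Admins membership. DC02 and DC03
# are the placeholder names from the scenario above.
Import-Module ActiveDirectory

$DeadDc   = 'DC02'   # the DC that is gone for good
$TargetDc = 'DC03'   # surviving DC that will take the seized roles

# 1. Confirm the old holder really is unreachable before seizing anything.
#    Seizing roles while the original holder is still alive leaves two
#    servers claiming the same role; transfer instead in that case.
if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet) {
    throw "$DeadDc still answers; transfer the roles instead of seizing them."
}

# 2. Seize Schema Master and Domain Naming Master onto DC03.
#    With -Force the cmdlet tries a transfer first and seizes when the
#    current holder cannot be contacted, matching ntdsutil's 'seize'.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# 3. Show all five FSMO holders at once instead of checking three MMC snap-ins.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 4. Fail loudly if any role still points at the dead DC, and warn if its
#    DC object still exists (metadata cleanup not finished).
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
if ($holders -match "^$DeadDc\.") { throw "A FSMO role still points at $DeadDc" }
if (Get-ADDomainController -Filter "Name -eq '$DeadDc'") {
    Write-Warning "$DeadDc still has a DC object; finish the metadata cleanup."
}

# 5. Replication health, plus any recent 2091 (FSMO holder deleted) events.
repadmin /replsummary
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2091;
                                 StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

Run it on DC03 after the cleanup steps; a clean run prints the five role holders, a replsummary with no failures, and no 2091 events.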