Dead DC, FSMO Transfer, Replication?

Guest

I've got a dead DC which is the FSMO, still 'running' but I can't ping it
nor access it in any way. I've got two other DCs and have, of course, been
getting replication errors as neither can communicate with the 'dead'
server. I've set both the other DCs to have Global Catalogs (rebooted,
proper records show up in DNS). To add to the mix I'm also getting 5719 -
no dc for domain - from Netlogon (this appears to be intermittent, no logon
problems noticed).

So the plan is to seize the FSMO roles using Ntdsutil but there's a couple
of questions:

1. in KB255204 it says do not put the Infrastructure role on a DC which has
the GC; however the TechNet 'Managing Domain Controllers' document says that
the Infra role is 'insignificant' if all the DCs are GC servers because 'GCs
replicate the updated info regardless of the domain to which they belong',
it also says 'if the forest has only 1 domain the dc that hosts the Infra
role is not needed'

I have only 1 domain so does the above mean I can seize the Infra role with
impunity or does it mean I don't need an Infra role at all unless I'm adding
more domains? What will be the impact of putting the I role onto a GC
server in my scenario?

2. once the seizure is done do I use 'ntdsutil /metadata cleanup' to get
rid of info in the AD which references the dead server? If not how do I
get rid of the info or is it just a matter of turning the 'dead' machine off
and going away?

3. once the seizure is done and the old server out of the way will my
replication and netlogon msgs disappear?

Sorry if I sound a bit thick but I don't want to spend my weekend creating a
new AD!

Thanks for any help
 
in-line....

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



> I've got a dead DC which is the FSMO, still 'running' but I can't ping it
> nor access it in any way. I've got two other DCs and have, of course, been
> getting replication errors as neither can communicate with the 'dead'
> server. I've set both the other DCs to have Global Catalogs (rebooted,
> proper records show up in DNS). To add to the mix I'm also getting 5719 -
> no dc for domain - from Netlogon (this appears to be intermittent, no
> logon problems noticed).
>
> So the plan is to seize the FSMO roles using Ntdsutil but there's a couple
> of questions:
>
> 1. in KB255204 it says do not put the Infrastructure role on a DC which
> has the GC; however the TechNet 'Managing Domain Controllers' document says
> that the Infra role is 'insignificant' if all the DCs are GC servers
> because 'GCs replicate the updated info regardless of the domain to which
> they belong', it also says 'if the forest has only 1 domain the dc that
> hosts the Infra role is not needed'
>
> I have only 1 domain so does the above mean I can seize the Infra role
> with impunity or does it mean I don't need an Infra role at all unless I'm
> adding more domains? What will be the impact of putting the I role onto a
> GC server in my scenario?

If you have only one domain then you will never have 'phantom objects' so
that whole issue is moot. However, were you to ever add a second domain
then this issue would be very pertinent.

So, if all of the DCs are Global Catalog Servers the issue is moot.
Regardless of how many domains you have. The issue there would be the
placement of GCs.

> 2. once the seizure is done do I use 'ntdsutil /metadata cleanup' to get
> rid of info in the AD which references the dead server? If not how do I
> get rid of the info or is it just a matter of turning the 'dead' machine
> off and going away?

If you just turn it off and do nothing then you will forever have all of
these problems. You will need to do the metadata cleanup. You might also
want to use ADSIEdit and clean things up....as well as make sure that
everything in DNS is correct. You might also have to delete the object in
AD Sites and Services...

> 3. once the seizure is done and the old server out of the way will my
> replication and netlogon msgs disappear?

That is the general plan!
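
The procedure discussed in this thread (seize the roles with Ntdsutil, then run metadata cleanup and check the result), written out as an added example that is not part of the original posts. DC2 is a hypothetical name for a surviving DC, and "domain 0" / "site 0" assume a single domain and a single site.

```bat
@echo off
rem Added example, not from the thread. DC2 is a hypothetical surviving DC.
rem Run on that DC with Domain Admin / Enterprise Admin rights.
set GOOD_DC=DC2

rem 1. Record which DC each of the five FSMO roles currently points at
rem    (netdom comes with the Support Tools).
netdom query fsmo

rem 2. Seize every role the dead DC held. ntdsutil attempts a normal
rem    transfer first and asks for confirmation before it seizes.
rem    "domain naming master" is the Windows 2000/2003 wording.
rem    The old role holder must not be put back on the network afterwards.
for %%R in ("schema master" "domain naming master" "RID master" "PDC" "infrastructure master") do (
    ntdsutil roles connections "connect to server %GOOD_DC%" quit "seize %%~R" quit quit
)

rem 3. List the server objects so the dead DC's index can be read off.
rem    Nothing is changed in this step.
ntdsutil "metadata cleanup" connections "connect to server %GOOD_DC%" quit ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" quit quit quit

rem 4. Remove the dead DC's metadata. The index is typed in by the
rem    operator from the list printed in step 3; ntdsutil asks for
rem    confirmation before deleting.
set /p DEAD_INDEX=Index of the dead DC in the list above: 
ntdsutil "metadata cleanup" connections "connect to server %GOOD_DC%" quit ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" ^
  "select server %DEAD_INDEX%" quit "remove selected server" quit quit

rem 5. Confirm the new role holders are known and replication is clean.
rem    Leftover DNS records and the server object in AD Sites and Services
rem    still have to be checked by hand, as the reply above notes.
netdom query fsmo
dcdiag /test:knowsofroleholders
repadmin /showreps
```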
 
Hello,

Thank you for using the newsgroup!

Appreciate Cary's great information and further clarification!

At this moment, also I'd like to provide some additional information for
your reference:

Seize the infrastructure master role
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a4bfbb35-25cf-496f-97af-4b7f14ea39e4.mspx>

Transfer the infrastructure master role
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a7b2a55c-84e7-4bdc-bf42-8d2a35469604.mspx>

Transfer the PDC emulator role
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c3a082ac-d855-48ba-a3d9-3b3a945cd726.mspx>

Usage of Ntdsutil
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/91559a2b-b666-442c-bdd2-df4b7c46983c.mspx>

How the Active Directory Replication Model Works
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1465d773-b763-45ec-b971-c23cdc27400e.mspx>

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security


--------------------
| Reply-To: "Cary Shultz [A.D. MVP]" <[email protected]>
| From: "Cary Shultz [A.D. MVP]" <[email protected]>
| References: <[email protected]>
| Subject: Re: Dead DC, FSMO Transfer, Replication?
| Date: Tue, 23 Aug 2005 18:48:46 -0400