For David Brandt

  • Thread starter: Frank Buechler

Frank Buechler

Yes, that is what I am seeing. Is it possible for me to
use ntdsutil to see if there is a tombstoned record in the
metabase? And if there is, can I delete and recreate this
record? How do I do this? My only concern is the fact that
this is an Exchange server (2000). Is DC demotion
supported in this case? I know it is not using Exchange
Server 2003. This is an upgrade effort. Everything we are
discussing is moving to 2003. The main reason I am doing
all of this is so I can run ADPREP against the schema
master so I can start adding 2003 servers. With the AD
being in the state it currently is, would you recommend my
doing that against the server in the DMZ? It will be
coming out here in the next several days, being replaced
by a stand-alone 2003 server/Exchange server.

Thanks for your help David, I really appreciate it.
-----Original Message-----
That dmz dc is going to need to be demoted for one cause or another, and if
what you see below matches up to what you're seeing, notice the DEL:xxxxx
(deleted somehow). I found a few other cases where they were seeing the
same thing, and the end result of all of them was a demotion of the box and
seizure of the role/s to another machine. I don't know the
background/history/politics/etc of this situation, but can only say I
wouldn't want any dc of mine out in a dmz anyway. The other recommendation
that normally comes with the seizure of the schema role (others are fine) is
that the box from which it was seized, not be brought back into the network
again as a dc, so you're going to need to demote it either gracefully or
forcefully.

Some of what I found from other cases;
DCDIAG /test:KnowsOfRoleHolders /V provided
==========================================
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a" said:
ult-First-Site-Name said:
Warning: CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-
 
From what I could see, while the other dc's still believe it's the
schema/dnm, the records on it are hosed up, and I'm not aware of a way to
edit AD to delete/add whatever objects it might need to replace the
schema/dnm role info. Not saying that there isn't a way, but never had to
do it, and not sure that I'd want to if I could given that there are other
healthy dc/s. I would be queasy about basing forestprep/domainprep/etc for a
2k3 upgrade on a dc that I had to "patch" up in that manner. I'm not an
Exch engineer, but Exch2k will run on a 2kserver, and in fact is usually
recommended to do so instead of a dc where possible, primarily to free up
resources it might need. As long as it can find a gc, I don't see any
problems with it running on server.
Can't tell you what to do here, but if it were mine, I'd probably demote the
dmz box, then seize the schema/dnm roles to a healthy dc inside and run
adprep against it.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
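A check for the condition discussed in this thread, as an added example that is not part of the original posts: it parses `dcdiag /test:KnowsOfRoleHolders /v` text and flags every role whose owner DN carries a `DEL:` marker. The sample output, the DC names and the domain are constructed placeholders (only the GUID is taken from the thread), and `Get-RoleHolderStatus` is a hypothetical helper name.

```powershell
# Constructed sample of `dcdiag /test:KnowsOfRoleHolders /v` output. DC names and the
# domain are placeholders; the DEL: GUID is the one quoted in the thread.
$sample = @'
Starting test: KnowsOfRoleHolders
   Role Schema Owner = CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
   Role Domain Owner = CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
   Role PDC Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
   Role Rid Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
   Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
'@

# Hypothetical helper: emits one object per role and marks owners that point at a
# deleted NTDS Settings object (the DEL:<guid> name seen in the thread).
function Get-RoleHolderStatus {
    param([Parameter(Mandatory)][string]$DcdiagText)

    # dcdiag prints a line break inside the mangled name; rejoin it so each role is one line.
    $flat = $DcdiagText -replace '\r?\n(?=DEL:)', ' '
    $guidPattern = 'DEL:(?<Guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'

    foreach ($line in ($flat -split '\r?\n')) {
        if ($line -match '^\s*Role (?<Role>.+?) Owner = (?<Owner>.+)$') {
            # Copy the captures before the next -match overwrites $Matches.
            $role  = $Matches['Role']
            $owner = $Matches['Owner'].Trim()

            $deletedGuid = $null
            if ($owner -match $guidPattern) { $deletedGuid = $Matches['Guid'] }

            [pscustomobject]@{
                Role           = $role
                OwnerIsDeleted = [bool]$deletedGuid
                DeletedGuid    = $deletedGuid
                Owner          = $owner
            }
        }
    }
}

$status = Get-RoleHolderStatus -DcdiagText $sample
$status | Format-Table Role, OwnerIsDeleted, DeletedGuid -AutoSize

# Roles listed here are the candidates for the seizure discussed in the thread.
$broken = @($status | Where-Object { $_.OwnerIsDeleted })
if ($broken.Count -gt 0) {
    Write-Warning ("Role owner references a deleted NTDS Settings object: " + ($broken.Role -join ', '))
}
```

Against a live domain controller, pass `(dcdiag /test:KnowsOfRoleHolders /v | Out-String)` as `-DcdiagText` instead of the sample.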