Schema, Domain Naming Master is down due to hardware failure. Implications in case I seize the roles


Marlon Brown

Hello,

Schema master, Domain Naming Master, DC, GC is down apparently due to
hardware failure.
Probably I can repair hardware in 3-4 days and bring server up again.

In this circumstance, is it a recommended approach to "seize the role" of the
DC that is down?
Obviously I can't transfer the role from the dead server because
NTDSUTIL would tell me the current FSMO role holder is down.
 
In my case, please note that I will probably be able to change the failing
hardware (possibly controller card) and
I won't do OS reinstall; if I seize the Schema master and Domain NM roles
from the dead DC, what will be the best way to approach this and bring the
DC that is down back to life and make it recognize that it no longer retains
any FSMO roles?
 
not a recommended scenario...

If you're seizing the roles, the original server must NOT come back onto the
network, I know that from keeping an eye on the fora and don't have the
links, but I'm sure others more knowledgeable than I will chime in to
corroborate.

Diane


 
I thought so too.
Is it OK to leave the Schema Master, Domain Naming Master and GC for a few
days then?
 
Yes. Only the PDCe directly affects users, and then only with password
changes (legacy clients are a bit different).

If your machine will be up and running in a couple of days do nothing -
just ensure that you have another GC elsewhere and that you have another DNS
server that the clients can point to.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
What pt (and others) said is correct.

If you will return the Schema and DNM shortly then relax.

They are only needed if you will add a Domain (to the forest)
or remove one; or if you will change the Schema (e.g., install
the FIRST Exchange 2000 Server etc.)

RID master is needed if you will (bulk) add LOTS of users;
more than a few hundred probably.

Infrastructure master is pretty irrelevant if you have only one
domain or never rename objects.

PDC Emulator will likely be missed within hours and certainly
within days.

You need a GC available in each site.
 
If the original DC that held the Roles was brought back online what problems
could this potentially cause?

Pierre.
 
Did you see that scene from Indiana Jones where the Ark was opened? --
something like that.

You will spend days and probably money on a support call to clean the AD and
get things working again. You will have replication problems, DNS problems,
problems from your users, your FSMO roles will be all screwed up and it
won't let you do much that involves them like manage GPOs. (I did this back
when 2000 first came out and I was learning -- that was a very bad week!)

Just don't do it... and keep your gun and whip handy.
 
You can exhaust your RID pool, which will require a domain rebuild (rare,
but not entirely impossible)

You can introduce incorrect schema changes (rare, but not entirely
impossible).

The PDC and IM won't matter - you can just change these again. But as Ryan
said, things can get messy.

Realistically, it's just not worth it (and if you're not tied to a pole
with your missus, then you might die!).

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Just going to throw in my $0.02 worth.

I am pretty sure that everywhere you read, it states that if a DC that holds
any FSMO Roles goes down ungracefully, you normally have to
use ntdsutil to seize those specific roles to another DC. Furthermore, that
you are never to bring that 'downed' DC online. Otherwise the 'Ark will
open'!

If you were to do this you should probably not be doing what you are doing!
;-)

No, what would happen would be that your AD would have two DCs that hold the
same FSMO Role ( twice! ). Like Ryan said, have a fun time troubleshooting
this....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
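
The state described in the post above, two DCs each believing they hold the same FSMO role, can be detected by comparing every DC's own answer to `netdom query fsmo`. The following is an added example, not part of the original thread; the host names and the captured output are constructed samples.

```python
import re
from collections import defaultdict

# Role labels as printed by `netdom query fsmo`.
ROLES = ("Schema master", "Domain naming master", "PDC",
         "RID pool manager", "Infrastructure master")
LINE = re.compile(r"^\s*(%s)\s+(\S+)\s*$" % "|".join(map(re.escape, ROLES)), re.I)

# Constructed sample: the same query answered by each DC after a seize,
# with the old role holder (dc1) back on the network.
SAMPLE_VIEWS = {
    "dc2.example.test": """\
Schema master               dc2.example.test
Domain naming master        dc2.example.test
PDC                         dc2.example.test
RID pool manager            dc2.example.test
Infrastructure master       dc2.example.test
The command completed successfully.
""",
    "dc1.example.test": """\
Schema master               dc1.example.test
Domain naming master        dc1.example.test
PDC                         dc2.example.test
RID pool manager            dc2.example.test
Infrastructure master       dc2.example.test
The command completed successfully.
""",
}

def parse_fsmo(text):
    """Return {role (lowercase): holder} from one DC's query output."""
    holders = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # status lines and blanks do not match and are skipped
            holders[m.group(1).lower()] = m.group(2).lower()
    return holders

def find_conflicts(views):
    """Return {role: {holder: [DCs reporting it]}} for roles where DCs disagree."""
    claims = defaultdict(lambda: defaultdict(list))
    for dc, text in views.items():
        for role, holder in parse_fsmo(text).items():
            claims[role][holder].append(dc)
    return {role: dict(h) for role, h in claims.items() if len(h) > 1}

if __name__ == "__main__":
    for role, holders in find_conflicts(SAMPLE_VIEWS).items():
        print(f"CONFLICT {role}: {holders}")
```

An empty result means every DC that answered names the same holder for each role; it says nothing about DCs that were not queried.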
 
Actually Windows Server 2003 has detection for this and as far as I've
read some late service packs for Windows Server 2000 also have detection for
role masters in the domain.

Anyways, to make a long story short, we brought the Primary DC back online
with no issues. I then transferred all of the roles back to the Primary DC
with no issues. Each DC knows that the Primary DC holds the role masters.

I ran some tests on the domain and the only problem I could see was with
default domain controller sharing on the Backup DC, and they still work.....

It's not like it's a big domain, and that's why we did it. It's just 2 DC's
and that's all, pretty simple...

I guess if there were any problems I would see them by now :)
 
Yeah... when I messed this up it was 50 sites and 6000 users with a nightly
user account synch to an AS/400 using custom ADSI scripts. So, while some
may report that it may be ok in smaller environments, I still wouldn't try
it.
 