Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Seizing FSMO roles... [message #157362] Tue, 07 July 2009 02:07
jprstokato
Messages: 28
Registered: September 2009
Junior Member
We have our DC1 in a sorry state, after unsuccessfully rolling back from an
attempt to upgrade it to W2k8 Ent. It's a Win2k8 Std VM. We need to forcibly
remove it from the domain and seize roles to another DC as it is no longer
able to replicate to our other DCs. It holds all master roles.

My question is whether to seize roles first or forcibly demote first and
remove metadata first..
The http://support.microsoft.com/kb/255504 article denotes that the DC
should not be on the domain after FSMO roles are transferred.
NB. However as I say the DC is no longer replicating so I would imagine
there is no danger of creating security principals that have overlapping RID
pools, and other problems.

Can you confirm that I should seize roles to another DC, and then forcibly
demote and then remove metadata..

Many Thanks.
JPSR.
Re: Seizing FSMO roles... [message #157363 is a reply to message #157362] Tue, 07 July 2009 02:11
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jprstokato,

If the machine is "dead", at least disconnect it from the domain, NEVER connect
it back, then seize the 5 FSMO roles to another DC and run metadata cleanup.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Seizing FSMO roles... [message #157364 is a reply to message #157362] Tue, 07 July 2009 02:20
Syed Khairuddin, Saudi Arabia
Messages: 77
Registered: June 2009
Member
Hello,

First forcibly demote the server if possible; otherwise better
to remove it entirely from the network and then seize the roles to
some other server.


Thanks
RE: Seizing FSMO roles... [message #157366 is a reply to message #157362] Tue, 07 July 2009 02:21
Jonathan Worsfold
Messages: 1
Registered: July 2009
Junior Member
Hi

I would disconnect the server from the network then seize the FSMO roles.
You can then clean up the schema to remove the dead DC. It may not appear to
be replicating but I would not recommend having it connected to the network.

Hope this helps.

--
Jonathan Worsfold
Bsc Hons MCITP: Enterprise


Re: Seizing FSMO roles... [message #157369 is a reply to message #157363] Tue, 07 July 2009 02:27
jprstokato
Messages: 28
Registered: September 2009
Junior Member
Thanks Meinolf,

So, to be absolutely clear...(as the DC 'is' still on the network (and
running DHCP) but no longer replicating AD)..so, do I force removal of the DC
from AD 'first'? i.e.

1. force removal of the DC from AD
2. disconnect it from the domain (after moving DHCP of course)
3. seize the 5 FSMO roles to another DC
4. run metadata cleanup.

Does this sound like the exact correct sequence?

Many thanks, JPSR

Re: Seizing FSMO roles... [message #157370 is a reply to message #157369] Tue, 07 July 2009 02:33
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jprstokato,

As mentioned before:
1. disconnect it from the domain FIRST (after moving DHCP of course) http://support.microsoft.com/kb/325473
2. seize the 5 FSMO roles to another DC
3. run metadata cleanup and some more http://support.microsoft.com/kb/555846/en-us


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Seizing FSMO roles... [message #157388 is a reply to message #157362] Tue, 07 July 2009 06:17
pbbergs, United States
Messages: 1024
Registered: July 2009
Senior Member
Disconnect from domain and format the drive, unless you have something on
the disk that needs to be saved. Once this is complete clean up your
metadata.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: Seizing FSMO roles... [message #157431 is a reply to message #157388] Tue, 07 July 2009 09:55
markdmac, United States
Messages: 139
Registered: July 2009
Senior Member
Paul Bergson [MVP-DS] wrote:

> Disconnect from domain and format the drive, unless you have
> something on the disk that needs to be saved. Once this is complete
> clean up your metadata.

Here is a nice VBScript I got from Microsoft that will do the metadata
cleanup. It WON'T do the cleanup in DNS, so you will need to do that
manually, but this can save you from using NTDSUTIL which is rather
daunting. Sadly Clay left Microsoft before he added that functionality.



REM    ==========================================================
REM                GUI Metadata Cleanup Utility
REM             Written By Clay Perrine - clayp@microsoft.com
REM                          Version 2.5
REM    ==========================================================
REM     This tool is furnished "AS IS". NO warranty is expressed or Implied.

on error resume next
dim objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,ODCPath,ckdcPath,myObj,comparename

rem =======This gets the name of the computer that the script is run on ======

Set sh = CreateObject("WScript.Shell")
key= "HKEY_LOCAL_MACHINE"
computerName = sh.RegRead(key & "\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")

rem === Get the default naming context of the domain====

set objRoot=GetObject("LDAP://RootDSE")
sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")

rem === Get the list of domain controllers====

Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
    outval = outval & vbtab &  objContainer.Name & VBCRLF
Next
outval = Replace(outval, "CN=", "")

rem ==Retrieve the name of the broken DC from the user and verify it's not this DC.===

oDCSelect= InputBox (outval,"Type the Name of the Problem Domain Controller","")
comparename = UCase(oDCSelect)

if comparename = computerName then
    msgbox "The Domain Controller you entered is the machine that is running this script." & vbcrlf & "You cannot clean up the metadata for the machine that is running the script!",,"Metadata Cleanup Utility Error."
    wscript.quit
End If

rem === Verify that the named DC exists under OU=Domain Controllers ===

sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
    Err.Clear
    ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(ckdcPath)
    If err.number <>0 Then
        errval= 1
    End If
Next
If errval = 1 then
    msgbox "The Domain Controller you entered was not found in the Active Directory",,"Metadata Cleanup Utility Error."
    wscript.quit
End If

rem === Confirm before deleting (4404 = Yes/No + exclamation icon + default button 2 + system modal; 6 = Yes) ===

abort = msgbox ("You are about to remove all metadata for the server " & oDCSelect & "! Are you sure?",4404,"WARNING!!")
if abort <> 6 then
    msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
    wscript.quit
end if

rem === Locate the DC's server object under CN=Sites ===

oDCSelect = "CN=" & oDCSelect
ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
sSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sSitelist)
For Each objContainer in objConfiguration
    Err.Clear
    sitePath = "LDAP://" & oDCSelect & ",CN=Servers," &  objContainer.Name & ",CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(sitePath)
    If err.number = 0 Then
        siteval = sitePath
    End If
Next

rem === Locate the DC's FRS SYSVOL member object ===

sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sFRSSysvolList)
For Each objContainer in objConfiguration
    Err.Clear
    SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(SYSVOLPath)
    If err.number = 0 Then
        SYSVOLval = SYSVOLPath
    End If
Next

rem === Walk every site and DC; delete connection objects that replicate from the broken DC ===

SiteList = Replace(sSitelist, "LDAP://", "")
VarSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set SiteConfiguration = GetObject(VarSitelist)

For Each SiteContainer in SiteConfiguration
    Sitevar = SiteContainer.Name
    VarPath ="LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    Set DCConfiguration = GetObject(VarPath)
    For Each DomContainer in DCConfiguration
        DCVar = DomContainer.Name
        strFromServer = ""
        NTDSPATH =  DCVar & ",CN=Servers," & SiteVar & "," & SiteList
        GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH
        Set objCheck = GetObject(NTDSPATH)
        For Each CheckContainer in objCheck

            rem ====check for valid site paths =======================
            ldapntdspath = "LDAP://" & NTDSPATH
            Err.Clear
            set exists=GetObject(ldapntdspath)
            If err.number = 0 Then
                Set oGuidGet = GetObject(GuidPath)

                For Each objContainer in oGuidGet
                    oGuid = objContainer.Name
                    oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," & NTDSPATH
                    Set objSitelink = GetObject(oGuidPath)
                    objSiteLink.GetInfo
                    strFromServer = objSiteLink.Get("fromServer")
                    ispresent = Instr(1,strFromServer,oDCSelect,1)

                    if ispresent <> 0 then
                        Set objReplLinkVal = GetObject(oGuidPath)
                        objReplLinkVal.DeleteObject(0)
                    end if
                next

                sitedelval = "CN=" & comparename & ",CN=Servers," & SiteVar & "," & SiteList
                if sitedelval = ntdspath then
                    Set objguidpath = GetObject(guidpath)
                    objguidpath.DeleteObject(0)
                    Set objntdspath = GetObject(ldapntdspath)
                    objntdspath.DeleteObject(0)
                end if
            End If
        next
    next
next

rem === Set userAccountControl to 4096 (workstation trust account), then delete the
rem === FRS member object, the computer account and the site server object ===

Set AccountObject = GetObject(ckdcPath)
temp=Accountobject.Get ("userAccountControl")
AccountObject.Put "userAccountControl", "4096"
AccountObject.SetInfo
Set objFRSSysvol = GetObject(SYSVOLval)
objFRSSysvol.DeleteObject(0)
Set objComputer = GetObject(ckdcPath)
objComputer.DeleteObject(0)
Set objConfig = GetObject(siteval)
objConfig.DeleteObject(0)
oDCSelect = Replace(oDCSelect, "CN=", "")
msgval = "Metadata Cleanup Completed for " & oDCSelect
msgbox  msgval,,"Notice."
wscript.quit




Hope this helps,

Mark D. MacLachlan
--
Re: Seizing FSMO roles... [message #157440 is a reply to message #157431] Tue, 07 July 2009 10:39
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Mark D. MacLachlan" <markdmac@live.com> wrote in message news:OZlePtx$JHA.2824@TK2MSFTNGP03.phx.gbl...
> Paul Bergson [MVP-DS] wrote:
>
>> Disconnect from domain and format the drive, unless you have
>> something on the disk that needs to be saved. Once this is complete
>> clean up your metadata.
>
> Here is a nice VBScript I got from Microsoft that will do the metadata
> cleanup. It WON'T do the cleanup in DNS, so you will need to do that
> manually, but this can save you from using NTDSUTIL which is rather
> daunting. Sadly Clay left Microsoft before he added that functionality.
>
>
> [code]

[snipped]

Nice script. However I would rather run it manually, because I like to see what other objects are out there in case there are other things that either may need to be removed or addressed. I guess if the script would show you the DCs/Sites/Domains, etc, and allow you to choose, such as if you were in an ntdsutil prompt, that may be cool.

Ace
Re: Seizing FSMO roles... [message #157468 is a reply to message #157362] Tue, 07 July 2009 15:58
newsgroups
Messages: 126
Registered: July 2009
Senior Member
JPRS,

How did you roll back the upgrade to W2K8?

Did you restore a previous vm image(s)?

--
Mark Parris
MVP-Active Directory-Directory Services:Architecture

[ADUG] UK Active Active Directory User Group
http://adug.co.uk



Re: Seizing FSMO roles... [message #157477 is a reply to message #157440] Wed, 08 July 2009 00:21
markdmac, United States
Messages: 139
Registered: July 2009
Senior Member
Ace Fekay [Microsoft Certified Trainer] wrote:

> "Mark D. MacLachlan" <markdmac@live.com> wrote in message
> news:OZlePtx$JHA.2824@TK2MSFTNGP03.phx.gbl...
> > Paul Bergson [MVP-DS] wrote:
> >
> >> Disconnect from domain and format the drive, unless you have
> >> something on the disk that needs to be saved. Once this is complete
> >> clean up your metadata.
> >
> > Here is a nice VBScript I got from Microsoft that will do the
> > metadata cleanup. It WON'T do the cleanup in DNS, so you will need
> > to do that manually, but this can save you from using NTDSUTIL
> > which is rather daunting. Sadly Clay left Microsoft before he
> > added that functionality.
> >
> >
> > [code]
>
> [snipped]
>
> Nice script. However I would rather run it manually, because I like
> to see what other objects are out there in case there are other
> things that either may need to be removed or addressed. I guess if
> the script would show you the DCs/Sites/Domains, etc, and allow you
> to choose, such as if you were in an ntdsutil prompt, that may be
> cool.
>
> Ace
>

The script will show you all the DCs that are in the metadata. It then
lets you remove a DC from the metadata just by typing the name.

--
Re: Seizing FSMO roles... [message #157481 is a reply to message #157468] Wed, 08 July 2009 03:16
jprstokato
Messages: 28
Registered: September 2009
Junior Member
Rolled back to VM snapshot - which didn't work!!
Anyway, many thanks to all for your help...

Cheers,
JPSR..

Re: Seizing FSMO roles... [message #157483 is a reply to message #157481] Wed, 08 July 2009 03:22
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jprstokato,

You should NEVER use snapshots for backup; this is not supported by MS
and will result in USN rollback.
http://support.microsoft.com/kb/875495

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Seizing FSMO roles... [message #157491 is a reply to message #157481] Wed, 08 July 2009 06:08
pbbergs, United States
Messages: 1024
Registered: July 2009
Senior Member
Bad idea, as you found out, the snapshot is not AD aware.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: Seizing FSMO roles... [message #157514 is a reply to message #157477] Wed, 08 July 2009 08:27
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Mark D. MacLachlan" <markdmac@live.com> wrote in message news:%23x5MHR5$JHA.2604@TK2MSFTNGP03.phx.gbl...
>
> The script will show you all the DCs that are in the metadata. It then
> lets you remove a DC from the metadata just by typing the name.


Oh, I see. I haven't run it yet, but from perusing through it, I thought you had to specify the DC you want to remove without it providing a list. Nice to know, and thanks for pointing that out!!

I will definitely share it out to others to make it easier, especially some folks are daunted by the ntdsutil.

Thanks!

Ace

Re: Seizing FSMO roles... [message #157535 is a reply to message #157514] Wed, 08 July 2009 13:28
markdmac, United States
Messages: 139
Registered: July 2009
Senior Member
Ace Fekay [Microsoft Certified Trainer] wrote:

> "Mark D. MacLachlan" <markdmac@live.com> wrote in message
> news:%23x5MHR5$JHA.2604@TK2MSFTNGP03.phx.gbl...
> >
> > The script will show you all the DCs that are in the metadata. It
> > then lets you remove a DC from the metadata just by typing the name.
>
>
> Oh, I see. I haven't run it yet, but from perusing through it, I
> thought you had to specify the DC you want to remove without it
> providing a list. Nice to know, and thanks for pointing that out!!
>
> I will definitely share it out to others to make it easier,
> especially some folks are daunted by the ntdsutil.
>
> Thanks!
>
> Ace
>
>

Yes, that is one of the features I like best about the script. You can
run it to just get an enumeration of the DCs that are in the metadata
if need be, or you can remove what you want. The script takes no
action until you tell it what to delete, so it can be a great way to
just verify if a DC demotion was successful or not.

--
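
A read-only way to check the end state this thread works toward (roles seized, metadata cleaned, DNS still to be cleaned by hand), added here as an example; it is not from the thread and not part of Microsoft's script. It assumes the ActiveDirectory RSAT module and `Resolve-DnsName` are available (both newer than the 2009 tooling discussed above); `DC1` is the failed DC from the original post, and the function names are hypothetical.

```powershell
# Added example, not from the thread. Read-only: nothing here modifies AD or DNS.
# Assumes: ActiveDirectory RSAT module and Resolve-DnsName (DnsClient module).
param([string]$DeadDC = 'DC1')   # DC1 = the failed DC named in the original post

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # The five roles the thread says to seize, with their current owners.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Search-Directory {
    # Get-ADObject wrapper: a missing search base (e.g. no FRS container) yields nothing.
    param([string]$Base, [string]$Filter, [string[]]$Properties = @('name'))
    try   { Get-ADObject -SearchBase $Base -LDAPFilter $Filter -Properties $Properties -ErrorAction Stop }
    catch { }
}

function Find-DeadDcRemnants {
    param([Parameter(Mandatory)][string]$Name)

    $root   = Get-ADRootDSE
    $domNC  = $root.defaultNamingContext
    $cfgNC  = $root.configurationNamingContext
    $dnsDom = (Get-ADDomain).DNSRoot
    $frsDN  = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domNC"

    # FSMO roles still attributed to the dead DC (seizure missing or not yet replicated).
    foreach ($role in (Get-FsmoHolders).GetEnumerator()) {
        if ($role.Value -eq $Name -or $role.Value -like "$Name.*") {
            [pscustomobject]@{ Check = 'FSMO role'; Item = $role.Key; Detail = $role.Value }
        }
    }

    # The directory objects the VBScript in this thread deletes.
    $searches = @(
        @{ Check = 'Computer account';   Base = "OU=Domain Controllers,$domNC"; Filter = "(&(objectClass=computer)(cn=$Name))" }
        @{ Check = 'Site server object'; Base = "CN=Sites,$cfgNC";              Filter = "(&(objectClass=server)(cn=$Name))" }
        @{ Check = 'FRS SYSVOL member';  Base = $frsDN;                         Filter = "(cn=$Name)" }
    )
    foreach ($s in $searches) {
        Search-Directory -Base $s.Base -Filter $s.Filter | ForEach-Object {
            [pscustomobject]@{ Check = $s.Check; Item = $_.Name; Detail = $_.DistinguishedName }
        }
    }

    # Connection objects on surviving DCs that still replicate from the dead DC.
    Search-Directory -Base "CN=Sites,$cfgNC" -Filter '(objectClass=nTDSConnection)' -Properties fromServer |
        Where-Object { $_.fromServer -like "*,CN=$Name,CN=Servers,*" } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Connection object'; Item = $_.Name; Detail = $_.DistinguishedName }
        }

    # DNS is not touched by the VBScript: check the host record and DC locator SRV records.
    $queries = @(
        @{ Name = "$Name.$dnsDom";                    Type = 'A'   }
        @{ Name = "_ldap._tcp.dc._msdcs.$dnsDom";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$dnsDom"; Type = 'SRV' }
    )
    foreach ($q in $queries) {
        Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "$Name.*" -or $_.NameTarget -like "$Name.*" } |
            ForEach-Object {
                [pscustomobject]@{ Check = "DNS $($q.Type)"; Item = $q.Name; Detail = "$($_.NameTarget)$($_.IPAddress)" }
            }
    }
}

Get-FsmoHolders | Format-Table -AutoSize
$remnants = @(Find-DeadDcRemnants -Name $DeadDC)
if ($remnants.Count -eq 0) { "No references to $DeadDC found." }
else { $remnants | Format-Table -AutoSize -Wrap }
```

Run it against a surviving DC after the seizure and cleanup have replicated; any row it returns is an object or record that still names the removed DC.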