Sign in with
Sign up | Sign in
Your question

What to do after seizing FSMO Role?

Tags:
  • Domain
  • Infrastructure
  • Active Directory
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
December 29, 2004 1:17:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network without
demoting with DCPromo. It appears that the Infrastructure Master was it's
only role. I've seen the documents regarding using Ntdsutil to seize FSMO
roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the global catalog
DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

More about : seizing fsmo role

Anonymous
December 29, 2004 4:21:23 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Nothing further needs to be done when seizing the Infrastructure FSMO
since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible when
running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
> Hi,
> I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
> Previously another Win2k DC was physically removed from the network
> without demoting with DCPromo. It appears that the Infrastructure
> Master was it's only role. I've seen the documents regarding using
> Ntdsutil to seize FSMO roles.
> Once I've done that, is there anything else I need to do?
>
> Also, with a single domain is there a problem with having the global
> catalog DC also hold the Infrastructure Master?
> It's a RAID 5 machine versus my second AD DC being a pc clone.
>
> Thanks much,
> Robert
Anonymous
December 29, 2004 4:21:24 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I do not plan on re-introducing the former AD DC back into the network.
Do I need to remove any references of it...e.g. AD CU /System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary messages.
Thanks much Dean.

Robert

"Dean Wells [MVP]" wrote:

> Nothing further needs to be done when seizing the Infrastructure FSMO
> since it maintains virtually no state.
>
> In a single domain, the Infrastructure FSMO and GC ARE compatible when
> running on the same DC.
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
>
> RHS wrote:
> > Hi,
> > I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
> > Previously another Win2k DC was physically removed from the network
> > without demoting with DCPromo. It appears that the Infrastructure
> > Master was it's only role. I've seen the documents regarding using
> > Ntdsutil to seize FSMO roles.
> > Once I've done that, is there anything else I need to do?
> >
> > Also, with a single domain is there a problem with having the global
> > catalog DC also hold the Infrastructure Master?
> > It's a RAID 5 machine versus my second AD DC being a pc clone.
> >
> > Thanks much,
> > Robert
>
>
>
Related resources
Anonymous
December 29, 2004 4:21:25 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes. Find and remove all references to the former machine. You will need
to use ADSIEdit to completely remove this server. When you sieze a FSMO
role, you must ensure the old machine never comes back up without formatting
its hard drive.

Mike Ober.

"RHS" <RHS@discussions.microsoft.com> wrote in message
news:25369FD9-D392-49D9-B4E7-2567A1175FEC@microsoft.com...
> I do not plan on re-introducing the former AD DC back into the network.
> Do I need to remove any references of it...e.g. AD CU /System/FRS?
> Or in any other locations where it is referenced.
> I'm concerned with the event viewer logs displaying unnecessary messages.
> Thanks much Dean.
>
> Robert
>
> "Dean Wells [MVP]" wrote:
>
> > Nothing further needs to be done when seizing the Infrastructure FSMO
> > since it maintains virtually no state.
> >
> > In a single domain, the Infrastructure FSMO and GC ARE compatible when
> > running on the same DC.
> >
> > --
> > Dean Wells [MVP / Directory Services]
> > MSEtechnology
> > [[ Please respond to the Newsgroup only regarding posts ]]
> > R e m o v e t h e m a s k t o s e n d e m a i l
> >
> > RHS wrote:
> > > Hi,
> > > I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
> > > Previously another Win2k DC was physically removed from the network
> > > without demoting with DCPromo. It appears that the Infrastructure
> > > Master was it's only role. I've seen the documents regarding using
> > > Ntdsutil to seize FSMO roles.
> > > Once I've done that, is there anything else I need to do?
> > >
> > > Also, with a single domain is there a problem with having the global
> > > catalog DC also hold the Infrastructure Master?
> > > It's a RAID 5 machine versus my second AD DC being a pc clone.
> > >
> > > Thanks much,
> > > Robert
> >
> >
> >
>
Anonymous
December 29, 2004 4:21:26 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

That former server will never be on the network again (already formatted).
How risky is it to run ADSIEdit? Is it really necessary?
MS documentation (Q283595) claims that it is run when you want to return a
DC that previously owned one or more roles of the operations master to the
same network without causing conflict with any new role holder of the
operations master.

This server will never, ever be returned to the network.

"Michael D. Ober" wrote:

> Yes. Find and remove all references to the former machine. You will need
> to use ADSIEdit to completely remove this server. When you sieze a FSMO
> role, you must ensure the old machine never comes back up without formatting
> its hard drive.
>
> Mike Ober.
>
> "RHS" <RHS@discussions.microsoft.com> wrote in message
> news:25369FD9-D392-49D9-B4E7-2567A1175FEC@microsoft.com...
> > I do not plan on re-introducing the former AD DC back into the network.
> > Do I need to remove any references of it...e.g. AD CU /System/FRS?
> > Or in any other locations where it is referenced.
> > I'm concerned with the event viewer logs displaying unnecessary messages.
> > Thanks much Dean.
> >
> > Robert
> >
> > "Dean Wells [MVP]" wrote:
> >
> > > Nothing further needs to be done when seizing the Infrastructure FSMO
> > > since it maintains virtually no state.
> > >
> > > In a single domain, the Infrastructure FSMO and GC ARE compatible when
> > > running on the same DC.
> > >
> > > --
> > > Dean Wells [MVP / Directory Services]
> > > MSEtechnology
> > > [[ Please respond to the Newsgroup only regarding posts ]]
> > > R e m o v e t h e m a s k t o s e n d e m a i l
> > >
> > > RHS wrote:
> > > > Hi,
> > > > I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
> > > > Previously another Win2k DC was physically removed from the network
> > > > without demoting with DCPromo. It appears that the Infrastructure
> > > > Master was it's only role. I've seen the documents regarding using
> > > > Ntdsutil to seize FSMO roles.
> > > > Once I've done that, is there anything else I need to do?
> > > >
> > > > Also, with a single domain is there a problem with having the global
> > > > catalog DC also hold the Infrastructure Master?
> > > > It's a RAID 5 machine versus my second AD DC being a pc clone.
> > > >
> > > > Thanks much,
> > > > Robert
> > >
> > >
> > >
> >
>
>
>
>
Anonymous
December 29, 2004 6:11:18 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Great point, I neglected to mention the process of metadata cleanup. My
comment regarding the IM simply meant that the FSMO role itself imposes
no additional requirements once seized.

I would recommend the use of NTDSUTIL over ADSIEDIT since, although it
is cumbersome, it ensures that the task at hand is completed correctly
(including FRS state).

With regard to the statement: "you must ensure the old machine never
comes back up without formatting its hard drive", this is FSMO specific
and does not apply here. The IM, as I said, maintains virtually no
state and as such can be brought back on line (where possible) without
any cause for concern ... assuming other non-related factors are a
non-issue, factors such as downtime not exceeding tombstone lifetime.

Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
introduce the concept of INITSYNC; a requirement that must be met by all
DCs holding FSMO roles. This requirement prevents a DC in possession of
a FSMO role from offering any service at boot time bound to that role
until it has completed a full replication cycle with one of its direct
replication partners. This technique helps to ensure that 2 DCs do not
service the same FSMO role (the assumption being that the DC from which
the old FSMO replicates will already be aware that the role has moved
and will inform the old FSMO of this fact before it begins to offer
those services).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Michael D. Ober wrote:
> Yes. Find and remove all references to the former machine. You will
> need to use ADSIEdit to completely remove this server. When you
> sieze a FSMO role, you must ensure the old machine never comes back
> up without formatting its hard drive.
>
> Mike Ober.
>
> "RHS" <RHS@discussions.microsoft.com> wrote in message
> news:25369FD9-D392-49D9-B4E7-2567A1175FEC@microsoft.com...
>> I do not plan on re-introducing the former AD DC back into the
>> network. Do I need to remove any references of it...e.g. AD CU
>> /System/FRS?
>> Or in any other locations where it is referenced.
>> I'm concerned with the event viewer logs displaying unnecessary
>> messages. Thanks much Dean.
>>
>> Robert
>>
>> "Dean Wells [MVP]" wrote:
>>
>>> Nothing further needs to be done when seizing the Infrastructure
>>> FSMO since it maintains virtually no state.
>>>
>>> In a single domain, the Infrastructure FSMO and GC ARE compatible
>>> when running on the same DC.
>>>
>>> --
>>> Dean Wells [MVP / Directory Services]
>>> MSEtechnology
>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>> R e m o v e t h e m a s k t o s e n d e m a i l
>>>
>>> RHS wrote:
>>>> Hi,
>>>> I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
>>>> Previously another Win2k DC was physically removed from the network
>>>> without demoting with DCPromo. It appears that the Infrastructure
>>>> Master was it's only role. I've seen the documents regarding using
>>>> Ntdsutil to seize FSMO roles.
>>>> Once I've done that, is there anything else I need to do?
>>>>
>>>> Also, with a single domain is there a problem with having the
>>>> global catalog DC also hold the Infrastructure Master?
>>>> It's a RAID 5 machine versus my second AD DC being a pc clone.
>>>>
>>>> Thanks much,
>>>> Robert
Anonymous
December 29, 2004 6:11:19 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

If I have this straight, I seize the role first, then run NTDSutil metadata
cleanup.
Then I remove any references of the former DC from AD Users and Computers,
etc...

Thanks much Dean.


"Dean Wells [MVP]" wrote:

> Great point, I neglected to mention the process of metadata cleanup. My
> comment regarding the IM simply meant that the FSMO role itself imposes
> no additional requirements once seized.
>
> I would recommend the use of NTDSUTIL over ADSIEDIT since, although it
> is cumbersome, it ensures that the task at hand is completed correctly
> (including FRS state).
>
> With regard to the statement: "you must ensure the old machine never
> comes back up without formatting its hard drive", this is FSMO specific
> and does not apply here. The IM, as I said, maintains virtually no
> state and as such can be brought back on line (where possible) without
> any cause for concern ... assuming other non-related factors are a
> non-issue, factors such as downtime not exceeding tombstone lifetime.
>
> Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
> introduce the concept of INITSYNC; a requirement that must be met by all
> DCs holding FSMO roles. This requirement prevents a DC in possession of
> a FSMO role from offering any service at boot time bound to that role
> until it has completed a full replication cycle with one of its direct
> replication partners. This technique helps to ensure that 2 DCs do not
> service the same FSMO role (the assumption being that the DC from which
> the old FSMO replicates will already be aware that the role has moved
> and will inform the old FSMO of this fact before it begins to offer
> those services).
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
>
> Michael D. Ober wrote:
> > Yes. Find and remove all references to the former machine. You will
> > need to use ADSIEdit to completely remove this server. When you
> > sieze a FSMO role, you must ensure the old machine never comes back
> > up without formatting its hard drive.
> >
> > Mike Ober.
> >
> > "RHS" <RHS@discussions.microsoft.com> wrote in message
> > news:25369FD9-D392-49D9-B4E7-2567A1175FEC@microsoft.com...
> >> I do not plan on re-introducing the former AD DC back into the
> >> network. Do I need to remove any references of it...e.g. AD CU
> >> /System/FRS?
> >> Or in any other locations where it is referenced.
> >> I'm concerned with the event viewer logs displaying unnecessary
> >> messages. Thanks much Dean.
> >>
> >> Robert
> >>
> >> "Dean Wells [MVP]" wrote:
> >>
> >>> Nothing further needs to be done when seizing the Infrastructure
> >>> FSMO since it maintains virtually no state.
> >>>
> >>> In a single domain, the Infrastructure FSMO and GC ARE compatible
> >>> when running on the same DC.
> >>>
> >>> --
> >>> Dean Wells [MVP / Directory Services]
> >>> MSEtechnology
> >>> [[ Please respond to the Newsgroup only regarding posts ]]
> >>> R e m o v e t h e m a s k t o s e n d e m a i l
> >>>
> >>> RHS wrote:
> >>>> Hi,
> >>>> I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
> >>>> Previously another Win2k DC was physically removed from the network
> >>>> without demoting with DCPromo. It appears that the Infrastructure
> >>>> Master was it's only role. I've seen the documents regarding using
> >>>> Ntdsutil to seize FSMO roles.
> >>>> Once I've done that, is there anything else I need to do?
> >>>>
> >>>> Also, with a single domain is there a problem with having the
> >>>> global catalog DC also hold the Infrastructure Master?
> >>>> It's a RAID 5 machine versus my second AD DC being a pc clone.
> >>>>
> >>>> Thanks much,
> >>>> Robert
>
>
>
Anonymous
December 29, 2004 7:33:46 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

That will do ...

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
> If I have this straight, I seize the role first, then run NTDSutil
> metadata cleanup.
> Then I remove any references of the former DC from AD Users and
> Computers, etc...
>
> Thanks much Dean.
>
>
> "Dean Wells [MVP]" wrote:
>
>> Great point, I neglected to mention the process of metadata cleanup.
>> My comment regarding the IM simply meant that the FSMO role itself
>> imposes no additional requirements once seized.
>>
>> I would recommend the use of NTDSUTIL over ADSIEDIT since, although
>> it is cumbersome, it ensures that the task at hand is completed
>> correctly (including FRS state).
>>
>> With regard to the statement: "you must ensure the old machine never
>> comes back up without formatting its hard drive", this is FSMO
>> specific and does not apply here. The IM, as I said, maintains
>> virtually no state and as such can be brought back on line (where
>> possible) without any cause for concern ... assuming other
>> non-related factors are a non-issue, factors such as downtime not
>> exceeding tombstone lifetime.
>>
>> Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
>> introduce the concept of INITSYNC; a requirement that must be met by
>> all DCs holding FSMO roles. This requirement prevents a DC in
>> possession of a FSMO role from offering any service at boot time
>> bound to that role until it has completed a full replication cycle
>> with one of its direct replication partners. This technique helps
>> to ensure that 2 DCs do not service the same FSMO role (the
>> assumption being that the DC from which the old FSMO replicates will
>> already be aware that the role has moved and will inform the old
>> FSMO of this fact before it begins to offer those services).
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l
>>
>> Michael D. Ober wrote:
>>> Yes. Find and remove all references to the former machine. You
>>> will need to use ADSIEdit to completely remove this server. When
>>> you sieze a FSMO role, you must ensure the old machine never comes
>>> back up without formatting its hard drive.
>>>
>>> Mike Ober.
>>>
>>> "RHS" <RHS@discussions.microsoft.com> wrote in message
>>> news:25369FD9-D392-49D9-B4E7-2567A1175FEC@microsoft.com...
>>>> I do not plan on re-introducing the former AD DC back into the
>>>> network. Do I need to remove any references of it...e.g. AD CU
>>>> /System/FRS?
>>>> Or in any other locations where it is referenced.
>>>> I'm concerned with the event viewer logs displaying unnecessary
>>>> messages. Thanks much Dean.
>>>>
>>>> Robert
>>>>
>>>> "Dean Wells [MVP]" wrote:
>>>>
>>>>> Nothing further needs to be done when seizing the Infrastructure
>>>>> FSMO since it maintains virtually no state.
>>>>>
>>>>> In a single domain, the Infrastructure FSMO and GC ARE compatible
>>>>> when running on the same DC.
>>>>>
>>>>> --
>>>>> Dean Wells [MVP / Directory Services]
>>>>> MSEtechnology
>>>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>>>> R e m o v e t h e m a s k t o s e n d e m a i l
>>>>>
>>>>> RHS wrote:
>>>>>> Hi,
>>>>>> I've got a single domain, two Win2k DC's mixed with some NT
>>>>>> BDC,s. Previously another Win2k DC was physically removed from
>>>>>> the network without demoting with DCPromo. It appears that the
>>>>>> Infrastructure Master was it's only role. I've seen the
>>>>>> documents regarding using Ntdsutil to seize FSMO roles.
>>>>>> Once I've done that, is there anything else I need to do?
>>>>>>
>>>>>> Also, with a single domain is there a problem with having the
>>>>>> global catalog DC also hold the Infrastructure Master?
>>>>>> It's a RAID 5 machine versus my second AD DC being a pc clone.
>>>>>>
>>>>>> Thanks much,
>>>>>> Robert
Anonymous
December 29, 2004 7:33:47 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks Dean, appreciate it.

Robert


"Dean Wells [MVP]" wrote:

> That will do ...
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
>
> RHS wrote:
> > If I have this straight, I seize the role first, then run NTDSutil
> > metadata cleanup.
> > Then I remove any references of the former DC from AD Users and
> > Computers, etc...
> >
> > Thanks much Dean.
> >
> >
> > "Dean Wells [MVP]" wrote:
> >
> >> Great point, I neglected to mention the process of metadata cleanup.
> >> My comment regarding the IM simply meant that the FSMO role itself
> >> imposes no additional requirements once seized.
> >>
> >> I would recommend the use of NTDSUTIL over ADSIEDIT since, although
> >> it is cumbersome, it ensures that the task at hand is completed
> >> correctly (including FRS state).
> >>
> >> With regard to the statement: "you must ensure the old machine never
> >> comes back up without formatting its hard drive", this is FSMO
> >> specific and does not apply here. The IM, as I said, maintains
> >> virtually no state and as such can be brought back on line (where
> >> possible) without any cause for concern ... assuming other
> >> non-related factors are a non-issue, factors such as downtime not
> >> exceeding tombstone lifetime.
> >>
> >> Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
> >> introduce the concept of INITSYNC; a requirement that must be met by
> >> all DCs holding FSMO roles. This requirement prevents a DC in
> >> possession of a FSMO role from offering any service at boot time
> >> bound to that role until it has completed a full replication cycle
> >> with one of its direct replication partners. This technique helps
> >> to ensure that 2 DCs do not service the same FSMO role (the
> >> assumption being that the DC from which the old FSMO replicates will
> >> already be aware that the role has moved and will inform the old
> >> FSMO of this fact before it begins to offer those services).
> >>
> >> --
> >> Dean Wells [MVP / Directory Services]
> >> MSEtechnology
> >> [[ Please respond to the Newsgroup only regarding posts ]]
> >> R e m o v e t h e m a s k t o s e n d e m a i l
> >>
> >> Michael D. Ober wrote:
> >>> Yes. Find and remove all references to the former machine. You
> >>> will need to use ADSIEdit to completely remove this server. When
> >>> you sieze a FSMO role, you must ensure the old machine never comes
> >>> back up without formatting its hard drive.
> >>>
> >>> Mike Ober.
> >>>
> >>> "RHS" <RHS@discussions.microsoft.com> wrote in message
> >>> news:25369FD9-D392-49D9-B4E7-2567A1175FEC@microsoft.com...
> >>>> I do not plan on re-introducing the former AD DC back into the
> >>>> network. Do I need to remove any references of it...e.g. AD CU
> >>>> /System/FRS?
> >>>> Or in any other locations where it is referenced.
> >>>> I'm concerned with the event viewer logs displaying unnecessary
> >>>> messages. Thanks much Dean.
> >>>>
> >>>> Robert
> >>>>
> >>>> "Dean Wells [MVP]" wrote:
> >>>>
> >>>>> Nothing further needs to be done when seizing the Infrastructure
> >>>>> FSMO since it maintains virtually no state.
> >>>>>
> >>>>> In a single domain, the Infrastructure FSMO and GC ARE compatible
> >>>>> when running on the same DC.
> >>>>>
> >>>>> --
> >>>>> Dean Wells [MVP / Directory Services]
> >>>>> MSEtechnology
> >>>>> [[ Please respond to the Newsgroup only regarding posts ]]
> >>>>> R e m o v e t h e m a s k t o s e n d e m a i l
> >>>>>
> >>>>> RHS wrote:
> >>>>>> Hi,
> >>>>>> I've got a single domain, two Win2k DC's mixed with some NT
> >>>>>> BDC,s. Previously another Win2k DC was physically removed from
> >>>>>> the network without demoting with DCPromo. It appears that the
> >>>>>> Infrastructure Master was it's only role. I've seen the
> >>>>>> documents regarding using Ntdsutil to seize FSMO roles.
> >>>>>> Once I've done that, is there anything else I need to do?
> >>>>>>
> >>>>>> Also, with a single domain is there a problem with having the
> >>>>>> global catalog DC also hold the Infrastructure Master?
> >>>>>> It's a RAID 5 machine versus my second AD DC being a pc clone.
> >>>>>>
> >>>>>> Thanks much,
> >>>>>> Robert
>
>
>
!