new site, dc promo

    Question

  • I set up a new site in ADSS and promoted a DC in the new site, but the AD DNS zones are not showing up. Also, when I run AD Domains and Trusts, I am unable to bring up anything. It says the current ops master is offline.

    Any idea?

    Wednesday, April 25, 2012 12:36 AM

Answers

  • Hi,

    It seems that the FSMO role owner is in offline state. Did you perform any DC upgrade?

    Post dcdiag /q and repadmin /replsum result.

    Run netdom query fsmo to verify the FSMO role owner. If you are getting an error, you will need to seize the FSMO roles to a healthy DC.
    Seizing FSMO roles: http://support.microsoft.com/default.aspx?scid=kb;en-us;255504


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, April 25, 2012 1:13 AM
  • Hello,

    the "netdom query fsmo" will help us to verify the FSMO holders. If a listed DC doesn't exist anymore they must be seized and also metadata cleanup is required.

    http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

    But therefore we need more information from you about the complete setup, amount of DCs etc.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, April 25, 2012 4:41 AM
  • Hello,

    This means that the current FSMO holders are not reachable or offline.

    Please start by determining the FSMO holders: http://support.microsoft.com/kb/234790

    Once done, check that these DCs are still available and reachable.

    If not, then a seizing of FSMO roles should be done.

    Please note that once you seized FSMO roles, the owners of the following FSMO roles should never be back online:

    • Schema Master
    • RID Master
    • Domain Naming Master

    If they are back then this may cause harmful impacts on your AD domain like AD Schema corruption and duplicated SIDs.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Wednesday, April 25, 2012 7:51 AM
  • If you are getting "ops master is offline", it seems that the FSMO role holder server is not reachable. It could be due to the FSMO role being missing/offline, or not reachable due to a DNS misconfig, a n/w connectivity issue between the sites, or a necessary port not being open for AD replication.

    On the online DC, run netdom query fsmo to check the FSMO role holder status. If any of the roles is missing, you need to seize the role.

    Check the dns setting on DC.
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", restart DNS and NETLOGON service each DC.
    Do not put private DNS IP addresses in forwarder list.
    5. Assigning static IP address to DC if IP address is assigned by DHCP server to DC. It is strongly not recommended.

    Active Directory Firewall Ports.
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx.

    Run dcdiag /q and repadmin /replsum to check the health of DC's.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, April 25, 2012 8:26 AM
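
The checks described in the answer above (find the FSMO role holders, then rule out DNS and blocked ports), as an added PowerShell example that is not part of any poster's reply. It assumes the ActiveDirectory module and `Test-NetConnection` are available on a DC that is still online, and the port list is a constructed subset of the AD ports (RPC dynamic ports are not covered).

```powershell
# Added example, not from the thread. Run on a DC that is still online.
# Assumes the ActiveDirectory module and Test-NetConnection are installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles and the owners currently recorded in the directory.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# Constructed subset of AD ports: Kerberos, RPC endpoint mapper, LDAP, SMB.
$ports = 88, 135, 389, 445

$report = foreach ($role in $roles.Keys) {
    $owner = $roles[$role]

    # Step 1: does the role owner's name resolve from this DC's DNS settings?
    $addr = $null
    try {
        $addr = (Resolve-DnsName -Name $owner -Type A -ErrorAction Stop |
                 Where-Object { $_.IPAddress } |
                 Select-Object -First 1).IPAddress
    } catch { }

    # Step 2: if it resolves, which of the required TCP ports do not answer?
    $closed = @()
    if ($addr) {
        foreach ($p in $ports) {
            $t = Test-NetConnection -ComputerName $addr -Port $p -WarningAction SilentlyContinue
            if (-not $t.TcpTestSucceeded) { $closed += $p }
        }
    }

    [pscustomobject]@{
        Role            = $role
        Owner           = $owner
        Resolves        = [bool]$addr
        Address         = $addr
        UnreachablePorts = $closed -join ','
    }
}

$report | Format-Table -AutoSize
```

A role owner that resolves but shows unreachable ports points at the inter-site link or firewall rather than at a dead DC, which is worth ruling out before any role is seized.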
  • You need to provide more information. Regarding the DNS zone not showing up on the new DC, is this DNS zone an AD-integrated or a non-AD-integrated zone? Are all your DCs also DNS and GC?

    How is the connectivity for the branch site? How many domains/forests and DCs are there in your environment? Is the new site connected via VPN or a dedicated leased line? You can also run the tool below to verify the overall health of the domain. Also, post the information below:

    Netdom query DC

    Netdom Query FSMO

    What does DCDIAG actually… do?

    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, April 25, 2012 10:11 AM
    Moderator

All replies

  • Hi,

    How are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, April 27, 2012 1:20 AM
    Moderator
  • Yes, I fixed this issue by changing the default replication interval to 15 mins. Also changed the cost as well.
    Tuesday, May 01, 2012 12:00 AM
  • Good to hear issue has been resolved and thanks for the update.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 01, 2012 5:43 AM
    Moderator