How to upgrade secondary AD to primary AD

  • Question

  • Hi,

    Actually we have posted the question on the forum under Exchange Server 2010; however, we are still waiting for feedback from Microsoft experts. Let me summarize again the problem we are facing now:

    We have 2 AD servers, 2 mailstores, 2 CAS and 2 HUB. Currently, our primary AD has crashed and we do not have any backup. We are thinking of converting the secondary AD to become the primary AD and setting up another new AD. Our plan was to have 2 AD servers to load balance the traffic.

    We found that all the FSMO roles (Schema, Domain naming, RID, PDC and Infrastructure) are running at the primary AD. We are unable to migrate the FSMO roles to a new server as the primary server has crashed. Is it possible to convert the secondary AD to primary AD?

    Please advise!

    Thanks!


    Tuesday, July 26, 2011 8:49 AM

Answers

  • Hi Shirobb10


    There should be no problem seizing the FSMO roles from the Domain Controller that was holding all the roles. In fact, seizing the roles is a step that is specifically set for the following situations:

    • The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred
    • A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command
    • The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled

    Yours appears to be the first scenario.

    The only pre-requisite is that you do not seize the roles whilst the FSMO role holder is online (transfer instead) and that once the FSMO roles have been seized, you do not bring the former FSMO role holder back online. You will need to demote the server first (whilst it is offline) and then join it back to the domain as a member server, if you want it back on your network.

    Follow these steps to seize the roles on your currently active Domain Controller.

    To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

    1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
    2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
    3. Type roles, and then press ENTER.
    4. Type connections, and then press ENTER.
    5. Type connect to server <servername>, and then press ENTER, where <servername> is the name of the domain controller that you want to assign the FSMO role to.
    6. At the server connections prompt, type q, and then press ENTER.
    7. Type seize <role>, where <role> is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
    8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    For more information that may be relevant, see the following KB article: http://support.microsoft.com/kb/255504


    Regards



    • Proposed as answer by TheMaestro Tuesday, July 26, 2011 10:18 AM
    • Marked as answer by ShiroBB Wednesday, July 27, 2011 4:09 AM
    Tuesday, July 26, 2011 10:17 AM
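The same seizure driven from PowerShell, as an added example (not from this thread or from Microsoft's KB): it refuses to seize while the old holder still answers, seizes all five roles with Move-ADDirectoryServerOperationMasterRole -Force, and then verifies the holders the way netdom query fsmo would. It assumes Windows Server 2008 R2 or later with the ActiveDirectory module installed; the MSG-AD1/MSG-AD2 names are taken from later posts in this thread.

```powershell
# Added example: seize all five FSMO roles onto the surviving DC, but only after
# confirming the former holder is really unreachable (seizing while it is alive
# would leave two DCs claiming the same role). Assumes RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$FailedDc    = 'MSG-AD1'   # former role holder: crashed and staying offline
$SurvivingDc = 'MSG-AD2'   # DC that takes over all roles

# Guard: if the old holder still answers, transfer (no -Force) instead of seizing.
if (Test-Connection -ComputerName $FailedDc -Count 2 -Quiet) {
    throw "$FailedDc still answers on the network. Transfer the roles instead of seizing."
}

$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# -Force seizes when the current holder cannot be contacted; this is the same
# operation as 'seize <role>' at the ntdsutil fsmo maintenance prompt.
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDc `
    -OperationMasterRole $Roles -Force -Confirm:$false

# Verify: every role must now report the surviving DC (same data as 'netdom query fsmo').
$Forest  = Get-ADForest
$Domain  = Get-ADDomain
$Holders = [ordered]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$Holders.GetEnumerator() | ForEach-Object {
    # Holders come back as FQDNs, so match on the host label.
    $ok = ($_.Value -eq $SurvivingDc) -or ($_.Value -like "$SurvivingDc.*")
    '{0,-22} {1,-32} {2}' -f $_.Key, $_.Value, $(if ($ok) { 'OK' } else { 'STILL ON OLD HOLDER' })
}
```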
  • I can tell by your question that you didn't read the information notes in the KB:

    <COPY>
    Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller.

    <\COPY>

    Just remember that the broken DC should never ever be brought back "to life" after this without a reinstallation.
    And I don't think I have to tell you that you need to back up Active Directory! :)

    Happy seizing, the commands look good.

    :Martina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    • Marked as answer by ShiroBB Wednesday, July 27, 2011 4:09 AM
    Tuesday, July 26, 2011 10:19 AM

All replies

  • Shirobb109,
    There is no such thing as a primary and secondary AD.
    If you had 2 Domain Controllers in Active Directory and the one with all FSMO roles failed, you must seize all FSMO roles to the DC you have left.

    See the section "Seize FSMO Roles".

    This is more an Active Directory problem than Exchange, so it would have been better to post your question at http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads



    :Martina



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    Tuesday, July 26, 2011 9:34 AM
  • Hi Martina,

    All the FSMO roles are sitting on the first DC, which has crashed; that's why we cannot transfer them out to another DC server. We do not have a backup either. Our Global Catalog is running on both DCs; if we run the commands below at the other DC server, what is the impact?

    Seize domain naming master

    seize infrastructure master

    seize PDC

    seize RID master

    seize schema master

    Please advise,

    Tuesday, July 26, 2011 10:00 AM
  • Thanks Martina & Maestro, your information was very helpful. I managed to run the seize command for 4 roles at my DC. However, I cannot seize the domain naming master to my AD2; it returns Invalid Syntax. FYI, I log in as the administrator to run the following command.

    fsmo maintenance: seize Domain naming master
    Error parsing Input - Invalid Syntax.

    C:\>netdom query fsmo
    Schema master                   MSG-AD2
    Domain naming master        MSG-AD1
    PDC                                   MSG-AD2
    RID pool manager               MSG-AD2
    Infrastructure master           MSG-AD2
    The command completed successfully.

    Please advise!

    Wednesday, July 27, 2011 3:57 AM
  • Hey Guys,

    I managed to seize all my FSMO roles to the new DC; I realized that the command seize domain naming master is for Windows 2003 and my servers are running on Windows 2008. I used the command seize naming master instead.

    Thank you!

    Wednesday, July 27, 2011 4:09 AM
  • That was good news shiroob10, thanks for the update!

    :Martina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    Wednesday, July 27, 2011 6:01 AM
  • Hi Martina,

    Sorry, forgot to ask: as we have migrated all FSMO roles to another DC, what settings do we need to change for the rest of the Exchange servers such as CAS, HUB and MAILSTORE? Is there any other configuration we need to change at the Exchange servers? We need to make sure all the AD servers are able to point to the new DC and not to the old DC (which has already crashed).

    Please advise!

    Monday, August 1, 2011 4:23 AM
  • Hi Shirobb10,
    Nice to hear from you again!

    From an Exchange point of view, just make sure that it doesn't have the failed server in its DNS settings.
    Look for EventID 2080 in the Application Log and you will see which Domain Controllers the Exchange Server knows about and will use.

    You should completely remove the failed Domain Controller from Active Directory, so follow the steps in this guide to start with:

    Remove a demoted or failed DC from Active Directory using Ntdsutil.exe

    ...and don't forget to remove all entries in DNS for the failed server.




    Martina Miskovic
    Monday, August 1, 2011 5:29 AM
  • Hi Martina,

    Thanks for the guideline given. I have tried the URL for the steps to remove a demoted or failed DC from AD using ntdsutil. We realize it doesn't apply to our demoted DC as the server has already been brought down. We cannot connect to that DC; that's the reason why we cannot remove it from AD.

    From Event 2080 we received the output mentioned below:

    MSG-AD1 CDG 1 0 0 1 0 0 0 0 0

    MSG-AD2 CDG 1 7 7 1 0 1 1 7 1

    Tuesday, August 2, 2011 1:52 AM
  • Hi Shirobb10,
    The guide does apply, so read the instructions again.
    HINT: Read step 4 extra carefully (=you should connect to server MSG-AD2 CDG and remove MSG-AD1 CDG)

    When you read EventID 2080...
    Were the two servers in-site or was one out-of-site?
    Exchange needs a Global Catalog server to "talk to" in the AD Site it itself belongs to.

    Run: Get-Exchangeserver | Ft Name,Site

    ...it will tell you if the Exchange servers belong to different AD sites.


    Martina Miskovic

    • Edited by Martina_Miskovic Tuesday, August 2, 2011 5:48 AM Added: Get-Exchangeserver
    Tuesday, August 2, 2011 5:30 AM
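To make the per-DC lines of event 2080 quoted above readable, here is a decoder written for this page (not code from the thread or from Microsoft). The column layout and bit-mask values follow Microsoft's documentation of MSExchange ADAccess event 2080; the two input lines are the ones posted above, embedded as constructed sample input, and the function and property names are my own.

```powershell
# Added example: decode MSExchange ADAccess event 2080 DC lines so the DC that
# Exchange cannot use stands out. Sample input is copied from the post above.
$Sample = @'
MSG-AD1 CDG 1 0 0 1 0 0 0 0 0
MSG-AD2 CDG 1 7 7 1 0 1 1 7 1
'@

# Reachability, Synchronized and Netlogon are bit masks over the three DC roles:
# 1 = configuration DC, 2 = domain DC, 4 = global catalog (7 = all three).
function Expand-RoleMask([int]$Mask) {
    $parts = @()
    if ($Mask -band 1) { $parts += 'Config' }
    if ($Mask -band 2) { $parts += 'Domain' }
    if ($Mask -band 4) { $parts += 'GC' }
    if ($parts.Count -eq 0) { 'none' } else { $parts -join '+' }
}

# Columns: Server, Roles, Enabled, Reachability, Synchronized, GC capable, PDC,
# SACL right, Critical Data, Netlogon, OS Version.
function ConvertFrom-Event2080Line([string]$Line) {
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -ne 11) { throw "Unexpected field count in: $Line" }
    $reach = [int]$f[3]; $sync = [int]$f[4]; $netlogon = [int]$f[9]
    [pscustomobject]@{
        Server       = $f[0]
        Roles        = $f[1]                 # C = config, D = domain, G = global catalog
        Enabled      = $f[2]  -eq '1'
        Reachable    = Expand-RoleMask $reach
        Synchronized = Expand-RoleMask $sync
        GCCapable    = $f[5]  -eq '1'
        IsPDC        = $f[6]  -eq '1'
        SACLRight    = $f[7]  -eq '1'        # Exchange holds "Manage auditing and security log"
        CriticalData = $f[8]  -eq '1'        # Exchange config container found on this DC
        Netlogon     = Expand-RoleMask $netlogon
        OSVersionOK  = $f[10] -eq '1'
        # Exchange only uses a DC that is reachable and in sync for all three roles,
        # grants the SACL right and passes the OS version check.
        UsableByExchange = ($reach -eq 7 -and $sync -eq 7 -and $f[7] -eq '1' -and $f[10] -eq '1')
    }
}

# A crashed DC shows as reachable 'none' and UsableByExchange $false; a clean
# result after metadata cleanup lists only the surviving DC.
$Sample -split '\r?\n' | Where-Object { $_.Trim() } |
    ForEach-Object { ConvertFrom-Event2080Line $_ } |
    Format-Table Server, Roles, Reachable, Synchronized, Netlogon, UsableByExchange -AutoSize
```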
  • Thanks Martina, it works!! I have successfully removed the demoted DC from AD2.

    Now event ID 2080 only shows one server:

    MSG-AD2 CDG 1 7 7 1 0 1 1 7 1

    Since we have removed the demoted DC, can we rebuild the DC with the same hostname and IP address? Would there be any conflict?

    Wednesday, August 3, 2011 8:06 AM
  • Hi Shirobb10,
    This is still a forum for Exchange questions.. :)

    But OK, here are my thoughts on what you should do:

    1. Delete the computer account for MSG-AD1 CDG
    2. Make sure that you don't have any records left for it in DNS
    3. Check in Sites and Services... remove the computer if you haven't done so already
    4. Install

    So yes, you can rebuild the server with the same name and IP.

    For Active Directory questions, post here http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    Good luck and don't forget to back up your servers!!


    Martina Miskovic
    Wednesday, August 3, 2011 5:35 PM
  • Thanks Martina! Thanks for answering my question even though I posted in the wrong forum.

    Thursday, August 4, 2011 1:33 AM