Unable to transfer Schema master and domain naming master roles

  • Question

  • We recently had a domain controller dysfunction, and a colleague transferred the PDC, RID and Infrastructure FSMO roles but didn't transfer the Schema or Domain Naming master roles before it was decommissioned, to one in a virtual environment running Windows Server 2003.

    Now I am unable to transfer or seize the roles, as it is saying "*** Warning: the role holder is a deleted DC".

    Is it even possible to just make the new DC the role holder? Because I can't even do that.

    Can someone help me?

    Thanks in advance

    cal

    Tuesday, March 27, 2012 3:43 PM

Answers

  • Do you know, once you have decommissioned a domain controller, you should not bring the server back into Active Directory.

    It will create a lot of problems like the above.

    Now, I think, old DC references still exist in your domain.

    If it is possible, take your old DC (which is acting as a member server) out of the network.

    Note - You can reimage the old DC, and then you can add it as a member server afterwards (with a different host name and IP address).

    To remove the old reference, perform metadata cleanup.

    http://support.microsoft.com/kb/216498

    Once done, proceed with seizing the roles.

    • Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
    • Click Start, click Run, type ntdsutil in the Open box, and then click OK.
    • Type roles, and then press ENTER.
    • Type connections, and then press ENTER.
    • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
    • At the server connections prompt, type q, and then press ENTER.
    • Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
    • At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    Note - FSMO roles have to be hosted on a physical domain controller.

    Hope this helps.

    Do let us know if you face any problem in doing this.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by calsmith Wednesday, March 28, 2012 1:30 PM
    Wednesday, March 28, 2012 11:19 AM

All replies

  • Did you try to seize the FSMO role using the NTDSUtil command?

    http://support.microsoft.com/kb/255504



    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.

    Tuesday, March 27, 2012 5:50 PM
  • Hello,

    Please see here about removing broken DCs and also seizing FSMO roles during the cleanup process:

    http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

    Do NOT forget to reconfigure the time service after changing PDCEmulator. http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, March 27, 2012 6:27 PM
  • Hi,

    I think you could run the following command in a command prompt with elevated rights:

    netdom query fsmo

    and you will get the owner of each FSMO role.

    At the same time, if the unavailable DC is not recoverable, you could follow Meinolf's suggestion to seize the FSMO roles.

    Regards,
    James


    James Xiong

    TechNet Community Support

    Wednesday, March 28, 2012 2:11 AM
  • Hi,

    Yes, I tried to seize the roles using ntdsutil from the CMD prompt, but I can't connect to the server to seize them.

    Do you think I may need to run DCPROMO and then seize these roles and then demote it again?

    Many thanks

    calum

    Wednesday, March 28, 2012 10:39 AM
  • What is the error message you are encountering while seizing the roles?

    You have to try using ntdsutil on a domain controller to seize the FSMO roles.

    So,

    1. Log in to the domain controller.

    2. Use ntdsutil to seize the roles.

    http://support.microsoft.com/kb/255504

    Question -

    Do you think I may need to run DCPROMO and then seize these roles and then demote it again?

    Don't do this. It may result in some more trouble in your domain.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 28, 2012 10:48 AM
  • Hi,

    The problem is that it was a successful demotion; the roles just weren't transferred. It is now classed as a domain computer. I also tried running metadata cleanup, but I can't connect to the domain controller because it is no longer a domain controller.

    I was thinking: maybe if I ran a dcpromo, then transferred the remaining roles and then demoted it again, might that work? Or would that cause problems, as I have heard you should not return a demoted DC back onto the domain as a DC?

    Thanks again

    Calum

    Wednesday, March 28, 2012 10:50 AM
  • I believe you have an additional domain controller in your domain.

    Log in to that and perform metadata cleanup.

    Let us know the scenario in which you are trying this.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 28, 2012 11:00 AM
  • Thanks,

    Yes, I ran the netdom query and it is telling me the PDC, RID and Infrastructure roles are now held on the newly promoted virtual DC, but it tells me the following for the Schema master and Domain Naming master roles:

    Schema master               *** Warning: role owner is a deleted DC: CN=NTDS Set
    tings\0ADEL:0dfb4b8d-5f7e-4520-9e7b-8c9e2f0be886,CN=CLINICAL\0ADEL:e389c877-8ea0
    -42c8-bcbc-1e53abdb4fab,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
    uration,DC=h84607isoft,DC=nhs,DC=uk
    Domain naming master        *** Warning: role owner is a deleted DC: CN=NTDS Set
    tings\0ADEL:0dfb4b8d-5f7e-4520-9e7b-8c9e2f0be886,CN=CLINICAL\0ADEL:e389c877-8ea0
    -42c8-bcbc-1e53abdb4fab,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
    uration,DC=h84607isoft,DC=nhs,DC=uk
    PDC                         h****-dc01.xxxxxxisoft.nhs.uk
    RID pool manager            h****-dc01.xxxxxxisoft.nhs.uk
    Infrastructure master       h****-dc01.xxxxxxisoft.nhs.uk

    When I try to seize the roles I get the following:

    C:\Users\administrator.H84607ISOFT>ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server clinical
    Binding to clinical ...
    DsBindWithSpnExW error 0x6d9(There are no more endpoints available from the endp
    oint mapper.)
    server connections:

    The old DC is still in use, for file sharing and backups, but it is now within the Computers OU in AD.

    Thanks

    Calum


    Wednesday, March 28, 2012 11:05 AM
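As an added example that is not part of any post in this thread: the same check and seize done in PowerShell, covering both the ntdsutil procedure quoted in the accepted answer and the netdom output above. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), which the Windows Server 2003 environment here would not have, and uses a placeholder name for the target DC.

```powershell
# Added example, not from any poster in this thread. Assumes the ActiveDirectory
# PowerShell module (RSAT, Windows Server 2008 R2 or later); the Windows Server 2003
# environment in the thread would use ntdsutil as quoted in the accepted answer.
Import-Module ActiveDirectory

# Placeholder: the LIVE domain controller that should end up holding the roles.
# This is the server you bind to; binding to the decommissioned server is the
# mistake reported in the thread ("no more endpoints available from the endpoint mapper").
$TargetDc = 'dc01.example.invalid'

$rootDse = Get-ADRootDSE

# Each FSMO role is recorded as the fSMORoleOwner attribute of one object: the two
# forest roles on the schema head and the Partitions container, the three domain
# roles on the domain head, the RID Manager$ object and the Infrastructure object.
$roleObjects = [ordered]@{
    SchemaMaster         = $rootDse.schemaNamingContext
    DomainNamingMaster   = "CN=Partitions,$($rootDse.configurationNamingContext)"
    PDCEmulator          = $rootDse.defaultNamingContext
    RIDMaster            = "CN=RID Manager`$,CN=System,$($rootDse.defaultNamingContext)"
    InfrastructureMaster = "CN=Infrastructure,$($rootDse.defaultNamingContext)"
}

function Get-FsmoOwnerState {
    foreach ($role in $roleObjects.Keys) {
        $owner = (Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
        # A tombstoned owner carries "\0ADEL:<guid>" in its DN. That is the string
        # behind netdom's "*** Warning: role owner is a deleted DC" message.
        [pscustomobject]@{
            Role         = $role
            Owner        = $owner
            OwnerDeleted = [bool]($owner -match '\\0ADEL:')
        }
    }
}

$state = Get-FsmoOwnerState
$state | Format-Table -AutoSize

# Only roles whose owner is gone are seized; the others are left where they are.
# -Force writes the new owner without contacting the old holder (a seize, not a
# transfer), which is what "seize <role>" does in ntdsutil.
$toSeize = @($state | Where-Object { $_.OwnerDeleted } | ForEach-Object { $_.Role })
if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
    # Re-read to confirm the new owner DNs no longer contain the deleted marker.
    Get-FsmoOwnerState | Format-Table -AutoSize
}
```

Run it on the DC that should receive the roles, after the metadata cleanup the accepted answer calls for.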
  • Hello,

    Please clean up the AD database according to the mentioned articles. Then run the support tools again and upload the output to Windows SkyDrive:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt

    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]

    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (skydrive.live.com) [with open access!] and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, March 28, 2012 11:49 AM
  • I'm so sorry, I have just realised my mistake!! I was trying to connect to the 'decommissioned' server when using the ntdsutil command to seize the roles, when I should have been connecting to the server I wanted to transfer the roles to!

    Sorry, this is the first 'live' situation I have had to do this procedure in; all the others have been in test environments, and as I didn't start the procedure myself and was coming in to 'clean up', I guess I was a bit flustered...

    Thanks again for all your help, and please forgive me; I am new to this and am learning every day. I will make sure I don't make a silly mistake like that again.

    Thank you all for all your time on this; all the roles have now been transferred successfully!

    Cheers

    Calum

    Wednesday, March 28, 2012 1:29 PM
  • Glad to hear that the issue has been resolved now.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 28, 2012 1:36 PM