Cannot Access Windows 2008 R2 Member Servers From The DMZ Zone to the Internal Network Domain Controller

Are the roles listed from netdom query fsmo the same ones I've seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?

Yes, exactly. Not sure why they've got the names slightly different in that particular display.

What are the bad things that could happen if I seize one of these roles?

The seizure itself? Not a lot. Most of the potential issues that are warned about are about turning the old DC back on after it's had its role seized - and even then, there's a lot of hysteria out there for not a lot of risk; it takes some pretty strange scenarios to break anything with a seizure instead of a transfer of a role. To go on a tangent for a moment, let's go over the roles and the potential risks:

• Schema Master: This one gets everyone pretty twitchy, but breaking it is not a terribly likely scenario. The documentation says that you should never ever ever turn the old Schema Master back on after seizing the role, which I call alarmist. The old server will be informed of the role change, and as soon as it is, it'll relinquish the role. The potential risk here is if changes are made to the new schema master, then the old schema master is brought online, then before it replicates from the other DCs, different, conflicting, schema changes are made on the old server. This situation is unlikely, but would destroy your domain.

• Naming Master: Same deal as with the Schema master, you'd need to make changes (in this case, create a new domain in the forest) on the old DC, after seizing its role but before it gets knowledge of the seizure.

• PDC Emulator: No risk, it's not responsible for anything where you risk divergence.

• RID Master: You'd need a messed up replication structure to break this one - imagine that you've got 2 DCs; an old RID master that doesn't know its role has been seized, and a new RID master. In this situation, you'd need to create enough objects to exhaust the RID pool on both (they're handed out in 500s), and have them both assign themselves overlapping pools. Create objects with identical RIDs, reconnect the domain controllers, and watch the apocalypse unfold.

• Infrastructure Master: Honestly, probably 50% of domains in the world don't even have a working Infrastructure Master at all, since it doesn't work when it's on a GC. In any case, you can't break it with seizure.

Will users notice?

They should not.

This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?

No. With a single DC, none of the functions of the PDC are missed at all, except maybe your non-PDC DC being unable to sync time with the source that it wants to (the missing PDC).

Moreso:

• You'll only miss the Schema Master when you try to update the schema
• You'll only miss the Naming Master when you try to create a new domain in the forest
• You'll only miss the RID Master when you create too many objects and exhaust your DC's RID pool (this is probably the most likely for you to run into if you just keep running as is)
• You'll only miss the Infrastructure Master for global catalog group updates in a multi-domain forest

Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 - and perhaps less than 10 most days - is having all roles on one DC a real problem?

No - but get a second DC. You don't want to have your only DC fail.

Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?

Yeah - be careful. But sharpen your ntdsutil knives and tear the old data out - extra junk in there isn't helping the maintainability of the domain.

One funny item that always springs to mind when UDP fails while TCP works: Kerberos MaxPacketSize

http://support.microsoft.com/kb/244474

A similar issue can exist with DNS, which by default uses UDP unless the response is too large for a single UDP packet (e.g. getting a list of SRV records). Normally a client should re-try with DNS over TCP, but if this is blocked, strange errors can occur.

Test DNS via TCP with: "nslookup -vc domain.name [dns server]". If this fails, you may have network ACLs, firewall rules, etc, that are blocking TCP DNS.

One final fault I've seen cause similar issues: routing blackholes, where traffic is silently dropped by routers/firewalls for various reasons.

http://support.microsoft.com/kb/314825

Hope this helps!