Seizing FSMO roles from dead Windows Domain Controller

active-directory, domain-controller, windows-server-2003

I've seen other questions and documents about doing this, but there are some things that still confuse me. Here are the documents and questions I've seen:

The environment contains two Windows servers and numerous clients. The Domain Controller is Windows 2003 SP2 running with a Windows 2000 Native AD. The other server (not a DC at all) is Windows 2000 SP4 (it's hosting a virus checking utility).

Results from netdom query fsmo:

Schema owner                missing.office.local
Domain role owner           myself.office.local
PDC role                    missing.office.local
RID pool manager            missing.office.local
Infrastructure owner        missing.office.local
The command completed successfully.

Results from dcdiag:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\MYSELF
      Starting test: Connectivity
         The host 841d395a-2139-49d9-82c1-7c7e31ccb33b._msdcs.office.local could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (841d395a-2139-49d9-82c1-7c7e31ccb33b._msdcs.office.local) couldn't be
         resolved, the server name (MYSELF.office.local) resolved to the IP
         address (192.168.9.101) and was pingable.  Check that the IP address
         is registered correctly with the DNS server. 
         ......................... MYSELF failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\MYSELF
      Skipping all tests, because server MYSELF is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : office
      Starting test: CrossRefValidation
         ......................... office passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... office passed test CheckSDRefDom

   Running enterprise tests on : office.local
      Starting test: Intersite
         ......................... office.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... office.local failed test FsmoCheck

Here are my questions (pardon me if they are too much of beginner questions):

  • Are the roles listed from netdom query fsmo the same ones I've seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?
  • What are the bad things that could happen if I seize one of these roles?
  • Will users notice?
  • This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?
  • Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 – and perhaps less than 10 most days – is having all roles on one DC a real problem?
  • Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?

Also – an almost tangential question – if I were to upgrade the domain to a Windows 2003 AD (now or in the future), does this change anything in the seizing of FSMO roles?

PS: I suspect the DNS problems have to do with trying to use a non-Microsoft DNS that didn't support Microsoft's Dynamic DNS; I think there is a Windows DNS running but haven't audited it for proper functioning and set up yet.

Best Answer

Are the roles listed from netdom query fsmo the same ones I've seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?

Yes, exactly. Not sure why they've got the names slightly different in that particular display.

What are the bad things that could happen if I seize one of these roles?

The seizure itself? Not a lot. Most of the potential issues that are warned about are about turning the old DC back on after it's had its role seized - and even then, there's a lot of hysteria out there for not a lot of risk; it takes some pretty strange scenarios to break anything with a seizure instead of a transfer of a role. To go on a tangent for a moment, let's go over the roles and the potential risks:

  • Schema Master: This one gets everyone pretty twitchy, but breaking it is not a terribly likely scenario. The documentation says that you should never ever ever turn the old Schema Master back on after seizing the role, which I call alarmist. The old server will be informed of the role change, and as soon as it is, it'll relinquish the role. The potential risk here is if changes are made to the new schema master, then the old schema master is brought online, then before it replicates from the other DCs, different, conflicting, schema changes are made on the old server. This situation is unlikely, but would destroy your domain.

  • Naming Master: Same deal as with the Schema master, you'd need to make changes (in this case, create a new domain in the forest) on the old DC, after seizing its role but before it gets knowledge of the seizure.

  • PDC Emulator: No risk, it's not responsible for anything where you risk divergence.

  • RID Master: You'd need a messed up replication structure to break this one - imagine that you've got 2 DCs; an old RID master that doesn't know its role has been seized, and a new RID master. In this situation, you'd need to create enough objects to exhaust the RID pool on both (they're handed out in 500s), and have them both assign themselves overlapping pools. Create objects with identical RIDs, reconnect the domain controllers, and watch the apocalypse unfold.

  • Infrastructure Master: Honestly, probably 50% of domains in the world don't even have a working Infrastructure Master at all, since it doesn't work when it's on a GC. In any case, you can't break it with seizure.

Will users notice?

They should not.

This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?

No. With a single DC, none of the functions of the PDC are missed at all, except maybe your non-PDC DC being unable to sync time with the source that it wants to (the missing PDC).

More so:

  • You'll only miss the Schema Master when you try to update the schema
  • You'll only miss the Naming Master when you try to create a new domain in the forest
  • You'll only miss the RID Master when you create too many objects and exhaust your DC's RID pool (this is probably the most likely for you to run into if you just keep running as is)
  • You'll only miss the Infrastructure Master for global catalog group updates in a multi-domain forest

Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 - and perhaps less than 10 most days - is having all roles on one DC a real problem?

No - but get a second DC. You don't want to have your only DC fail.

Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?

Yeah - be careful. But sharpen your ntdsutil knives and tear the old data out - extra junk in there isn't helping the maintainability of the domain.
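The seizure and ntdsutil cleanup the answer points at, written out for this question's environment as an added example (these are not the answer's own commands): it assumes the names MYSELF and missing from the netdom output, that it runs on MYSELF as an Enterprise Admin, and uses <...> placeholders for the index numbers ntdsutil prints.

```batch
@echo off
rem Added example, not part of the original answer: seizure and cleanup
rem sequence for this question's environment. MYSELF and the dead DC
rem "missing" are the names from the netdom output; run this on MYSELF as
rem an Enterprise Admin, one step at a time, reading each result.

rem 1. Record the current role holders before changing anything.
netdom query fsmo

rem 2. Seize the four roles still owned by "missing". ntdsutil first tries a
rem    graceful transfer, which fails because the old DC is offline, then
rem    seizes; each seizure asks for confirmation in a dialog box. The domain
rem    naming master already sits on MYSELF, so it is left alone.
rem    (Windows Server 2003 ntdsutil syntax.)
ntdsutil roles connections "connect to server MYSELF" quit "seize schema master" quit quit
ntdsutil roles connections "connect to server MYSELF" quit "seize PDC" quit quit
ntdsutil roles connections "connect to server MYSELF" quit "seize RID master" quit quit
ntdsutil roles connections "connect to server MYSELF" quit "seize infrastructure master" quit quit

rem 3. Verify: every role should now read MYSELF and FsmoCheck should pass.
netdom query fsmo
dcdiag /test:FsmoCheck

rem 4. Metadata cleanup of "missing". First list domains and sites so the
rem    index numbers can be read off the output.
ntdsutil "metadata cleanup" connections "connect to server MYSELF" quit "select operation target" "list domains" "list sites" quit quit quit

rem 5. Replace the <...> placeholders with the numbers printed in step 4 and
rem    by "list servers in site", then remove the stale DC object. ntdsutil
rem    asks for confirmation before it deletes anything.
ntdsutil "metadata cleanup" connections "connect to server MYSELF" quit "select operation target" "select domain <domain#>" "select site <site#>" "list servers in site" quit quit quit
ntdsutil "metadata cleanup" connections "connect to server MYSELF" quit "select operation target" "select domain <domain#>" "select site <site#>" "select server <server#>" quit "remove selected server" quit quit

rem 6. Confirm the roles are still where expected after the removal.
netdom query fsmo
dcdiag /test:FsmoCheck
```

ntdsutil removes the NTDS Settings object and its references; the dead DC's computer account, its server object in Active Directory Sites and Services, and its DNS records (A, SRV and the _msdcs GUID CNAME) are cleaned up separately.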