In Active Directory on Server 2008, FSMO stands for Flexible Single Master Operation. Almost everything in AD is multi-master (any writable DC can change it and replication sorts out the order), but five kinds of change are too dangerous to let two DCs make at once, so each is pinned to exactly one DC, the role holder. The different FSMO roles are as follows:
- Schema Master (one per forest): the only DC allowed to write the schema, the template that defines what a user, a computer or any other object class is and which attributes it carries
- Domain Naming Master (one per forest): the only DC allowed to add or remove domains (and application partitions) in the forest
- PDC Emulator (one per domain): authoritative time source for the domain, receives urgent replication of password changes and account lockouts, is the default target for Group Policy edits, and emulates an NT4 PDC for older clients and BDCs
- RID Master (one per domain): hands each DC in the domain a pool of Relative IDs; a DC appends one RID to the domain SID for every user, group or computer it creates and asks for a fresh pool when it runs low, so without this role new accounts eventually cannot be created
- Infrastructure Master (one per domain): keeps references to objects in other domains (for example a user from another domain who is a member of a local group) up to date by comparing its copy against a global catalog and fixing up its own objects accordingly; in a single-domain forest like the one below it has nothing to do
Every role is held by exactly one DC at a time, and losing the holder means losing that operation until another DC takes the role over. A few years ago this turned into an IT admin's worst nightmare: the main Server 2008 DC, which held all five FSMO roles, was down and would not boot. Fortunately there was a second Domain Controller with a full replica of Active Directory. But since the dead DC would never answer again, the roles could not be transferred (a transfer needs both DCs to agree); they had to be forcibly seized onto the surviving DC.
The setup was two Server 2008 DCs: one with all five FSMO roles on it (let's call it DC1) and a second DC that just had AD replicated onto it (let's call it DC2), plus an Exchange 2007 machine. "Primary" and "backup" are NT4 habits; every AD DC holds a writable copy of the directory, and the only thing that made DC1 special was the roles. Since DC1 would not boot, all five roles had to be seized onto DC2, DC1's leftover metadata had to be cleaned out of the directory, and a fresh Server 2008 had to be installed on DC1 and promoted again before the roles could be gracefully transferred back. Two rules matter here. First, a DC whose schema, domain naming or RID role has been seized must never be brought back onto the network with its old database: it would still believe it holds the roles, duplicate RID pools mean duplicate SIDs, and conflicting schema or naming changes cannot be reconciled. That is why DC1 was wiped and reinstalled rather than repaired. Second, anything that depends on a global catalog, such as Exchange, only keeps working if the surviving DC is also a GC (check with dsquery server -isgc). Below were the steps:
////////////////////////////////////////////////////////////////////////////////// seize FSMO roles (run on the surviving DC2)
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator.DOMAIN>ntdsutil
ntdsutil: roles
fsmo maintenance: con
server connections: con t server localhost
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
server connections: q
// ntdsutil accepts any unambiguous prefix: "con" is "connections", "con t server" is "connect to server".
// Bind to the DC that is going to keep the roles; seize writes the role onto the bound server.
// "seize" first attempts a graceful transfer. The ldap error 0x34 with data 1722
// (RPC_S_SERVER_UNAVAILABLE) below is the expected failure to reach the dead DC1; ntdsutil then
// pops a Yes/No confirmation dialog, writes the role onto localhost (DC2) and prints the new holders.
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210380, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210575, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: seize rid master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210B34, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: sieze domainnamingmaster
Error parsing Input - Invalid Syntax.
fsmo maintenance: seize domainnamingmaster
Error parsing Input - Invalid Syntax.
fsmo maintenance: seize namingmaster
Error parsing Input - Invalid Syntax.
// the ntdsutil keyword for the Domain Naming Master is "naming master", two words
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210380, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210380, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: q
ntdsutil: q
// verify from outside ntdsutil that all five roles now resolve to DC2
C:\Users\Administrator.DOMAIN>netdom
The syntax of this command is:
NETDOM [ ADD | COMPUTERNAME | HELP | JOIN | MOVE | QUERY | REMOVE |
         MOVENT4BDC | RENAMECOMPUTER | RESET | TRUST | VERIFY | RESETPWD ]
The command completed successfully.
C:\Users\Administrator.DOMAIN>netdom query fsmo
Schema master               DC2.DOMAIN.FOREST.com
Domain naming master        DC2.DOMAIN.FOREST.com
PDC                         DC2.DOMAIN.FOREST.com
RID pool manager            DC2.DOMAIN.FOREST.com
Infrastructure master       DC2.DOMAIN.FOREST.com
The command completed successfully.
//////////////// clean up the dead DC1's metadata and AD objects (still on DC2)
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator.DOMAIN>ntdsutil
ntdsutil: m c
metadata cleanup: con
server connections: con t server localhost
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
server connections: rescue
Error parsing Input - Invalid Syntax.
server connections: q
metadata cleanup: li dom
Error parsing Input - Invalid Syntax.
metadata cleanup: select
Error parsing Input - Invalid Syntax.
// "list domains", "list sites" and "list servers in site" live one level down, under "select operation target"
metadata cleanup: select operation target
select operation target: list events
Error parsing Input - Invalid Syntax.
select operation target: list domains
Found 1 domain(s)
0 - DC=DOMAIN,DC=FOREST,DC=com
select operation target: select domain 0
No current site
Domain - DC=DOMAIN,DC=FOREST,DC=com
No current server
No current Naming Context
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Domain - DC=DOMAIN,DC=FOREST,DC=com
No current server
No current Naming Context
select operation target: list servers in site
Found 2 server(s)
0 - CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
1 - CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
// double-check the index: entry 0 must be the dead DC, not the one you are logged on to
select operation target: select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Domain - DC=DOMAIN,DC=FOREST,DC=com
Server - CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
DSA object - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
DNS host name - DC1.DOMAIN.FOREST.com
Computer object - CN=DC1,OU=Domain Controllers,DC=DOMAIN,DC=FOREST,DC=com
No current Naming Context
select operation target: q
metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=DC1,OU=Domain Controllers,DC=DOMAIN,DC=FOREST,DC=com".
Deleting subtree under "CN=DC1,OU=Domain Controllers,DC=DOMAIN,DC=FOREST,DC=com".
The attempt to remove the FRS settings on CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com failed because "Element not found."; metadata cleanup is continuing.
"CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com" removed from server "localhost"
// "Element not found" only means there was no FRS member object left for DC1; the server object,
// its NTDS Settings and the computer account were still removed. On Server 2008 "remove selected
// server" also seizes any role the dead DC still held, so the earlier seize step is belt and braces.
// What it does not touch are DNS records, so those get cleaned up by hand next.
metadata cleanup: q
ntdsutil: q
C:\Users\Administrator.DOMAIN>adsiedit.msc
// check the different parts of AD to make sure it is healthy:
// recursively look at all subnodes of the "Active Directory Domain Services" node in the snap-in
// (and in Active Directory Users and Computers, Active Directory Sites and Services and the DNS
// console) and remove any leftover reference to the hostname or IP address of the deleted DC1.
// The DNS records matter most: a stale NS record, the A record, or the SRV records under _msdcs
// keep sending clients and replication partners to a DC that no longer exists.
// The sync below was run later, after the reinstalled DC1 had been promoted again (its NTDS
// Settings object is the destination); /e spans all sites and /d prints DNs instead of GUIDs.
C:\Users\Administrator.DOMAIN>repadmin /syncall /d /e
// push AD objects from one DC to the other
CALLBACK MESSAGE: The following replication is in progress:
    From: CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
    To  : CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
CALLBACK MESSAGE: The following replication completed successfully:
    From: CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
    To  : CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
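The adsiedit walk above is the manual way of checking for leftovers. The following is an added example, not code from the original post, that does the same check from the surviving DC in PowerShell: it looks for the objects metadata cleanup should have removed, the DNS records it never touches, and replication links that still name the dead DC as a source. DC1, the site name and the zone DOMAIN.FOREST.com are the post's placeholders; the IP address is a made-up assumption. Get-ADObject needs the ActiveDirectory module (Server 2008 R2 or later, or RSAT); Get-DnsServerResourceRecord needs the DnsServer module (2012 or later), so on plain 2008 list the zone with dnscmd /enumrecords instead.

```powershell
# Added example (not from the original post): find anything still referring to a DC that
# was removed with "ntdsutil metadata cleanup". Run on a surviving DC as a domain admin.
Import-Module ActiveDirectory

$OldDc  = 'DC1'                 # the dead DC (placeholder name from the post)
$OldIp  = '192.0.2.10'          # assumption: the dead DC's former address
$Zone   = 'DOMAIN.FOREST.com'   # placeholder zone from the post
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext   # CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
$domainNC = $rootDse.defaultNamingContext         # DC=DOMAIN,DC=FOREST,DC=com

# Objects "remove selected server" deletes; any hit here means cleanup did not finish.
function Find-StaleDcObjects {
    $queries = @(
        # server object (and its NTDS Settings child) under Sites
        @{ Base = "CN=Sites,$configNC";              Filter = "(&(objectClass=server)(cn=$OldDc))" }
        # the DC's computer account
        @{ Base = "OU=Domain Controllers,$domainNC"; Filter = "(&(objectClass=computer)(cn=$OldDc))" }
        # FRS member for SYSVOL; "Element not found" in the post means this was already gone
        @{ Base = "CN=System,$domainNC";             Filter = "(&(objectClass=nTFRSMember)(cn=$OldDc))" }
    )
    $hits = @(foreach ($q in $queries) {
        Get-ADObject -SearchBase $q.Base -LDAPFilter $q.Filter -ErrorAction SilentlyContinue
    })
    # Inbound replication links on the survivors whose source is still the dead DC.
    # fromServer has DN syntax, which LDAP cannot substring-match, so filter client-side.
    $hits += Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSConnection)' `
                 -Properties fromServer -ErrorAction SilentlyContinue |
             Where-Object { $_.fromServer -like "*,CN=$OldDc,CN=Servers,*" }
    $hits | Where-Object { $_ }
}

# Records metadata cleanup leaves behind: the A record, NS records naming the dead host,
# and the _msdcs SRV records that advertise it as a DC/GC/KDC.
function Find-StaleDnsRecords {
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object {
        $_.HostName -ieq $OldDc -or
        ($_.RecordType -eq 'A'   -and $_.RecordData.IPv4Address.IPAddressToString -eq $OldIp) -or
        ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$OldDc.*") -or
        ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$OldDc.*")
    }
}

# Replication topology as the KCC currently sees it (repadmin ships with Server 2008).
function Find-StaleReplPartners {
    repadmin /showrepl /csv | ConvertFrom-Csv | Where-Object { $_.'Source DSA' -ieq $OldDc }
}

$ad   = Find-StaleDcObjects
$dns  = Find-StaleDnsRecords
$repl = Find-StaleReplPartners
if ($ad)   { Write-Warning 'Stale AD objects:';          $ad   | Format-Table DistinguishedName -AutoSize }
if ($dns)  { Write-Warning 'Stale DNS records:';         $dns  | Format-Table HostName, RecordType -AutoSize }
if ($repl) { Write-Warning 'Stale replication sources:'; $repl | Format-Table 'Naming Context', 'Source DSA' -AutoSize }
if (-not ($ad -or $dns -or $repl)) { "No references to $OldDc remain; a rebuilt $OldDc can be promoted again." }
```

Run it before promoting the rebuilt machine under the old name: a leftover server or computer object with that name makes dcpromo fail or, worse, reuse the stale object, and a leftover SRV record keeps clients trying to authenticate against a host that is gone.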
// TRANSFER the FSMO roles back to DC1, now running a freshly installed Server 2008 that was
// promoted as a replica DC. This is a graceful transfer, not a forceful seize like above: both
// DCs are online, the current holder hands the role over and the change replicates normally.
// Run on DC1 so that the transfer binds to it as the new holder.
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator.DOMAIN>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server localhost
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
server connections: q
fsmo maintenance: transfer schema master
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: transfer pdc
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: transfer namingmaster
Error parsing Input - Invalid Syntax.
fsmo maintenance: transfer naming master
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: transfer infrastructure master
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
// ntdsutil shows a Yes/No confirmation dialog before every transfer; "Operation cancelled" is what
// it prints when No is clicked, so the command simply had to be repeated
fsmo maintenance: transfer rid master
Operation cancelled
fsmo maintenance: transfer rid master
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=FOREST,DC=com
fsmo maintenance: q
ntdsutil: q
// "net dom" (with a space) is a typo; the tool is netdom
C:\Users\Administrator.DOMAIN>net dom
The syntax of this command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | PRINT | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]
C:\Users\Administrator.DOMAIN>net dom query fsmo
The syntax of this command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | PRINT | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]
//////// make sure all five FSMO roles are on the newly installed Server 2008 on the DC1 machine
C:\Users\Administrator.DOMAIN>netdom query fsmo
Schema master               DC1.DOMAIN.FOREST.com
Domain naming master        DC1.DOMAIN.FOREST.com
PDC                         DC1.DOMAIN.FOREST.com
RID pool manager            DC1.DOMAIN.FOREST.com
Infrastructure master       DC1.DOMAIN.FOREST.com
The command completed successfully.
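Both halves of this story, the seizure onto DC2 at the top of the page and the graceful transfer back to DC1 just above, are one operation with and without force. The following is an added example, not code from the original post (which had to use ntdsutil because the ActiveDirectory PowerShell module only arrived with Server 2008 R2), showing how the same two moves look with Move-ADDirectoryServerOperationMasterRole, together with the check that the transcripts did by hand with netdom query fsmo. It also adds the guard a practitioner wants before a seizure: refuse if the current holder still answers LDAP, because seizing from a live holder is how a forest ends up with two schema or RID masters. The names DC1 and DC2 are the post's placeholders; everything else is this example's own.

```powershell
# Added example (not from the original post). Needs the ActiveDirectory module
# (Server 2008 R2 or later, or RSAT) and Domain/Enterprise/Schema Admins rights.
Import-Module ActiveDirectory

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Which DC holds each role right now: the PowerShell equivalent of "netdom query fsmo".
function Get-FsmoHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# A holder that still accepts an LDAP connection can hand its roles over gracefully; only a dead
# one should ever be seized from. TCP 389 is used as the liveness probe (ping is often filtered).
function Test-LdapReachable([string]$DcName) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($DcName, 389); $true }
    catch   { $false }
    finally { $tcp.Close() }
}

# Move every role to $Target. Without -Seize this is the graceful transfer used to hand the roles
# back to the rebuilt DC1; with -Seize it is the forced seizure used while DC1 was dead.
# -Force on the cmdlet behaves like ntdsutil "seize": it tries a transfer first and only seizes
# when the holder cannot be contacted.
function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$Target,   # short name or FQDN of the DC receiving the roles
        [switch]$Seize
    )
    $short  = ($Target -split '\.')[0]
    $before = Get-FsmoHolder
    if ($Seize) {
        $live = $before.Values | Sort-Object -Unique |
                Where-Object { (($_ -split '\.')[0] -ne $short) -and (Test-LdapReachable $_) }
        if ($live) {
            throw "Refusing to seize: $($live -join ', ') still answer LDAP. Transfer instead."
        }
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $AllRoles `
        -Force:$Seize -Confirm:$false

    # Verify the result the same way the transcripts did with "netdom query fsmo".
    $after = Get-FsmoHolder
    $stray = $after.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $short }
    if ($stray) {
        throw "Still not on ${Target}: $(($stray | ForEach-Object { $_.Key }) -join ', ')"
    }
    $after
}

# DC1 dead: seize onto DC2 (then wipe and reinstall DC1; never boot the old image again).
#   Move-AllFsmoRoles -Target DC2 -Seize
# DC1 rebuilt and promoted again: hand the roles back gracefully.
#   Move-AllFsmoRoles -Target DC1
```

As with ntdsutil, run the seizure from (or at least target) the DC that will keep the roles, and after a seizure treat the old holder's disk as toxic: the only supported way to bring that hardware back is the reinstall and re-promotion the post describes.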
////////////// dcpromo settings from DC1.DOMAIN.FOREST.com: the unattend file dcpromo exported when the
// reinstalled DC1 was promoted as a replica DC and global catalog (ConfirmGc=Yes) in the existing site.
// SafeModeAdminPassword is the Directory Services Restore Mode password and sits in this file in
// cleartext, so fill it in only when running dcpromo and delete the file afterwards.
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Users\Administrator.DOMAIN\Desktop\dcpromo.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Replica DC promotion
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=DOMAIN.FOREST.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
DNSDelegationUserName=*
DNSDelegationPassword=*
UserDomain=DOMAIN.FOREST.com
UserName=*
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes