Moving Master Schema Role (DBrandt)


Frank Buechler

I've done a little more research... turns out I missed
something. After running
dcdiag /test:Knowsofroleholders /v,
it turns out the server in the DMZ fails. What I get is
this:

Warning: CN="NTDS Settings
....blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings
....blah blah.. is the Domain Owner, but is deleted

The server in the DMZ is the server holding these roles,
and this is the server I ran this test on.

PDC, RID, and Infrastructure Update Owner all passed,
seeing the internal server as the role holders.
Where do I go from here? I really don't see anything in
TechNet (not yet, anyway).

Thanks, Frank
 

David Brandt [MSFT]

That dmz dc is going to need to be demoted for one cause or another, and if
what you see below matches up to what you're seeing, notice the DEL:xxxxx
(deleted somehow). I found a few other cases where they were seeing the
same thing, and the end result of all of them was a demotion of the box and
seizure of the role/s to another machine. I don't know the
background/history/politics/etc. of this situation, but can only say I
wouldn't want any dc of mine out in a dmz anyway. The other recommendation
that normally comes with the seizure of the schema role (others are fine) is
that the box from which it was seized not be brought back into the network
again as a dc, so you're going to need to demote it either gracefully or
forcefully.

Some of what I found from other cases:
DCDIAG /test:KnowsOfRoleHolders /V provided
==========================================
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=<servername>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=com
Warning: CN="NTDS Settings
DEL:388498d1-b96f-4df5-a81a-f21749bd168a",CN=<servername>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domainname>,DC=com is the Schema
Owner, but is deleted.

Note: the domain and server names were removed by me.
--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
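An added example (not from this thread or from Microsoft) of checking for the condition David describes before trusting a DC's role claims: it reads the fsmoRoleOwner attribute that records the Schema and Domain Naming owners, flags an owner DN that carries the DEL:<guid> marker of a deleted object, and confirms against the directory. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name Test-ForestFsmoOwners is made up here.

```powershell
# Added example (not from this thread): flag forest-wide FSMO owners whose
# NTDS Settings object has been deleted, the condition dcdiag reports as
# "... is the Schema Owner, but is deleted".
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

function Test-ForestFsmoOwners {
    $rootDse  = Get-ADRootDSE
    $configNc = $rootDse.configurationNamingContext

    # Objects whose fsmoRoleOwner attribute names the role holder's NTDS Settings DN.
    $roleContainers = [ordered]@{
        'Schema Owner'        = $rootDse.schemaNamingContext
        'Domain Naming Owner' = "CN=Partitions,$configNc"
    }

    foreach ($role in $roleContainers.Keys) {
        $ownerDn = (Get-ADObject -Identity $roleContainers[$role] -Properties fsmoRoleOwner).fsmoRoleOwner

        # A deleted object's RDN is rewritten to "<name>\0ADEL:<objectGUID>";
        # the \0A (newline) is why dcdiag prints CN="NTDS Settings on one line
        # and DEL:<guid>" on the next, exactly as in the output quoted above.
        $deletedGuid = $null
        if ($ownerDn -match 'DEL:([0-9a-fA-F-]{36})') { $deletedGuid = $Matches[1] }

        # Confirm against the directory, including tombstoned objects:
        # look up by objectGUID when the DN already carries the DEL marker.
        $lookup = if ($deletedGuid) { $deletedGuid } else { $ownerDn }
        $owner  = Get-ADObject -Identity $lookup -IncludeDeletedObjects -Properties isDeleted -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Role      = $role
            OwnerDn   = $ownerDn
            Resolved  = [bool]$owner
            IsDeleted = ($null -ne $deletedGuid) -or ($owner -and $owner.isDeleted -eq $true)
        }
    }
}

$results = Test-ForestFsmoOwners
$results | Format-Table -AutoSize

# Any hit here is the thread's case: the role has to be seized to a live DC
# and the stale holder demoted, not repaired in place.
$results | Where-Object IsDeleted | ForEach-Object {
    Write-Warning "$($_.Role) points at a deleted NTDS Settings object: $($_.OwnerDn)"
}
```

Run it from a DC other than the suspect one as well, since a DC whose own NTDS Settings object is gone may still report itself as owner locally.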
 

Guest

Yes, that is what I am seeing. Is it possible for me to
use ntdsutil to see if there is a tombstoned record in the
metabase? And if there is, can I delete and recreate this
record? How do I do this?

Thanks David
 
