Transferring of FSMO Roles (Urgent!)

Ryan

Hi all,

There are 3 domain controllers in my domain environment. The PDC is the
only GC available; it is also our Exchange server. Before we changed the
FSMO roles to another DC, we enabled the other 2 DCs as GCs. Then we
started to change the FSMO roles. No error was reported on the screen or in the
event viewer. This was done during off-peak hours and we let it run for 1 day
(non-working day). When we were back in the office, we found that there were
about 30 users (out of 400) unable to access the Global Address List
from the Outlook client. Some were even having problems loading up the Outlook
client. We started to change all the FSMO roles back to the original
PDC but the problem persisted.

We decided to roll back to the system state from before we changed the
FSMO roles and it has helped to solve the problem.

Question:
1) What are the possible causes of the problem? When we were troubleshooting
this issue, we found that the GPO is inaccessible (can't remember the exact
error message, but we were unable to bring up the GPO (right-click the
domain under "Active Directory Users & Computers", properties, Group
Policy), meaning we cannot even edit the GPO). We found the kccevent test failed
while running DCDIAG. The Event Log showed a 9074 event but we did not find any
problem related to the article shown.

2) Apparently, the problem occurred after we changed the FSMO roles. Is
there anything we need to take care of before doing the changes? Are there
tools available to check the DC consistency before and after the transition?

Due to the tight schedule, we need to run the FSMO role changes again ASAP.
Please send in your advice for our references, thank you very much!
 
Kevin Bowersock

First I would run a DCdiag and a NetDiag (in verbose mode) and clean up any
errors there.
Pay particular attention to your DNS settings.
Bad DNS can really upset your Active Directory.
Also check your AD and FRS replication. If these are broken it will make
your FSMO role move unreliable.

Next I would also take a look at these links:

283595 HOW TO: Change the Role Owner of the Operations Master After a
http://support.microsoft.com/?id=283595

255690 HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
http://support.microsoft.com/?id=255690

255504 Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
controller
http://support.microsoft.com/?id=255504

223787 Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/?id=223787

Best regards!



This posting is provided "AS IS"
with no warranties, and confers no rights
--------------------
| From: "Ryan" <[email protected]>
| Subject: Transferring of FSMO Roles (Urgent!)
| Date: Mon, 2 Aug 2004 18:53:44 +0800
| Newsgroups: microsoft.public.win2000.active_directory
 
Cary Shultz [A.D. MVP]

Ryan,

You might want to post this in the Exchange news group as well....

What version of Outlook are you running? Is there anything in common ( such
as all 30 of the problem systems are running Outlook 2000 SP1 while everyone
else has at least Outlook 2000 SP3, for example )? What OS are the clients
running?

Did you have everyone restart their computers ( or, at the very least, exit
and close Outlook and then open it again )? Did this do anything?

This could be a DSAccess issue. Please look into how this process works.

For info on the 9074 error please take a look at the following link:

http://www.eventid.net/display.asp?eventid=9074&eventno=1107&source=MSExchangeSA&phase=1

HTH,

Cary
 
Ryan

Thanks for the input....I have thought of relating the 30 users. In terms of
Outlook version, most of them used Outlook 2000 or 2002, but there are users
with the same version that are able to connect to the GAL. It's the same
case for the OS versions. I have not related the users according to their
workgroup, do you think that would help?

I did try some diagnostics on the client machines before restoring the old
system state. Here is what I did on the problem machine:
- I've tried creating a new profile for the machine and it can access the GAL
upon finishing the setup and directly accessing it; however, after I close and
relaunch Outlook, the same problem occurred; this machine does not have a
problem opening Outlook though
- on another machine, tried rejoining the client machine to the domain: (no
problem disjoining and rejoining), problem persists
- on the same machine, the problem that I saw is that this machine takes a
very long time to load Outlook and after a few minutes of "hanging" it will
prompt the server unavailable error; it gets through though when I click on
"Retry". I can view the messages in the mailbox (stored on the server), but still
cannot access the GAL. When I check the GAL properties, there's no
correct server name stated (eg: E instead of the full server name Exch01).
Another unusual thing is when I ping the domain from this machine, the reply
came back from another DC but this DC is not our PDC. Is it normal that
the reply will be returned from any of the DCs available?

Thank you.
 
Cary Shultz [A.D. MVP]

How many Domain Controllers do you have? How many of these Domain
Controllers are Global Catalog Servers? Have you verified that each DC is
indeed a Global Catalog Server?

If you open up the ESM and open up the Administrative Groups | First
Administrative Group | Servers | <servername> and right click on
<servername> and go to the Directory Access tab what do you see?

You should see at the top a Domain Controller that is the CONFIG domain
controller. You should then see all of the Domain Controllers listed as DC
and then you should see each Global Catalog Server listed as GC. Do all
three Domain Controllers show up as DC and GC?

I am sorry, but your description of the steps you took is a bit confusing to
me. In the first one it seems like it was able to work but then if you
close Outlook and then try to open it up again it doesn't work???? And,
upon finishing what setup? After the installation of Outlook and the
configuration?

Where are you checking the GAL properties? Why is there only an 'E' instead
of the correct name?

Have you installed the Support Tools on all of your Domain Controllers and
run dcdiag /c /v and netdiag /v? I do not believe that there should be any
problems with either of these two tests but let's rule it out.

I would also run repadmin /showreps and repadmin /showconn just to make sure
that there are no replication problems ( again, there should not be any and
this is probably a waste of time but..... ).

I would focus on the dsaccess part of this...

HTH,

Cary
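The checks recommended in the replies above (dcdiag /c /v, repadmin /showreps, confirming that each DC really is serving as a GC), collected into one snapshot script to run before and again after the role transfer. This is an added example, not code from any poster in the thread; the DC names and output folder are hypothetical, and the netdom query fsmo record and the rootDSE isGlobalCatalogReady check are additions the thread does not mention.

```powershell
# Added example: health snapshot to take before and after an FSMO transfer.
# Assumptions: DC names and the output folder are hypothetical; dcdiag, repadmin
# and netdom are on the PATH; run from an account with domain admin rights.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02', 'DC03'),  # hypothetical names
    [string]$Label  = 'before',                                # 'before' or 'after'
    [string]$OutDir = 'C:\fsmo-check'                          # hypothetical path
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$problems = @()

# Record the current role holders so the two snapshots can be compared.
netdom query fsmo | Out-File (Join-Path $OutDir "$Label-fsmo.txt")

foreach ($dc in $DomainControllers) {
    # Full dcdiag run against this DC; keep the verbose output for later review.
    $diag = dcdiag "/s:$dc" /c /v
    $diag | Out-File (Join-Path $OutDir "$Label-$dc-dcdiag.txt")
    # dcdiag summarises each test as "<server> passed|failed test <name>".
    $problems += @($diag | Select-String 'failed test' |
        ForEach-Object { "$dc dcdiag: $($_.Line.Trim(' .'))" })

    # Inbound replication partners and last-attempt status for each partition.
    $reps = repadmin /showreps $dc
    $reps | Out-File (Join-Path $OutDir "$Label-$dc-showreps.txt")
    if ($LASTEXITCODE -ne 0) { $problems += "$dc repadmin exited with $LASTEXITCODE" }
    $problems += @($reps | Select-String 'Last attempt .* failed' |
        ForEach-Object { "$dc replication: $($_.Line.Trim())" })

    # A DC with the GC box ticked only answers GC queries once rootDSE says so.
    $rootDse = [ADSI]"LDAP://$dc/RootDSE"
    if ("$($rootDse.isGlobalCatalogReady)" -ne 'TRUE') {
        $problems += "$dc is not advertising as a Global Catalog"
    }
}

$problems | Out-File (Join-Path $OutDir "$Label-problems.txt")
if ($problems.Count -gt 0) { $problems; exit 1 }
"No failed tests on $($DomainControllers -join ', ')"
```

Run it once with -Label before and once with -Label after, then compare the two sets of files; a non-empty problems file in the first run is a reason to postpone the transfer.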
 
Ryan

I have 3 DCs, 2 of them are GCs. Indeed, I didn't check the ESM for what
the available GCs or Domain Controllers are, and now it has the same state as
before any changes were made to the FSMO roles.

As for the descriptions....in the first one, I tried to create a new profile
for that machine (so I selected the server and successfully "checked" the
mailbox name). After I finished setting up the new profile (which I ran from
Control Panel, Mail), I launched Outlook by selecting the new profile and
it was able to access the Global Address List, but after I closed Outlook and
relaunched it, the GAL access problem happened again. So the setup meant here
is setting up the new profile.

I check the GAL properties by bringing up the address book from the client
machine (of course at this time an error will pop up saying unable to
retrieve the GAL), right-click the "Global Address List" and select
properties. Under the "Microsoft Exchange Address Book Provider", "The
current server is" column, you should see the server's full name but what I
see is a single character (which so happens to be the 1st character of
the server name).

I cannot do further checking since I've restored the system state to its
good state before the FSMO transition. What I can do now is to avoid the
problem re-occurring on my next FSMO roles transfer. Here are my
concerns:
- What is the appropriate way of doing the FSMO roles transfer? Do I need
to enable other DCs as GCs before changing the FSMO roles? Can I transfer
the roles without adding any other GC?
- What is the consequence of having more than 1 GC?
- The FSMO role transfer is pretty straightforward and does not have a
progress indication. I have 3 DCs in 1 domain, do I change all the roles at
once or 1 by 1? I can think of dcdiag and netdiag as the diagnostic tools
to be used before doing the changes, any other tools available?
- I always hear of bad DNS causing AD problems, how to make sure that the DNS
is running fine? I can think of doing a simple query, flushdns & registerdns.
- 1 significant thing I can compare between the state before & after the FSMO
role transfer is the GPO. Maybe some input on how to safely replicate the
policy after the changes are made.

Thank you.
 
