FSMO roles

Kamesh

Hi all,

Recently I configured an additional domain controller and
moved the FSMO roles and then later both the old and newly
configured servers are displaying errors in the operations
masters of RID, PDC, Infrastructure.

Then I restored the old backup on the first server and
made it online. But then I got a problem in creating
users/computer accounts.

With the help of MS articles, I seized the FSMO roles and
brought the old server back online.

Again I used ntfsutil on the new server and seized the
roles on the old server. Here on the new server I was able to
create all the objects.

After doing this operation, both the servers are
displaying all the 5 FSMO roles ( Netdom ).

My Exchange server is still looking for the old server and it
is still not allowing me to create any user/mail accounts.

I am getting error
"Windows cannot validate the uniqueness of this proposed
user name with a global catalog server because:
The server is not operational. Windows will create
this user account, but the user can log on only after the
user name is verified to be unique. For further
assistance, contact your system administrator".

I am not getting the change option on either of the
servers. I want to make this old server offline and this
new server to be online.

At least my server has to allow me to create objects.

Can anyone guide me in solving this problem?

Thanks
Kamesh akella
 
Hi Kamesh,

If an FSMO role is seized from a DC, it should never be brought back
online. The "Seizing the Flexible Single Master Operation Role" section in
the following KB article talks about this.

For your issue, try the following steps and check if it works.

Take the original FSMO role holder offline.
Make the new FSMO role holder the Global catalog Server.
Do a manual replication from AD Sites & Services.

============================================================================
========================================

Microsoft Knowledge Base Article - 223787
Flexible Single Master Operation Transfer and Seizure Process
View products that this article applies to.
This article was previously published under Q223787
SUMMARY
This article describes how Flexible Single Master Operations (FSMO) roles
are transferred from one domain controller to another and how this role can
be forcefully appointed in the event that the domain controller that
previously held the role is no longer available.

For more information about FSMO roles in general, please see the following
article in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO Roles

For additional information about the correct placement of FSMO roles,
please see the following article in the Microsoft Knowledge Base:
223346 FSMO Placement and Optimization on Windows 2000 Domains

MORE INFORMATION
Transferring the Flexible Single Master Operation Role
The transfer of an FSMO role is the suggested form of moving a FSMO role
between domain controllers and can be initiated by the administrator or by
demoting a domain controller, but is not initiated automatically by the
operating system. This includes a server in a shut-down state. FSMO roles
are not automatically relocated during the shutdown process--this must be
considered when shutting down a domain controller that has an FSMO role for
maintenance, for example.

In a graceful transfer of an FSMO role between two domain controllers, a
synchronization of the data that is maintained by the FSMO role owner to
the server receiving the FSMO role is performed prior to transferring the
role to ensure that any changes have been recorded before the role change.

Operational attributes are attributes that translate into an action on the
server. This type of attribute is not defined in the schema, but is instead
maintained by the server and intercepted when a client attempts to read or
write to it. When the attribute is read, generally the result is a
calculated result from the server. When the attribute is written, a
pre-defined action occurs on the domain controller.

The following operational attributes are used to transfer FSMO roles and
are located on the RootDSE (or Root DSA Specific Entry--the root of the
Active Directory tree for a given domain controller where specific
information about the domain controller is kept). In the operation of
writing to the appropriate operational attribute on the domain controller
to receive the FSMO role, the old domain controller is demoted and the
new domain controller is promoted automatically. No manual intervention is
required. The operational attributes that represent the FSMO roles are:
becomeRidMaster
becomeSchemaMaster
becomeDomainMaster
becomePDC
becomeInfrastructureMaster

If the administrator specifies the server to receive the FSMO role using a
tool such as Ntdsutil, the exchange of the FSMO role is defined between the
current owner and the domain controller specified by the administrator.

When a domain controller is demoted, the operational attribute
"GiveAwayAllFsmoRoles" is written, which triggers the domain controller to
locate other domain controllers to offload any roles it currently owns.
Windows 2000 determines which roles the domain controller being demoted
currently owns and locates a suitable domain controller by following these
rules:
Locate a server in the same site.
Locate a server to which there is RPC connectivity.
Use a server over an asynchronous transport (such as SMTP).
In all transfers, if the role is a domain-specific role, the role can be
moved only to another domain controller in the same domain. Otherwise, any
domain controller in the enterprise is a candidate.

Seizing the Flexible Single Master Operation Role
Administrators should use extreme caution in seizing FSMO roles. This
operation, in most cases, should be performed only if the original FSMO
role owner will not be brought back into the environment.

When the administrator seizes an FSMO role from an existing computer, the
"fsmoRoleOwner" attribute is modified on the object that represents the
root of the data directly bypassing synchronization of the data and
graceful transfer of the role. The "fsmoRoleOwner" attribute of each of the
following objects is written with the Distinguished Name (DN) of the NTDS
Settings object (the data in the Active Directory that defines a computer
as a domain controller) of the domain controller that is taking ownership
of that role. As replication of this change starts to spread, other domain
controllers learn of the FSMO role change.

Primary Domain Controller (PDC) FSMO:
LDAP://DC=MICROSOFT,DC=COM

RID Master FSMO:
LDAP://CN=Rid Manager$,CN=System,DC=MICROSOFT,DC=COM

Schema Master FSMO:
LDAP://CN=Schema,CN=Configuration,DC=Microsoft,DC=Com

Infrastructure Master FSMO:
LDAP://CN=Infrastructure,DC=Microsoft,DC=Com

Domain Naming Master FSMO:
LDAP://CN=Partitions,CN=Configuration,DC=Microsoft,DC=Com

For example, if Server1 is the PDC in the Microsoft.com domain and is
retired and the administrator is unable to demote the computer properly,
Server2 needs to be assigned the FSMO role of the PDC. After the seizure of
the role takes place, the value
CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com

is present on the following object:
LDAP://DC=MICROSOFT,DC=COM

The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server
Last Reviewed: 5/14/2003 (2.0)
Keywords: kbenv kbinfo KB223787

============================================================================
========================================

HTH

Ashok
This posting is provided "AS IS" with no warranties, and confers no rights.
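
The KB text quoted above says a seizure writes `fsmoRoleOwner` on five objects and that other domain controllers learn of the change only through replication. The read-only check below is an added example, not part of either post or of the KB article: it reads those five attributes from each DC and reports any role on which the DCs disagree. The names `Get-FsmoView`, `Compare-FsmoView`, `OLDDC`, `NEWDC` and the `example.com` domain are assumptions made for illustration.

```powershell
$Roles = 'PDC','RID','Infrastructure','Schema','DomainNaming'

# Read fsmoRoleOwner from the five objects the KB lists, as seen by one DC.
function Get-FsmoView {
    param([string]$Server)
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $dom  = [string]$root.defaultNamingContext
    $cfg  = [string]$root.configurationNamingContext
    $dn = @{
        PDC            = $dom
        RID            = "CN=RID Manager`$,CN=System,$dom"
        Infrastructure = "CN=Infrastructure,$dom"
        Schema         = [string]$root.schemaNamingContext
        DomainNaming   = "CN=Partitions,$cfg"
    }
    $view = @{}
    foreach ($role in $Roles) {
        $view[$role] = [string]([ADSI]"LDAP://$Server/$($dn[$role])").fsmoRoleOwner
    }
    $view
}

# Compare the views of several DCs; $Views maps DC name -> role/owner map.
function Compare-FsmoView {
    param([System.Collections.IDictionary]$Views)
    foreach ($role in $Roles) {
        $owners = foreach ($dc in $Views.Keys) {
            # The owner is the DN of an NTDS Settings object; keep the server CN.
            if ($Views[$dc][$role] -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] }
            else { '<unreadable>' }
        }
        $distinct = @($owners | Sort-Object -Unique)
        [pscustomobject]@{ Role = $role; Owners = $distinct -join ', '
                           Consistent = ($distinct.Count -eq 1) }
    }
}

# Constructed sample (not real output): each DC names itself as owner of every role.
$suffix = 'CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'
$sample = [ordered]@{}
foreach ($dc in 'OLDDC','NEWDC') {
    $sample[$dc] = @{}
    foreach ($role in $Roles) { $sample[$dc][$role] = "CN=NTDS Settings,CN=$dc,$suffix" }
}
Compare-FsmoView $sample | Format-Table -AutoSize

# Live use: $live = [ordered]@{}; 'OLDDC','NEWDC' | ForEach-Object { $live[$_] = Get-FsmoView $_ }
#           Compare-FsmoView $live | Format-Table -AutoSize
```

Every row of the constructed sample comes back with `Consistent = False`; once replication has converged on a single owner, every row should show one server name.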