**** HELPPP Safe Harbor for Seize schema master role

J.H

Dear all,

Question:
- How safe can it be if we try to seize the schema master roles (5) to the 3RD domain controller and retire the 1ST domain controller? (I already practiced and found it is not difficult to do, by following the W2K instructions.)
- I experienced once in my lab that after I seized the 5 roles to another DC and tried to join a workstation to the domain, it said there is no domain.com domain available. If this happens, CAN WE JUST BRING BACK THE 1ST DC ONLINE (take offline the one I seized the 5 roles to?), with no effect at all on the other servers and member workstations?

PLEASE HELP. As I understand, this operation is very critical: if it fails, it will corrupt everything in the network: domain authentication, applications, file sharing, printing, everything.




My system architecture is as follows:

- 2 Domain controllers with DNS integrated
- 1ST Domain controller
  - No error log found, good replication between DCs
  - It is NT 4 SP6 upgraded to Windows 2000 W/SP3 AD
  - It is Active Directory/DNS integrated
  - Plays 5 roles in the Windows 2000 network
  - This server is also Global Catalog Server for supporting Exchange 2000
  - DNS setting that points to itself in DNS1; DNS2
  - WINS is installed and configured (internal requirement by the company)
  - Checked: Exchange 2000 was using 3 Global Catalog Servers for queries
- 2ND Domain controller
  - No error log found, good replication between DCs
  - It is a pure Windows 2000/SP3 installation, has DNS installed & configured
  - No role is assigned to this server
  - This server is also Global Catalog Server for supporting Exchange 2000
  - DNS setting: DNS1 = point to itself; DNS2 = point to 1ST DC
  - Checked: Exchange 2000 was using 3 Global Catalog Servers for queries
- 3RD Domain controller with DNS integrated (= replacement for 1ST DC)
  - No error log found, good replication between DCs
  - Same as 2ND DC
  - DNS setting: DNS1 = point to itself; DNS2 = point to 1ST DC
  - WINS server installed, replicated 1ST DC's WINS server.
  - Checked: Exchange 2000 was using 3 Global Catalog Servers for queries
 
J.H

Hi there,

Thanks for your contribution !!
My question is whether my operation is possible from the one NT4 SP6 upgraded.
And if the operation fails (errors happen after the seizing process), CAN WE JUST BRING BACK THE OLD ONE? (I understood, read that we should make sure the original 1st DC never gets back online, but what if the seizing process failed and no one can log on in the morning?) Is there any roll-back operation for safe operation?

Should I give Microsoft Support $250 bucks for supporting this operation since it is too critical to do so? I practiced 10 times, succeeded for 9.999 times almost.

PLEASE HELP PER YOUR EXPERIENCE !!!

JH
 
Chriss3

Hello, J.H

Do you want to do this operation on NT4 Server SP6?

Seize means you don't move the FSMO roles, you make a server take the FSMO roles. If you want to and can transfer the role, you should follow this KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

Otherwise you have to seize and make one of your existing Domain Controllers take the roles by seizing them, but make sure the old server never comes back online then.

http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

//Chrstoffer Andersson
 
J.H

Hi there,

Perhaps you misunderstood my sentences.
The 1ST DC is an NT4 SP6 upgraded to a Windows 2000 DC.
I want to know if there is any issue with seizing the roles from this 1ST DC to another DC that I added on!! That was the 1st question.

The 2nd question is: if the seize operation failed (which creates errors such as 'no domain logon found', 'access denied to logon', etc. on the network), can we just bring back the old 1ST DC online? I read some docs; they said that might create more corruption in the network for the schema and relative ID roles.

My questions are about the safety for performing the seizing operation,
and how to roll back if any errors happen.

Regards,
J.H
 
David Fisher [MSFT]

Hello J.H.

I have a few points to be considered.

First, in a healthy environment the fsmo roles are actually "transferred",
which implies that the fsmo ownership information was negotiated between the
previous owner and the new owner. If no errors appear during the transfer,
then the operation completed successfully. Actual "seizes" should only be
performed when the current owner of the fsmo role is offline and
unrecoverable.

255690 HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
http://support.microsoft.com/?id=255690

Second, if the transfer (or seizure) is successful, then the problems
experienced with 'no domain logon found' or 'access denied to logon' are due
to another problem in the environment. For instance, if DC1 was taken down
and these problems started to occur for domain clients, it is likely that
they do not have DNS resolution to contact the remaining domain controllers.
Perhaps DC1 was their primary DNS server and, now that it is offline, their
queries go unanswered.

The netdiag.exe support tool may be helpful to troubleshoot why clients
cannot locate the domain controllers:
321708 HOW TO: Use the Network Diagnostics Tool (Netdiag.exe) in Windows
2000
http://support.microsoft.com/?id=321708

Simply execute netdiag on the client and look for any failures.

Fsmo transfers or seizures are only dangerous when the role is owned by
multiple domain controllers. This can allow privileged changes to the
domain to occur simultaneously and leave the domain in an inconsistent
state.

I hope this information is helpful to you!

Best Regards,
David Fisher
Enterprise Platform Support
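
The two failure modes discussed in this thread (a role claimed by more than one domain controller, and machines that still resolve DNS through the retired DC) can be checked mechanically before DC1 is switched off. The following is an added example, not part of any post in the thread; the host names, addresses and role listings are constructed sample data, with the listings laid out as role name, padding, owner in the way `netdom query fsmo` prints them.

```python
import re

# Constructed sample data; host names and addresses are hypothetical.
ROLES = ("Schema owner", "Domain role owner", "PDC role",
         "RID pool manager", "Infrastructure owner")

def listing(owner):
    """Build a role listing in the '<role>   <owner>' layout."""
    rows = [f"{role:<28}{owner}" for role in ROLES]
    return "\n".join(rows + ["The command completed successfully."])

# What each DC answers when asked who holds the roles. Here dc1 was powered
# back on after a seizure and still believes it is the owner.
VIEWS = {
    "dc1.domain.com": listing("dc1.domain.com"),
    "dc2.domain.com": listing("dc3.domain.com"),
    "dc3.domain.com": listing("dc3.domain.com"),
}

# Resolver order per machine (DNS1, DNS2); 192.0.2.1 is the retiring DC.
# dc2 and dc3 mirror the "DNS2 = point to 1ST DC" setting from the first post.
DNS = {
    "dc2": ["192.0.2.2", "192.0.2.1"],
    "dc3": ["192.0.2.3", "192.0.2.1"],
    "ws-01": ["192.0.2.1"],
}

def parse_roles(text):
    """Return {role: owner} from lines of 'role<2+ spaces>owner'."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S+)\s*$", line)
        if m:  # status lines without column padding are skipped
            found[m.group(1)] = m.group(2).lower()
    return found

def conflicting_roles(views):
    """Roles for which the DCs, taken together, name more than one owner."""
    owners = {}
    for text in views.values():
        for role, owner in parse_roles(text).items():
            owners.setdefault(role, set()).add(owner)
    return {r: sorted(o) for r, o in owners.items() if len(o) > 1}

def dns_dependents(dns, retiring_ip):
    """Machines using the retiring DC for DNS; True = it is their only resolver."""
    return {h: set(s) == {retiring_ip} for h, s in dns.items() if retiring_ip in s}

if __name__ == "__main__":
    print("conflicts:", conflicting_roles(VIEWS))
    print("DNS dependents:", dns_dependents(DNS, "192.0.2.1"))
```

An empty result from `conflicting_roles` means every DC agrees on a single owner per role; any machine flagged `True` by `dns_dependents` loses name resolution, and with it the ability to locate a domain controller, as soon as the old DC goes offline.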
 
J.H

Hi there,

Thanks for your response. Your information is helpful!!
One last question: I found a doc on support.microsoft.com that said the DC should not also be a Global Catalog server while it holds the 5 roles in the domain. But our domain model is a single domain; it was first set up as the 1ST DC and plays as Global Catalog server (the 2nd DC is also playing as 2nd Global Catalog server). When I seize from the 1st DC to the 3rd DC (also making it a Global Catalog server), will there be any concerns due to the doc from support.microsoft.com?

Regards,
J.H
 
Richard Moreno

Hi JH-

It is a recommendation only that the Infrastructure master role not be on a
server functioning as a GC, but not a requirement. There should be no
negative impact to your AD by leaving your 3rd DC as a GC. Don't be
surprised to see a few warnings in the event logs though indicating
Microsoft's recommendation about not sharing a GC with Infra master.

--
Thanks,
Richard Moreno
MCSE
 
