Moving Schema Master role

Frank Buechler

Greetings All

I have a rather unique problem. I have been called in to
upgrade a 2000 mixed domain (including Exchange 2000) to
Windows 2003 (including Exchange 2003.) I have configured
a 2003 server, and I am ready to place it into the 2000
AD. Prior to doing that, I know I need to run ADPREP on
the 2000 server serving as Schema Master. Here's where it
becomes fun. The server acting in this role is sitting in
the DMZ. This server is also the Exchange server, and it
hosts IIS.
When I attempt to move the Schema Master role to a DC
sitting in trusted, I get an error "current FSMO holder
could not be contacted". I have tried opening all ports
between the two servers on the firewall (yeah, I know) but
it had no effect. For obvious reasons I can't simply
"seize" the role.
Does anyone have any suggestions? This is the only role
this server is performing, and I really want to move it
off. Taking it out of the DMZ, placing it in trusted, then
doing it again in reverse is really not an option either.

TIA for any help.
 
David Brandt [MSFT]

I'm sure that you're already aware of the point, but having a dc, much less
one holding any fsmo roles, out in a dmz is Not recommended.
However working with what you got, verify that the dc is not having other
replication etc issues with the other dcs over 60 days old (don't want it
tombstoned) and it is even still a "valid" dc. Run "netdom query fsmo" on
the other dc's to be sure that everybody is still looking to it for schema,
and that they can still ping it ok by fqdn. Also run dcdiag /v on it to
check the health out.
If the AD is still ok on it (less than 60 days old), and since you indicated
that ports are wide open and it still isn't going, the easiest thing is to
physically bring it back inside the firewall, let it do the transfer, and
then move it back (I know you said something to this effect wasn't an
option, but it's by far the easiest).
Another "option" is to demote the box (hopefully gracefully but probably
won't go because it can't transfer) or forcefully in which case you'd then
seize the role to another dc. If forced demotion it would need to rejoin
the domain as server (after doing a metadata cleanup of it) and I wouldn't
promote it back up again.
Not sure if they wanted a dc there just to get a gc for exchange, but don't
recommend having a dc out there anyway and would encourage trying to
convince them of the same.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
