Standard Procedure for transferring FSMO roles (PLEASE COMMENT)

Ryan

Hi guys,

I'm planning to transfer all the 5 FSMO roles to another DC. My current
scenario: single domain with 3 DCs. Note: There is another domain that is
trusted with our domain.

Currently, we have 1 GC that holds the FSMO Roles (DC1). DC1 is also the
exchange server, we decided to change the roles to another DC (DC2) to
reduce the workload of DC1.

Expected outcome:

3 DC in the domain, 2 GC (DC1 and DC2) and change FSMO roles from DC1 to
DC2.

My plan is (please correct me if I'm wrong):

1) Run DCDIAG, NETDIAG, NTDSUTIL and AD Replication Monitor and clear any
errors found (Are there other tools I can use to check the AD consistency? Bad
DNS always relates to AD problems, how to make sure my DNS is running well?)

2) Enable DC2 as GC, restart the DC2 and wait for some time for DC2 to
publish itself as GC (how long should this be?)

3) Check for event 1119, run repadmin /showrep, repadmin /showconn, use
DSDIAG to view cached server list by DSACCESS. Test Exchange & Network
client connections.

4) Do the 5 role transfer (because this step is quite straightforward and
has no progress stated, do I need to restart the new Operation Master server
(DC2) after changing the role, will this cause any problem? I think the
server should be kept alive for proper synchronization, how long should I
wait until I start diagnosing the AD condition? Any tool recommended? Do I
need to "push" replication at this stage?).

** Since there's another trusted domain available, is there anything I need to be
aware of in order not to tamper with the trust relationship? **



Best regards,

Ryan
 
Cary Shultz [A.D. MVP]

Ryan,

I would cut to the chase and make DC2 and DC3 a Global Catalog Server. I
would transfer roles to either DC2 or DC3. If you were to transfer roles to
multiple DCs then I would transfer the Schema Master and Domain Naming
Master to the same DC and the PDC Emulator, RID Master and Infrastructure
Master to the other one ( you always want to keep the PDC Emulator and RID
Master on the same DC ). You can run 'netdom query fsmo' on each DC to make
sure that it knows of the changes. BTW - replmon will also do this for you.

I would then stop all of the Exchange related services on DC1 and dcpromo it
so that you do not have Exchange 2000 running on a Domain Controller ( it
would now be a Member Server ). This just complicates things as far as
Disaster Recovery is concerned. Since you have multiple DCs I would
consider this...

dcdiag and netdiag would be good utilities to run. I would also look at
repadmin and replmon. All four will provide you with a clear picture. Not
sure how you would use ntdsutil in this situation. I am probably forgetting
one of the utilities that it does...I would do all of this before you start
this undertaking so that you are able to clean up anything that might be
awry. You do not want to start all of this if there are errors.

To check on DNS ( good thinking ) I might go with the ole standby: nslookup.
You could also use dnslint, but I think that nslookup will be your biggest
help. BTW - you did not specify where your internal DNS Servers are? Are
you running DDNS on the Domain Controllers?

You do not always need to restart a Domain Controller once you have made it
a Global Catalog server. However, it might not be a bad idea to do it
anyway. Naturally, this is horrible advice if you are doing it at 10:30 AM
and probably not so bad if you are doing it at 10:30 PM. Or whenever a
server reboot is not going to disrupt your user base.

dsaccess would be a good utility to run to make sure that you should not
have any problems with your Outlook clients.

Please do not forget to make any appropriate changes on your DHCP Server so
that your clients have the correct infor...

Going to take our son to the park with the Mrs...children are such a
wonderful part of life!

Cary
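
The cross-check suggested in the reply above (run 'netdom query fsmo' on each DC and confirm every DC reports the same role holders), as an added example that is not part of the original thread. The host names, the sample output and the exact label wording are assumptions constructed for illustration; the script only parses text you have already captured from each DC.

```python
import re

# Labels printed by `netdom query fsmo`; older ("owner") and newer ("master")
# wordings both map to one canonical role name.
ROLE_LABELS = {
    "schema owner": "schema", "schema master": "schema",
    "domain role owner": "naming", "domain naming master": "naming",
    "pdc role": "pdc", "pdc": "pdc", "rid pool manager": "rid",
    "infrastructure owner": "infra", "infrastructure master": "infra",
}
ROLES = ("schema", "naming", "pdc", "rid", "infra")

def parse_fsmo(text):
    """Parse one DC's `netdom query fsmo` output into {role: holder}."""
    holders = {}
    for line in text.splitlines():
        # label and holder are separated by a run of whitespace
        parts = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in ROLE_LABELS:
            holders[ROLE_LABELS[parts[0].lower()]] = parts[1].lower()
    return holders

def check_views(views):
    """views: {dc_name: raw output}. Returns a list of findings."""
    parsed = {dc: parse_fsmo(out) for dc, out in views.items()}
    findings = [f"{dc}: no holder reported for {role}"
                for dc, r in parsed.items() for role in ROLES if role not in r]
    for role in ROLES:
        seen = {dc: r[role] for dc, r in parsed.items() if role in r}
        if len(set(seen.values())) > 1:
            findings.append(f"{role}: DCs disagree: {sorted(seen.items())}")
    # Placement advice from the reply above: PDC Emulator and RID Master together.
    for dc, r in parsed.items():
        if "pdc" in r and "rid" in r and r["pdc"] != r["rid"]:
            findings.append(f"{dc}: PDC Emulator and RID Master are split")
    return findings

# Constructed sample (hypothetical host names): DC3 has not yet seen the transfer.
AFTER = """Schema owner                dc2.example.local
Domain role owner           dc2.example.local
PDC role                    dc2.example.local
RID pool manager            dc2.example.local
Infrastructure owner        dc2.example.local
The command completed successfully."""
SAMPLE = {"DC1": AFTER, "DC2": AFTER, "DC3": AFTER.replace("dc2.", "dc1.")}

if __name__ == "__main__":
    for finding in check_views(SAMPLE):
        print(finding)
```

An empty result means every DC reports the same holder for all five roles; a "disagree" finding usually means replication has not yet carried the change to that DC.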
 
Cary Shultz [A.D. MVP]

Forgot about the trusts...

What type of trust relationship is it? Is it between another WIN2000
forest? or between a WINNT 4.0 domain?

In a WIN2000 Interforest or WINNT 4/WIN2000 trusts you are usually using
NetBIOS communication. Since you did not mention anything about any WINS
Servers I will assume that you are using LMHOSTS files. You normally would
put this on the WINNT 4.0 PDC and the WIN2000 Domain Controller that holds
the FSMO Role of PDC Emulator. Since this will be changing ( possibly ) you
would need to update the LMHOSTS file on the WINNT 4.0 PDC....as well as
make sure that you either copy over the existing LMHOSTS to the PDC Emulator
or create a new one ( but why do that )...

HTH,

Cary
 
Ryan

Thanx a lot for your input, my current Operation Master is the WINS Server
for the network....would it affect the name resolution after I changed the
roles to DC2?

Will it affect Exchange Server if I demote the server? I would like to
demote it after everything is properly transferred.....You mentioned about
disaster recovery on an Exchange that is also a DC, can you explain this in
detail...I am aware that we should not put an exchange into a DC but do not
have clear picture why it should be done that way....If talking about
disaster recovery, we have additional DC and we will soon have backup
GC....so I supposed it could be due to corruption on AD on the same server
could create problem on Exchange...and that is why they want to get rid of the
exchange from a DC? Please advise....thank you very much

Ryan
 
Cary Shultz [A.D. MVP]

Ryan,

I would suggest that you take a spin around the MS Web Site for the details.
I find that when I am looking something up that I tend to find other things
as well.

So, DC1 is the Domain Controller that currently holds all five of the FSMO
Roles. It is also currently a Global Catalog Server. It is also currently
the Exchange Server. It is also currently the WINS Server. It is also
currently a DNS Server? Is there any other DNS Server currently in your
environment? Which server is handing DHCP ( or is some network device -
like your Firewall )?

Demoting the Domain Controller ( DC1 ) that is also the Exchange Server will
not affect the Exchange Server at all. It is a very straightforward
process. Just stop all of the Exchange related services and run dcpromo.
Have done it several times. Well, there is a tiny bit of a hit in that the
Exchange Server would now have to go over the wire for the Domain Controller
/ Global Catalog Server ( since it is no longer a DC/GC ). But that is of
no real consequence.

What I am talking about with the Domain Controller also being an Exchange
Server is that this server is doing two major roles: being a Domain
Controller ( authenticating logon requests, etc. ) as well as being an
Exchange Server ( which is very taxing ). You did not mention anywhere in
your post the hardware specs of the three servers or the total number of
users in your environment. Exchange 2000 is a memory hog and will consume
almost all of the physical RAM ( if allowed - it will give RAM back to the
processes that request it ).

As far as troubleshooting and DR - if this server is both a DC as well as an
Exchange Server should you need to do a DR ( hopefully this will never
happen - but let's not look at it from this perspective. Let's assume that
it will happen at some point and be prepared for it ) there is an added
level of complexity. I will find some links for you. I would suggest that
you also look for them as the discovery process is a great thing.

I probably should have asked - right from the start - for the hardware specs
and the total number of users ( as well as physical and logical layout ).
So, what are the specs of the Servers? How many users are in your
environment? How many Sites? What are the client OS(es)?

There are two other Domain Controllers in your environment ( DC2 and DC3 ).
What else do they currently do?

Cary
 
Cary Shultz [A.D. MVP]

Also, on the Exchange side of things do not forget to change the mapping for
the Recipient Update Service ( it looks to a specific DC in both the domain
in which it is located as well as in the Enterprise ) should you decide to
change things.

Cary
 
Ryan

Hi Cary,

The Exchange Server h/w spec is Intel Xeon 700Mhz * 3 and 1 Gig RAM; RAID-5
serving about 400-500 users ranging from Win98 to WinXP. Two sites: both
sites with almost identical settings are trusted each other, each site has 1
internal DNS and is sort of as the "backup" preferred DNS to all other
domains. Actually I'm quite new to their server environment. Anyway, just
wanna confirm that the FSMO roles can be transferred successfully. We have
done it once but about 7% of the total users having problem with Exchange,
that's why I'm putting in this Standard Procedure to the public to comment
it. Thank you for the additional information provided.

Thank you
Ryan
 
Hank Arnold

Where do I do this on Exchange 5.5? We recently demoted our Exchange server
and I'd like to verify that this is OK.
 
Andrew Mitchell

Hank Arnold said:
Where do I do this on Exchange 5.5? We recently demoted our Exchange server
and I'd like to verify that this is OK.

You don't need to with Exchange 5.5 as it's not AD aware and contains its own
X.500 directory.
 
