What to do after seizing FSMO Role?

[Guest]

Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network without
demoting with DCPromo. It appears that the Infrastructure Master was it's
only role. I've seen the documents regarding using Ntdsutil to seize FSMO
roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the global catalog
DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Dean Wells [MVP]]

Nothing further needs to be done when seizing the Infrastructure FSMO
since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible when
running on the same DC.

 

[Guest]

I do not plan on re-introducing the former AD DC back into the network.
Do I need to remove any references of it...e.g. AD CU /System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary messages.
Thanks much Dean.

Robert

Nothing further needs to be done when seizing the Infrastructure FSMO
since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible when
running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network
without demoting with DCPromo. It appears that the Infrastructure
Master was it's only role. I've seen the documents regarding using
Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the global
catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Michael D. Ober]

Yes. Find and remove all references to the former machine. You will need
to use ADSIEdit to completely remove this server. When you sieze a FSMO
role, you must ensure the old machine never comes back up without formatting
its hard drive.

Mike Ober.

I do not plan on re-introducing the former AD DC back into the network.
Do I need to remove any references of it...e.g. AD CU /System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary messages.
Thanks much Dean.

Robert

Nothing further needs to be done when seizing the Infrastructure FSMO
since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible when
running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network
without demoting with DCPromo. It appears that the Infrastructure
Master was it's only role. I've seen the documents regarding using
Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the global
catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Guest]

That former server will never be on the network again (already formatted).
How risky is it to run ADSIEdit? Is it really necessary?
MS documentation (Q283595) claims that it is run when you want to return a
DC that previously owned one or more roles of the operations master to the
same network without causing conflict with any new role holder of the
operations master.

This server will never, ever be returned to the network.

Yes. Find and remove all references to the former machine. You will need
to use ADSIEdit to completely remove this server. When you sieze a FSMO
role, you must ensure the old machine never comes back up without formatting
its hard drive.

Mike Ober.

I do not plan on re-introducing the former AD DC back into the network.
Do I need to remove any references of it...e.g. AD CU /System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary messages.
Thanks much Dean.

Robert

Nothing further needs to be done when seizing the Infrastructure FSMO
since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible when
running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network
without demoting with DCPromo. It appears that the Infrastructure
Master was it's only role. I've seen the documents regarding using
Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the global
catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Dean Wells [MVP]]

Great point, I neglected to mention the process of metadata cleanup. My
comment regarding the IM simply meant that the FSMO role itself imposes
no additional requirements once seized.

I would recommend the use of NTDSUTIL over ADSIEDIT since, although it
is cumbersome, it ensures that the task at hand is completed correctly
(including FRS state).

With regard to the statement: "you must ensure the old machine never
comes back up without formatting its hard drive", this is FSMO specific
and does not apply here. The IM, as I said, maintains virtually no
state and as such can be brought back on line (where possible) without
any cause for concern ... assuming other non-related factors are a
non-issue, factors such as downtime not exceeding tombstone lifetime.

Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
introduce the concept of INITSYNC; a requirement that must be met by all
DCs holding FSMO roles. This requirement prevents a DC in possession of
a FSMO role from offering any service at boot time bound to that role
until it has completed a full replication cycle with one of its direct
replication partners. This technique helps to ensure that 2 DCs do not
service the same FSMO role (the assumption being that the DC from which
the old FSMO replicates will already be aware that the role has moved
and will inform the old FSMO of this fact before it begins to offer
those services).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Yes. Find and remove all references to the former machine. You will
need to use ADSIEdit to completely remove this server. When you
sieze a FSMO role, you must ensure the old machine never comes back
up without formatting its hard drive.

Mike Ober.

I do not plan on re-introducing the former AD DC back into the
network. Do I need to remove any references of it...e.g. AD CU
/System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary
messages. Thanks much Dean.

Robert

Nothing further needs to be done when seizing the Infrastructure
FSMO since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible
when running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network
without demoting with DCPromo. It appears that the Infrastructure
Master was it's only role. I've seen the documents regarding using
Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the
global catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Guest]

If I have this straight, I seize the role first, then run NTDSutil metadata
cleanup.
Then I remove any references of the former DC from AD Users and Computers,
etc...

Thanks much Dean.

Great point, I neglected to mention the process of metadata cleanup. My
comment regarding the IM simply meant that the FSMO role itself imposes
no additional requirements once seized.

I would recommend the use of NTDSUTIL over ADSIEDIT since, although it
is cumbersome, it ensures that the task at hand is completed correctly
(including FRS state).

With regard to the statement: "you must ensure the old machine never
comes back up without formatting its hard drive", this is FSMO specific
and does not apply here. The IM, as I said, maintains virtually no
state and as such can be brought back on line (where possible) without
any cause for concern ... assuming other non-related factors are a
non-issue, factors such as downtime not exceeding tombstone lifetime.

Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
introduce the concept of INITSYNC; a requirement that must be met by all
DCs holding FSMO roles. This requirement prevents a DC in possession of
a FSMO role from offering any service at boot time bound to that role
until it has completed a full replication cycle with one of its direct
replication partners. This technique helps to ensure that 2 DCs do not
service the same FSMO role (the assumption being that the DC from which
the old FSMO replicates will already be aware that the role has moved
and will inform the old FSMO of this fact before it begins to offer
those services).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Yes. Find and remove all references to the former machine. You will
need to use ADSIEdit to completely remove this server. When you
sieze a FSMO role, you must ensure the old machine never comes back
up without formatting its hard drive.

Mike Ober.

I do not plan on re-introducing the former AD DC back into the
network. Do I need to remove any references of it...e.g. AD CU
/System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary
messages. Thanks much Dean.

Robert

:

Nothing further needs to be done when seizing the Infrastructure
FSMO since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible
when running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
Hi,
I've got a single domain, two Win2k DC's mixed with some NT BDC,s.
Previously another Win2k DC was physically removed from the network
without demoting with DCPromo. It appears that the Infrastructure
Master was it's only role. I've seen the documents regarding using
Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the
global catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Dean Wells [MVP]]

That will do ...

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

If I have this straight, I seize the role first, then run NTDSutil
metadata cleanup.
Then I remove any references of the former DC from AD Users and
Computers, etc...

Thanks much Dean.

Great point, I neglected to mention the process of metadata cleanup.
My comment regarding the IM simply meant that the FSMO role itself
imposes no additional requirements once seized.

I would recommend the use of NTDSUTIL over ADSIEDIT since, although
it is cumbersome, it ensures that the task at hand is completed
correctly (including FRS state).

With regard to the statement: "you must ensure the old machine never
comes back up without formatting its hard drive", this is FSMO
specific and does not apply here. The IM, as I said, maintains
virtually no state and as such can be brought back on line (where
possible) without any cause for concern ... assuming other
non-related factors are a non-issue, factors such as downtime not
exceeding tombstone lifetime.

Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
introduce the concept of INITSYNC; a requirement that must be met by
all DCs holding FSMO roles. This requirement prevents a DC in
possession of a FSMO role from offering any service at boot time
bound to that role until it has completed a full replication cycle
with one of its direct replication partners. This technique helps
to ensure that 2 DCs do not service the same FSMO role (the
assumption being that the DC from which the old FSMO replicates will
already be aware that the role has moved and will inform the old
FSMO of this fact before it begins to offer those services).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Yes. Find and remove all references to the former machine. You
will need to use ADSIEdit to completely remove this server. When
you sieze a FSMO role, you must ensure the old machine never comes
back up without formatting its hard drive.

Mike Ober.

I do not plan on re-introducing the former AD DC back into the
network. Do I need to remove any references of it...e.g. AD CU
/System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary
messages. Thanks much Dean.

Robert

:

Nothing further needs to be done when seizing the Infrastructure
FSMO since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible
when running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
Hi,
I've got a single domain, two Win2k DC's mixed with some NT
BDC,s. Previously another Win2k DC was physically removed from
the network without demoting with DCPromo. It appears that the
Infrastructure Master was it's only role. I've seen the
documents regarding using Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the
global catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert

 

[Guest]

Thanks Dean, appreciate it.

Robert

That will do ...

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

If I have this straight, I seize the role first, then run NTDSutil
metadata cleanup.
Then I remove any references of the former DC from AD Users and
Computers, etc...

Thanks much Dean.

Great point, I neglected to mention the process of metadata cleanup.
My comment regarding the IM simply meant that the FSMO role itself
imposes no additional requirements once seized.

I would recommend the use of NTDSUTIL over ADSIEDIT since, although
it is cumbersome, it ensures that the task at hand is completed
correctly (including FRS state).

With regard to the statement: "you must ensure the old machine never
comes back up without formatting its hard drive", this is FSMO
specific and does not apply here. The IM, as I said, maintains
virtually no state and as such can be brought back on line (where
possible) without any cause for concern ... assuming other
non-related factors are a non-issue, factors such as downtime not
exceeding tombstone lifetime.

Note that Windows 2000 SP?(something, 2 I think) and Windows 2003
introduce the concept of INITSYNC; a requirement that must be met by
all DCs holding FSMO roles. This requirement prevents a DC in
possession of a FSMO role from offering any service at boot time
bound to that role until it has completed a full replication cycle
with one of its direct replication partners. This technique helps
to ensure that 2 DCs do not service the same FSMO role (the
assumption being that the DC from which the old FSMO replicates will
already be aware that the role has moved and will inform the old
FSMO of this fact before it begins to offer those services).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Michael D. Ober wrote:
Yes. Find and remove all references to the former machine. You
will need to use ADSIEdit to completely remove this server. When
you sieze a FSMO role, you must ensure the old machine never comes
back up without formatting its hard drive.

Mike Ober.

I do not plan on re-introducing the former AD DC back into the
network. Do I need to remove any references of it...e.g. AD CU
/System/FRS?
Or in any other locations where it is referenced.
I'm concerned with the event viewer logs displaying unnecessary
messages. Thanks much Dean.

Robert

:

Nothing further needs to be done when seizing the Infrastructure
FSMO since it maintains virtually no state.

In a single domain, the Infrastructure FSMO and GC ARE compatible
when running on the same DC.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

RHS wrote:
Hi,
I've got a single domain, two Win2k DC's mixed with some NT
BDC,s. Previously another Win2k DC was physically removed from
the network without demoting with DCPromo. It appears that the
Infrastructure Master was it's only role. I've seen the
documents regarding using Ntdsutil to seize FSMO roles.
Once I've done that, is there anything else I need to do?

Also, with a single domain is there a problem with having the
global catalog DC also hold the Infrastructure Master?
It's a RAID 5 machine versus my second AD DC being a pc clone.

Thanks much,
Robert