Reactivate FSMO Role

  • 45 Views
  • Last Post 21 February 2017
manasrrp6 posted this 18 February 2017

One of our admin users has seized (stopped) the FSMO role, i.e. the Domain Naming Master role, in our enterprise using the ntdsutil.exe command. I Googled to find out the solution for "how to reactivate the FSMO role", but did not find any proper answer except formatting the OS. Please guide me.
Regards,
Manas Dash.
daemonr00t posted this 18 February 2017

Quick question… why would you like to do that?

~danny CS

Sent from Mail for Windows 10

pawan posted this 18 February 2017

Hi Manas,
Once the role is seized you need to decom that DC, and if you want the FSMO role back on the same DC then you need to set it up as a new DC and transfer the FSMO role from an existing DC.
Thanks,
Pawan

manasrrp6 posted this 19 February 2017

Hi Danny,
Because I want to make it live again.
Thanks

daemonr00t posted this 19 February 2017

While with some tinkering here and there and lots of ADSIEDIT you can achieve pretty much anything you want, I wouldn't go that way, as it could jeopardize the whole directory.

We know some FSMOs are used less than others, but you don't want to have duplicated RID blocks out there... just as an example.

Now the risk and efforts are way bigger than what it takes to forcefully demote/promote that box back.

Is there something on that server that was not replicated outbound? If so... try exporting it and then importing it on prod.

Cheers,

~dannyCS

Atula posted this 19 February 2017

Hi, please check if this helps.
-Atul

idarryl posted this 19 February 2017

Microsoft's official line is as follows:
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
So the DC should not be allowed to communicate with another and should be removed from the domain. However, as it was the Domain Naming Master role that was seized, unless you added or removed a domain or application naming context (so normally, added or removed a domain) after the role was seized and before the next inbound replication, I can't see what damage was done.
That being said, unless someone else completely agreed with me on here, I would have immediately removed the DC from the network, forced removal of the role, performed metadata cleanup, reinstalled the OS and rejoined it to the domain.
~Darryl

manasrrp6 posted this 19 February 2017

Hi Darryl,
Your solution given is correct and I agree with your comments. But how could I back up & restore all AD objects of the dead DC to the new DC? And the second challenge in front of me is that there was no ADC installed in that enterprise. In that case it is a very challenging task to build it up and make it run properly, since so many dependencies are there, such as Exchange Server, Oracle, WSUS, Antivirus Server, IIS, VPN Server etc.....
Manas

daemonr00t posted this 19 February 2017

Why would you want to take a backup of a dead DC?

Are you having replication issues?

~dannyCS

mcasey posted this 19 February 2017

I have the same question as Danny. It would also be helpful to know how many DCs you have in that domain and forest and which of the DCs are the current role holders.

manasrrp6 posted this 19 February 2017

I am not talking about a backup in the sense of a last consistent, good-condition backup process. I am saying that since it is a single DC in the enterprise and all object information (users, groups, OUs) is there on its hard disk, after rebuilding a new DC how do I put all the objects on it, i.e. copy/import/export from the dead to the newly built DC????

pawan posted this 19 February 2017

Hi Matt/Danny,
As per my understanding, Manas has only one DC in a single domain with a single forest, so he has no additional DC in his environment. I don't know how his company is surviving on a single DC which has gone now and also supports multiple applications like WSUS, Exchange, and, most critical of all, Oracle☺
I also want to know what we can do in this type of situation, which is rarely going to happen.
What he is seeking is to repair FSMO on the existing DC. But the question is how a role can be seized on a single DC. Looks like someone has done testing of making an ADC and then seizing the role, and the ADC is down like that.
@Manas, correct me if this is not the scenario. Now, only if you have a full backup of your DC can you revert back to a working state.
Rgds,
Pawan

geezup posted this 19 February 2017

So there are no other ADCs within the enterprise? Well, you need a backup; this is why we back up our environment in the first place. With regard to the actual hardware, what went wrong? Also, compared to your actual question about seizing a Domain Naming Master role, you must have another DC in play to seize from. I am confused about your situation. Take the time out and put your thoughts together in a coherent fashion and we can get to a solution quicker.

Sent from my iPhone

daemonr00t posted this 19 February 2017

Oh crap... that changes the whole scenario.

I should give you the speech about having at least two DCs per domain, but it's late already.

Do you have any backups? The system state backups contain the AD database and also DNS (if not integrated) and DHCP too. So restoring that should be good enough.

You can mount the VHD into pretty much anything as it contains all bootable files.

~dannyCS

manasrrp6 posted this 19 February 2017

Hi Pawan,
You are absolutely correct. That is our client, not our company. I came here for support & troubleshooting for the first time. I was also astonished to find this.

mcasey posted this 20 February 2017

I may be missing a detail, but if you have a single domain with a single running DC that is otherwise working except for a role being in an inconsistent state, then just seize the role you want on that working DC. The steps to seize a role are the same if you have one or many DCs (except that if you had more than one, you'd want to keep the DC offline that was holding the role you are seizing). I would seize any other roles that may be in an inconsistent state. I'd recommend checking AD for evidence of orphaned DCs and performing metadata cleanup on any DC objects in AD that are no longer operational.
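The checks Darryl and Matt describe (which DC the directory currently records as owner of each FSMO role, and whether any DC objects are orphaned and need metadata cleanup) as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module on a domain-joined machine with read access to the configuration partition; the function and variable names are my own.

```powershell
# Added example (not from the thread). Audits the five FSMO roles straight from
# the directory and flags any role whose recorded owner no longer exists: that
# is the inconsistent state that calls for seizing the role on a surviving DC
# and cleaning up the old DC's metadata. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Each role is stored as the fSMORoleOwner attribute of exactly one object; the
# value is the DN of the owning DC's NTDS Settings object.
$roleObjects = [ordered]@{
    'Schema Master'         = $schemaNC
    'Domain Naming Master'  = "CN=Partitions,$configNC"
    'PDC Emulator'          = $domainNC
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure Master' = "CN=Infrastructure,$domainNC"
}

function Test-FsmoOwner {
    param([string]$Role, [string]$HolderObject)
    $owner = (Get-ADObject -Identity $HolderObject -Properties fSMORoleOwner).fSMORoleOwner
    # "\0ADEL:" in the DN means the owner's NTDS Settings object is in Deleted
    # Objects: the DC was removed from the directory but the role never moved.
    if ($owner -match '\\0ADEL:') { $status = 'OWNER DELETED - seize the role' }
    else {
        try   { Get-ADObject -Identity $owner -ErrorAction Stop | Out-Null; $status = 'OK' }
        catch { $status = 'OWNER MISSING - seize the role' }
    }
    [pscustomobject]@{ Role = $Role; Owner = $owner; Status = $status }
}

foreach ($role in $roleObjects.Keys) { Test-FsmoOwner -Role $role -HolderObject $roleObjects[$role] }

# Orphaned DC residue: a server object under Sites with no NTDS Settings child,
# or whose computer object is gone, is a candidate for ntdsutil metadata cleanup.
$servers = Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase "CN=Sites,$configNC" -Properties serverReference
foreach ($srv in $servers) {
    $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName -SearchScope OneLevel
    $computerGone = $false
    if ($srv.serverReference) {
        try   { Get-ADObject -Identity $srv.serverReference -ErrorAction Stop | Out-Null }
        catch { $computerGone = $true }
    }
    if (-not $ntds -or $computerGone) {
        "Metadata cleanup candidate: $($srv.Name) (NTDS Settings present: $([bool]$ntds), computer object missing: $computerGone)"
    }
}
```

Run it on the surviving DC before and after seizing: every role should report OK and point at that DC's NTDS Settings object, and no server should remain listed as a cleanup candidate.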

MikeLeone posted this 21 February 2017

On Sun, Feb 19, 2017 at 1:41 PM, Dron, Gregory wrote: