
AD and FSMO issues


Dinkytoy (IS-IT--Management, GB), Jun 14, 2007
We've recently had some issues and I have a good idea where to take it but would like confirmation of what I'm already thinking.

OK, we have a small single-site AD domain and we're looking to replace a couple of dated DCs. We built up a new DC, did all the bits and stuck it in. A short while after, we started to get some inconsistent results from logins etc. Unfortunately something else came up and we just had to take the DC offline rather than investigate.

What I didn't realise was that my colleague had already transferred all the FSMO roles over to it. We experienced no issues with the role holder offline. We brought it back online last week after I realised the roles were missing; they had been offline for about 6 weeks.

The issue is now that the two pre-existing DCs cannot see the new DC. Repadmin /showrepl shows failures to the new DC on both boxes: 'Can't retrieve message string 1256 (0x4e8), error 1815 (2588 consecutive failure(s).' The new DC reports fine from Repadmin. Dcdiag on the old boxes shows failures against FSMO roles.

'Warning: DC-01 is the Infrastructure Update Owner, but is not responding to LDAP Bind

.......................... DC-1 failed test KnowsOfRoleHolders'

We get the top one of each of the roles via RPC and LDAP.

What I'm thinking is that I drop the new DC off again, seize the FSMO roles to DC-1, rebuild the new one (DC-01) and put it back in again afresh. Does that make sense?

Sometimes just writing it out helps things become clearer.
 
Sounds like the safest bet to me. After seizing the FSMO roles back, turn your newest DC off and get everything back to normal. Then drop it back to a member to blow away AD and re-dcpromo it back in *safely*.
 
Once you seize the roles, and you perform your thinking plan, you can bring the server back; just bring it back with a new name. You may need to verify your AD is clean by running a metadata cleanup.

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
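The diagnosis in the opening post (dcdiag's "not responding to LDAP Bind" against a role holder, repadmin showing thousands of consecutive failures) and the remedy in the replies above (seize the roles to a surviving DC, then keep the old holder off the network until it is rebuilt and its metadata cleaned up) can be scripted. The following is an added example written for this thread, not code posted by any of its participants. It assumes the ActiveDirectory RSAT module, a Domain/Enterprise Admin session on a healthy DC, and the thread's names DC-1 (surviving DC) and DC-01 (unresponsive role holder) as placeholders.

```powershell
# Added example for this thread; not the original poster's or Microsoft's code.
# Assumes the ActiveDirectory module (RSAT) and the thread's DC names as placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # One entry per FSMO role with the DC that AD currently believes holds it.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-RoleHolderLdap {
    param([Parameter(Mandatory)][string]$Server)
    # Approximates dcdiag's KnowsOfRoleHolders check: bind to the holder itself over
    # LDAP and ask for its own DC object. Any failure means the holder is not answering.
    try {
        $null = Get-ADDomainController -Identity $Server -Server $Server -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-StaleReplicationPartners {
    param([Parameter(Mandatory)][string]$Target, [int]$MinFailures = 100)
    # PowerShell counterpart of 'repadmin /showrepl': inbound partners of $Target whose
    # consecutive failure count is high (the thread saw 2588 failures / error 1815).
    Get-ADReplicationPartnerMetadata -Target $Target |
        Where-Object { $_.ConsecutiveReplicationFailures -ge $MinFailures } |
        Select-Object Server, Partner, Partition, ConsecutiveReplicationFailures,
                      LastReplicationSuccess, LastReplicationResult
}

function Move-OrphanedFsmoRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$TargetDc)
    # Transfers each role to $TargetDc. A holder that still answers LDAP gets a normal
    # transfer; a holder that does not (the thread's DC-01 case) is seized with -Force.
    $holders = Get-FsmoRoleHolders
    foreach ($role in $holders.Keys) {
        $holder = $holders[$role]
        if ($holder -like "$TargetDc.*" -or $holder -eq $TargetDc) {
            Write-Verbose "$role already held by $TargetDc"
            continue
        }
        if (Test-RoleHolderLdap -Server $holder) {
            Write-Host "$role : $holder answers LDAP, transferring gracefully"
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role
        } else {
            Write-Host "$role : $holder does not answer LDAP, seizing"
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role -Force
        }
    }
    # After a seizure the old holder must never rejoin the domain as-is: demote or rebuild
    # it and remove its leftover metadata (ntdsutil 'metadata cleanup'), as the replies say.
}

# Usage (run on a healthy DC, e.g. DC-1):
Get-FsmoRoleHolders | Format-Table -AutoSize
Get-StaleReplicationPartners -Target 'DC-1' | Format-Table -AutoSize
Move-OrphanedFsmoRoles -TargetDc 'DC-1' -WhatIf    # drop -WhatIf to actually move/seize
```

Run the two Get-* calls first: if every role holder passes the LDAP test and no partner shows a large failure count, the roles are not orphaned and nothing needs seizing. The -WhatIf on the last line is honoured by Move-ADDirectoryServerOperationMasterRole, so the script prints what it would transfer or seize without changing anything until you remove the switch.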
 
Thanks. I was actually gonna rebuild it from the ground up; don't think I'll bother, provided I can get AD to come off cleanly. Got a feeling it might complain if it thinks it's a role holder.
 
I think rebuilding the server from the ground up is a good idea if you have the time.

Changing the name and sid might be a quicker alternative, though. MS has a tool called NewSid specifically for giving the machine a new "identity":
Thanks,
Andrew

Hard work often pays off over time, but procrastination pays off right now!
 
Rebuilt, back in and everything is working *touch wood* :).
 