I have a win2k domain with two Domain Controllers. One of the controllers just died. Ive reinstalled Win2k on a new server and done a depromo to replace the dead controller. The problem I have is that the DC that died had FSMO roles like PDC and RID master. Using the NTDSutil I still cant transfer the roles, windows will not allow me to transfer the roles because the old DC is not there. There is no way for me to make the old DC available, it doesnt exist any more. How can I get those roles back on my existing DC?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
DC died and has to be replaced
- Thread starter bookouri
- Start date
bookouri,
when you were prompted that the FSMO holder could not be contacted, did you choose OK to force the transfer ? this would be for the PDC emulator role.
Mark Minasi's 2000 server book lists out how to seize the other roles using NTDSUTIL utility. a bit lengthy, or i would type it out. page 620 - 622.
scottie
when you were prompted that the FSMO holder could not be contacted, did you choose OK to force the transfer ? this would be for the PDC emulator role.
Mark Minasi's 2000 server book lists out how to seize the other roles using NTDSUTIL utility. a bit lengthy, or i would type it out. page 620 - 622.
scottie
- Thread starter
- #3
I finally had to use the ndtsutil to seize the roles to the remaining controller. It appeared to work finally, but Im still getting a lot of event log errors related to SAM errors, and DNS errors... i think there must be some other role or "something" that still hasnt been reset. My event logs are really colorful right now..<G>
You can transfer roles only when the machine hosting the role is still alive. Seizing is necessary when an FSMO role is lost to a dead machine. Make sure you have all 5 FSMO roles running on the remaining DC. You can view them with the ndtsutil. Make the remaining DC a global cat also. I made a mistake early in the 2000 era - bringing a schema master back online after I had seized its role. Had to rebuild all 3 DC's. Hence they pinned my nickname "Seizure". Jim - Synnex Info Tech
- Thread starter
- #5
thats the kind of horror that Im afraid of here. Im not up on Active Directory enough to be sure of not screwing something up... we're still on a mixed environment and just recently getting into the windows 2000 world... i think I finally managed to seize all five roles..
my main error now seems to be a SAM event 16650.. account identifier failed to initialize - account creation will be denied on this controller...
Ive checked through the ms knowledgebase but havnt come up with anything that helps explain what is wrong and how to fix it.
my main error now seems to be a SAM event 16650.. account identifier failed to initialize - account creation will be denied on this controller...
Ive checked through the ms knowledgebase but havnt come up with anything that helps explain what is wrong and how to fix it.
here is another link:
not much more help than the ms-kb , but sounds like the RID master role issue is the culprit if you cannot create security objects.
scottie
not much more help than the ms-kb , but sounds like the RID master role issue is the culprit if you cannot create security objects.
scottie
There are still some references to the old DC remaining in AD, probably the RID trying to replicate. Use the following link for info on cleanup.
There is a small article on the 16650 here: Jim - Synnex Info Tech
There is a small article on the 16650 here: Jim - Synnex Info Tech
- Status
Similar threads
- Locked
- Question
- Locked
- Question
