Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SEIZING FSMO ROLES 4

Status
Not open for further replies.
bran2235

bran2235

IS-IT--Management
Feb 13, 2002
703
US
Hi everyone-
Going to be replacing a W2k DC that has all 5 FSMO roles:
I will seize all five FSMO roles using ntdsutil and then I want to remove the old DC totally...
Here's my question:

After I seize all five roles, do I need to run (or should I run) dcpromo to DEMOTE the box before I totally remove it?

How do I totally remove the box from AD??


Thanks for any adivce!

Brandon
 
Sort by date Sort by votes
Ok here is my little recommendation:-

1. Do not seize, instead transfer the roles, this is far less critical (seizing assumes you cannot talk to the original role machine)
2. It is good practice not to have all 5 roles on a single box (ADCheck is a tool that when run will warn against this)
3. Running DCPromo will remove the DC links to the box in AD
4. Once you have a simple member server then you can turn off and delete the machine account (I would not recommend just doing this without doing step 3. as you may end up with AD errors)

Ding that should be it...

"Be Excellent To Each Other"

:)
 
Upvote 0 Downvote
If you only have one DC, and you want to replace it with a new one, it's very simple: Run dcpromo on the new server to make a DC on the domain. Make sure replication between the two DCs is working.

Then run dcpromo on the old one. Since there is only one other DC, the roles will be transferred to it during dcpromo. Then just make sure the new DC is a global catalog.
 
Upvote 0 Downvote
That'll work, for some reason I had it stuck in my head that there was more than 1...

"Be Excellent To Each Other"

:)
 
Upvote 0 Downvote
Actually guys, I have three DCs all together...
The one which I am going to replace has all Five FSMO roles currently...

So, I thought I would SEIZE (MS says to do it this way if the box (old one) is not GOING TO BE in the domain any longer...

After I SEIZE (or transfer- please convince me of the right way) I will run DCPROMO to demote the DC and then remove the account from AD (Domain Controller OU)- right??

THanks!
Brandon
 
Upvote 0 Downvote
With three DCs, you will want to TRANSFER the roles to the DC(s) you want.

Then run dcpromo to remove the old server.
 
Upvote 0 Downvote
You should only seize a role using the ntdsutil if it cannot be tranfered gracefully.

You should be ask which DC you want the roles transfered to during the demotion process. If you have more then one DC you should at minimum seperate the Global catalog (GC) server from the Infrastructure Master role. Otherwise the role has difficulty parsing the GC to keep it accurate.
 
Upvote 0 Downvote
You should be ask which DC you want the roles transfered to during the demotion process"

You will not be asked by dcpromo, the roles will be transferred to either server without prompting you.
 
Upvote 0 Downvote
Thank you all!!!!
Ok, I will transfer NOT SEIZE...

After I run DCPROMO to demote the old server, What is the best way to 'remove' from AD all together?? Just delete the computer account in dsa.msc?? then physically yank the machine????


Thanks again...
Brandon
 
Upvote 0 Downvote
After you have Transfered roles and ran dcpromo. Right click on My Computer on the old DC. Choose properties, then the Network Indentification tab and then click on properties on the tab. Choose the workgroup button and join a work group of your choosing. That will disjoin you from the domain. You might see a message that states something like the computer account could not be removed from Active Directory please contact the system administrator to remove it. If you see that message you we also have to delete it from AD Users and Computers.
 
Upvote 0 Downvote
Hi trusted,

If I can add my two cents worth. TechLad's advice is sound. You only want to Seize roles when they can't be transferred. If you are just retiring this server and it is currently functioning, then a transfer is your best and most graceful way to do this.

Once you have removed the server from the domain, it is always best to see if AD has any remnants of the server left. Take a look at my FAQ for Seizing Roles and forcefully removing a server from AD. At the end of that FAQ you will find a script provided to my by Microsoft Premier Support. It greatly simplifies the process of remove any remaining data in the metabase. All you need to do is run that script and it will reprot what DCs it knows about. Select which one to remove and poof, it is gone. You can then safely delete the machine account.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Upvote 0 Downvote
Mark / Guys,

How long should this take?? Can I do it while people are logged in?? (the transfer)...

Or should I schedule a down time and do it then...
Oh, what about any special order which to transfer the roles??


Thanks sooo much!! You guys rock!!
Brandon
 
Upvote 0 Downvote
The Seizure can be done online and usually only takes a few minutes.

That said, consider whatever your tolerance is for IF something goes wrong.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Upvote 0 Downvote
Mark,
you mean TRANSFER, not Seize, right? After all, I am going to be transfering the roles....

Thanks again!
 
Upvote 0 Downvote
Sorry bad slip of the tongue, I mean fingers. :)

Yes, the transfer will only take a few minutes. (sometimes seconds)

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Upvote 0 Downvote
No because you could be splitting the roles among multiple servers.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Upvote 0 Downvote
Mark,
Thanks!
How do I get to:
FAQ for Seizing Roles and forcefully removing a server from AD. At the end of that FAQ you will find a script provided to my by Microsoft Premier Support. It greatly simplifies the process of remove any remaining data in the metabase. All you need to do is run that script and it will reprot what DCs it knows about. Select which one to remove and poof, it is gone. You can then safely delete the machine account
???
I just transferred all five roles and didn't skip a beat!!!!
man, I will be able to sleep tonight!!!
You da man Mark!
Thanks!
Brandon
 
Upvote 0 Downvote
Hi Brandon,

Just click on the FAQs tab at the top of your screen now. You will find my FAQ in there.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

kurio71
  • Locked
  • Question
Non-FSMO DCs Reporting Error for Operations Master - RID, PDC & Infrastructure 1
Replies
1
Views
73
technome
technome
KevCon
  • Locked
  • Question
Questions re: exporting roles/features from 2008 to 2012 new machine 1
Replies
1
Views
68
Mshen
Mshen
DanielUK
  • Locked
  • Question
DHCP on additional 2008 DC on SBS 2003 domain prior to FSMO seize 1
Replies
9
Views
86
DanielUK
DanielUK
manmac
  • Locked
  • Question
FSMO Role
Replies
0
Views
33
manmac
manmac
JBruyet
  • Locked
  • Question
Which FSMO roles for two domain controllers
Replies
2
Views
59
pagy
pagy

Part and Inventory Search

Sponsor

Back
Top