Unable to transfer RDC & PDC roles

Status
Not open for further replies.

JBruyet

Hey all, I have two domain controllers on my network and I want to transfer the RID and PDC roles back to the first server. Ok, let me back up a bit further. I recently removed a domain controller from my network. DCPROMO worked fine and the server was removed gracefully. I ran DCPROMO on the new server and it came up just fine. Both servers are running DNS (Active Directory Integrated) and DHCP. I moved the RID and PDC roles to DC2. Now we're having some slight time issues (I work for a transit agency) and I want to move the RID and PDC roles back to DC1 but I'm getting errors:

RID error:
The transfer of the operations master role cannot be performed because:
The requested FSMO operation failed. The current FSMO holder could not be contacted.

PDC error:
This computer is a non-replication partner. Do you want to continue with the transfer.

I've Googled this but what I see pertains to NT4 or seizing roles (<--something I don't want to do). Any idea on how to get the roles back on the original server so the time issue can be resolved?

Thanks,

Joe B
 
C:\>netdom query fsmo
Schema owner srv-dc1.domain.com
Domain role owner srv-dc1.domain.com
PDC role srv-dc2.domain.com
RID pool manager srv-dc2.domain.com
Infrastructure owner srv-dc1.domain.com

The command completed successfully.

I would like to move the RID and PDC roles back to DC1 because our time issue started when I moved them to DC2.

Thanks,

Joe B
 
Anyone have any ideas?

Thanks,

Joe B
 
Both domain controllers see the correct FSMO role on the correct domain controller.

Thanks,

Joe B
 
So both servers see the FSMO role holders as this?


Schema owner srv-dc1.domain.com
Domain role owner srv-dc1.domain.com
PDC role srv-dc2.domain.com
RID pool manager srv-dc2.domain.com
Infrastructure owner srv-dc1.domain.com

Any errors in the event logs? Run a dcdiag and post any errors.


Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
 
pagy, yes both servers see the same FSMO role holders BUT, I was just looking through the error log (my bad for not doing that earlier) and found a couple of repeating errors:

///////////////////////////////////////////////////////////

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2092
Date: 6/14/2010
Time: 5:24:56 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SRV-DC2
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: DC=link,DC=com

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at
///////////////////////////////////////////////////////////

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2092
Date: 6/14/2010
Time: 5:24:56 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SRV-DC2
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.

Operations which require contacting a FSMO operation master will fail until this condition is corrected.

FSMO Role: CN=RID Manager$,CN=System,DC=link,DC=com

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at
///////////////////////////////////////////////////////////

DCDIAG and NETDIAG come back clean. I ran REPLMON and all replications have been successful as of this morning. SO, why can't I move the PDC and RID roles back to DC1??? I also ran the repadmin /showrepl and all attempts have been successful (looks like the same results I had from REPLMON).

One item I didn't think to mention was that DC2 is a VM running on ESXi 4.0. I've checked around and from what I've seen the fact that it's a VM shouldn't have any effect on it.

Thanks,

Joe B
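
An added example, not part of the original thread: one way to test the condition that Event ID 2092 describes (no successful inbound replication of the FSMO's partition since the role holder restarted), using the repadmin /showrepl command the event text recommends. It assumes Windows PowerShell on an admin host with repadmin.exe on the PATH and a domain controller new enough to answer Get-WinEvent and CIM queries remotely; the $Dc default is the role holder's name as shown in the netdom output above.

```powershell
# Added example. Assumptions: Windows PowerShell on an admin host with
# repadmin.exe on PATH, and a DC that answers Get-WinEvent/CIM remotely.
param([string]$Dc = 'srv-dc2.domain.com')   # role holder named in the thread

# When did the DC last restart? Event 2092 is relative to this moment.
$boot = (Get-CimInstance Win32_OperatingSystem -ComputerName $Dc).LastBootUpTime

# Event 2092 warnings logged since that restart.
$events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2092; StartTime = $boot }

# Inbound replication per naming context, as repadmin reports it.
$repl = repadmin /showrepl $Dc /csv | ConvertFrom-Csv

$repl | Group-Object 'Naming Context' | ForEach-Object {
    # Partners that delivered a successful inbound sync after the restart.
    $ok = @($_.Group | Where-Object {
        $t = [datetime]::MinValue
        [datetime]::TryParse($_.'Last Success Time', [ref]$t) -and $t -gt $boot
    })
    # Partners whose replication link currently reports failures.
    $failing = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    [pscustomobject]@{
        NamingContext   = $_.Name
        Partners        = $_.Count
        SyncedSinceBoot = $ok.Count
        FailingPartners = $failing.Count
        # The event says the role stays unvalidated until at least one
        # partner has replicated this partition since the restart.
        SyncedAfterBoot = ($ok.Count -gt 0)
    }
} | Format-Table -AutoSize

"Event 2092 entries since {0}: {1}" -f $boot, @($events).Count
```

Both roles in the two events above live in the domain partition (DC=link,DC=com), so that row is the one to read.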
 
The only issue I'm aware of where virtualization can be problematic is the PDC Emulator role, which deals with time sync. I've seen the virtualization time slicing cause problems with that.


Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
58sniper, I read some potential issues with the time sync but the DC is set to get its time from the us.pool.ntp.org source. We initially had a time issue of about two minutes but that has been corrected.

Thanks,

Joe B
 