Server 2012 R2, Server 2012, Domain Controller role
After experiencing some permissions problems on my domain I noticed that my 2nd domain controller appears to be corrupted in some way (I'm sorry the naming is confusing; when I say the 2nd DC, it is actually named vswbcdc1). I have included some screenshots below to explain why I think the DC is corrupted. I had previously made this DC the operations master and transferred all the FSMO roles to it. The original DC on svrwbc is installed on Server 2012; the 2nd DC on vswbcdc1 is on Server 2012 R2, in case that is an issue.

I thought maybe a viable solution was to remove the 2nd DC role from its server and the problem might go away when I add the role back in, but I can't transfer things back to the original 1st DC before removing the 2nd DC's role. When I tried to transfer the operations master back, I received these screens:

On the 1st DC, which is where I want to transfer the ops master back to, I get "ERROR" for the current operations master. I figured that can't be good:

On the 2nd DC, which is where I want to transfer the ops master from, it initially looks OK, but upon clicking Change the error panel shown below explains there are problems with contacting the current FSMO role holder:

But the FSMO roles appear to still be with the 2nd DC:

After I demoted the 2nd DC and tried to remove the DC role, the role removal terminated with this error.

All this leads me to believe the 2nd DC is corrupted, so what is the best course of action? My system is quite small and setting up AD DS again won't be a terrible pain, but I'd like to take the shortest path through this.

My questions:
1) Is there a tool to 'repair' DCs?
2) If not, is the info above enough to point to what I could go in and fix manually?
3) If necessary, can I just kill both DC servers and start over?
3a) Does all of the domain info reside totally on the 2 DC servers, so that if I kill those VMs and rebuild new DCs, I won't have any lingering DC data hanging around?

Thanks.
A flexible single-master operation (FSMO) is a set of Active Directory (AD) operations, or roles, designed to eliminate replication conflicts. FSMO is used where the standard update and replication methods are inadequate. Updates to certain objects in Active Directory are made in a single-master fashion to avoid conflicting updates. In the single-master model, only one DC in the entire directory is allowed to process a given kind of update. This is the same as the role given to the primary domain controller (PDC) in earlier versions of Windows. Active Directory extends the single-master model of older Windows versions to allow several roles, and adds the ability to transfer each role to any DC in the enterprise. Because a role is not bound to any single DC, it is referred to as a flexible single-master operation (FSMO) role.

Currently there are five FSMO roles in Windows, classified under two main heads:
1. Forest wide
2. Domain wide
These roles are further explained in detail here.

A DC does not normally exercise FSMO role ownership until it has completed inbound replication of the naming context (NC) in which the role is held since the Directory Service started. Before a seized role is used, make sure the previous owner has been notified of the seizure.

Why should FSMO roles be transferred?
When Active Directory is first configured, the first domain controller in the forest root domain receives all five FSMO roles by default. Transferring FSMO roles is frequently necessary for a number of reasons, including:

It is advised to transfer FSMO roles only while the current holder is online and reachable on the network. FSMO roles can be transferred by two methods: the first uses PowerShell and the second uses the Active Directory Users and Computers (ADUC) GUI.

Things to remember while transferring FSMO roles

1. Transferring FSMO roles using PowerShell
Once you know which DCs currently hold the FSMO roles, you can transfer those roles. Run the Move-ADDirectoryServerOperationMasterRole cmdlet in Windows PowerShell with the Identity parameter set to the DC you want to move the FSMO role to (in this case, ChildDC1), followed by the name of the FSMO role. The example below transfers the RID master role: For the FSMO role name, you can use PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster. You can also transfer more than one role at once by listing each role name separated by a comma, e.g. Move-ADDirectoryServerOperationMasterRole -Identity "ChildDC1" PDCEmulator,InfrastructureMaster. Now let's look at transferring roles using the Active Directory Users and Computers GUI.

2. FSMO Roles Transfer Using ADUC GUI
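As an added example (not code from the article or its author), the script below lists who holds each role, checks that the current holders answer on LDAP before a normal transfer, and moves the three domain-wide roles to the article's example DC ChildDC1 (assumed name; the reachability check and the output layout are my additions). It also covers the situation in the question above, where the current holder cannot be contacted: a normal transfer cannot succeed then, and seizing with -Force is the documented path once the old DC is permanently decommissioned.

```powershell
# Added example, not code from the original article: check, transfer and verify
# FSMO role holders with the ActiveDirectory module. "ChildDC1" is the article's
# example target (assumed name); replace it with your own DC. Run as Domain Admin
# (Enterprise Admin and Schema Admin are needed for the two forest-wide roles).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are properties of the forest object,
    # domain-wide roles are properties of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$target = 'ChildDC1'                                         # assumed target DC
$roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster' # domain-wide roles

$before = Get-FsmoHolders
'Current holders:'; $before | Format-List

# A transfer needs the current holder online: test LDAP (TCP 389) on each one.
$unreachable = foreach ($r in $roles) {
    $holder = $before.$r
    $ok = (Test-NetConnection -ComputerName $holder -Port 389 `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $ok) { "$r ($holder)" }
}

if ($unreachable) {
    Write-Warning "Unreachable holders: $($unreachable -join ', '). A normal transfer will fail."
    Write-Warning 'Seize only if the old holder is gone for good, and never put it back on the network:'
    Write-Warning "  Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $($roles -join ',') -Force"
} else {
    # -Confirm:$false suppresses the per-role confirmation prompt.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false
    'New holders:'; Get-FsmoHolders | Format-List
}
```

Rerun Get-FsmoHolders from another DC afterwards; the new owner is only visible everywhere once replication has completed.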
As you can see, transferring FSMO roles via the GUI requires a significant number of additional steps, which is why using PowerShell is preferred. If you're not into PowerShell, the GUI will suffice.

Active Directory FSMO roles – Best practices
Summary
Moving FSMO roles to another server is not a common task, but it is necessary from time to time. When moving roles, Microsoft recommends that the current holder be online. The steps in this tutorial should come in handy when the time comes to move roles.

What is an Operations Master domain controller?
An Operations master is a domain controller that has been assigned one or more special roles in an Active Directory domain. Because there is no primary domain controller (PDC) in Windows 2000, operations masters fill the various roles performed by the PDC in NT 4.0 networks.
Which operations master is responsible for performing updates to the schema?
The schema master FSMO role holder is the DC responsible for performing updates to the directory schema, that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>. This DC is the only one that can process updates to the directory schema.
Which Operations Master role is responsible for managing password changes at the domain level?
Primary Domain Controller (PDC) Emulator. This is the most authoritative DC in the domain. Its role is to respond to authentication requests, manage password changes and manage Group Policy Objects (GPOs).
When you create the first domain in a new forest, how many operations master roles are assigned to it by default?
The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest.