Tuesday, April 17, 2012

AD MASTER CORRUPTED

We can use this command to list the FSMO roles holder:
C:\Netdom Query

FSMO The 5 roles:

  1. Schema Master: Used to introduce manual and programmatic schema updates, and this includes those updates that are added by Windows ADPREP /FORESTPREP, by Microsoft Exchange, and by other applications that use Active Directory Domain Services (AD DS). - Must be online when schema updates are performed. (which in my case when I wanted to promote the new DC in to the existing domain it was unable because the DC was holding the Schema master was offline). 
  2. Domain Naming Master: Used to add and to remove domains and application partitions to and from the forest. -Must be online when domains and application partitions in a forest are added or removed. 
  3. Primary Domain Controller: Receives password updates when passwords are changed for the computer and for user accounts that are on replica domain controllers. -Consulted by replica domain controllers that service authentication requests that have mismatched passwords. -Default target domain controller for Group Policy updates. -Target domain controller for legacy applications that perform writable operations and for some admin tools. -Must be online and accessible 24 hours a day, seven days a week. 
  4. RID: Allocates active and standby RID pools to replica domain controllers in the same domain. -Must be online for newly promoted domain controllers to obtain a local -RID pool that is required to advertise or when existing domain controllers have to update their current or standby RID pool allocation. 
  5. Infrastructure Master: Updates cross-domain references and phantoms from the global catalog.


You can see that all masters are binding to the corrupted server and you cannot change the operation master since it could not be contacted. 
What you can do is using ntdsutil command. (use this ref : http://www.vishalvasu.com/finding-fsmo-roles-using-ntdsutil/
Step #1: On any Domain Controller, click Start. In the Run command type CMD and hit Enter. You will be taken to the good old command prompt window (DOS were the days). Type ntdsutil and hit Enter. 
Step #2: You shall see the screen with ntdsutil: prompt. Since we want to find out the roles, type roles and hit Enter. Notice that the prompt now changes to show fsmo maintenance:. Now is a good time to get more HELP on the list of available commands. 
Step #3: On the fsmo maintenance: prompt, type ? and hit Enter. Right-click in the Window, mark and copy them. Paste the clipboard in to Notepad for easy reference. 
Step #4: Type connection and press Enter. This will show a prompt with server connections:. Type connect to server (replace and press Enter. 
Step #5: Once we are connected to the Domain Controller, type q to return back to the fsmo maintenance prompt. Now type, select operation target and then press Enter. Notice that the prompt changes to select operation target:. 
Step #6: At the select operation target prompt, type list roles for connected server and press Enter. This would list all the FSMO roles for that Domain Controller. To get out of the ntdsutil, type q until you are back to the good old DOS prompt. Then, if the master server are permenantly offline use seize command (ref: http://www.petri.co.il/seizing_fsmo_roles.htm) . If the master server still online ; you can user transfer command to moving the 5 FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational. 

This table has the info:
FSMO Role
Loss implications
Schema
The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming
Unless you are going to run DCPROMO, then you will not miss this FSMO role.
RID
Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer object per week.
PDC Emulator
Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.
Infrastructure
Group memberships may be incomplete. If you only have one domain, then there will be no impact.

The following table summarizes the FSMO seizing restrictions:
FSMO Role
Restrictions
Schema
Original must be reinstalled
Domain Naming
RID
PDC Emulator
Can transfer back to original
Infrastructure

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:
FSMO Role
Administrator must be a member of
Schema
Schema Admins
Domain Naming
Enterprise Admins
RID
Domain Admins
PDC Emulator
Infrastructure

To seize the FSMO roles by using Ntdsutil, follow these steps:



After done it.. you can check again the Netdom Query FSMO already go to the connected server (Slave AD).


After that you have to delete/clear all the info for offline/corrupted server (eg: probOldAD.contoso.com)


http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Remove AD




Then you can start installing AD for new server as below step:



If you facing below warning... what you can check is if the is other network is enabled . 
Solved: disable other network
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)