Wednesday, February 12, 2014

Windows Server 2012 - Active Directory - Manual Removal of a domain controller, Part 1: seize FSMO roles

If at all possible, we should aim to remove domain controllers using dcpromo or, most recently (with Windows Server 2012), "Remove Roles and Features".

Sometimes this is not possible: a domain controller suffers catastrophic hardware failure and a so-called "graceful" demotion is not possible.

In such a situation, we have two options. We could attempt to restore the entire domain controller from backup (if we have one... ) or we could simply accept the loss of the machine and create a brand new domain controller on other hardware.

With this second option, we must consider the roles that the defunct domain controller held and how to re-establish them (if and as necessary) on the remaining domain controllers.

Note: I use "roles" in the broadest possible sense - FSMO roles as well as DNS, Global Catalog, etc.

In this scenario, I will assume that the failed domain controller held all five FSMO roles. It was also a DNS server and a Global Catalog. 

If we only have two domain controllers, the remaining domain controller must not only seize the FSMO roles but also assume these tasks:

1. DNS server (no Active Directory without DNS)
2. Global Catalog
3. Time source

In a "double domain controller" scenario, it is likely that the remaining domain controller is both a DNS server and a Global Catalog. It would have made sense for both domain controllers to have these roles for redundancy.

On the other hand, since the remaining domain controller (in our scenario) is not the PDCe, it would not be the authoritative time source.

Note, however, that this would not be critical. As long as the time source is uniform throughout the domain, Active Directory will function, even if the "domain time" is not in sync with the external "atomic time clocks". I will not address that aspect in this blog post.

So even before I seize the FSMO roles, I'm going to double check points 1 and 2.

For DNS, we can see if the domain controller is also a DNS server in Server Manager. By default, DNS is installed with Active Directory Domain Services. Unless someone changed this default, we should see the DNS role present. If we want to verify that DNS is Active Directory Integrated, we can open the DNS console:

As for the Global Catalog, this command will display the servers that hold a copy:

dsquery server -forest -isgc

Otherwise, we can open Active Directory Sites and Services and look at this location:

So we are ready to go. We can adjust the time service later. The seizing of some FSMO roles (or operations masters) should be performed rather soon. We can do without the Schema Master, the Domain Naming Master and (especially in a single domain) the Infrastructure Master for quite some time. Weeks could go by without any ill effect. But the RID Master (which distributes the RIDs necessary for the creation of domain objects) and the PDCe may need to be restored rather rapidly.

Operations master roles (FSMO)

Seizing the FSMO roles (operations masters)

So we first need to seize the FSMO roles. We can do this at the command line with the ntdsutil tool:

(Note: the commands to enter are in bold and underlined - the rest is the resulting output.)

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server DC5
Binding to DC5 ...
Connected to DC5 using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize schema master

Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C7, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af (The requested FSMO operation failed. The current FSMO holder could not be contacted.)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...

Server "DC5" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC5,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Naming Master - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=mynet,DC=lan
PDC - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=mynet,DC=lan
RID - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=mynet,DC=lan
Infrastructure - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=mynet,DC=lan

Some remarks...

1. NTDSUTIL asks us to confirm the operation...

2. NTDSUTIL attempts to transfer the role, which fails.

3. And then displays verbose output in which we can see the status of the FSMO roles.

In this case, we can see that the Schema Master is now DC5 (in bold red) but the other roles are still held by the now defunct DC2.

For concision and readability, I will not post this output for each command.

Note the syntax, incorrect and correct for the domain naming master:

fsmo maintenance: seize domain naming master
Error parsing Input - Invalid Syntax.
fsmo maintenance: seize naming master

We must omit the word "domain". Users familiar with Windows Server 2003 may remember that we had to include the word "domain". Since Windows Server 2008, this is no longer the case.

These are the commands for the remaining operations masters:

fsmo maintenance: seize rid master
fsmo maintenance: seize infrastructure master
fsmo maintenance: seize pdc

Note: we exit the fsmo maintenance mode like this:

fsmo maintenance: q
C:\Windows\system32\ntdsutil.exe: q

q = quit
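The same pre-checks (DNS role, Global Catalog, current FSMO holders) and the seizure of all five roles can be done with the ActiveDirectory PowerShell module instead of ntdsutil. This is an added example, not part of the original post; it assumes the surviving domain controller is DC5 and the defunct one is DC2 (the names used above), and that it is run elevated on DC5 with Enterprise Admins rights (needed for the Schema and Domain Naming masters).

```powershell
# Added example (not from the original post): pre-checks and FSMO seizure
# with the ActiveDirectory module rather than ntdsutil.
# Assumed names: surviving DC = DC5, defunct DC = DC2.
Import-Module ActiveDirectory

$Survivor = 'DC5'
$Dead     = 'DC2'

# 1. DNS: confirm the DNS Server role is installed on the survivor
#    (the post checks this in Server Manager).
$dns = Get-WindowsFeature -Name DNS
"DNS Server role installed on this host: $($dns.Installed)"

# 2. Global Catalog and current role holders per DC
#    (equivalent of "dsquery server -forest -isgc" plus the ntdsutil role list).
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 3. Record the five FSMO holders before seizing.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 4. Seize all five roles. Without -Force the cmdlet attempts a graceful
#    transfer, which fails when the holder is unreachable (the 0x20af error
#    shown in the ntdsutil output above); -Force proceeds with seizure.
$roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -OperationMasterRole $roles -Force -Confirm:$false

# 5. Verify: every role must now resolve to the survivor and none to the dead DC.
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$stale = $holders | Where-Object { $_ -like "$Dead*" }
if ($stale) {
    Write-Warning "Roles still attributed to $($Dead): $($stale -join ', ')"
} else {
    "All five FSMO roles are now held by $($Survivor)."
}
```

Once a role has been seized, the old holder (DC2 here) must never be reconnected to the domain; its remaining references are removed in the metadata cleanup covered in Part 2.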


In the following section of this two-part blog post, we will examine the different methods for "metadata cleanup".
