Transfer FSMO roles automatically on pdc down?

PashPash Posts: 1,601Member ■■■■■□□□□□
Hi all,

Is it possible at all? Even with a simple script or something. Same with a demote and transfer of roles, can this be made as easy as possible. Im looking for solution that requires minimal technical presence to achieve this.

Thanks!
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • sprkymrksprkymrk Posts: 4,884Member
    I never thought about it....

    Would you have controls/safety net in place to take into account minor outages due to network conditions or maintenance requiring reboots?
    All things are possible, only believe.
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    sprkymrk wrote:
    I never thought about it....

    Would you have controls/safety net in place to take into account minor outages due to network conditions or maintenance requiring reboots?

    Absolutely mark! :D

    This is for Disaster Recovery infact. Im just wondering how easy it is to transfer roles and pdc promote if we lose our main PDC, in this scenario no techy's would be at DR site, so it would have to be fairly automated.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Megadeth4168Megadeth4168 Posts: 2,157Member
    How about configuring a standby operations master?

    http://www.petri.co.il/planning_fsmo_roles_in_ad.htm
  • Silver BulletSilver Bullet Posts: 676Member
    I am curious as to why you wouldn't just restore from a backup if it is for Disaster recovery?

    If the server holding the fsmo roles is going to be down for a while then you could "seize" the needed role/s to another DC. But the person standing in front of the DC doesn't have to be the one performing the task. Unless your sites aren't interconnected???

    If you have multiple Domain Controllers then you might consider spreading the fsmo roles around.
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    How about configuring a standby operations master?

    http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

    Thanks mate, ill have a read, might be an idea to try and do this. This is one option for sure.

    Silver Bullet:

    This is immediate disaster recovery. IE pdc just blows up, 20 critical workers are told to catch the buss to DR site and logon as usual. Things im concerned about:

    1. NO FSMO roles now occupied on the domain. All 5 roles are assigned to this PDC.

    2. NO techy onsite at DR to seize the needed roles temporarily

    3. Quick Operation, no time to restore from backup, has to be GO straight after failure.

    Things i need to happen:-

    1. Users have to logon to domain with usual credentials

    2. Ability to add additional pc's to the domain at DR site IF needed.


    If i understand thing's correctly, I can't add new pc's to the domain without there being a schema master to reach? I could be wrong though because my windows AD skills are below par icon_sad.gif

    Ohh and would storing the Global Catalog on this BDC at DR be reccommended, im guessing it would, infact for this scenario we have to assume that the pdc still lives but human access to the main office is disabled. The only link from DR to Main office is a slow VPN link. So in this case it has to be a good idea?

    Suggestions as always, welcome.

    Thanks mate,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • AhriakinAhriakin SupremeNetworkOverlord Posts: 1,800Member ■■■■■■■■□□
    Haven't tried any of this myself but off the top of my head you could script seizing the roles using NTDSutil reasonably easily. The trick is getting an accurate system in place to detect a real FSMO DC outage, as you know seizing roles is an absolute last resort. I've been using Hyperic Free on our own network for the last few months, haven't had as much time with it as I'd like but I know you could have it monitor DC availability quite easily and set an alert threshold that would allow for reboots etc. The only thing is you need to pay for the enterprise version to activate the ability for it to respond automatically to those alerts, but if you did it would be easy to set it to run your batch/script to seize the roles. You may want to write something yourself that just uses PINGs with a set timeout-threshold that again activates the script.

    Okay, the next bit is pure theory on my part, may be complete garbage....
    As for which roles you absolutely need to grab it depends on the setup and how long you think the replacement will need to hold those roles. If it's permanent then of course grab them all. If not and you just need a DC in place to allow logons/new computer and user accounts etc. I think you could get away with the RID Master (may not even be necessary if the remaining DC already as a pool of IDs from the old RID master, but it would eventually get used up and with no RID master no new ID pools would be passed to the DCs) and PDC emulator. The others depend more on your domain/forest setup, if you're not modifying AD during the outage the Schema master can wait. if you don't have a multi-domain forest or can live without knowing of changes to groups/assets in other domains then infrastructure can wait too, ditto for the Domain naming master.

    Edit: You mentioned the GC, if you aren't already make sure the GC for that site is NOT the current Infrastructure Master also.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Megadeth4168Megadeth4168 Posts: 2,157Member
    Pash wrote:
    How about configuring a standby operations master?

    http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

    Thanks mate, ill have a read, might be an idea to try and do this. This is one option for sure.

    Silver Bullet:

    This is immediate disaster recovery. IE pdc just blows up, 20 critical workers are told to catch the buss to DR site and logon as usual. Things im concerned about:

    1. NO FSMO roles now occupied on the domain. All 5 roles are assigned to this PDC.

    2. NO techy onsite at DR to seize the needed roles temporarily

    3. Quick Operation, no time to restore from backup, has to be GO straight after failure.

    Things i need to happen:-

    1. Users have to logon to domain with usual credentials

    2. Ability to add additional pc's to the domain at DR site IF needed.


    If i understand thing's correctly, I can't add new pc's to the domain without there being a schema master to reach? I could be wrong though because my windows AD skills are below par icon_sad.gif

    Ohh and would storing the Global Catalog on this BDC at DR be reccommended, im guessing it would, infact for this scenario we have to assume that the pdc still lives but human access to the main office is disabled. The only link from DR to Main office is a slow VPN link. So in this case it has to be a good idea?

    Suggestions as always, welcome.

    Thanks mate,

    Don't worry about the Schema Master, you can live without that without ever possibly noticing that it is not online.... It's just a matter of whether or not you ever make changes to the schema.

    Anyway, As far as making the BDC a GC, it depends... Firstly, are you in a single domain environment or a multi-domain environment? Next, do you plan on Placing the Infrastructure role on it at any point (being a standby)?

    If you are in a single domain then yes make it a GC, it won't harm anything. If you are in a multi-domain and plan on using the BDC as a standby operations master then either do not make it a GC or do not make it the standby for the infrastructure role. (EDIT::: For this to be done though, I believe that you would need a separate DC that holds the Infrastructure role.)
  • ajs1976ajs1976 Posts: 1,945Member
    Why do you keep referring to PDC and BDC, are you running NT domain controllers on the network? If you do have NT DC, then you could have a problem adding computers to the domain without having access to the PDC Emulator FSMO role.

    For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues, if you bring the old server back online.

    Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema something like Exchange or a newer Windows server as a DC.
    Andy

    2017 Goals: 1 of 5 courses complete, 0 of 2 exams complete
  • Megadeth4168Megadeth4168 Posts: 2,157Member
    ajs1976 wrote:
    Why do you keep referring to PDC and BDC, are you running NT domain controllers on the network? If you do have NT DC, then you could have a problem adding computers to the domain without having access to the PDC Emulator FSMO role.

    For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues, if you bring the old server back online.

    Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema something like Exchange or a newer Windows server as a DC.

    I could be wrong but I think in this case the terms PDC and BDC are being thrown around out of habit... Even in studying, many books seem to use these terms loosely. I'm under the impression that PDC in this case just means the DC that holds the PDC emulator or possibly all roles and the BDC in this scenario simply means any DCs not holding a PDC emulator role or any roles.

    Like I said, I could be wrong, I guess Pash will let us know :)
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    Ahriakin wrote:
    Haven't tried any of this myself but off the top of my head you could script seizing the roles using NTDSutil reasonably easily. The trick is getting an accurate system in place to detect a real FSMO DC outage, as you know seizing roles is an absolute last resort. I've been using Hyperic Free on our own network for the last few months, haven't had as much time with it as I'd like but I know you could have it monitor DC availability quite easily and set an alert threshold that would allow for reboots etc. The only thing is you need to pay for the enterprise version to activate the ability for it to respond automatically to those alerts, but if you did it would be easy to set it to run your batch/script to seize the roles. You may want to write something yourself that just uses PINGs with a set timeout-threshold that again activates the script.

    Okay, the next bit is pure theory on my part, may be complete garbage....
    As for which roles you absolutely need to grab it depends on the setup and how long you think the replacement will need to hold those roles. If it's permanent then of course grab them all. If not and you just need a DC in place to allow logons/new computer and user accounts etc. I think you could get away with the RID Master (may not even be necessary if the remaining DC already as a pool of IDs from the old RID master, but it would eventually get used up and with no RID master no new ID pools would be passed to the DCs) and PDC emulator. The others depend more on your domain/forest setup, if you're not modifying AD during the outage the Schema master can wait. if you don't have a multi-domain forest or can live without knowing of changes to groups/assets in other domains then infrastructure can wait too, ditto for the Domain naming master.

    Edit: You mentioned the GC, if you aren't already make sure the GC for that site is NOT the current Infrastructure Master also.

    Ok thanks for the input Ahriakin. Im gonna lab this up in the office for the next couple of days and see what works.

    In regards to the GC hosted on the infra master, I understand the rule is, only do this if you have one domain in your forest, or if all dc's in the forest host the GC? In both these cases currently, we are fine. Btw, creating a sub domain for the DR is also an option, there would be no issues here aslong as the correct trusts are in place for replication?

    Anyway, I guess there is only so much reading I can do, time to test it.

    Cheers all,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    ajs1976 wrote:
    Why do you keep referring to PDC and BDC, are you running NT domain controllers on the network? If you do have NT DC, then you could have a problem adding computers to the domain without having access to the PDC Emulator FSMO role.

    For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues, if you bring the old server back online.

    Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema something like Exchange or a newer Windows server as a DC.

    I could be wrong but I think in this case the terms PDC and BDC are being thrown around out of habit... Even in studying, many books seem to use these terms loosely. I'm under the impression that PDC in this case just means the DC that holds the PDC emulator or possibly all roles and the BDC in this scenario simply means any DCs not holding a PDC emulator role or any roles.

    Like I said, I could be wrong, I guess Pash will let us know :)

    This is correct, false of habbit, many appologies.

    Really ajs1976? So for the purposes of keeping user operations in the "norm" we should be ok?

    Thanks again,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    Well the proposal is complete, the presentation is ready to be presented to the customer tommorow. They are the IT staff at a banking organisation, so I have to know what I am talking about :p Luckily after several hours of playing about (wireshark on capture) and reading technet I have a very good idea of how everything works for AD replication, GC, FSMO and what happens when a pc joins a domain.

    Now time for a beer drunken_smilie.gif
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • jtdalyjtdaly Posts: 6Member ■□□□□□□□□□
    Hope I can jump in here on this thread, I have a very related question:
    I have a small, 2 DC Win2k network, the FSMO role holder has crashed and burned, wont' be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?

    Thanks!
  • astorrsastorrs Posts: 3,139Member ■■■■■■□□□□
    jtdaly wrote:
    Hope I can jump in here on this thread, I have a very related question:
    I have a small, 2 DC Win2k network, the FSMO role holder has crashed and burned, wont' be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?

    Thanks!
    You'll need the roles to be available. Why not just seize the roles, it only takes a few minutes?
  • jbaellojbaello Posts: 1,192Member
    This is back from September of 07, too late the horse is dead :P jk...
  • jbaellojbaello Posts: 1,192Member
    astorrs wrote:
    jtdaly wrote:
    Hope I can jump in here on this thread, I have a very related question:
    I have a small, 2 DC Win2k network, the FSMO role holder has crashed and burned, wont' be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?

    Thanks!
    You'll need the roles to be available. Why not just seize the roles, it only takes a few minutes?

    +1
  • ilcram19-2ilcram19-2 Posts: 436Banned
    Hope I can jump in here on this thread, I have a very related question:
    I have a small, 2 DC Win2k network, the FSMO role holder has crashed and burned, wont' be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?
    ==============================================================
    since you mention you had an other dc before the fsmo role holder crashed you should be able to seaze the roles to the dc tha was left then add new dc to the mix you should be good i had that issue a couple of times im not really worried about lossing the fsmo holder anymore as long as i have a another dc in the network[/quote]
  • rbutturinirbutturini Posts: 123Member
    We were called in to consult on a scenario similar to this where a company had a division sold, was losing their point to point T1 to the corporate HQ where all the FSMO masters lived, but needed to keep the domain services intact. It was essentially the same as the scenario you described. you could create the server and promote to a DC, then disconnect it from the network, connect at the DR site and seize the FSMO roles. Everything worked great for us after this.

    I think this is pretty much the solution that the other guys contributing to the thread came up with, but sometimes it's nice to have a voice of experience :D
  • dynamikdynamik Posts: 12,314Banned ■■■■■■■■□□
    Are you going to bring the original server back online? You're going to have problems with that if you seize the roles.
  • jtdalyjtdaly Posts: 6Member ■□□□□□□□□□
    Thanks All, I was just being super cautious, being down to only one DC, and I haven't done a FSMO seizure before, and wanted another DC up and running before I messed with anything at all. I didn't think the FSMO roles would be touched by the DC promotion, but actually, since a RID needs to be assigned to the new DC, I guess that role needs to be present.

    Anyway, I'll take it from all of your quite impressive credentials that it should be like falling off a log, right? :D

    Appreciate the help, (even if I am too late on the thread!)

    jd
  • dynamikdynamik Posts: 12,314Banned ■■■■■■■■□□
    Now I'm curious. Maybe I'm just getting rusty, but which roles are necessary for what he wants to do? RID goes out in pools, so I would think his DC has enough of those. It's not a new domain, so no domain naming. Infrastructure is used to keep track of objects in multiple domains, so not that. He's not changing the schema, so not that one either. PDC does a lot of miscellaneous things, but are any of those required for this?
  • astorrsastorrs Posts: 3,139Member ■■■■■■□□□□
    dynamik wrote:
    Now I'm curious. Maybe I'm just getting rusty, but which roles are necessary for what he wants to do? RID goes out in pools, so I would think his DC has enough of those. It's not a new domain, so no domain naming. Infrastructure is used to keep track of objects in multiple domains, so not that. He's not changing the schema, so not that one either. PDC does a lot of miscellaneous things, but are any of those required for this?
    I agree that the other 4 FSMO roles would be unnecessary to bring a new DC online, but how would a new DC get its initial RID pool if the RID Master was unavailable. I would expect the DC startup process to hang (no NETLOGON/SYSVOL shares) until it could get a RID pool - but if someone wants to test... ;)
  • jtdalyjtdaly Posts: 6Member ■□□□□□□□□□
    Dynamik,

    I went through that same list in my analysis, and the only area I was unsure of was PDC and RID. I think the other domanin controller should be able to give out the RID value, but if I am correct, the new DC will have to be given a block of RIDs as well, in case it needs to give these out later on. That being said, what would happen if there was no RID meister, so to speak, to set this up. Would I end up with a corrupted DC?

    I am tempted to just try it, but I really don't like taking the cowboy approach. In fact I am looking for some tech guidance on breaking the Raid 1 array that the OS is running on, prior to doing any work. By saving the mirror drive offline, I would theoretically be able to roll everything back if the DC promo on the new box blows up. Then start the whole thing over.

    Any thoughts from anyone else?

    Oh yea, the original FSMO master is dead and gone, it was actually a SBS2K box, that we were migrating away from. I'll still need to do some AD editing to get rid of references to it, when the dust settles.
  • astorrsastorrs Posts: 3,139Member ■■■■■■□□□□
    jtdaly wrote:
    Dynamik,

    I went through that same list in my analysis, and the only area I was unsure of was PDC and RID. I think the other domanin controller should be able to give out the RID value, but if I am correct, the new DC will have to be given a block of RIDs as well, in case it needs to give these out later on. That being said, what would happen if there was no RID meister, so to speak, to set this up. Would I end up with a corrupted DC?

    I am tempted to just try it, but I really don't like taking the cowboy approach. In fact I am looking for some tech guidance on breaking the Raid 1 array that the OS is running on, prior to doing any work. By saving the mirror drive offline, I would theoretically be able to roll everything back if the DC promo on the new box blows up. Then start the whole thing over.

    Any thoughts from anyone else?

    Oh yea, the original FSMO master is dead and gone, it was actually a SBS2K box, that we were migrating away from. I'll still need to do some AD editing to get rid of references to it, when the dust settles.
    PDC Emulator role doesn't matter since you're not dealing with mixed-mode, although you will have trouble with domain-wide time synchronization (since its the root of an NT5DS time hierarchy), just make sure your new DC's time is correct.

    The worst thing that would happen is either it would fail and roll back during the DCPROMO process, or that the DCPROMO would complete, but Active Directory would fail to startup fully on the new DC (no NETLOGON/SYSVOL shares).

    With that said, I always suggest having a roll back plan, breaking the mirror by pulling one of the drives would be an excellent method (although if you do have a problem you may need to manually cleanup AD - but that's rare and we can walk you through it if it does happen for some reason).
  • jtdalyjtdaly Posts: 6Member ■□□□□□□□□□
    Thanks very much for the comments. I think the next step is the FSMO seizure, I seem to have some pretty good notes from MS on that one. However, being the stickler I am for preparation, I don't have a total confirmation from HP on the Raid1 break / restore situation, so when I have that in hand, hopefully tomorrow, I'll go with the seizure. By the way, any easy way to verify the RID Master transference?
  • astorrsastorrs Posts: 3,139Member ■■■■■■□□□□
    jtdaly wrote:
    Thanks very much for the comments. I think the next step is the FSMO seizure, I seem to have some pretty good notes from MS on that one. However, being the stickler I am for preparation, I don't have a total confirmation from HP on the Raid1 break / restore situation, so when I have that in hand, hopefully tomorrow, I'll go with the seizure. By the way, any easy way to verify the RID Master transference?
    Yeah its pretty straight forward:
    Seize FSMO roles
    To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
    1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
    2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
    3. Type roles, and then press ENTER.
    4. Type connections, and then press ENTER.
    5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
    6. At the server connections prompt, type q, and then press ENTER.
    7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
    8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    http://support.microsoft.com/kb/255504
    As for breaking the mirror my suggestion would be to just remove one of the drives (if you don't have hot-swap drives, make sure to shutdown first).

    To view the FSMO Masters, and assuming you have installed the Windows 2000/2003 Support Tools (on the O/S installation CD in the \SUPPORT directory), run the following from a command prompt:

    netdom query /domain:<domain> fsmo
  • jtdalyjtdaly Posts: 6Member ■□□□□□□□□□
    Great info. Looks like what I have been seeing online, but nice to hear it from someone real.
    Yea, the mirror break, restore is my next issue. The breaking is easy, the (proper) recovery could be the interesting part!

    Going home, will sleep on it. Definately want the second DC online before this next hurricane makes it into GA!
  • rbutturinirbutturini Posts: 123Member
    In the event you don't have the support tools installed and can't for whatever reason (I only bring it up because it's happened to me :) )

    If you use ntdsutil and connect up to a DC, then run "select operation target" and "list roles for connected server" you can see the roles the DC knows.
  • jtdalyjtdaly Posts: 6Member ■□□□□□□□□□
    Thanks for that option too.

    Just ran "netdom query /domain:<domain> fsmo" and determined that the extinct DC has all fsmo roles, as suspected. This is what you were getting at, right?
Sign In or Register to comment.