FSMO Roles in 2008.

BoomAM · 22 Dec 2010 at 15:01

Hi,
Can anyone tell me the answer to this:
The existing domain here has, by design of my predecessor, the FSMO roles split between 3 DCs.
Which causes no end of problems for various reasons, and provides no fail over redundancy of any kind.
If I install a new DC in the domain, will it automatically install all the FSMO roles on itself like a 'normal' 2008 domain would and provide FSMO fail over to the rest of the domain, or will it just install the bare essentials?

Effectively what I want to achieve is install 2 new DCs with full FSMO fail over on the domain and demote the 3 'faulty' ones and get rid of them.

Thanks in advance.

BoomAM · 23 Dec 2010 at 09:29

DustyMiller said:
FSMO roles are non redundant. Each of the FSMO roles can only be present on one DC at any one time in domain, you can spread them about on as many DC's as you like, but there is only ever one of each role present at any one time.

Actually, the reason i bring it up is that within the documentation for 2008 R2, it is possible to make the FSMO roles redundant.

At my last job we had two 2008 DCs on the domain, no FSMO config done on them, and they failed over correctly...

So in theory, if i create a new 2008 DC, add it to the domain, transfer the roles, then demote the other, older, DCs, everything, 'should' work correctly should it not?

BoomAM · 24 Dec 2010 at 11:10

ethos said:
BoomAM, can you point me to the documentation you are viewing regarding redundant FSMO roles?

I'll dig it out over xmas, iirc it was linked too off something i read on Petri.

Yes, as stated above, promote, move roles across, make sure new DC is a GC, make sure everything is functioning as it should... happy days.

Right, well i think im going to give it a go over xmas, want to get everything tiptop before the Exch2010 migration in Jan.

Such a mess this network, both physically and virtually!

BoomAM · 27 Dec 2010 at 13:16

Quick question as ive never done this before:
Setting the DCPROMO program to 'last domain controller in domain/remove domain' when im on a subdomain should only remove the subdomain should it not?

BoomAM · 27 Dec 2010 at 13:24

Thanks for the quick reply.

Good, thought so, just wanted to check first.
The wording MS use's isnt the best. lol.

Its annoying me at the moment as it keeps failing auth with the parent domain!

.

BoomAM · 27 Dec 2010 at 15:23

Any ideas on why i get this? :

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=123,DC=456,DC=co,DC=uk to
Active Directory Domain Controller DC01.123.456.co.uk.

"Access is denied."

Been googling for a while now, nout conclusive comes up.

I'd rarther do a clean removal of the subdomain rarther than having to clear up metadata....

Whats strange, is that its not the login thats wrong, as if i put in a different one, it says 'incorrect username/password' instead of 'access denied'.

BoomAM · 27 Dec 2010 at 15:50

BoomAM · 29 Dec 2010 at 08:39

ecksmen said:
Security Policy?

On the domain im trying to get rid of or the one that its a child domain of?

BoomAM · 29 Dec 2010 at 13:51

Due to time constraints, ive had to remove the final DC the old fashioned/dirty way, using forceremoval.
Metadata cleared, trusts removed, all clean.
Yet some workstations still show the child domain in the domain list...

BoomAM · 29 Dec 2010 at 13:52

ecksmen said:
There's a child domain? You've not mentioned this before. I think at this point for anyone to help out you perhaps need to clarify you set up with domain structure and what you are trying to do.

What on earth are you on about? :confused:

.
The questions about the child domain and the one in the OP are completely separate as they wont relate to each other once the child domain is gone, which it now is.