The FSMO role holders have a prerequisite that they be able to replicate with an appropriate partner DC prior to advertising each role. For the Schema Master, it has to successfully replicate the schema partition, for PDCE the Domain partition, etc. This is to try and prevent two DCs from both advertising as one of the FSMO roles after an improper seize/restore/etc.
This would be something to check. You might have a lot of metadata from old DCs that needs to be cleaned out, which could be causing replication failures. Barring that, you should verify everything looks good from a DNS perspective. The two surviving DCs need a consistent view of AD from DNS.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, May 01, 2005 17:15
> To: [email protected]
> Subject: [ActiveDir] seizing FMSO roles
>
> Help
>
> The consultancy I work for took on a job to provide support during the split of three companies (one division) from a large group. There were a number of limitations placed on us: no access to their network or machines before the move, and do all the sites at the same time. The comms for the sites would be disconnected as soon as we had control of the local network. The project manager created a plan that was approved by the customer and by the group IT staff. This was for the group staff to demote all domain controllers on the sites of the three companies except one, disconnect the MPLS links at the three sites to isolate them from the group, and we activate VPN tunnels over ADSL to connect the three sites. They give us an access account for all the member servers and the domain controllers; we seize the FSMO roles on the remaining domain controller and promote the servers on the other sites, clean out all the group servers' information with ntdsutil, and install Exchange with the /removeorg command switch to clean out the Exchange data in AD. All the mailboxes for the three sites were held centrally at the group datacentre so we had no access, and the plan was for them to courier down all the mailboxes as PST files extracted with ExMerge, and once we had reinstalled Exchange, import them back and we point the MX records for the new domains to the new Exchange server.
>
> Now for the problems: we started this work yesterday. It was all going well; they did the demotions, we cut the links, the VPN tunnels came up and they gave me the password for the DC. That's when I discovered that the three companies were part of a child domain and I had no access to the parent. Looking back, someone should have asked the question, but their staff agreed to this and it would seem obvious the plan would not work with a child domain.
>
> Group IT staff agreed to allow us to connect a new server via crossover link to the MPLS router; they would take control and promote it up as DC in the parent domain and we put it back on the local network. I then seized the FSMO roles on that DC, but I still have problems. If I run the Exchange setup with the removeorg option, it says that it cannot contact the schema master, but the server it says it cannot contact is the server that I seized the schema master role on. I have checked with ntdsutil that the server holds that role and it confirms that. I cannot log onto the child domain with a new admin account created in the parent domain; it tells me it cannot find the parent domain. I placed the DNS forwarder for the child domain to point to the new parent domain server. They have split DNS to the child and have delegation to the child domain on the parent. Any and all advice would be appreciated.
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
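
The replication check suggested in the reply, as an added example that is not part of either list message: it reads `repadmin /showrepl * /csv` output and reports, per FSMO role, whether the holder has any healthy inbound replication of the partition it must sync before advertising that role. The DC names, domain names, sample rows and the function name `Get-FsmoSyncStatus` are constructed for illustration, and treating "zero consecutive failures" as a successful sync is an assumption of this sketch.

```powershell
# Constructed sample shaped like `repadmin /showrepl * /csv` output (not from the thread).
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,NEWROOT1,"CN=Schema,CN=Configuration,DC=corp,DC=example",HQ,OLDROOT1,RPC,37,2005-05-01 16:40:11,2005-04-30 09:02:10,1722
showrepl_INFO,SiteA,NEWROOT1,"CN=Configuration,DC=corp,DC=example",HQ,OLDROOT1,RPC,37,2005-05-01 16:40:12,2005-04-30 09:02:11,1722
showrepl_INFO,SiteA,CHILDDC1,"DC=child,DC=corp,DC=example",SiteB,CHILDDC2,RPC,0,0,2005-05-01 16:45:03,0
showrepl_INFO,SiteA,CHILDDC1,"DC=child,DC=corp,DC=example",HQ,OLDCHILD3,RPC,12,2005-05-01 16:41:00,2005-04-30 08:00:00,1722
'@
# On a live DC, replace the sample with: $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$rows = ($sampleCsv -split "`r?`n") | ConvertFrom-Csv

function Get-FsmoSyncStatus {
    param(
        [Parameter(Mandatory)] [object[]]  $ReplRows,
        [Parameter(Mandatory)] [string]    $ForestRootDN,
        [Parameter(Mandatory)] [string]    $DomainDN,
        [Parameter(Mandatory)] [hashtable] $RoleHolders   # role name -> DC name
    )
    # Partition each role holder must replicate inbound before it advertises the role.
    $partitionFor = [ordered]@{
        SchemaMaster         = "CN=Schema,CN=Configuration,$ForestRootDN"
        DomainNamingMaster   = "CN=Configuration,$ForestRootDN"
        PDCEmulator          = $DomainDN
        RIDMaster            = $DomainDN
        InfrastructureMaster = $DomainDN
    }
    foreach ($role in $partitionFor.Keys) {
        $dc = $RoleHolders[$role]
        $nc = $partitionFor[$role]
        # Inbound links for this holder and partition; -eq is case-insensitive for DNs.
        $inbound = @($ReplRows | Where-Object { $_.'Destination DSA' -eq $dc -and $_.'Naming Context' -eq $nc })
        $healthy = @($inbound | Where-Object { [int]$_.'Number of Failures' -eq 0 })
        $failing = @($inbound | Where-Object { [int]$_.'Number of Failures' -gt 0 })
        [pscustomobject]@{
            Role            = $role
            Holder          = $dc
            InboundPartners = $inbound.Count
            FailingSources  = $failing.'Source DSA' -join ','
            # Assumption: a holder with no inbound partners has nothing to wait for;
            # one whose every partner is failing (e.g. stale DC metadata) is likely blocked.
            LikelyBlocked   = ($inbound.Count -gt 0 -and $healthy.Count -eq 0)
        }
    }
}

$holders = @{ SchemaMaster = 'NEWROOT1'; DomainNamingMaster = 'NEWROOT1'; PDCEmulator = 'CHILDDC1'; RIDMaster = 'CHILDDC1'; InfrastructureMaster = 'CHILDDC1' }
Get-FsmoSyncStatus -ReplRows $rows -ForestRootDN 'DC=corp,DC=example' -DomainDN 'DC=child,DC=corp,DC=example' -RoleHolders $holders |
    Format-Table Role, Holder, InboundPartners, FailingSources, LikelyBlocked -AutoSize
```

With the constructed rows, the two forest-wide roles on NEWROOT1 are flagged because their only inbound source is a DC that no longer answers, while the domain roles on CHILDDC1 pass because one of its two partners replicates cleanly.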
