RE: [ActiveDir] FSMO role transfer

[Rich Milburn]

Amy the easiest path for your new hardware comment is Y’s #2 below – new server, dcpromo, AND MOVE FSMOs, and then decom the old one.  Note that if there is DNS involved, and DHCP, and WINS, there’s a bit more to it… computer names etc… you can get around those issues by demoting the old box, removing it from the domain, and then building the new server with the same IP and name, dcpromo, etc.  But as several people pointed out, do move the FSMOs first if there are any on that server.  Much easier to move them while both servers are up, than seize them when the FSMO holder is down.  This isn’t a step by step guide for hardware replacement but hopefully it gives you some ideas in the right direction. Rich   ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- ”I love the smell of red herrings in the morning” - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Tuesday, November 29, 2005 1:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer   Amy,   You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices:   1. install base os and do a full system restore from the tapes of the old server. or 2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment.   Good Luck   Y     From: Amy Hunter Sent: Tue 29/11/2005 11:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer So are these FSMO roles stored in some sort of configuration partition in AD? if not, where are they stored?   I plan to replace my DC hardware next year, as long as I bring the new server up with the same IP/Name etc configuration etc, I won't need to move the FSMO roles to another DC when I replace the hardware?   Sorry if these seems junior questions, this is my first job in IT (i'm doing this for free for experience)   thank you for your help, Amy ;o)   "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote: First, look at each role and see what it does...   Forest FSMOs * Schema Master --> needed when updating the schema * Domain Naming master --> needed when adding or removing domains within the forest   Domain FSMOs * PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)   If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.   In short: leave as is. it will be OK for those 2 hours   Cheers, jorge   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer Hi guys,   We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.   I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.    Initially, I was planning on moving the FSMO roles to the other DC while maintainance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.   I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.   Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won! 't bother   Is there any recommended practice?   Amy To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.   To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.