Title: [ActiveDir] Script to transfer FSMO roles.
A few thoughts --
 
I'm not entirely averse to the idea of throwing commands at NTDSUTIL and seizing roles (and relying upon the mandatory pre-emptive transfer attempt) but I prefer not to perform such actions when the capability to trap failures within a sequence of events is beyond my control, e.g. the transfer fails and the seize continues without confirmation or regard for my input.
 
Although I realize that your goal here is to seize a role, a single slip of the finger may inadvertently cause seizure to occur.  I would suggest scripting the operation to _manually_ attempt a transfer first, trap the error and confirm your intention to proceed with a seize (remains achievable with NTDSUTIL).  Of course, the implications of _not_ doing it this way are entirely dependent upon either or both the FSMO role in question and/or your particular infrastructure.
 
The commands below outline an alternative approach for attempting a FSMO transfer of the domain naming master -
 
admod -h <target DC FQDN> -b "" becomedomainmaster::1
 
... and the equivalent seizure -
 
admod -h <target DC FQDN> -b cn=partitions,cn=configuration,dc=<root DN> fsmoroleowner::"<NTDS Settings DN of recipient DC>"
 
... e.g. -
 
admod -h machine1.adcorp.lan -b cn=partitions,cn=configuration,dc=adcorp,dc=lan fsmoroleowner::"CN=NTDS Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAN"
 
This approach provides more control at the expense of requiring slightly more specific knowledge of the directory.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com

http://msetechnology.com
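
The sequence suggested in the message above (attempt the transfer manually, trap the failure, confirm before seizing), written out for the domain naming master as an added example; it is not code from the thread. It uses PowerShell with ADSI rather than admod to make the same two directory writes, and the parameter name $TargetDc is an assumption.

```powershell
# Added example (not from the thread). $TargetDc is a hypothetical parameter name.
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetDc    # FQDN of the DC that should receive the role
)

# Bind to the target DC and read the DNs the admod examples require by hand.
$rootDse    = [ADSI]"LDAP://$TargetDc/RootDSE"
$configNc   = [string]$rootDse.configurationNamingContext
$ntdsDn     = [string]$rootDse.dsServiceName      # NTDS Settings DN of $TargetDc
$partitions = [ADSI]"LDAP://$TargetDc/CN=Partitions,$configNc"

$owner = [string]$partitions.fSMORoleOwner
Write-Host "Current domain naming master: $owner"
if ($owner -eq $ntdsDn) {
    Write-Host "$TargetDc already holds the role; nothing to do."
    return
}

# Step 1: graceful transfer only (same write as: admod -b "" becomedomainmaster::1).
try {
    $rootDse.Put('becomeDomainMaster', 1)
    $rootDse.SetInfo()
    Write-Host 'Transfer succeeded; no seizure needed.'
    return
}
catch {
    Write-Warning "Transfer failed: $($_.Exception.Message)"
}

# Step 2: seize only after a deliberate, typed confirmation.
$answer = Read-Host "Type SEIZE to force the role onto $TargetDc (anything else aborts)"
if ($answer -cne 'SEIZE') {
    Write-Host 'Aborted; fSMORoleOwner was not changed.'
    return
}

# Same write as the admod fsmoroleowner:: command against CN=Partitions.
$partitions.Put('fSMORoleOwner', $ntdsDn)
$partitions.SetInfo()
$partitions.psbase.RefreshCache()
Write-Host "Domain naming master is now: $([string]$partitions.fSMORoleOwner)"
```

Reading dsServiceName and configurationNamingContext from the target's RootDSE means the NTDS Settings DN does not have to be typed by hand, which removes one place for a slip during a site failure.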

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, February 13, 2006 5:09 AM
To: [email protected]
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Run the script on the DC that should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument. Make sure to adjust the script concerning the FSMO roles that should be seized/transferred.

--> Seize-Domain-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT

 

--> Seize-Forest-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming master" "Seize schema master" QUIT QUIT

 

--> Transfer-Domain-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT

 

--> Transfer-Forest-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema master" QUIT QUIT
 
 
cheers,
Jorge


From: [EMAIL PROTECTED] on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: [email protected]
Subject: [ActiveDir] Script to transfer FSMO roles.

Hi All,

Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?

What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure for activating a script on
the standby DC to seize the FSMO roles.


Site 1

1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC

Site 2

1 X DC Standby FSMO role holder, GC
1 X DC GC


Regards,
 
Simon
