Title: [ActiveDir] Script to transfer FSMO roles.
Having chatted offline on this topic, I'm reminded that it's worth mentioning an exception pertaining to the RID FSMO. Extensive state is maintained for this particular role, state which is sensitive and requires modification when the role is seized. Unfortunately, these modifications are handled client-side by NTDSUTIL (a mistake in my opinion); as such, any manual seizure of the RID Master should be either conducted using NTDSUTIL (again, in a controlled manner) or supplemented with the necessary RID allocation pool modifications.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com

http://msetechnology.com

 


From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 9:06 AM
To: Send - AD mailing list ([EMAIL PROTECTED])
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

A few thoughts --
 
I'm not entirely averse to the idea of throwing commands at NTDSUTIL and seizing roles (and relying upon the mandatory pre-emptive transfer attempt) but I prefer not to perform such actions when the capability to trap failures within a sequence of events is beyond my control, e.g. the transfer fails and the seize continues without confirmation or regard for my input.
 
Although I realize that your goal here is to seize a role, a single slip of the finger may inadvertently cause seizure to occur.  I would suggest scripting the operation to _manually_ attempt a transfer first, trap the error and confirm your intention to proceed with a seize (remains achievable with NTDSUTIL).  Of course, the implications of _not_ doing it this way are entirely dependent upon either or both the FSMO role in question and/or your particular infrastructure.
 
The commands below outline an alternative approach for attempting a FSMO transfer of the domain naming master -
 
admod -h <target DC FQDN> -b "" becomedomainmaster::1
 
... and the equivalent seizure -
 
admod -h <target DC FQDN> -b cn=partitions,cn=configuration,dc=<root DN> fsmoroleowner::"<NTDS Settings DN of recipient DC>"
 
... e.g. -
 
admod -h machine1.adcorp.lan -b cn=partitions,cn=configuration,dc=adcorp,dc=lan fsmoroleowner::"CN=NTDS Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAN"
 
This approach provides more control at the expense of requiring slightly more specific knowledge of the directory.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com

http://msetechnology.com
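
The transfer-first, confirm-before-seize sequence suggested in the message above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (which postdates this thread) instead of admod or NTDSUTIL; the script parameters and the Get-RoleOwner helper are hypothetical names, and the RID master is deliberately excluded because of the RID allocation pool caveat raised in the thread.

```powershell
# Added example: attempt a graceful transfer, trap the failure, and seize
# only after the operator explicitly confirms. Not code from the thread.
param(
    # DC that should receive the role (assumed parameter name).
    [Parameter(Mandatory)] [string] $TargetDC,
    # RIDMaster is intentionally not offered: see the RID pool caveat in the thread.
    [ValidateSet('DomainNamingMaster', 'SchemaMaster', 'PDCEmulator', 'InfrastructureMaster')]
    [string] $Role = 'DomainNamingMaster'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Hypothetical helper: report who the target DC believes owns the role.
function Get-RoleOwner([string] $Role, [string] $Server) {
    if ($Role -in 'DomainNamingMaster', 'SchemaMaster') {
        (Get-ADForest -Server $Server).$Role      # forest-wide roles
    } else {
        (Get-ADDomain -Server $Server).$Role      # domain-wide roles
    }
}

Write-Host "Owner of $Role as seen by ${TargetDC}: $(Get-RoleOwner $Role $TargetDC)"

try {
    # Step 1: graceful transfer. This needs the current owner to be reachable.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Role -Confirm:$false -ErrorAction Stop
    Write-Host "Transfer of $Role to $TargetDC succeeded."
}
catch {
    # Step 2: the failure is trapped here; nothing is seized automatically.
    Write-Warning "Transfer failed: $($_.Exception.Message)"
    $answer = Read-Host "Type '$Role' to SEIZE it onto $TargetDC (anything else aborts)"
    if ($answer -cne $Role) {
        Write-Host 'Aborted; no seizure performed.'
        exit 1
    }
    # Step 3: seizure, reached only after the operator typed the role name back.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Role -Force -Confirm:$false -ErrorAction Stop
    Write-Host "Seized $Role onto $TargetDC."
}

# Re-read the owner so the outcome is confirmed, not assumed.
Write-Host "Owner of $Role now: $(Get-RoleOwner $Role $TargetDC)"
```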

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, February 13, 2006 5:09 AM
To: [email protected]
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Run the script on the DC that should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument. Make sure to adjust the script concerning the FSMO roles that should be seized/transferred.

--> Seize-Domain-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT

 

--> Seize-Forest-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming master" "Seize schema master" QUIT QUIT

 

--> Transfer-Domain-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT

 

--> Transfer-Forest-FSMO-Roles.cmd

NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema master" QUIT QUIT
 
 
cheers,
Jorge


From: [EMAIL PROTECTED] on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: [email protected]
Subject: [ActiveDir] Script to transfer FSMO roles.

Hi All,

Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?

What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activating a script on
the standby DC to seize the FSMO roles.


Site 1

1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC

Site 2

1 X DC Standby FSMO role holder, GC
1 X DC GC


Regards,
 
Simon
