| Author | Messages | |
AD000001450
Posts:0
 | | 02/13/2006 9:53 AM |
| Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| dwells
Posts:53
| | 02/13/2006 2:08 AM |
| A few
thoughts --
I'm
not entirely adverse to the idea of throwing commands at NTDSUTIL and seizing
roles (and relying upon the mandatory pre-emptive transfer attempt) but I prefer
not to perform such actions when the capability to trap failures within a
sequence of events is beyond my control, e.g. the transfer fails and the
seize continues without confirmation or regard for my input.
Although I realize that your goal here is to seize a
role, a single slip of the finger may inadvertently cause seizure to
occur. I would suggest scripting the operation to _manually_ attempt a
transfer first, trap the error and confirm your intention to proceed with a
seize (remains achievable with NTDSUTIL). Of course, the implications of
_not_ doing it this way are entirely dependent upon either or both the FSMO
role in question and/or your particular infrastructure.
The
commands below outline an alternative approach for attempting a FSMO transfer of
the domain naming master -
admod
-h -b ""
becomedomainmaster::1
...
and the equivalent seizure -
admod
-h -b
cn=partitions,cn=configuration,dc= fsmoroleowner::""
...
e.g. -
admod
-h machine1.adcorp.lan -b cn=partitions,cn=configuration,dc=adcorp,dc=lan
fsmoroleowner::"CN=NTDS
Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAN"
This
approach provides more control at the expense of requiring slightly more
specific knowledge of the directory.
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
Jorge deSent: Monday, February 13, 2006 5:09 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to
transfer FSMO roles.
run the script on the DC that should host the FSMO
role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role
holder as an argument. Make sure to adjust the script concerning the FSMO roles
that should be seized/transfered
--> Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER
%COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize
PDC" QUIT QUIT
--> Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
domain naming master" "Seize schema master" QUIT QUIT
--> Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER
%COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master"
"Transfer PDC" QUIT QUIT
-->
Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO
SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema
master" QUIT QUIT
cheers,
Jorge
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on
behalf of Simon BembridgeSent: Mon 2006-02-13 10:52To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] Script to transfer
FSMO roles.
Hi All,Can somebody point me in the right direction as
to how to use a scriptedsolution for seizing the FSMO roles in case of a
site failure?What we have is a W2K3 Domain, with two core sites and 60
branch offices. Inthe case of site 1 failing we want a procedure of
activation a script so onthe standby DC to seize the FSMO
roles.Site 11 X DC Sch, Inf, DNM, PDC, GC1 X DC RID,
GCSite 21 X DC Standby FSMO role holder, GC1 X DC
GCRegards, SimonList info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use
by the intended recipient(s) only. It may contain proprietary material,
confidential information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any attachment
and all copies and inform the sender. Thank you. | | | |
| AD000001450
Posts:0
| | 02/13/2006 4:14 AM |
| Jorge,
Yes it is a test environment we will be doing it in. So much going on. Also
just a quick question, is there a Inbound - Outbound replication fresh hold
for a site bridgehead server?? I have read somewhere that it is 15? Not sure
how this has changed with R2 also as we are still awaiting the software to
install and trial.
Simon
_____
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
Jorge de
Sent: 13 February 2006 12:45
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Are you saying...."simulating the procedure in the production environment by
seizing the FSMO roles" ?
don't do that! use a test environment that is a correct representation of
the production environment to do your tests!
jorge
_____
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 13:26
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Jorge,
If we are simulating a DR scenario running the script on the backup FSMO
serve in site 2 will not be a problem??
Simon
_____
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
run the script on the DC that should host the FSMO role(s) or replace
%COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an
argument. Make sure to adjust the script concerning the FSMO roles that
should be seized/transfered
--> Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
--> Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
domain naming master" "Seize schema master" QUIT QUIT
--> Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer
infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT
--> Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer
domain naming master" "Transfer schema master" QUIT QUIT
cheers,
Jorge
_____
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
> | | | |
| dwells
Posts:53
| | 02/13/2006 6:57 AM |
| Having
chatted offline on this topic, I'm reminded that it's worth mentioning an
exception pertaining to the RID FSMO. Extensive state is maintained for
this particular role, state which is sensitive and requires modification when
the role is seized. Unfortunately, these modifications are handled
client-side by NTDSUTIL (a mistake in my opinion), as such, any manual seizure
of the RID Master should be either conducted using NTDSUTIL (again, in a
controlled manner) or supplemented with the necessary RID allocation pool
modifications.
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com
From: Dean Wells
[mailto:dwells@xxxxxxxxxxxxxxxxx] Sent: Monday, February 13, 2006
9:06 AMTo: Send - AD mailing list
(activedir@xxxxxxxxxxxxx)Subject: RE: [ActiveDir] Script to transfer
FSMO roles.
A few
thoughts --
I'm
not entirely adverse to the idea of throwing commands at NTDSUTIL and seizing
roles (and relying upon the mandatory pre-emptive transfer attempt) but I prefer
not to perform such actions when the capability to trap failures within a
sequence of events is beyond my control, e.g. the transfer fails and the
seize continues without confirmation or regard for my input.
Although I realize that your goal here is to seize a
role, a single slip of the finger may inadvertently cause seizure to
occur. I would suggest scripting the operation to _manually_ attempt a
transfer first, trap the error and confirm your intention to proceed with a
seize (remains achievable with NTDSUTIL). Of course, the implications of
_not_ doing it this way are entirely dependent upon either or both the FSMO
role in question and/or your particular infrastructure.
The
commands below outline an alternative approach for attempting a FSMO transfer of
the domain naming master -
admod
-h -b ""
becomedomainmaster::1
...
and the equivalent seizure -
admod
-h -b
cn=partitions,cn=configuration,dc= fsmoroleowner::""
...
e.g. -
admod
-h machine1.adcorp.lan -b cn=partitions,cn=configuration,dc=adcorp,dc=lan
fsmoroleowner::"CN=NTDS
Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAN"
This
approach provides more control at the expense of requiring slightly more
specific knowledge of the directory.
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
Jorge deSent: Monday, February 13, 2006 5:09 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to
transfer FSMO roles.
run the script on the DC that should host the FSMO
role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role
holder as an argument. Make sure to adjust the script concerning the FSMO roles
that should be seized/transfered
--> Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER
%COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize
PDC" QUIT QUIT
--> Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
domain naming master" "Seize schema master" QUIT QUIT
--> Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER
%COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master"
"Transfer PDC" QUIT QUIT
-->
Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO
SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema
master" QUIT QUIT
cheers,
Jorge
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on
behalf of Simon BembridgeSent: Mon 2006-02-13 10:52To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] Script to transfer
FSMO roles.
Hi All,Can somebody point me in the right direction as
to how to use a scriptedsolution for seizing the FSMO roles in case of a
site failure?What we have is a W2K3 Domain, with two core sites and 60
branch offices. Inthe case of site 1 failing we want a procedure of
activation a script so onthe standby DC to seize the FSMO
roles.Site 11 X DC Sch, Inf, DNM, PDC, GC1 X DC RID,
GCSite 21 X DC Standby FSMO role holder, GC1 X DC
GCRegards, SimonList info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use
by the intended recipient(s) only. It may contain proprietary material,
confidential information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any attachment
and all copies and inform the sender. Thank you. | | | |
| dwells
Posts:53
| | 02/13/2006 7:02 AM |
| Can
you elaborate on what you mean by "replication threshold" (or fresh hold if you
prefer ... gotta love spell checkers :o)?
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon
BembridgeSent: Monday, February 13, 2006 11:06 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to
transfer FSMO roles.
Jorge,
Yes it is a test
environment we will be doing it in. So much going on. Also just a quick
question, is there a Inbound “ Outbound replication fresh hold for a site
bridgehead server?? I have read somewhere that it is 15? Not sure how this has
changed with R2 also as we are still awaiting the software to install and
trial.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
12:45To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Are you
saying...."simulating the procedure in the production environment by seizing the
FSMO roles" ?
don't do that! use a test
environment that is a correct representation of the production environment to do
your tests!
jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 13:26To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
If
we are simulating a DR scenario running the script on the backup FSMO serve in
site 2 will not be a problem??
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
10:09To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
run the script on the DC that
should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name
of the new FSMO role holder as an argument. Make sure to adjust the script
concerning the FSMO roles that should be
seized/transfered
-->
Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID
master" "Seize PDC" QUIT QUIT
-->
Seize-Forest-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming
master" "Seize schema master" QUIT QUIT
-->
Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master"
"Transfer RID master" "Transfer PDC" QUIT QUIT
-->
Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master"
"Transfer schema master" QUIT QUIT
cheers,
Jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 10:52To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] Script to transfer
FSMO roles.
Hi
All,Can somebody point me in the right direction as to how to use a
scriptedsolution for seizing the FSMO roles in case of a site
failure?What we have is a W2K3 Domain, with two core sites and 60 branch
offices. Inthe case of site 1 failing we want a procedure of activation a
script so onthe standby DC to seize the FSMO roles.Site
11 X DC Sch, Inf, DNM, PDC, GC1 X DC RID, GCSite 21
X DC Standby FSMO role holder, GC1 X DC
GCRegards, SimonList info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use
by the intended recipient(s) only. It may contain proprietary material,
confidential information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any attachment
and all copies and inform the sender. Thank you. | | | |
| AD000001450
Posts:0
| | 02/13/2006 8:08 AM |
| Yep I love spell checker, also have four
kids running around the house at the moment ready for a pig out at TGI™s.
I do not know why but I am sure I read somewhere that a bridgehead server had a
threshold of 15 inbound replication partners. We have two core sites with 2 x
DC in both and around 64 branch offices. We were going to let the KCC sort it
all out for us but just have this niggling doubt about the 15 limit I am sure I
read or dreamt somewhere.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Dean Wells
Sent: 13 February 2006 18:58
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Can you elaborate on what you mean by
"replication threshold" (or fresh hold if you prefer ... gotta love
spell checkers :o)?
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006
11:06 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Jorge,
Yes it is a test environment we will be doing
it in. So much going on. Also just a quick question, is there a Inbound “
Outbound replication fresh hold for a site bridgehead server?? I have read
somewhere that it is 15? Not sure how this has changed with R2 also as we are
still awaiting the software to install and trial.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 12:45
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Are you
saying...."simulating the procedure in the production environment by
seizing the FSMO roles" ?
don't do that! use a test environment that is a correct
representation of the production environment to do your tests!
jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 13:26
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Jorge,
If we
are simulating a DR scenario running the script on the backup FSMO serve in
site 2 will not be a problem??
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
run
the script on the DC that should host the FSMO role(s) or replace
%COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument.
Make sure to adjust the script concerning the FSMO roles that should be
seized/transfered
-->
Seize-Domain-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
infrastructure master" "Seize RID master" "Seize PDC"
QUIT QUIT
-->
Seize-Forest-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
domain naming master" "Seize schema master" QUIT QUIT
-->
Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
"Transfer infrastructure master" "Transfer RID master"
"Transfer PDC" QUIT QUIT
--> Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER
%COMPUTERNAME%" QUIT "Transfer domain naming master"
"Transfer schema master" QUIT QUIT
cheers,
Jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to
transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This
e-mail and any attachment is for authorised use by the intended recipient(s)
only. It may contain proprietary material, confidential information and/or be
subject to legal privilege. It should not be copied, disclosed to, retained or
used by, any other party. If you are not an intended recipient then please
promptly delete this e-mail and any attachment and all copies and inform the
sender. Thank you. | | | |
| dwells
Posts:53
| | 02/13/2006 8:47 AM |
| Not
that's springing to mind. Some related thoughts -
*
inbound replication is single threaded (i.e. no concurrency limitation is
required)
* in
2k, 15 mins. represented the anticipated end-to-end replication within a
site
* the
KCC in 2k3 is capable of load-balancing bridgeheads
* the
min. polled replication interval between DCs in different sites is 15
mins.
* the
KCC in 2k is limited; assuming ((domain+1) *
sites^2) --Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon
BembridgeSent: Monday, February 13, 2006 3:04 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to
transfer FSMO roles.
Yep I love spell
checker, also have four kids running around the house at the moment ready for a
pig out at TGI™s. I do not know why but I am sure I read somewhere that a
bridgehead server had a threshold of 15 inbound replication partners. We have
two core sites with 2 x DC in both and around 64 branch offices. We were going
to let the KCC sort it all out for us but just have this niggling doubt about
the 15 limit I am sure I read or dreamt somewhere.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Dean
WellsSent: 13 February 2006
18:58To: Send - AD mailing
listSubject: RE: [ActiveDir]
Script to transfer FSMO roles.
Can you elaborate on
what you mean by "replication threshold" (or fresh hold if you prefer ... gotta
love spell checkers :o)?
--Dean
WellsMSEtechnology* Email: dwells@xxxxxxxxxxxxxxxxxhttp://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Simon
BembridgeSent: Monday,
February 13, 2006 11:06 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
Yes it is a test
environment we will be doing it in. So much going on. Also just a quick
question, is there a Inbound “ Outbound replication fresh hold for a site
bridgehead server?? I have read somewhere that it is 15? Not sure how this has
changed with R2 also as we are still awaiting the software to install and
trial.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
12:45To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Are you
saying...."simulating the procedure in the production environment by seizing the
FSMO roles" ?
don't do that! use a test
environment that is a correct representation of the production environment to do
your tests!
jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 13:26To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
If
we are simulating a DR scenario running the script on the backup FSMO serve in
site 2 will not be a problem??
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
10:09To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
run the script on the DC that
should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name
of the new FSMO role holder as an argument. Make sure to adjust the script
concerning the FSMO roles that should be
seized/transfered
-->
Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID
master" "Seize PDC" QUIT QUIT
-->
Seize-Forest-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming
master" "Seize schema master" QUIT QUIT
-->
Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master"
"Transfer RID master" "Transfer PDC" QUIT QUIT
-->
Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master"
"Transfer schema master" QUIT QUIT
cheers,
Jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 10:52To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] Script to transfer
FSMO roles.
Hi
All,Can somebody point me in the right direction as to how to use a
scriptedsolution for seizing the FSMO roles in case of a site
failure?What we have is a W2K3 Domain, with two core sites and 60 branch
offices. Inthe case of site 1 failing we want a procedure of activation a
script so onthe standby DC to seize the FSMO roles.Site
11 X DC Sch, Inf, DNM, PDC, GC1 X DC RID, GCSite 21
X DC Standby FSMO role holder, GC1 X DC
GCRegards, SimonList info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is
for authorised use by the intended recipient(s) only. It may contain proprietary
material, confidential information and/or be subject to legal privilege. It
should not be copied, disclosed to, retained or used by, any other party. If you
are not an intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank
you. | | | |
| AD000001450
Posts:0
| | 02/13/2006 10:04 AM |
| Dean
All sounds good. We are creating a single
domain, two core main sites with around 60 branch office world wide. Each core
site has 2 X DC, will be W2K3 R2 once we get are heads around the new product.
At first we are working with W2K3 SP1. DC will be Server Standard, Exch W2K3. A
bit of citrix, and unix (Vintela for SSO) lots to think about. We are just
doing a bit of AD proving at the moment and I will write up the FSMO
transfer/seizure scenarios.
Is their any really advantage over the
server additions :- Standard vs Enterprise.
My feeling and what I have seen in the
past, that standard fits the build for a DC build.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Dean Wells
Sent: 13 February 2006 20:38
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Not that's springing to mind. Some
related thoughts -
* inbound replication is single threaded
(i.e. no concurrency limitation is required)
* in 2k, 15 mins. represented the
anticipated end-to-end replication within a site
* the KCC in 2k3 is capable of
load-balancing bridgeheads
* the min. polled replication interval
between DCs in different sites is 15 mins.
* the KCC in 2k is limited; assuming
((domain+1) * sites^2) * the KCC in 2k3 is also limited but to a
lesser extent; assuming ((domain+1) * sites)
Assuming you have a single domain (or less
than ~10 total domain & app. partitions combined), both Windows 2000 and
Windows 2003 KCC/ISTGs will more than suffice.
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006
3:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Yep I love spell checker, also have four
kids running around the house at the moment ready for a pig out at TGI™s.
I do not know why but I am sure I read somewhere that a bridgehead server had a
threshold of 15 inbound replication partners. We have two core sites with 2 x
DC in both and around 64 branch offices. We were going to let the KCC sort it
all out for us but just have this niggling doubt about the 15 limit I am sure I
read or dreamt somewhere.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Dean Wells
Sent: 13 February 2006 18:58
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Can you elaborate on what you mean by
"replication threshold" (or fresh hold if you prefer ... gotta love
spell checkers :o)?
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006
11:06 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Jorge,
Yes it is a test environment we will be
doing it in. So much going on. Also just a quick question, is there a Inbound
“ Outbound replication fresh hold for a site bridgehead server?? I have
read somewhere that it is 15? Not sure how this has changed with R2 also as we
are still awaiting the software to install and trial.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 12:45
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Are you
saying...."simulating the procedure in the production environment by
seizing the FSMO roles" ?
don't do that! use a test environment that is a correct
representation of the production environment to do your tests!
jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 13:26
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
Jorge,
If we
are simulating a DR scenario running the script on the backup FSMO serve in
site 2 will not be a problem??
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to
transfer FSMO roles.
run
the script on the DC that should host the FSMO role(s) or replace
%COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an
argument. Make sure to adjust the script concerning the FSMO roles that should
be seized/transfered
-->
Seize-Domain-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
infrastructure master" "Seize RID master" "Seize PDC"
QUIT QUIT
-->
Seize-Forest-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
domain naming master" "Seize schema master" QUIT QUIT
-->
Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
"Transfer infrastructure master" "Transfer RID master"
"Transfer PDC" QUIT QUIT
--> Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER
%COMPUTERNAME%" QUIT "Transfer domain naming master"
"Transfer schema master" QUIT QUIT
cheers,
Jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to
transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This
e-mail and any attachment is for authorised use by the intended recipient(s)
only. It may contain proprietary material, confidential information and/or be
subject to legal privilege. It should not be copied, disclosed to, retained or
used by, any other party. If you are not an intended recipient then please
promptly delete this e-mail and any attachment and all copies and inform the
sender. Thank you. | | | |
| ZJORZ
Posts:389
| | 02/13/2006 10:14 AM |
| --> Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
--> Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming master" "Seize schema master" QUIT QUIT
--> Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT
--> Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema master" QUIT QUIT
cheers,
Jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
> | | | |
| dwells
Posts:53
| | 02/13/2006 10:21 AM |
| Great,
sounds like you're good to go!
Re:
W2K3 Standard vs. Enterprise: there's a mass of information concerning the
feature differences and supported hardware, the following is as good a place as
any to start -
http://www.microsoft.com/windowsserver2003/default.mspx
I have
no concerns using Standard edition for DCs, I don't see it too often since the
majority of my customers are licensed up the wazoo and use whatever ISO they
stumble across first :o)
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon
BembridgeSent: Monday, February 13, 2006 5:02 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to
transfer FSMO roles.
Dean
All sounds good. We are
creating a single domain, two core main sites with around 60 branch office world
wide. Each core site has 2 X DC, will be W2K3 R2 once we get are heads around
the new product. At first we are working with W2K3 SP1. DC will be Server
Standard, Exch W2K3. A bit of citrix, and unix (Vintela for SSO) lots to think
about. We are just doing a bit of AD proving at the moment and I will write up
the FSMO transfer/seizure scenarios.
Is their any really
advantage over the server additions :- Standard vs Enterprise.
My feeling and what I
have seen in the past, that standard fits the build for a DC build.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Dean
WellsSent: 13 February 2006
20:38To: Send - AD mailing
listSubject: RE: [ActiveDir]
Script to transfer FSMO roles.
Not that's springing to
mind. Some related thoughts -
* inbound replication
is single threaded (i.e. no concurrency limitation is
required)
* in 2k, 15 mins.
represented the anticipated end-to-end replication within a
site
* the KCC in 2k3 is
capable of load-balancing bridgeheads
* the min. polled
replication interval between DCs in different sites is 15
mins.
* the KCC in 2k is
limited; assuming ((domain+1) * sites^2)
* the KCC in 2k3 is
also limited but to a lesser extent; assuming ((domain+1) * sites)
Assuming you have a
single domain (or less than ~10 total domain & app. partitions combined),
both Windows 2000 and Windows 2003 KCC/ISTGs will more than
suffice.
--Dean
WellsMSEtechnology* Email: dwells@xxxxxxxxxxxxxxxxxhttp://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Simon
BembridgeSent: Monday,
February 13, 2006 3:04 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Yep I love spell
checker, also have four kids running around the house at the moment ready for a
pig out at TGI™s. I do not know why but I am sure I read somewhere that a
bridgehead server had a threshold of 15 inbound replication partners. We have
two core sites with 2 x DC in both and around 64 branch offices. We were going
to let the KCC sort it all out for us but just have this niggling doubt about
the 15 limit I am sure I read or dreamt somewhere.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Dean
WellsSent: 13 February 2006
18:58To: Send - AD mailing
listSubject: RE: [ActiveDir]
Script to transfer FSMO roles.
Can you elaborate on
what you mean by "replication threshold" (or fresh hold if you prefer ... gotta
love spell checkers :o)?
--Dean
WellsMSEtechnology* Email: dwells@xxxxxxxxxxxxxxxxxhttp://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Simon
BembridgeSent: Monday,
February 13, 2006 11:06 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
Yes it is a test
environment we will be doing it in. So much going on. Also just a quick
question, is there a Inbound “ Outbound replication fresh hold for a site
bridgehead server?? I have read somewhere that it is 15? Not sure how this has
changed with R2 also as we are still awaiting the software to install and
trial.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
12:45To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Are you
saying...."simulating the procedure in the production environment by seizing the
FSMO roles" ?
don't do that! use a test
environment that is a correct representation of the production environment to do
your tests!
jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 13:26To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
If
we are simulating a DR scenario running the script on the backup FSMO serve in
site 2 will not be a problem??
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
10:09To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
run the script on the DC that
should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name
of the new FSMO role holder as an argument. Make sure to adjust the script
concerning the FSMO roles that should be
seized/transfered
-->
Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID
master" "Seize PDC" QUIT QUIT
-->
Seize-Forest-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming
master" "Seize schema master" QUIT QUIT
-->
Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master"
"Transfer RID master" "Transfer PDC" QUIT QUIT
-->
Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master"
"Transfer schema master" QUIT QUIT
cheers,
Jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 10:52To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] Script to transfer
FSMO roles.
Hi
All,Can somebody point me in the right direction as to how to use a
scriptedsolution for seizing the FSMO roles in case of a site
failure?What we have is a W2K3 Domain, with two core sites and 60 branch
offices. Inthe case of site 1 failing we want a procedure of activation a
script so onthe standby DC to seize the FSMO roles.Site
11 X DC Sch, Inf, DNM, PDC, GC1 X DC RID, GCSite 21
X DC Standby FSMO role holder, GC1 X DC
GCRegards, SimonList info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is
for authorised use by the intended recipient(s) only. It may contain proprietary
material, confidential information and/or be subject to legal privilege. It
should not be copied, disclosed to, retained or used by, any other party. If you
are not an intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank
you. | | | |
| AD000001450
Posts:0
| | 02/13/2006 12:28 PM |
| Jorge,
If we are simulating a DR scenario running the script on the backup FSMO
serve in site 2 will not be a problem??
Simon
_____
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
run the script on the DC that should host the FSMO role(s) or replace
%COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an
argument. Make sure to adjust the script concerning the FSMO roles that
should be seized/transfered
--> Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
--> Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
domain naming master" "Seize schema master" QUIT QUIT
--> Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer
infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT
--> Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer
domain naming master" "Transfer schema master" QUIT QUIT
cheers,
Jorge
_____
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
> | | | |
| ZJORZ
Posts:389
| | 02/13/2006 12:48 PM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 13:26
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Jorge,
If we are simulating a DR scenario running the script on the backup FSMO serve in site 2 will not be a problem??
Simon
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
run the script on the DC that should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument. Make sure to adjust the script concerning the FSMO roles that should be seized/transfered
--> Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
--> Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming master" "Seize schema master" QUIT QUIT
--> Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT
--> Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema master" QUIT QUIT
cheers,
Jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted
solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
the case of site 1 failing we want a procedure of activation a script so on
the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
> | | | |
| dwells
Posts:53
| | 02/15/2006 3:43 AM |
| Inline ...
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxx
Sent: Tuesday, February 14, 2006 7:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>> That is not true, the schema and naming FSMOs also have extensive state
that is sensitive and critical, however the frequency of the updates is
significantly less, and thus less likely to cause an issue.
- what's not true .. yes it is? :o)
- schema FSMO, domain naming FSMO -- state? I guess this is a matter of
perspective then ... personally, I don't consider an entire partition to be
state (or a crossRef or an NC head or ...), they are IMO the result of a
mostly controlled, single-mastered update not the state of the role holder
that introduced the change(s). State, in this context, defines something
particular to the role that indicates its position within a sequence of
events ... or knowledge of what it did last time ... or information relevant
to "what to do next" ... or ...
>> Having personally been on PSS cases for people who've f-d up thier
forest, because they didn't understand the concept of the F-Single-Master-O
- nod, I imagine many have a sadly similar experience.
>> and which data each is responsible for, I do not recommend seizing any
roles except one.
- neither do I ... but the need does arise (seizing I mean). That's not to
say I advocate scripting it (per my original post) though scripting a
transfer has, to date, been a non-issue.
>> It is not good to conflict the NCs, hard to undo, and even worse to
conflict the schema.
- good point, most (including the relatively inexperienced) are aware of
this (I hope).
>>If you're a novice, here is what you should remember, IMNHO
>> - Only the PDC is safe for seizing.
- don't agree, for example -
: think impact on BDCs ... they do still exist
: timesync; most will forget the necessary reconfiguration
: AOB
>> - The infrastructure master is probably safe (I've never
>> really thought it through enough to vouch for it).
- I've seized it often (under test conditions) and occasionally in
production = no problems or observed side effects of any kind.
- Seizing any other role is a complicate process that will require
learning of some DS internals, and a few steps.
The process for seizure, should be
A) Understand what data that FSMO owns, and think carefully if
ANYONE has updated that data on a DC that is somehow
unavailable to the forest at this moment, and could be brought
back to the forest?
a. If it could be brought back, you must then decide to not
bring it back _EVER_, destroy the DC before seizure. Or
bring it back and let it's changes replicate out.
B) By seizing you can break the F-Single-Master-O model, and
effectively have the potential to multi-mastered the data on
more than one DCs, conflicting the data in a very bad way...
C) Run repadmin /syncall
to guarantee your forest has a consistent view of the data in
question you want to seize.
D) Finally perform the seizure, don't use a script, don't temp
yourself with it. Use ntdsutil / dsmgmt.
E) Finally, evaluate what you did to cause this seizure? Did you
take down a box without properly demoting it? Institute an
IT policy that allows for that mistake never to happen again,
seizures should not be a part of any IT operation, unless you
experienced critical hardware failure.
>> Dean is right, it's the wrong place to fixup RID seizure in ntdsutil
though, but I also think an LDAP modification performing a seizure, and a
LDAP control for performing the more common transfer is ass backwards as
well, so what do I know.
- the seizure approach is odd IMO though the transfer approach makes sense
(at least to me). I would also very much like to see all necessary related
directory mods. made server-side.
I wrote this mail in a hurry, so didn't proof it, probably mistakes ...
BrettSh [msft]
Building #7 Garage Door Operator
On Mon, 13 Feb 2006, Dean Wells wrote:
> Having chatted offline on this topic, I'm reminded that it's worth
> mentioning an exception pertaining to the RID FSMO. Extensive state
> is maintained for this particular role, state which is sensitive and
> requires modification when the role is seized. Unfortunately, these
> modifications are handled client-side by NTDSUTIL (a mistake in my
> opinion), as such, any manual seizure of the RID Master should be
> either conducted using NTDSUTIL (again, in a controlled manner) or
> supplemented with the necessary RID allocation pool modifications.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells @msetechnology.com
> http://msetechnology.com
>
>
>
> _____
>
> From: Dean Wells [mailto:dwells@xxxxxxxxxxxxxxxxx]
> Sent: Monday, February 13, 2006 9:06 AM
> To: Send - AD mailing list (activedir@xxxxxxxxxxxxx)
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>
>
> A few thoughts --
>
> I'm not entirely adverse to the idea of throwing commands at NTDSUTIL
> and seizing roles (and relying upon the mandatory pre-emptive transfer
> attempt) but I prefer not to perform such actions when the capability
> to trap failures within a sequence of events is beyond my control,
> e.g. the transfer fails and the seize continues without confirmation or
regard for my input.
>
> Although I realize that your goal here is to seize a role, a single
> slip of the finger may inadvertently cause seizure to occur. I would
> suggest scripting the operation to _manually_ attempt a transfer
> first, trap the error and confirm your intention to proceed with a
> seize (remains achievable with NTDSUTIL). Of course, the implications
> of _not_ doing it this way are entirely dependent upon either or both
> the FSMO role in question and/or your particular infrastructure.
>
> The commands below outline an alternative approach for attempting a
> FSMO transfer of the domain naming master -
>
> admod -h -b "" becomedomainmaster::1
>
> ... and the equivalent seizure -
>
> admod -h -b cn=partitions,cn=configuration,dc= DN> fsmoroleowner::""
>
> ... e.g. -
>
> admod -h machine1.adcorp.lan -b
> cn=partitions,cn=configuration,dc=adcorp,dc=lan
> fsmoroleowner::"CN=NTDS
> Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
> =Confi
> guration,DC=ADCORP,DC=LAN"
>
> This approach provides more control at the expense of requiring
> slightly more specific knowledge of the directory.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells @msetechnology.com
> http://msetechnology.com
>
>
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida
> Pinto, Jorge de
> Sent: Monday, February 13, 2006 5:09 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>
>
>
> run the script on the DC that should host the FSMO role(s) or replace
> %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as
> an argument. Make sure to adjust the script concerning the FSMO roles
> that should be seized/transfered
>
> --> Seize-Domain-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
>
>
>
> --> Seize-Forest-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Seize domain naming master" "Seize schema master" QUIT QUIT
>
>
>
> --> Transfer-Domain-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Transfer infrastructure master" "Transfer RID master" "Transfer PDC"
> QUIT QUIT
>
>
>
> --> Transfer-Forest-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Transfer domain naming master" "Transfer schema master" QUIT QUIT
>
>
> cheers,
> Jorge
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
> Sent: Mon 2006-02-13 10:52
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Script to transfer FSMO roles.
>
>
>
> Hi All,
>
> Can somebody point me in the right direction as to how to use a
> scripted solution for seizing the FSMO roles in case of a site failure?
>
> What we have is a W2K3 Domain, with two core sites and 60 branch
> offices. In the case of site 1 failing we want a procedure of
> activation a script so on the standby DC to seize the FSMO roles.
>
>
> Site 1
>
> 1 X DC Sch, Inf, DNM, PDC, GC
> 1 X DC RID, GC
>
> Site 2
>
> 1 X DC Standby FSMO role holder, GC
> 1 X DC GC
>
>
> Regards,
>
> Simon
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
> copied, disclosed to, retained or used by, any other party. If you are
> not an intended recipient then please promptly delete this e-mail and
> any attachment and all copies and inform the sender. Thank you.
>
>
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| dwells
Posts:53
| | 02/15/2006 3:56 AM |
| In hindsight, the same is true of the PDC regardless of whether it is seized
or transferred so that's somewhat moot ... my scotch = my bad :O)
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Dean Wells
Sent: Tuesday, February 14, 2006 10:41 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Inline ...
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxx
Sent: Tuesday, February 14, 2006 7:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>> That is not true, the schema and naming FSMOs also have extensive
>> state
that is sensitive and critical, however the frequency of the updates is
significantly less, and thus less likely to cause an issue.
- what's not true .. yes it is? :o)
- schema FSMO, domain naming FSMO -- state? I guess this is a matter of
perspective then ... personally, I don't consider an entire partition to be
state (or a crossRef or an NC head or ...), they are IMO the result of a
mostly controlled, single-mastered update not the state of the role holder
that introduced the change(s). State, in this context, defines something
particular to the role that indicates its position within a sequence of
events ... or knowledge of what it did last time ... or information relevant
to "what to do next" ... or ...
>> Having personally been on PSS cases for people who've f-d up thier
forest, because they didn't understand the concept of the F-Single-Master-O
- nod, I imagine many have a sadly similar experience.
>> and which data each is responsible for, I do not recommend seizing
>> any
roles except one.
- neither do I ... but the need does arise (seizing I mean). That's not to
say I advocate scripting it (per my original post) though scripting a
transfer has, to date, been a non-issue.
>> It is not good to conflict the NCs, hard to undo, and even worse to
conflict the schema.
- good point, most (including the relatively inexperienced) are aware of
this (I hope).
>>If you're a novice, here is what you should remember, IMNHO
>> - Only the PDC is safe for seizing.
- don't agree, for example -
: think impact on BDCs ... they do still exist
: timesync; most will forget the necessary reconfiguration
: AOB
>> - The infrastructure master is probably safe (I've never
>> really thought it through enough to vouch for it).
- I've seized it often (under test conditions) and occasionally in
production = no problems or observed side effects of any kind.
- Seizing any other role is a complicate process that will require
learning of some DS internals, and a few steps.
The process for seizure, should be
A) Understand what data that FSMO owns, and think carefully if
ANYONE has updated that data on a DC that is somehow
unavailable to the forest at this moment, and could be brought
back to the forest?
a. If it could be brought back, you must then decide to not
bring it back _EVER_, destroy the DC before seizure. Or
bring it back and let it's changes replicate out.
B) By seizing you can break the F-Single-Master-O model, and
effectively have the potential to multi-mastered the data on
more than one DCs, conflicting the data in a very bad way...
C) Run repadmin /syncall
to guarantee your forest has a consistent view of the data in
question you want to seize.
D) Finally perform the seizure, don't use a script, don't temp
yourself with it. Use ntdsutil / dsmgmt.
E) Finally, evaluate what you did to cause this seizure? Did you
take down a box without properly demoting it? Institute an
IT policy that allows for that mistake never to happen again,
seizures should not be a part of any IT operation, unless you
experienced critical hardware failure.
>> Dean is right, it's the wrong place to fixup RID seizure in ntdsutil
though, but I also think an LDAP modification performing a seizure, and a
LDAP control for performing the more common transfer is ass backwards as
well, so what do I know.
- the seizure approach is odd IMO though the transfer approach makes sense
(at least to me). I would also very much like to see all necessary related
directory mods. made server-side.
I wrote this mail in a hurry, so didn't proof it, probably mistakes ...
BrettSh [msft]
Building #7 Garage Door Operator
On Mon, 13 Feb 2006, Dean Wells wrote:
> Having chatted offline on this topic, I'm reminded that it's worth
> mentioning an exception pertaining to the RID FSMO. Extensive state
> is maintained for this particular role, state which is sensitive and
> requires modification when the role is seized. Unfortunately, these
> modifications are handled client-side by NTDSUTIL (a mistake in my
> opinion), as such, any manual seizure of the RID Master should be
> either conducted using NTDSUTIL (again, in a controlled manner) or
> supplemented with the necessary RID allocation pool modifications.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells @msetechnology.com
> http://msetechnology.com
>
>
>
> _____
>
> From: Dean Wells [mailto:dwells@xxxxxxxxxxxxxxxxx]
> Sent: Monday, February 13, 2006 9:06 AM
> To: Send - AD mailing list (activedir@xxxxxxxxxxxxx)
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>
>
> A few thoughts --
>
> I'm not entirely adverse to the idea of throwing commands at NTDSUTIL
> and seizing roles (and relying upon the mandatory pre-emptive transfer
> attempt) but I prefer not to perform such actions when the capability
> to trap failures within a sequence of events is beyond my control,
> e.g. the transfer fails and the seize continues without confirmation
> or
regard for my input.
>
> Although I realize that your goal here is to seize a role, a single
> slip of the finger may inadvertently cause seizure to occur. I would
> suggest scripting the operation to _manually_ attempt a transfer
> first, trap the error and confirm your intention to proceed with a
> seize (remains achievable with NTDSUTIL). Of course, the implications
> of _not_ doing it this way are entirely dependent upon either or both
> the FSMO role in question and/or your particular infrastructure.
>
> The commands below outline an alternative approach for attempting a
> FSMO transfer of the domain naming master -
>
> admod -h -b "" becomedomainmaster::1
>
> ... and the equivalent seizure -
>
> admod -h -b cn=partitions,cn=configuration,dc= DN> fsmoroleowner::""
>
> ... e.g. -
>
> admod -h machine1.adcorp.lan -b
> cn=partitions,cn=configuration,dc=adcorp,dc=lan
> fsmoroleowner::"CN=NTDS
> Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
> =Confi
> guration,DC=ADCORP,DC=LAN"
>
> This approach provides more control at the expense of requiring
> slightly more specific knowledge of the directory.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells @msetechnology.com
> http://msetechnology.com
>
>
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida
> Pinto, Jorge de
> Sent: Monday, February 13, 2006 5:09 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>
>
>
> run the script on the DC that should host the FSMO role(s) or replace
> %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as
> an argument. Make sure to adjust the script concerning the FSMO roles
> that should be seized/transfered
>
> --> Seize-Domain-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
>
>
>
> --> Seize-Forest-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Seize domain naming master" "Seize schema master" QUIT QUIT
>
>
>
> --> Transfer-Domain-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Transfer infrastructure master" "Transfer RID master" "Transfer PDC"
> QUIT QUIT
>
>
>
> --> Transfer-Forest-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT
> "Transfer domain naming master" "Transfer schema master" QUIT QUIT
>
>
> cheers,
> Jorge
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
> Sent: Mon 2006-02-13 10:52
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Script to transfer FSMO roles.
>
>
>
> Hi All,
>
> Can somebody point me in the right direction as to how to use a
> scripted solution for seizing the FSMO roles in case of a site failure?
>
> What we have is a W2K3 Domain, with two core sites and 60 branch
> offices. In the case of site 1 failing we want a procedure of
> activation a script so on the standby DC to seize the FSMO roles.
>
>
> Site 1
>
> 1 X DC Sch, Inf, DNM, PDC, GC
> 1 X DC RID, GC
>
> Site 2
>
> 1 X DC Standby FSMO role holder, GC
> 1 X DC GC
>
>
> Regards,
>
> Simon
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
> copied, disclosed to, retained or used by, any other party. If you are
> not an intended recipient then please promptly delete this e-mail and
> any attachment and all copies and inform the sender. Thank you.
>
>
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| GuidoG
Posts:114
| | 02/15/2006 8:04 AM |
| check out the thread on "W2K3 Std. vs. Ent. for DCs /
x64"
=> Std. Edition is usually fine; mostly depends on your
memory requirements for caching the DIT (AD Database) - best to go directly
to Win2003x64 (especially if you happen to rollout new HW)
/Guido
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon
BembridgeSent: Montag, 13. Februar 2006 23:02To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to
transfer FSMO roles.
Dean
All sounds good. We are
creating a single domain, two core main sites with around 60 branch office world
wide. Each core site has 2 X DC, will be W2K3 R2 once we get are heads around
the new product. At first we are working with W2K3 SP1. DC will be Server
Standard, Exch W2K3. A bit of citrix, and unix (Vintela for SSO) lots to think
about. We are just doing a bit of AD proving at the moment and I will write up
the FSMO transfer/seizure scenarios.
Is their any really
advantage over the server additions :- Standard vs Enterprise.
My feeling and what I
have seen in the past, that standard fits the build for a DC build.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Dean
WellsSent: 13 February 2006
20:38To: Send - AD mailing
listSubject: RE: [ActiveDir]
Script to transfer FSMO roles.
Not that's springing to
mind. Some related thoughts -
* inbound replication
is single threaded (i.e. no concurrency limitation is
required)
* in 2k, 15 mins.
represented the anticipated end-to-end replication within a
site
* the KCC in 2k3 is
capable of load-balancing bridgeheads
* the min. polled
replication interval between DCs in different sites is 15
mins.
* the KCC in 2k is
limited; assuming ((domain+1) * sites^2)
* the KCC in 2k3 is
also limited but to a lesser extent; assuming ((domain+1) * sites)
Assuming you have a
single domain (or less than ~10 total domain & app. partitions combined),
both Windows 2000 and Windows 2003 KCC/ISTGs will more than
suffice.
--Dean
WellsMSEtechnology* Email: dwells@xxxxxxxxxxxxxxxxxhttp://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Simon
BembridgeSent: Monday,
February 13, 2006 3:04 PMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Yep I love spell
checker, also have four kids running around the house at the moment ready for a
pig out at TGI™s. I do not know why but I am sure I read somewhere that a
bridgehead server had a threshold of 15 inbound replication partners. We have
two core sites with 2 x DC in both and around 64 branch offices. We were going
to let the KCC sort it all out for us but just have this niggling doubt about
the 15 limit I am sure I read or dreamt somewhere.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Dean
WellsSent: 13 February 2006
18:58To: Send - AD mailing
listSubject: RE: [ActiveDir]
Script to transfer FSMO roles.
Can you elaborate on
what you mean by "replication threshold" (or fresh hold if you prefer ... gotta
love spell checkers :o)?
--Dean
WellsMSEtechnology* Email: dwells@xxxxxxxxxxxxxxxxxhttp://msetechnology.com
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Simon
BembridgeSent: Monday,
February 13, 2006 11:06 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
Yes it is a test
environment we will be doing it in. So much going on. Also just a quick
question, is there a Inbound “ Outbound replication fresh hold for a site
bridgehead server?? I have read somewhere that it is 15? Not sure how this has
changed with R2 also as we are still awaiting the software to install and
trial.
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
12:45To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Are you
saying...."simulating the procedure in the production environment by seizing the
FSMO roles" ?
don't do that! use a test
environment that is a correct representation of the production environment to do
your tests!
jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 13:26To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
Jorge,
If
we are simulating a DR scenario running the script on the backup FSMO serve in
site 2 will not be a problem??
Simon
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Almeida Pinto, Jorge
deSent: 13 February 2006
10:09To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Script to transfer
FSMO roles.
run the script on the DC that
should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name
of the new FSMO role holder as an argument. Make sure to adjust the script
concerning the FSMO roles that should be
seized/transfered
-->
Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID
master" "Seize PDC" QUIT QUIT
-->
Seize-Forest-FSMO-Roles.cmd
NTDSUTIL
ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming
master" "Seize schema master" QUIT QUIT
-->
Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master"
"Transfer RID master" "Transfer PDC" QUIT QUIT
-->
Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS
"CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master"
"Transfer schema master" QUIT QUIT
cheers,
Jorge
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon BembridgeSent: Mon 2006-02-13 10:52To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: [ActiveDir] Script to transfer
FSMO roles.
Hi
All,Can somebody point me in the right direction as to how to use a
scriptedsolution for seizing the FSMO roles in case of a site
failure?What we have is a W2K3 Domain, with two core sites and 60 branch
offices. Inthe case of site 1 failing we want a procedure of activation a
script so onthe standby DC to seize the FSMO roles.Site
11 X DC Sch, Inf, DNM, PDC, GC1 X DC RID, GCSite 21
X DC Standby FSMO role holder, GC1 X DC
GCRegards, SimonList info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is
for authorised use by the intended recipient(s) only. It may contain proprietary
material, confidential information and/or be subject to legal privilege. It
should not be copied, disclosed to, retained or used by, any other party. If you
are not an intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank
you. | | | |
| activedirsmaporg
Posts:0
| | 02/15/2006 12:58 PM |
| That is not true, the schema and naming FSMOs also have extensive state
that is sensitive and critical, however the frequency of the updates is
significantly less, and thus less likely to cause an issue.
Having personally been on PSS cases for people who've f-d up thier forest,
because they didn't understand the concept of the F-Single-Master-O, and
which data each is responsible for, I do not recommend seizing any roles
except one. It is not good to conflict the NCs, hard to undo, and even
worse to conflict the schema.
If you're a novice, here is what you should remember, IMNHO
- Only the PDC is safe for seizing.
- The infrastructure master is probably safe (I've never
really thought it through enough to vouch for it).
- Seizing any other role is a complicate process that will require
learning of some DS internals, and a few steps.
The process for seizure, should be
A) Understand what data that FSMO owns, and think carefully if
ANYONE has updated that data on a DC that is somehow
unavailable to the forest at this moment, and could be brought
back to the forest?
a. If it could be brought back, you must then decide to not
bring it back _EVER_, destroy the DC before seizure. Or
bring it back and let it's changes replicate out.
B) By seizing you can break the F-Single-Master-O model, and
effectively have the potential to multi-mastered the data on
more than one DCs, conflicting the data in a very bad way...
C) Run repadmin /syncall
to guarantee your forest has a consistent view of the data in
question you want to seize.
D) Finally perform the seizure, don't use a script, don't temp
yourself with it. Use ntdsutil / dsmgmt.
E) Finally, evaluate what you did to cause this seizure? Did you
take down a box without properly demoting it? Institute an
IT policy that allows for that mistake never to happen again,
seizures should not be a part of any IT operation, unless you
experienced critical hardware failure.
Dean is right, it's the wrong place to fixup RID seizure in ntdsutil
though, but I also think an LDAP modification performing a seizure, and a
LDAP control for performing the more common transfer is ass backwards as
well, so what do I know.
I wrote this mail in a hurry, so didn't proof it, probably mistakes ...
BrettSh [msft]
Building #7 Garage Door Operator
On Mon, 13 Feb 2006, Dean Wells wrote:
> Having chatted offline on this topic, I'm reminded that it's worth
> mentioning an exception pertaining to the RID FSMO. Extensive state is
> maintained for this particular role, state which is sensitive and requires
> modification when the role is seized. Unfortunately, these modifications
> are handled client-side by NTDSUTIL (a mistake in my opinion), as such, any
> manual seizure of the RID Master should be either conducted using NTDSUTIL
> (again, in a controlled manner) or supplemented with the necessary RID
> allocation pool modifications.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells @msetechnology.com
> http://msetechnology.com
>
>
>
> _____
>
> From: Dean Wells [mailto:dwells@xxxxxxxxxxxxxxxxx]
> Sent: Monday, February 13, 2006 9:06 AM
> To: Send - AD mailing list (activedir@xxxxxxxxxxxxx)
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>
>
> A few thoughts --
>
> I'm not entirely adverse to the idea of throwing commands at NTDSUTIL and
> seizing roles (and relying upon the mandatory pre-emptive transfer attempt)
> but I prefer not to perform such actions when the capability to trap
> failures within a sequence of events is beyond my control, e.g. the transfer
> fails and the seize continues without confirmation or regard for my input.
>
> Although I realize that your goal here is to seize a role, a single slip of
> the finger may inadvertently cause seizure to occur. I would suggest
> scripting the operation to _manually_ attempt a transfer first, trap the
> error and confirm your intention to proceed with a seize (remains achievable
> with NTDSUTIL). Of course, the implications of _not_ doing it this way are
> entirely dependent upon either or both the FSMO role in question and/or your
> particular infrastructure.
>
> The commands below outline an alternative approach for attempting a FSMO
> transfer of the domain naming master -
>
> admod -h -b "" becomedomainmaster::1
>
> ... and the equivalent seizure -
>
> admod -h -b cn=partitions,cn=configuration,dc=
> fsmoroleowner::""
>
> ... e.g. -
>
> admod -h machine1.adcorp.lan -b
> cn=partitions,cn=configuration,dc=adcorp,dc=lan fsmoroleowner::"CN=NTDS
> Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=ADCORP,DC=LAN"
>
> This approach provides more control at the expense of requiring slightly
> more specific knowledge of the directory.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells @msetechnology.com
> http://msetechnology.com
>
>
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
> Jorge de
> Sent: Monday, February 13, 2006 5:09 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
>
>
>
> run the script on the DC that should host the FSMO role(s) or replace
> %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an
> argument. Make sure to adjust the script concerning the FSMO roles that
> should be seized/transfered
>
> --> Seize-Domain-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
> infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT
>
>
>
> --> Seize-Forest-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize
> domain naming master" "Seize schema master" QUIT QUIT
>
>
>
> --> Transfer-Domain-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer
> infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT
>
>
>
> --> Transfer-Forest-FSMO-Roles.cmd
>
> NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer
> domain naming master" "Transfer schema master" QUIT QUIT
>
>
> cheers,
> Jorge
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Simon Bembridge
> Sent: Mon 2006-02-13 10:52
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Script to transfer FSMO roles.
>
>
>
> Hi All,
>
> Can somebody point me in the right direction as to how to use a scripted
> solution for seizing the FSMO roles in case of a site failure?
>
> What we have is a W2K3 Domain, with two core sites and 60 branch offices. In
> the case of site 1 failing we want a procedure of activation a script so on
> the standby DC to seize the FSMO roles.
>
>
> Site 1
>
> 1 X DC Sch, Inf, DNM, PDC, GC
> 1 X DC RID, GC
>
> Site 2
>
> 1 X DC Standby FSMO role holder, GC
> 1 X DC GC
>
>
> Regards,
>
> Simon
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be copied,
> disclosed to, retained or used by, any other party. If you are not an
> intended recipient then please promptly delete this e-mail and any
> attachment and all copies and inform the sender. Thank you.
>
>
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| JEtie@xxxx.yyy
| | 03/01/2006 6:37 AM |
| Apparently some parts of ntdsutil are scriptable, see http://support.microsoft.com/?kbid=243267 .
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006 1:52 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Script to transfer FSMO roles.
Hi All,
Can somebody point me in the right direction as to how to use a scripted solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In the case of site 1 failing we want a procedure of activation a script so on the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC
Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC
Regards,
Simon
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|