| Author | Messages | |
BrianB
Posts:126
 | | 08/12/2008 11:30 AM |
| I have a forest root DC that is to be decommissioned and need to move the Schema master role to another DC. Can it be moved to a DC in a child domain, along with the Domain Naming Master? What are the implications of doing so if the FR is decommissioned permanently.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
| | | |
| neilruston
Posts:164
 | | 08/12/2008 11:41 AM |
| This FSMO move can be done. No issues.
You cannot decomm a FR domain - you can decomm individual DCs from the FR domain tho.
neil
Barclays Wealth is the wealth management division of Barclays Bank PLC. This email may relate to or be sent from other members of the Barclays Group.
The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions. The Barclays Group does not normally accept or offer business instructions via internet email. Any action that you might take upon this message might be at your own risk.
This email and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this email in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this email or its attachments.
Internet communications are not guaranteed to be secure or without viruses. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this email may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this email or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
Barclays Bank PLC is authorised and regulated by the Financial Services Authority.
| | | |
| BrianB
Posts:126
 | | 08/12/2008 12:05 PM |
| Allow me to explain our unique situation/architecture before I ask the next question:
We have two domains.
xx-first.vdy.com and xx.vdy.com
There is no vdy.com domain serving as the forest root to the child domains as there would be in a traditional forest root/child structure, i.e.:
Vdy.com
xx-first.vdy.com xx.vdy.com
With that said:
The first domain that was built was XX-first.vdy.com
An additional domain called xx.vdy.com was built as a new tree in the same forest.
XX-first holds schema master and Domain naming master, along with its other domain FSMO roles.
I want to decommission xx-first.vdy.com
Can this be done by just DCpromo'ing all DCs in the domain and collapsing it? Or would that have adverse effects on the other xx Domain? (of course we would move the FSMO roles)
Thanks for the help.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
| | | |
| BrianB
Posts:126
 | | 08/12/2008 12:33 PM |
| Thanks Steve,
I thought so. I just needed to see if there was a way. Looks like we're going the hard way. Any recommendations/articles/best practice/etc of how to migrate?
Thanks again.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan Sent: Tuesday, August 12, 2008 11:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
The first domain in the forest will always be the forest root and you cannot decommission it without standing up a new forest and migrating the child that is left. The forest root is responsible for additional infrastructure support beyond just the FSMO roles. For example it is responsible for Kerberos routing amongst the transitive trusts, forest trust establishment, etc. Decommissioning the first domain in the forest even if you plan to have just another single domain child is not a supported configuration.
Thanks,
-Steve
| | | |
| listmail
Posts:822
 | | 08/12/2008 1:14 PM |
| The forest root isn't the forest root on the basis of its name, it is the forest root on the basis of its creation order in the forest.
So... The first domain built in the forest is the forest root domain irregardless of any name space or perceived dependencies on the namespace.
To put it yet another way, the fact that you have two domain trees does not in any way make the forest root domain (again the first domain in the forest), not the forest root. You cannot get rid of the forest root, ever.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| BrianB
Posts:126
 | | 08/12/2008 1:36 PM |
| Thanks Joe,
Yes, the goal is to keep xx.vdy.com and do away with xx-first.vdy.com. I figured that because of the disjointed namespace, what "they" called the "root" was just a peer domain in a forest. (I figured this because there is not a top level domain like vdy.com that I would call the "parent".) I have never built an AD forest that did not follow the Parent/children hierarchy: top.com > child.top.com > adolescent.top.com etc.
Ours is a disjointed namespace starting with xx-first.vdy.com with another called xx.vdy.com. So I figured I could get away with collapsing the xx-first while keeping the xx domain intact. It seems, based on what Y'all (Tennessean talk for you fellows) are saying, that though it is disjointed, they are still very much a parent/child relationship model, though not apparent.
Therefore, I cannot collapse the first domain but would have to migrate and rename from the other domain. Is that correct?
BTW: this configuration was done during a time when our NDS engineers switched over to AD and MS suggestions were to have an empty root for the domain. It was all new to them at the time. (AD 2000)
Any thoughts?
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Tuesday, August 12, 2008 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
So the goal is to go to a single domain forest with the domain named xx.vdy.com?
If so, two options:
1. Migrate all of the xx.vdy.com objects into xx-first.vdy.com, dcpromo xx.vdy.com out of existence and rename the root.
2. Migrate the data from the first forest to another forest with a single domain. Play with this in the lab, I have never played with this when the domains were the same name. I could visualize all sorts of issues there because of that. May have to rename the domain first and I am not even positive that would work.
Mostly I recommend going into a lab and play play play.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| bdesmond
Posts:977
 | | 08/12/2008 2:55 PM |
| Would it not be cheaper just to empty out xx-first, leave two DCs there and live with it? Migrating to a new forest or even intraforest to a different domain will be pretty expensive.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| listmail
Posts:822
 | | 08/12/2008 3:11 PM |
| It's not a parent child relationship but the root domain is not based on a parent child relationship. It is based on what was built first. The naming hierarchy does not come into play at all here.
Note that you have multiple domain trees, this isn't a name disjoint, just multiple domain trees. Disjoint names come in when your netbios domain name doesn't match your DNS domain name (e.g. netbios name FRED and DNS name joeware.net) or when your FQDNs on your machines don't match your domain DNS name (the machine cerberus in the joeware.net domain having an FQDN of cerberus.raytwp.se.michigan.joeware.net).
Multiple domain trees is a really bad idea in general because of exactly this kind of confusion. Many scripts you find out there will completely crash or completely miss data in a forest with multiple trees.
Your configuration and schema NCs take their names from the domain root... so your schema is cn=schema,cn=configuration,dc=xxx-first,dc=vdy,dc=com, your configuration is the same with cn=schema stripped. It isn't that those NCs would suddenly go, oh, I better change my DN to fit under the last remaining forest. Also as Steve mentioned, kerberos domain traversals, unless you have shortcut trusts in place, travel through the forest root domain (again regardless of naming hierarchy). It's just how AD works.
While it is possible to kill all your DCs in that domain, as I mentioned before, you simply have a time bomb on your hands.
Correct, you cannot collapse that first (root) domain. That domain will always exist although it could be renamed if necessary. Probably the best solution will involve moving into a whole new forest set up the way you want it but it depends entirely on the dependencies for apps, file shares, etc.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
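Added example, not code from the thread or from any of its posters: a Python sketch of the two points in the post above, that the forest root can be read off the configuration and schema NC names, and that logic assuming a single domain tree misses domains in a multi-tree forest. The rootDSE and crossRef values are constructed from the domain names in the thread, and `lab.xx.vdy.com` is a hypothetical child domain added only to show tree grouping.

```python
# Constructed sample data: what rootDSE and the domain crossRef objects under
# CN=Partitions,<configuration NC> would look like for the forest in the thread.
ROOT_DSE = {
    "rootDomainNamingContext": "DC=xx-first,DC=vdy,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=xx-first,DC=vdy,DC=com",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=xx-first,DC=vdy,DC=com",
}
CROSS_REFS = [
    {"nCName": "DC=xx-first,DC=vdy,DC=com", "dnsRoot": "xx-first.vdy.com"},
    {"nCName": "DC=xx,DC=vdy,DC=com", "dnsRoot": "xx.vdy.com"},
    # Hypothetical child domain, not mentioned in the thread.
    {"nCName": "DC=lab,DC=xx,DC=vdy,DC=com", "dnsRoot": "lab.xx.vdy.com"},
]


def dn_to_dns(dn):
    """Return the DNS name formed by the DC= components of a DN.

    Leading CN= components (Configuration, Schema) are ignored. Domain DNs
    contain no escaped commas, so a plain split is sufficient here.
    """
    parts = [p.strip() for p in dn.split(",")]
    labels = [p[3:] for p in parts if p[:3].upper() == "DC="]
    return ".".join(labels).lower()


def forest_root(root_dse):
    """Derive the forest root domain and check the three NCs agree on it."""
    root = dn_to_dns(root_dse["rootDomainNamingContext"])
    config = dn_to_dns(root_dse["configurationNamingContext"])
    schema = dn_to_dns(root_dse["schemaNamingContext"])
    if not (root == config == schema):
        raise ValueError("rootDSE naming contexts disagree on the forest root")
    return root


def naive_domains(root, cross_refs):
    """Single-tree assumption: every domain is the root or a DNS child of it."""
    names = (c["dnsRoot"].lower() for c in cross_refs)
    return sorted(n for n in names if n == root or n.endswith("." + root))


def domain_trees(cross_refs):
    """Group domains into trees; a tree root has no DNS parent in the forest."""
    names = {c["dnsRoot"].lower() for c in cross_refs}

    def parent(name):
        labels = name.split(".")
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in names:
                return candidate
        return None

    trees = {}
    for name in sorted(names):
        top = name
        while parent(top) is not None:
            top = parent(top)
        trees.setdefault(top, []).append(name)
    return trees


def audit(root_dse, cross_refs):
    """Summarise the forest layout and what single-tree logic would miss."""
    root = forest_root(root_dse)
    everything = sorted(c["dnsRoot"].lower() for c in cross_refs)
    seen = set(naive_domains(root, cross_refs))
    return {
        "forest_root": root,
        "trees": domain_trees(cross_refs),
        "missed_by_single_tree_logic": [d for d in everything if d not in seen],
    }


if __name__ == "__main__":
    report = audit(ROOT_DSE, CROSS_REFS)
    print("forest root:", report["forest_root"])
    for tree_root, members in report["trees"].items():
        print("tree", tree_root, "->", ", ".join(members))
    print("missed by single-tree logic:",
          ", ".join(report["missed_by_single_tree_logic"]))
```

Against a live directory the same inputs come from the rootDSE and from the crossRef objects in the Partitions container; enumerating those crossRefs, rather than walking DNS children of the root, is what keeps every tree in scope.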
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Britt, Brian Sent: Tuesday, August 12, 2008 1:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
Thanks Joe,
Yes, the goal is to keep xx.vdy.com and do away with xx-first.vdy.com. I figured that because of the disjointed namespace, what "they" called the "root" was just a peer domain in a forest.(I figured this because there is not a top level domain like vdy.com that I would call the "parent") I have never built an AD forest that did not follow the Parent/children hierarchy: top.com > child.top.com > adolescent.top.com etc.
Ours is a disjointed namespace starting with xx-first.vdy.com with another called xx.vdy.com. So I figured I could get away with collapsing the xx-first while keeping the xx domain intact. It seems, based on what Y'all (Tennessean talk for you fellows) are saying, that though it is disjointed, they are still very much a parent/child relationship model, though not apparent.
Therefore, I cannot collapse the first domain but would have to migrate and rename from the other domain. Is that correct?
BTW: this configuration was done during a time when our NDS engineers switched over to AD and MS suggestions were to have an empty root for the domain. It was all new to them at the time. (AD 2000)
Any thoughts?
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Tuesday, August 12, 2008 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
So the goal is to go to a single domain forest with the domain named xx.vdy.com?
If so, two options:
1. Migrate all of the xx.vdy.com objects into xx-first.vdy.com, dcpromo xx.vdy.com out of existence and rename the root.
2. Migrate the data from the first forest to another forest with a single domain. Play with this in the lab, I have never played with this when the domains were the same name. I could visualize all sorts of issues there because of that. May have to rename the domain first and I am not even positive that would work.
Mostly I recommend going into a lab and play play play.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Britt, Brian Sent: Tuesday, August 12, 2008 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
Thanks Steve,
I thought so. I just needed to see if there was a way. Looks like we're going the hard way. Any recommendations/articles/best practice/etc of how to migrate?
Thanks again.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan Sent: Tuesday, August 12, 2008 11:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
The first domain in the forest will always be the forest root and you cannot decommission it without standing up a new forest and migrating the child that is left. The forest root is responsible for additional infrastructure support beyond just the FSMO roles. For example it is responsible for Kerberos routing amongst the transitive trusts, forest trust establishment, etc. Decommissioning the first domain in the forest even if you plan to have just another single domain child is not a supported configuration.
Thanks,
-Steve
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Britt, Brian Sent: Tuesday, August 12, 2008 11:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
Allow me to explain our unique situation/architecture before I ask the next question:
We have two domains.
xx-first.vdy.com and xx.vdy.com
There is no vdy.com domain serving as the forest root to the child domains as there would be in a traditional forest root/child structure, i.e.:
Vdy.com
xx-first.vdy.com xx.vdy.com
With that said:
The first domain that was built was XX-first.vdy.com
An additional domain called xx.vdy.com was built as a new tree in the same forest.
XX-first holds schema master and Domain naming master, along with its other domain FSMO roles.
I want to decommission xx-first.vdy.com
Can this be done by just DCpromo'ing all dc's in the domain and collapsing it? Or would that have adverse effects on the other xx Domain? (of course we would move the FSMO roles)
Thanks for the help.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of neil.ruston@barclayswealth.com Sent: Tuesday, August 12, 2008 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving Scema Master FSMO role.
This FSMO move can be done. No issues.
You cannot decomm a FR domain - you can decomm individual DCs from the FR domain tho.
neil
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Britt, Brian Sent: 12 August 2008 16:25 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Moving Scema Master FSMO role.
I have a forest root DC that is to be decommissioned and need to move the Schema master role to another DC. Can it be moved to a DC in a child domain, along with the Domain Naming Master? What are the implications of doing so if the FR is decommissioned permanently.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
| | | |
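The dependencies described in this thread (configuration and schema NCs named under the forest root, forest-wide FSMO roles, and the need for the root domain to keep at least one DC) can be checked read-only before a forest-root DC is demoted. This is an added example, not part of the original posts; it assumes the ActiveDirectory PowerShell module is available, and `dc01.xx-first.vdy.com` is a placeholder DC name.

```powershell
# Added example: read-only pre-demotion checks for a DC in the forest root domain.
# Assumption: ActiveDirectory module is installed; $DcToDemote is a placeholder.
Import-Module ActiveDirectory

$DcToDemote = 'dc01.xx-first.vdy.com'   # placeholder: the DC you plan to demote

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Forest root DNS name -> DN, e.g. xx-first.vdy.com -> DC=xx-first,DC=vdy,DC=com
$rootDn = ($forest.RootDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# The configuration and schema NCs are named under the forest root DN,
# no matter which domain's DC answers the rootDSE query.
[pscustomobject]@{
    ForestRoot         = $forest.RootDomain
    ConfigurationNC    = $rootDse.configurationNamingContext
    SchemaNC           = $rootDse.schemaNamingContext
    ConfigUnderRoot    = $rootDse.configurationNamingContext -eq "CN=Configuration,$rootDn"
    SchemaUnderRoot    = $rootDse.schemaNamingContext -eq "CN=Schema,CN=Configuration,$rootDn"
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# FSMO roles (forest-wide and domain-wide) still held by the DC to be demoted.
$target = Get-ADDomainController -Identity $DcToDemote
if ($target.OperationMasterRoles.Count -gt 0) {
    Write-Warning ("{0} still holds: {1}. Transfer these roles first." -f `
        $target.HostName, ($target.OperationMasterRoles -join ', '))
}

# Individual DCs in the root domain can go; the root domain itself cannot.
$rootDcs   = @(Get-ADDomainController -Filter * -Server $forest.RootDomain)
$remaining = @($rootDcs | Where-Object { $_.HostName -ne $target.HostName })
if ($target.Domain -eq $forest.RootDomain -and $remaining.Count -eq 0) {
    Write-Warning "$DcToDemote is the last DC in forest root domain $($forest.RootDomain)."
} else {
    "Root domain DCs remaining after demotion: $($remaining.HostName -join ', ')"
}
```

Nothing here writes to the directory; the script only reports what would be left behind.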
|
|