DC fsmo role issue

wrx7m

Yeah. This type of scenario and even worse ones are why seizing FSMO roles is a thing. In this situation, you should have just chalked up the infected DC-A as a complete loss (in terms of AD) and just seized the roles on DC-B. Restoring a DC would only be done if all DCs were wiped out.

wrx7m

After seizing the roles on DC-B, you could then remove DC-A from AD, DNS, etc (if it is an older version, you would have to do metadata cleanup in ADSIedit). Afterward, you could add a new server, promote it to a DC and be back up and running.

bbigford

@wrx7m said in DC fsmo role issue:

Yeah. This type of scenario and even worse ones are why seizing FSMO roles is a thing. In this situation, you should have just chalked up the infected DC-A as a complete loss (in terms of AD) and just seized the roles on DC-B. Restoring a DC would only be done if all DCs were wiped out.

Agreed. Restoring a DC (especially FSMO role holder) back that far is just asking for trouble.

I would seize the roles on whatever DC you want to hold your forest roles. Pick any one you like. After that, go through DNS and start removing anything with that old server. Might have to look for it in ADSI Edit as well, if it no longer exists in Active Directory.

dbeato

@bbigford said in DC fsmo role issue:

@wrx7m said in DC fsmo role issue:

Yeah. This type of scenario and even worse ones are why seizing FSMO roles is a thing. In this situation, you should have just chalked up the infected DC-A as a complete loss (in terms of AD) and just seized the roles on DC-B. Restoring a DC would only be done if all DCs were wiped out.

Agreed. Restoring a DC (especially FSMO role holder) back that far is just asking for trouble.

I would seize the roles on whatever DC you want to hold your forest roles. Pick any one you like. After that, go through DNS and start removing anything with that old server. Might have to look for it in ADSI Edit as well, if it no longer exists in Active Directory.

Yes, that’s true and also avoid any USN rollbacks.

Fredtx

Thanks everyone. I did put DC-A offline and seized the roles to 2012 DC (newer). Theres a total of 7 DC. I was able to get one of them to replicate, but it still thinks the “Deleted DC” is holding 4 of the 5 roles, but shows the 2012 DC holding the Domain Naming Role. However, the 2012 DC sees itself as the fsmo holder for all roles. I have not deleted the DC-A from ADSAS yet, only the computer object and dns records.

JaredBusch

Restoring a DC to a month ago when there were other working controllers was a mistake. because at that point all kinds of things were going to get conflicted.

Restoring a DC is nothing in a SMB with only a single DC.

But you just intentionally broke all the replication.

I honestly have no idea how to fix something this messed up.

Fredtx

@jaredbusch said in DC fsmo role issue:

But you just intentionally broke all the replication.

I honestly have no idea how to fix something this messed up.

Wasn't intentionally, but definitely a lesson learned.

Fredtx

@wrx7m said in DC fsmo role issue:

After seizing the roles on DC-B, you could then remove DC-A from AD, DNS, etc (if it is an older version, you would have to do metadata cleanup in ADSIedit). Afterward, you could add a new server, promote it to a DC and be back up and running.

The PDC was 2008r2. The new PDC is 2012 standard while other remaining DC is 2008. Does metadata cleanup apply to 2008?

Obsolesce

@fredtx said in DC fsmo role issue:

Does metadata cleanup apply to 2008?

Yes

dbeato

@fredtx said in DC fsmo role issue:

@wrx7m said in DC fsmo role issue:

After seizing the roles on DC-B, you could then remove DC-A from AD, DNS, etc (if it is an older version, you would have to do metadata cleanup in ADSIedit). Afterward, you could add a new server, promote it to a DC and be back up and running.

The PDC was 2008r2. The new PDC is 2012 standard while other remaining DC is 2008. Does metadata cleanup apply to 2008?

Applies to all the DCs when removed and failing to be removed properly.

BRRABill

@jaredbusch said

Restoring a DC is nothing in a SMB with only a single DC.

As has been discussed many times here on ML, it really is so easy, it's a wonder why it isn't done more. (AKA, the single DC route.)

Fredtx

@brrabill said in DC fsmo role issue:

@jaredbusch said

Restoring a DC is nothing in a SMB with only a single DC.

As has been discussed many times here on ML, it really is so easy, it's a wonder why it isn't done more. (AKA, the single DC route.)

Wouldn’t users in sites that don’t have a local DC experience performance issues?

scottalanmiller

@fredtx said in DC fsmo role issue:

@brrabill said in DC fsmo role issue:

@jaredbusch said

Restoring a DC is nothing in a SMB with only a single DC.

As has been discussed many times here on ML, it really is so easy, it's a wonder why it isn't done more. (AKA, the single DC route.)

Wouldn’t users in sites that don’t have a local DC experience performance issues?

Not typically, AD does essentially nothing. The amount of time it takes to pass a password around in this day and age is milliseconds. A few milliseconds during a login operation is not something people notice in the least.