0

Can FSMO roles be switched over a period of time? Or do I have to do them all at once, same day? I wanted to move a role, wait, see if anything blows up, wait a few days, do another one.

I have a forest root that is on its last leg, but I don't want to destroy everything. Thanks. Windows 2000 Forest and Domain.

johnny
  • Windows 2000? Seriously? Well, take my answer below with a grain of salt - the last time I touched a w2k domain was ~8 years ago. :) – EEAA May 14 '12 at 14:23
  • I'm curious why you consider the forest root to be on its last legs? Would love to know what your concerns are. :) – Lewis May 14 '12 at 14:29
  • It got a virus and everything is blowing up. It's a rootkit of some kind, and nothing will remove it. Tools that try BSOD the computer. Safe mode is BSOD. – johnny May 14 '12 at 14:43
  • Ah, I see now. You think of one of your DCs as the "forest root". A forest root in AD terms is simply the highest level domain (thus root). Don't panic about moving FSMO roles; the moving of a FSMO role does little more than set a flag in Active Directory to identify which DC is responsible for that role. It does sound like decommissioning is the right way to go, but don't worry about FSMO transfers, it's simple and pain free. If necessary and the DC finally does blow up, FSMO roles can be seized using NTDSUTIL. Arm yourself with good info on how to clean AD after role seizure. – Lewis May 14 '12 at 14:44
  • I only know it's the first computer in the domain. – johnny May 14 '12 at 14:45
  • If it's the first DC in the domain, it will hold all FSMO roles unless some have been previously moved. If you have two DCs currently, bring a third one online. Ensure both working DCs have DNS installed and clients are using them as primary and secondary DNS servers. Configure all DCs as Global Catalogs, transfer FSMOs to either of the other DCs and then decommission the flaky DC. – Lewis May 14 '12 at 14:54
  • Unfortunately, the virus won't allow me to transfer roles. – johnny May 14 '12 at 14:56
  • As painful as it is, it's probably time to restore a known-good backup. – EEAA May 14 '12 at 15:03

2 Answers

2

Each FSMO role is more or less independent of the other roles. If you had enough DCs, you could assign a role individually to each of them if you wanted, though for a variety of reasons, you probably don't want to do this.

So yes, your plan sounds reasonable.

In fact, I've actually never heard of or experienced issues with moving roles around. As long as you make sure your domain controllers are healthy and that replication is happening as it should, you shouldn't see any issues.

EEAA
  • Well, the forest root is messed up. That's why I need to move the roles. The plan is to demote the root and make the working DC the master. – johnny May 14 '12 at 14:24
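
The staged approach discussed above (move one role, confirm the DCs are healthy and replicating, then wait before the next), as an added example that is not part of the original thread. It assumes the Windows Support Tools (`netdom`, `dcdiag`, `repadmin`) are installed; `DC2` and the chosen role are placeholders.

```batch
@echo off
rem Added example: transfer ONE FSMO role, with checks before and after.
rem TARGET and ROLE are placeholders; edit them for each run.
setlocal
set TARGET=DC2
rem ROLE uses ntdsutil's wording, e.g. PDC or RID master.
set ROLE=PDC

echo === 1. Current role holders ===
netdom query fsmo

echo === 2. Health of the DC that will receive the role ===
dcdiag /s:%TARGET%

echo === 3. Inbound replication on %TARGET% ===
repadmin /showreps %TARGET%

echo Review the output above. Press Ctrl+C to stop if anything failed.
pause

echo === 4. Transfer "%ROLE%" to %TARGET% ===
rem ntdsutil connects to the DC that is to become the new holder.
ntdsutil roles connections "connect to server %TARGET%" quit "transfer %ROLE%" quit quit

echo === 5. Confirm the new holder, then let replication settle ===
netdom query fsmo
repadmin /showreps %TARGET%
endlocal
```

Run it once per role, changing `ROLE` each time, and repeat steps 1 to 3 on the following days before moving the next one.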
0

Yes they can but with some caveats depending on your domain configuration and placement of Global Catalogs.

Refer to: http://support.microsoft.com/kb/223346 for how to decide what goes where and why.

EEAA
Lewis