> Retire a Dead Windows 2003 Domain Controller
> Seizing FSMO Roles from Petri
> Using NTDSUtil.exe to transfer or seize FSMO roles to a domain controller – Microsoft Knowledge Base
> FSMO placement and optimization on Active Directory domain controllers – Microsoft Knowledge Base
> How to remove data in Active Directory after an unsuccessful domain controller demotion
The environment consists of two Windows servers and a number of clients. The domain controller is Windows 2003 SP2 running a Windows 2000 Native AD. The other server (not a DC at all) is Windows 2000 SP4 (it hosts the virus-checking utility).
Results from netdom query fsmo:
Schema owner                missing.office.local
Domain role owner           myself.office.local
PDC role                    missing.office.local
RID pool manager            missing.office.local
Infrastructure owner        missing.office.local
The command completed successfully.
Results from dcdiag:
Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site\MYSELF
      Starting test: Connectivity
         The host 841d395a-2139-49d9-82c1-7c7e31ccb33b._msdcs.office.local could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (841d395a-2139-49d9-82c1-7c7e31ccb33b._msdcs.office.local) couldn't be resolved, the server name (MYSELF.office.local) resolved to the IP address (192.168.9.101) and was pingable. Check that the IP address is registered correctly with the DNS server.
         ......................... MYSELF Failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site\MYSELF
      Skipping all tests, because server MYSELF is not responding to directory service requests
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   Running partition tests on : office
      Starting test: CrossRefValidation
         ......................... office passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... office passed test CheckSDRefDom
   Running enterprise tests on : office.local
      Starting test: Intersite
         ......................... office.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_required) call Failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... office.local Failed test FsmoCheck
Here are my questions (forgive me if they are overly beginner questions):
> Are the roles listed by netdom query fsmo the same ones I've seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID pool manager the same as the RID role?
> What are the bad things that could happen if I seize one of these roles?
> Will users notice?
> This setup has been going on for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?
> Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 – and perhaps less than 10 most days – is having all roles on one DC a real problem?
> Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?
Also – an almost tangential question – if I upgrade the domain to Windows 2003 AD (now or in the future), will that change how the FSMO roles are held?
PS: I suspect the DNS problem is related to trying to use a non-Microsoft DNS that doesn't support Microsoft dynamic DNS; I believe there is a Windows DNS running, but I haven't yet verified that it is running and set up properly.
Are the roles listed from netdom query fsmo the same ones I’ve seen listed elsewhere? For example,is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?
Yes, they are. Not sure why they're named slightly differently in that particular display.
What are the bad things that could happen if I seize one of these roles?
The seizure itself? Not much. Most of the potential problems you're warned about concern bringing the old DC back online after its roles have been seized – and even then, there's a lot of hysteria and not much risk; it takes some very odd scenarios to break a seizure as opposed to a transfer of the roles. Pausing for a moment, let's review the roles and the potential risks:
> Schema Master: this one makes everyone very twitchy, but breaking it isn't a very likely scenario. The docs say you should never bring the old schema master back online after seizing the role; I call that alarmist. The old server will be told about the role change and will give up the role once it's been told. The potential risk is if changes are made on the new schema master, then the old schema master comes online and, before replicating from the other DCs, a different, conflicting schema change is made on the old server. Unlikely, but it would break your domain.
> Naming Master: same deal as the Schema Master; you'd need to make a change on the old DC (in this case, creating a new domain in the forest) after its role was seized but before it learned of the seizure.
> PDC Emulator: no risk; it isn't responsible for anything that could diverge.
> RID Master: you'd need a messed-up replication structure to break this – imagine you have 2 DCs: an old RID master that doesn't know its role has been seized, and a new RID master. In that scenario you'd need to create enough objects to exhaust the RID pools on both (they're handed out in blocks of 500) and have each of them allocate overlapping pools. Create objects with the same RIDs, reconnect the domain controllers, and watch the apocalypse.
> Infrastructure Master: honestly, about 50% of the domains in the world don't even have a working infrastructure master at all, because it doesn't work on a GC. You can't break it with a seizure anyway.
Will users notice?
They shouldn't.
This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?
No. With a single DC, you lose no PDC functionality at all, except that your non-PDC DC can't sync time with its desired source (the missing PDC).
More so:
> You'll only miss the Schema Master when you try to update the schema
> You'll only miss the Naming Master when you try to create a new domain in the forest
> You'll only miss the RID Master when you create too many objects and exhaust the DC's RID pool (if you keep running as-is, this is the one you're most likely to hit)
> You'll only miss the Infrastructure Master for global catalog group updates in a multi-domain forest
Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 – and perhaps less than 10 most days – is having all roles on one DC a real problem?
No – but get a second DC. You don't want your only DC to fail.
Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?
Yes – be careful, but sharpen your ntdsutil knife and rip out the old data – the extra junk in there does nothing for the maintainability of the domain.
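As an added example (not part of the question or the answer above), a PowerShell audit that parses the `netdom query fsmo` output shown in the question, maps netdom's labels to the standard role names the answer confirms, and flags any holder that no longer resolves in DNS, which is how a stale holder like `missing.office.local` shows up. It assumes Windows PowerShell 3 or later with `netdom.exe` on the path and the `Resolve-DnsName` cmdlet (DnsClient module, Windows 8/2012 and later); the sample lines at the bottom are constructed from the question's output so it runs without a live domain.

```powershell
# Added example: audit FSMO role holders as reported by netdom query fsmo.
# Assumptions: PowerShell 3+, netdom.exe on the path, Resolve-DnsName available.

# netdom's labels (as in the asker's output) mapped to the standard FSMO role names
$RoleNames = @{
    'Schema owner'         = 'Schema Master'
    'Domain role owner'    = 'Domain Naming Master'
    'PDC role'             = 'PDC Emulator'
    'RID pool manager'     = 'RID Master'
    'Infrastructure owner' = 'Infrastructure Master'
}

function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Each role line is "<label><two or more spaces><holder FQDN>"; labels contain spaces
        if ($line -match '^(?<label>.+?)\s{2,}(?<holder>\S+)$' -and $RoleNames.ContainsKey($Matches.label)) {
            [pscustomobject]@{ Role = $RoleNames[$Matches.label]; Holder = $Matches.holder }
        }
    }
}

function Test-FsmoHolders {
    # Default runs the real tool; pass -NetdomOutput to audit captured text instead
    param([string[]]$NetdomOutput = (& netdom query fsmo))
    ConvertFrom-NetdomFsmo $NetdomOutput | ForEach-Object {
        # $null on the left so an array of DNS records still yields a single boolean
        $resolves = $null -ne (Resolve-DnsName $_.Holder -ErrorAction SilentlyContinue)
        $_ | Add-Member -NotePropertyName ResolvesInDns -NotePropertyValue $resolves -PassThru
    }
}

# Constructed sample mirroring the question's netdom output (no live call needed)
$sample = @(
    'Schema owner                missing.office.local',
    'Domain role owner           myself.office.local',
    'PDC role                    missing.office.local',
    'RID pool manager            missing.office.local',
    'Infrastructure owner        missing.office.local',
    'The command completed successfully.'
)
Test-FsmoHolders -NetdomOutput $sample | Format-Table -AutoSize
```

Any role whose holder shows `ResolvesInDns` as `False` is one whose holder is gone or unregistered, which is the cleanup case the Microsoft articles linked at the top address.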