windows-server-2003 – Seizing FSMO roles from a dead Windows domain controller

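I have seen other questions and documents about doing this, but some things still confuse me. Here are the documents and questions I have looked at: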

> Retire a Dead Windows 2003 Domain Controller
> Seizing FSMO Roles, from Petri
> Using NTDSUtil.exe to transfer or seize FSMO roles to a domain controller – Microsoft Knowledge Base
> FSMO placement and optimization on Active Directory domain controllers – Microsoft Knowledge Base
> How to remove data in Active Directory after an unsuccessful domain controller demotion

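The environment consists of two Windows servers and numerous clients. The domain controller is Windows 2003 SP2 running Windows 2000 Native AD. The other server (not a DC at all) is Windows 2000 SP4 (it hosts the virus-checking utility).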

Results from netdom query fsmo:

Schema owner                missing.office.local

Domain role owner           myself.office.local

PDC role                    missing.office.local

RID pool manager            missing.office.local

Infrastructure owner        missing.office.local

The command completed successfully.

Results from dcdiag:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\MYSELF
      Starting test: Connectivity
         The host 841d395a-2139-49d9-82c1-7c7e31ccb33b._msdcs.office.local could not be resolved to an
         IP address.  Check the DNS server,DHCP,server name,etc
         Although the Guid DNS name
         (841d395a-2139-49d9-82c1-7c7e31ccb33b._msdcs.office.local) couldn't be
         resolved,the server name (MYSELF.office.local) resolved to the IP
         address (192.168.9.101) and was pingable.  Check that the IP address
         is registered correctly with the DNS server. 
         ......................... MYSELF Failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\MYSELF
      Skipping all tests,because server MYSELF is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : office
      Starting test: CrossRefValidation
         ......................... office passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... office passed test CheckSDRefDom

   Running enterprise tests on : office.local
      Starting test: Intersite
         ......................... office.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_required) call Failed,error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... office.local Failed test FsmoCheck

Here are my questions (forgive me if they are too much like beginner questions):

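> Are the roles listed from netdom query fsmo the same ones I've seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?
> What are the bad things that could happen if I seize one of these roles?
> Will users notice?
> This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?
> Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 – and perhaps less than 10 most days – is having all roles on one DC a real problem?
> Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?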

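Also – an almost tangential question – if I upgrade the domain to Windows 2003 AD (now or in the future), will that change who holds the FSMO roles?

PS: I suspect the DNS problems are related to trying to use a non-Microsoft DNS that does not support Microsoft Dynamic DNS; I think there is a Windows DNS running, but I have not yet audited it for proper operation and setup.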

Are the roles listed from netdom query fsmo the same ones I’ve seen listed elsewhere? For example, is Domain role owner the same as Domain Naming Master? Is RID Pool Manager the same as the RID role?

Yes, that's right. Not sure why they have slightly different names in that particular display.

What are the bad things that could happen if I seize one of these roles?

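The seizure itself? Not much. Most of the potential problems you are warned about concern turning the old DC back on after its roles have been seized – and even then, there is a lot of hysteria and not much risk; it takes some very odd scenarios for a seizure, as opposed to a transfer of the roles, to break things. To pause for a moment, let's review the roles and the potential risks: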

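> Schema Master: This one makes everyone very twitchy, but breaking it is not a very likely scenario. The documentation says you should never turn the old schema master back on after seizing the role, which I call alarmist. The old server will be told of the role change, and once it has been, it will relinquish the role. The potential risk here is that a change is made on the new schema master, then the old schema master comes online and, before it replicates from the other DCs, a different, conflicting schema change is made on the old server. This scenario is unlikely, but it would break your domain.
> Naming Master: Same deal as the Schema Master; you would need to make a change on the old DC (in this case, creating a new domain in the forest) after its role has been seized but before it learns of the seizure.
> PDC Emulator: No risk; it is not responsible for anything that risks divergence.
> RID Master: You would need a messed-up replication structure to break this one – imagine you have 2 DCs: an old RID master that doesn't know its role has been seized, and a new RID master. In this case, you would need to create enough objects to exhaust the RID pools on both (they are handed out in blocks of 500) and have them allocate themselves overlapping pools. Create objects with the same RID, reconnect the domain controllers, and watch the apocalypse.
> Infrastructure Master: Honestly, about 50% of the domains in the world don't even have a working infrastructure master at all, because it doesn't work on a GC. In any case, you can't break it with a seizure.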

Will users notice?

They shouldn't.

This set up has been going for a long time and people have been functioning more or less normally; is seizing the PDC role going to change this?

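No. With a single DC, you are not missing any of the PDC's functionality at all, except that your non-PDC DC cannot sync time with the source it wants (the missing PDC).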

Moreso:

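> You will only miss the Schema Master when you try to update the schema
> You will only miss the Naming Master when you try to create a new domain in the forest
> You will only miss the RID Master when you create too many objects and exhaust the DC's RID pool (if you keep running as you are, this is probably the one you will run into most often)
> You will only miss the Infrastructure Master for global catalog group updates in a multi-domain forest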

Some of these documents predict dire consequences to having all roles on one DC. With a client base of no more than 20 – and perhaps less than 10 most days – is having all roles on one DC a real problem?

No – but get a second DC. You don't want your only DC to fail.

Are there any caveats to performing the cleanup process recommended by Microsoft to remove the old DC from Active Directory?

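Yes – be careful, but sharpen your ntdsutil knife and tear out the old data – the extra junk in there does not help the maintainability of the domain.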
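As an added example (not part of the original question or answer): a small Python helper that maps the `netdom query fsmo` labels to the usual role names and builds the Windows 2003 `ntdsutil` input for the roles still held by the dead DC. The sample text is constructed from the output quoted in the question; the function names are hypothetical.

```python
import re

# netdom display label -> (common role name, Windows 2003 ntdsutil command)
ROLES = {
    "Schema owner": ("Schema Master", "seize schema master"),
    "Domain role owner": ("Domain Naming Master", "seize domain naming master"),
    "PDC role": ("PDC Emulator", "seize PDC"),
    "RID pool manager": ("RID Master", "seize RID master"),
    "Infrastructure owner": ("Infrastructure Master", "seize infrastructure master"),
}

# Constructed sample: the netdom output quoted in the question.
SAMPLE = """\
Schema owner                missing.office.local
Domain role owner           myself.office.local
PDC role                    missing.office.local
RID pool manager            missing.office.local
Infrastructure owner        missing.office.local
The command completed successfully.
"""

def parse_fsmo(text):
    """Return {common role name: owner FQDN} from `netdom query fsmo` output."""
    owners = {}
    for line in text.splitlines():
        # Label and owner are separated by a run of two or more spaces.
        m = re.match(r"^(.*?)\s{2,}(\S+)\s*$", line.strip())
        if m and m.group(1) in ROLES:
            owners[ROLES[m.group(1)][0]] = m.group(2).lower()
    return owners

def seizure_plan(text, dead_dc, surviving_dc):
    """List the ntdsutil input lines that move roles off dead_dc."""
    owners = parse_fsmo(text)
    missing = [name for name, _ in ROLES.values() if name not in owners]
    if missing:
        # Refuse to plan from truncated output rather than skip a role.
        raise ValueError("roles not found in output: " + ", ".join(missing))
    seize = [cmd for name, cmd in ROLES.values() if owners[name] == dead_dc.lower()]
    if not seize:
        return []
    return (["ntdsutil", "roles", "connections",
             "connect to server " + surviving_dc, "quit"]
            + seize + ["quit", "quit"])

if __name__ == "__main__":
    for step in seizure_plan(SAMPLE, "missing.office.local", "MYSELF"):
        print(step)
```

ntdsutil asks for confirmation on each seizure and attempts a normal transfer first, so the plan is meant to be typed and reviewed step by step, not piped in blindly.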
