Enterprise Server Strategies for the CIOI recently accepted a position at a company with a single domain forest and three Domain Controllers. However, none of the DC's was holding the Schema Master role. I seized the role on one DC, but when I tried to install Exchange 2003 on a member server, it failed, with a message that it cannot contact or query the Schema Master. When I log in to the DC that has the SM role and run replmon, the properties of the server show that it is holding the role. However, when I click on the Query button it fails with an error that it cannot contact or bind to the DC holding that role, even though I am running locally on that DC! I can't find anything close to this situation on TechNet. Can you help?
Requires Free Membership to View
First, are you sure that this was always a single domain forest? If they had originally had a placeholder domain and a child domain, you could be faced with a bigger problem. If that is not the case then, you may go through some steps. I like to use NTDSUTIL to work with the FSMO roles. It often will display information that the graphical tools don't or are found in multiple locations. NTDSUTIL is on every windows 2000 machine. Here is what you would do:
Schema - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configura tion,DC=MYDOMAIN,DC=com
Domain - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configura tion,DC=MYDOMAIN,DC=com
PDC - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuratio n,DC=MYDOMAIN,DC=com
RID - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuratio n,DC=MYDOMAIN,DC=com
Infrastructure - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=C onfiguration,DC=MYDOMAIN,DC=com
Now just quit until you exit. Repeat this procedure on all of the domain controllers so that you are clear on what they think are the FSMO role holders.
Next you will need to check on replication. Check the Event log's Directory Services and File Replication for errors or warnings. Some of the Microsoft warnings about replication are underrated and really should be errors. If DC's cannot replicate to other DCs eventually you can stall replication altogether. A bad situation to say the least. You can use replmon.exe from the Support tools to get more information. Also, run DCDIAG on each one of the domain controllers and check out any warnings or errors produced. This utility will also let you know if the problem is related to name resolution and DNS.
If there are multiple DCs that believe that they are the Schema master, you may have to demote one DC to get it to clear its information and promote it back up. This may also involve some manual cleanup of AD.
- C:\>ntdsutil
- ntdsutil: roles
- fsmo maintenance: connections
- server connections: connect to server [myserver]
Binding to msspueblomain ...
Connected to msspueblomain using credentials of locally logged on user
- server connections: quit
- fsmo maintenance: select operation target
- select operation target: list roles for connected server
Schema - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configura tion,DC=MYDOMAIN,DC=com
Domain - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configura tion,DC=MYDOMAIN,DC=com
PDC - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuratio n,DC=MYDOMAIN,DC=com
RID - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuratio n,DC=MYDOMAIN,DC=com
Infrastructure - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=MYSITE,CN=Sites,CN=C onfiguration,DC=MYDOMAIN,DC=com
Now just quit until you exit. Repeat this procedure on all of the domain controllers so that you are clear on what they think are the FSMO role holders.
Next you will need to check on replication. Check the Event log's Directory Services and File Replication for errors or warnings. Some of the Microsoft warnings about replication are underrated and really should be errors. If DC's cannot replicate to other DCs eventually you can stall replication altogether. A bad situation to say the least. You can use replmon.exe from the Support tools to get more information. Also, run DCDIAG on each one of the domain controllers and check out any warnings or errors produced. This utility will also let you know if the problem is related to name resolution and DNS.
If there are multiple DCs that believe that they are the Schema master, you may have to demote one DC to get it to clear its information and promote it back up. This may also involve some manual cleanup of AD.
This was first published in August 2004
Join the conversationComment
Share
Comments
Results
Contribute to the conversation