Real Life Case Study of Decommissioning FSMO Servers
by Crispin Horsfield
If you’re about to decommission a server then you need to be aware of FSMO (Flexible Single Master Operation). Although Windows Server 2003 no longer employs PDCs and BDCs in their original roles, there are still echoes of their existence around. Therefore, it’s vital to transfer the FSMO role to another server if the server you are decommissioning holds any of the five FSMO roles.
Case Study Example of Decommissioning FSMO Servers
- Basic FSMO Server Clean-up
- Collect info
- Transfer FSMO Roles
- DNS (I’m not a DNS guru)
- Active Directory
- About Crispin Horsfield
1. Applications, move off all files and applications that you want to keep onto another computer. Obvious, but there may be DLLs lurking in the following places that may also need moving:
C:\Program files\Common files
Also, check through Add/Remove programs in the Control Panel to make sure that you’ve covered all the bases. There may also be configuration files and registry settings that are associated with applications that you want to keep.
2. IIS, examine the websites and delete or move as appropriate.
3. DNS, take a close look at the DNS service (mine was a bit flaky so I removed dodgy entries). DO NOT stop this service.
4. DHCP, make sure that no computers are using any of the scopes and then delete them. I then stopped the DHCP service.
If you’re going to tape and re-install, then check the name and type of all significant drivers e.g. network cards, RAID systems, etc.
With RAID drivers go to Windows-key/Pause-Break –> System Icon, Hardware, Device manager and select your RAID driver. Go through to Properties, then the Driver tab. Note down the name of the device, the Driver Provider and version. There’s probably a new driver available from the manufacturer’s website. You may also need a floppy disk (remember them) to store the precious driver. Make sure that your licence key is available for that server (it’s stuck to the side on Dell servers).
I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try – it’s free!
From the above I selected:
To transfer the FSMO roles by using the ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the ntdsutil utility.
This can take time to filter through so depending on the size of your system you have a cup of tea, large meal or leave it overnight.
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM’s best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.
Start > Programs > Administrative Tools > DNS
For each Forward Lookup Zone change the Start of Authority to the new primary DNS server.
1. Right-click on the zone.
2. Select Properties
3. Select Start of Authority tab.
4. Change the Primary Server to the new value.
This can also take time to filter through depending on your TTL settings, caches, etc. More tea, cake and sleep.
One gotcha can be if (for some reason or other, perhaps even a group policy) the DNSClient setting* in the registry of client machines is set to the old DNS server. Mine was set manually before I learned the joys of Active Directory Sites and Services. I used to point the DNSClient towards the nearest DNS server when I moved computers between locations. I use DHCP now to achieve the same thing and the DNSClient setting has been deleted.
Clearly if it’s a Group Policy setting (and I don’t know where that would be set), it needs changing.
*I just open up regedit and search for DNSClient.
You can stop and/or remove DNS should you wish at this point.
Run dcpromo on the server to be decommissioned. This can take a while.
Once your server has been ‘decommissioned’, turn it off and leave it for a week or so before attempting to re-install Windows Server 2003 (or any other operating system). This means that you should be able to recover should you have missed something vital, by the simple expedient of turning it back on.
Finally, this seems to have worked for me, but others may be running services that also need to be gracefully decommissioned.
I’m not a full-time SysAdmin, but a software developer and web designer who gets the job of keeping the servers in order. My aim is to automate and remotely manage as much as I can. Being a programmer I prefer managed solutions (eg VB.NET) over scripted solutions.
Caveat Crispin says:
No warranty, express or implied, with the above notes.
Crispin – That case study was a great example of FSMO, thank you. It’s always great to have the benefit from a real life experience.
SolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
- Seeking and zapping unwanted user accounts.
- Finding inactive computers.
- Bulk-importing new users. Give this AD utility a try, it’s free!
If you like this page then please share it with your friends