Seizing FSMO Roles Question

 
 
gerryR

 
      06-24-2010
We are losing connection to our head office (company splitting up) and want
to make sure that our local office IT stays fully functional with the least
amount of down time.

Head office W2k DC currently holds all FSMO roles, local office has a W2k DC
and both offices have Exchange server. I intend to promote a W2k3 server to
DC in the local office and leave it overnight to sync. We are losing
access to this local W2k DC hence I'm not seizing the roles to it. The next
day I intend to disconnect the WAN link between the offices and then seize
the FSMO roles to the newly promoted W2k3 server. I am wondering at what
stage should I disconnect the local W2k DC to make sure it doesn't cause any
problems?

Appreciate any advice

gR

PS - We can't transfer the roles as the head office needs to remain fully
operational. Once we disconnect the WAN and seize the roles we will never
reconnect the WAN.



 
 
 
 
 
Phillip Windell

 
      06-24-2010
Once you disconnect and seize the roles you can never connect back again.

You have to disconnect before you seize the roles.
Afterwards you have to do the Metadata Cleanup steps.

Later I would create a New Domain and Migrate over to it with ADMT and
eliminate the old domain entirely.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Meinolf Weber [MVP-DS]

 
      06-25-2010

Hello gerryR,

Theoretically you can do it this way, if you can make sure the networks will
NEVER be connected anymore. But what about people and their computers, do
they travel between the companies with their machines? As the computers
still belong to the same domain they run into trouble if they connect
to the other part of the domain.

Check with the support tools that everything is healthy:
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
netdiag /v >c:\netdiag.txt [from each DC, netdiag may work but isn't supported with Windows Server 2008 and higher]
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt (if more than one DC exists)
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


So if you have done the disconnection, I second Phillip's suggestion to migrate
one of the domains with ADMT to a new one, even if this is more work.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
gerryR

 
      06-25-2010

Hi, thanks for the replies.

The company is no longer, some people from the local office started up a new
company and purchased some of the PCs and servers. The head office will
remain open for a few weeks/months to wind down.

Once I disconnect the link (VPN over SDSL) it will not be reconnected, ever.
I'm still unsure about what to do with the existing local DC which will not
be kept. Should I disconnect it before or after promoting the new DC or
before or after seizing the FSMO roles?

I understand a new domain would be a cleaner way of doing things but the
time involved and cost associated with that are not really an option at the
min. They're looking for quickest, cheapest with least disruption.

When you say there would be a problem people connecting to both networks, is
that just if they connect to the head office, then the local one after the
roles are seized and then back to the head office? I ask because some
people may be moving up from there who are currently connected to the head
office network but once they move up and connect to the local network they
would not be reconnecting to the head office network ever.

Thanks again for the info
Gerry

 
Meinolf Weber [MVP-DS]

 
      06-25-2010

Hello gerryR,

To add a new DC to the domain make sure either you do it before disconnection
or when the existing DC has already all FSMO roles seized. Don't try to add
a new machine without the domain completely up and running.

Scenario after disconnection:
If userA and machineA from "maindomain" come into "sitedomain" which actually
still is the SAME as maindomain, SID hasn't changed, the sitedomain has still
information about userA and machineA in AD UC listed and also the SIDs are
the same with the difference that all saved dates, password change etc.,
in sitedomain are older than the current ones from maindomain.
So if machineA is connected to sitedomain first problems will come, machine
password and if this maybe works, userA's password will be different.

Hopefully I explained it so you can understand what problems can happen
even if the networks are never connected after disconnection.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Phillip Windell

 
      06-25-2010

"gerryR" <> wrote in message
news:...
> Once I disconnect the link (VPN over SDSL) it will not be reconnected,
> ever. I'm still unsure about what to do with the existing local DC which
> will not be kept. Should I disconnect it before or after promoting the
> new DC or before or after seizing the FSMO roles?


1. disconnect
2. seize roles
3. do metadata clean up to remove the "other" DC that is not there anymore
4. done

> I understand a new domain would be a cleaner way of doing things but the
> time involved and cost associated with that are not really an option at
> the min. They're looking for quickest, cheapest with least disruption.


1. There is no "cost"
2. Doing the "right thing" is *always* an option. There is a big
difference between something "not being an option" and just simply someone
"not wanting" to do it.
3. Doing the ADMT migration is probably the most important thing in the
whole process concerning your future. If I were involved in that situation
the ADMT Migration would be mandatory.

> When you say there would be a problem people connecting to both networks,
> is that just if they connect to the head office, then the local one after
> the roles are seized and then back to the head office? I ask because some
> people may be moving up from there who are currently connected to the head
> office network but once they move up and connect to the local network they
> would not be reconnecting to the head office network ever.


Their machines will work on both domains because they are not really "two"
Domains,...they are really "one" domain that has been brutally "chopped in
two". They have identical Machine Accounts with identical SIDs,...so at
first they will work in both places. But the more time passes the more "out
of whack" it will become and problems will start. Don't beg for
trouble,..they need to use their machine where they are going to use
them,...no running around back and forth.

Wait till they settle where they are going to finally be with their
machine,...first,...then do the ADMT Migration.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
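
The disconnect / seize / metadata cleanup sequence from the post above, written out as a Windows batch script. This is an added example, not part of the original thread; NEWDC01 and HQDC01 are hypothetical names, and it assumes the Support Tools (netdom, dcdiag) are installed on the newly promoted W2k3 DC where it is run.

```batch
@echo off
rem Added example, not from the thread. NEWDC and OLDDC are hypothetical names:
rem NEWDC = the newly promoted W2k3 DC (run this on it),
rem OLDDC = the head-office DC that currently holds the FSMO roles.
setlocal
set NEWDC=NEWDC01
set OLDDC=HQDC01

rem 1. Disconnect first. ntdsutil attempts a normal transfer before it seizes,
rem    so a reachable OLDDC would give its roles away instead of keeping them.
rem    ICMP is only a coarse check; confirm the link is physically down as well.
ping -n 2 %OLDDC% | find "TTL=" >nul
if not errorlevel 1 (
    echo %OLDDC% still answers. Disconnect the WAN link before seizing.
    exit /b 1
)

rem Record the role holders as this DC sees them before the change.
netdom query fsmo

rem 2. Seize all five roles onto NEWDC. ntdsutil asks for confirmation per role.
rem    "seize domain naming master" is the W2k3 wording of that command.
ntdsutil roles connections "connect to server %NEWDC%" quit ^
    "seize schema master" "seize domain naming master" ^
    "seize infrastructure master" "seize PDC" "seize RID master" quit quit

rem Confirm every role now points at NEWDC and that the holders can be located.
netdom query fsmo
dcdiag /s:%NEWDC% /test:knowsofroleholders
dcdiag /s:%NEWDC% /test:fsmocheck

rem 3. Metadata cleanup. The index numbers depend on the lists ntdsutil prints,
rem    so this part is typed by hand. The command below stops at the
rem    "select operation target:" prompt; then type:
rem      list domains          then  select domain <n>
rem      list sites            then  select site <n>
rem      list servers in site  then  select server <n>   (the DC that is gone)
rem      quit
rem      remove selected server
rem      quit, quit
ntdsutil "metadata cleanup" connections "connect to server %NEWDC%" quit "select operation target"
```

Run the metadata cleanup once for each DC that no longer exists in this copy of the domain.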


 
 
Phillip Windell

 
      06-25-2010
BTW - I'm not trying to give you a hard time (the way I write makes it seem
that way sometimes). I just hate to see people cause themselves future
problems by not doing the things that are best to do. On the other hand
people creating messes helps my paycheck when they call me in to clean it
up,..so I guess if everyone listened to me I would be unemployed :-)


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Joe Dunn

 
      06-25-2010

I think the others have answered your technical questions. If I was you
though I would go back to management and say the quickest, cheapest and least
disruptive approach is to create a new domain. I would actually say this is
the only approach.

It's typical of a business to want everything for nothing. But hacking a
domain in two will in most cases lead to more time and cost fixing problems
whilst at the same time disrupting the business.

Best regards
Joe Dunn
MBCS, MCITP:EA, MCSE, CCNA



 
Phillip Windell

 
      06-25-2010
"Joe Dunn" <> wrote in message
news:A656866A-7F66-4B6D-A027-...
>
> I think the others have answered your technical questions. If I was you
> though I would go back to management and say the quickest, cheapest and
> least disruptive approach is to create a new domain. I would actually say
> this is the only approach.
>
> It's typical of a business to want everything for nothing. But hacking a
> domain in two will in most cases lead to more time and cost fixing
> problems whilst at the same time disrupting the business.


That's just what I was thinking a while after my last post. Why chop the
Domain in half then do a migration to a new Domain,...when you can just
create a new *clean* Domain to begin with and use ADMT to migrate the needed
AD objects into the new one right from the start.

The migration with ADMT is non-destructive to the old Domain so there is no
harm that would be done there.

This is also a great way to avoid old "garbage" from the old Domain that
doesn't need messed with anyway.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 