The Directory service is unavailable FSMO

When working with Active Directory, one of the common tasks is moving FSMO roles between servers. Well, maybe not that common, but from time to time you have to move all or just some of the FSMO roles. For that purpose there is a single PowerShell cmdlet, Move-ADDirectoryServerOperationMasterRole. Sure, you can do this via the GUI, but if one command does it all, why bother? To make the move, the account has to be a Domain Admin, Enterprise Admin and Schema Admin. Everything went smoothly for some roles but failed for others.

PS C:\Windows\system32> Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster

cmdlet Move-ADDirectoryServerOperationMasterRole at command pipeline position 1
Supply values for the following parameters:
Identity: XXXXXXX

Move Operation Master Role
Do you want to move role 'SchemaMaster' to server 'XXXXXXX.domain.pl' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Move-ADDirectoryServerOperationMasterRole : Access is denied
At line:1 char:1
+ Move-ADDirectoryServerOperationMasterRole -OperationMasterRole Schema ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (XXXXXXX:ADDirectoryServer) [Move-ADDirector...ationMasterRole], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.MoveADDirectoryServerOperationMasterRole

Access is denied on an FSMO role move? What now?

Double-checked the groups my user is in – correct.


ForestMode and DomainMode – correct


PowerShell running as Administrator – correct

So what could be wrong? Nothing that looks wrong at first sight. The trick (for whatever reason) is to change your Primary group to Schema Admins.


By default the Primary group is Domain Users, but if you are having problems with an FSMO move, just set your Primary group to Schema Admins and you're good to go. Remember that you need to log off and back on for the group change to land in your logon token. After you log back in you should be able to move the FSMO role without a problem.
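The checks and the workaround described above, as an added PowerShell script that is not part of the original post. It assumes the RSAT ActiveDirectory module on a domain-joined host; the target DC name and the user are parameters (hypothetical), and the actual role transfer only runs when -DoMove is passed, because the primary-group change needs a fresh logon first.

```powershell
# Added example (not from the original post): diagnose the "Access is denied"
# FSMO transfer and apply the primary-group workaround described above.
param(
    [Parameter(Mandatory)][string]$TargetDc,   # placeholder, e.g. DC02
    [string]$User = $env:USERNAME,             # account doing the move
    [switch]$DoMove                            # only after logging off/on again
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Who holds the roles right now? Forest-wide roles come from Get-ADForest,
#    domain-wide roles from Get-ADDomain.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Confirm the three memberships the post says are required.
$required = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$groups = (Get-ADPrincipalGroupMembership -Identity $User).Name
foreach ($g in $required) {
    $state = if ($groups -contains $g) { 'OK' } else { 'MISSING' }
    Write-Host ("{0,-18} {1}" -f $g, $state)
}

# 3. Show the current primary group; RID 513 is Domain Users, the default.
$me = Get-ADUser -Identity $User -Properties primaryGroupID
Write-Host "Current primaryGroupID: $($me.primaryGroupID)"

if (-not $DoMove) {
    # 4. The workaround: make Schema Admins the primary group. The user must
    #    already be a member of that group, and the new primary group is only
    #    reflected in a new logon token, so log off and back on afterwards.
    $sa = Get-ADGroup 'Schema Admins' -Properties primaryGroupToken
    Set-ADUser -Identity $User -Replace @{ primaryGroupID = $sa.primaryGroupToken }
    Write-Host 'Primary group set to Schema Admins; log off, log on, rerun with -DoMove.'
} else {
    # 5. After a fresh logon, transfer the forest-wide roles to the target DC.
    #    -Confirm:$false skips the Y/N prompt shown in the transcript above.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
}
```

Once the move is done, set the primary group back to Domain Users (RID 513) with the same Set-ADUser -Replace call, so the account does not keep Schema Admins as its primary group permanently.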

You could try a manual seize if nothing else works. This is a last resort though.

I second that. Should be only a last resort, because it could leave you in some cases with problems in your AD. (I've seen this once: we seized roles to another server from a server that went down, then came back unexpectedly and wasn't isolated. Created a little mess.)

Michael, are there any related events in your Event Logs when you try to transfer the schema master to Win2k8?

When a directory is impaired or inoperable, the directory status message contains additional information. The status message is displayed in the Amazon Directory Service console, or returned by the DescribeDirectories API. For more information about the directory status, see Understanding your directory status.

The following are the status messages for a Simple AD directory:

The directory service's elastic network interface is not attached

Description

The critical elastic network interface (ENI) that was created on your behalf during directory creation to establish network connectivity with your VPC is not attached to the directory instance. Amazon applications backed by this directory will not be functional. Your directory cannot connect to your on-premises network.

Troubleshooting

If the ENI is detached but still exists, contact Amazon Web Services Support. If the ENI is deleted, there is no way to resolve the issue and your directory is permanently unusable. You must delete the directory and create a new one.

Issue(s) detected by instance

Description

An internal error was detected by the instance. This usually signifies that the monitoring service is actively attempting to recover the impaired instances.

Troubleshooting

In most cases, this is a transient issue, and the directory eventually returns to the Active state. If the problem persists, contact Amazon Web Services Support for more assistance.

The critical Amazon Directory Service reserved user is missing from the directory

Description

When a Simple AD is created, Amazon Directory Service creates a service account in the directory with the name AWSAdminD-xxxxxxxxx. This error is received when this service account cannot be found. Without this account, Amazon Directory Service cannot perform administrative functions on the directory, rendering the directory unusable.

Troubleshooting

To correct this issue, restore the directory to a previous snapshot that was created before the service account was deleted. Automatic snapshots are taken of your Simple AD directory one time a day. If it has been more than five days after this account was deleted, you may not be able to restore the directory to a state where this account exists. If you are not able to restore the directory from a snapshot where this account exists, your directory may become permanently unusable. If this is the case, you must delete your directory and create a new one.

The critical Amazon Directory Service reserved user needs to belong to the Domain Admins group

Description

When a Simple AD is created, Amazon Directory Service creates a service account in the directory with the name AWSAdminD-xxxxxxxxx. This error is received when this service account is not a member of the Domain Admins group. Membership in this group is needed to give Amazon Directory Service the privileges it needs to perform maintenance and recovery operations, such as transferring FSMO roles, domain joining new directory controllers, and restoring from snapshots.

Troubleshooting

Use the Active Directory Users and Computers tool to re-add the service account to the Domain Admins group.

The critical Amazon Directory Service reserved user is disabled

Description

When a Simple AD is created, Amazon Directory Service creates a service account in the directory with the name AWSAdminD-xxxxxxxxx. This error is received when this service account is disabled. This account must be enabled so that Amazon Directory Service can perform maintenance and recovery operations on the directory.

Troubleshooting

Use the Active Directory Users and Computers tool to re-enable the service account.

The main domain controller does not have all FSMO roles

Description

Not all of the FSMO roles are owned by the main Simple AD directory controller. Amazon Directory Service cannot guarantee certain behavior and functionality if the FSMO roles do not belong to the correct Simple AD directory controller.

Troubleshooting

Use Active Directory tools to move the FSMO roles back to the original working directory controller. For more information about moving the FSMO roles, go to https://docs.microsoft.com/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds. If this does not correct the problem, please contact Amazon Web Services Support for more assistance.
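The reserved-account and FSMO-placement conditions described in the status messages above, as an added PowerShell health check that is not part of the AWS documentation. It assumes the RSAT ActiveDirectory module on a domain-joined host; the expected FSMO holder and the list of known DCs are parameters (hypothetical), and the AWSAdminD- prefix is the only part of the service account name the documentation gives.

```powershell
# Added example (not AWS code): verify the Simple AD conditions the status
# messages describe and report every finding instead of stopping at the first.
param(
    [Parameter(Mandatory)][string]$FsmoDc,        # DC that should own all roles
    [string[]]$KnownDcs = @($FsmoDc)               # every DC you expect to exist
)
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[string]]::new()

# Reserved service account: AWSAdminD-<suffix>; the suffix varies per directory.
$svc = Get-ADUser -LDAPFilter '(sAMAccountName=AWSAdminD-*)' -Properties MemberOf |
       Select-Object -First 1
if (-not $svc) {
    $findings.Add('Reserved user AWSAdminD-* is missing (restore from a snapshot).')
} else {
    if (-not $svc.Enabled) {
        $findings.Add("Reserved user $($svc.SamAccountName) is disabled.")
    }
    $daDn = (Get-ADGroup 'Domain Admins').DistinguishedName
    if ($svc.MemberOf -notcontains $daDn) {
        $findings.Add("Reserved user $($svc.SamAccountName) is not in Domain Admins.")
    }
}

# FSMO placement: all five roles should sit on the expected directory controller.
$domain = Get-ADDomain
$forest = Get-ADForest
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $holders.Keys) {
    if ($holders[$role] -notlike "$FsmoDc*") {
        $findings.Add("$role is held by $($holders[$role]), expected $FsmoDc.")
    }
}

# An unexpected DC is one of the listed causes of replication failures.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    if (-not ($KnownDcs | Where-Object { $dc -like "$_*" })) {
        $findings.Add("Unknown domain controller in directory: $dc (demote it).")
    }
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings; exit 1 }
```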

Domain controller replication failures

Description

The Simple AD directory controllers are failing to replicate with one another. This can be caused by one or more of the following issues:

  • The security groups for the directory controllers do not have the correct ports open.

  • The network ACLs are too restrictive.

  • The VPC route table is not routing network traffic between the directory controllers correctly.

  • Another instance has been promoted to a domain controller in the directory.

Troubleshooting

For more information about your VPC network requirements, see Amazon Managed Microsoft AD prerequisites, AD Connector prerequisites, or Simple AD prerequisites. If there is an unknown domain controller in your directory, you must demote it. If your VPC network setup is correct, but the error persists, please contact Amazon Web Services Support for more assistance.

What does FSMO mean in Active Directory?

Flexible Single-Master Operation (FSMO) placement and optimization on AD DCs (Windows Server): certain operations are optimally done on a single domain controller.

What are the 5 FSMO roles in Active Directory?

Schema Master, Domain Naming Master, Infrastructure Master, Primary Domain Controller Emulator and Relative ID Master are the five Flexible Single Master Operation (FSMO) roles assigned to each domain in an Active Directory forest.

Is DNS a FSMO role?

Many AD books and websites describe five FSMO roles. There are actually seven. The two extra hidden roles are the Domain DNS Zone Master role and the Forest DNS Zone Master role.

What is FSMO in Azure?

The Flexible Single-Master Operation (FSMO) roles are a combination of roles that are held by a single domain controller (DC) in a given Active Directory (AD) forest or domain.