Active Directory - FSMO Seizing, DRSM Password Reset and Dc health checks/best practices

As mentioned on old blog posts it is important to know which DCs (in your domain/Forest) are holding five Active directory roles using this command line.

 netdom query fsmo

 At the same time it is important to test your DCs health.

 https://www.alessandromazzanti.com/2015/05/server-commands-to-verify-domain.html.

 If you are facing unlike situation that DCs holding all 5 Ad roles (or few of them)  are no longer working you should start planning Seizing roles activity.

 Here it is a Microsoft article that well apply to all Microsoft Server versions.

 https://support.microsoft.com/en-sg/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control

Here they are other important suggests:
  1. Microsoft best practices suggest to have at least a Physical Domain controller indeed to have all them virtualized:
  2. I warmly suggest to check all your server and to have local Administrator password (and account enabled).
  3. To check, on all your servers/Dcs to have indicated DNS1, DNS2 and DNS3 pointing to active DCs/DNS
  4. Have 5 AD roles splitted between at least two domain controllers.
  5. About Domain controllers have DRSM Administrator password, if not known proceed to have it resetted.

Posted by
Labels: , , , , , , , , , ,