Active Directory - Functional Level 승격이 안 되는 문제
윈도우 2012로 마이그레이션 하기 전에, 윈도우 2008 R2 Active Directory 서버의 (2003으로 설정된) 기능 수준을 승격시키려고 했습니다.
이를 위해, 다음과 같이 "Active Directory Domains and Trusts"에서 "Raise Forest Functional Level.." 메뉴를 선택하고,
R2 기능 수준으로 맞추고 "Raise" 버튼을 눌렀습니다.
음... ^^ 그런데, 무심한 AD는 다음과 같은 오류를 내뱉을 뿐이었습니다.
The functional level could not be raised. The error is: The requested
FSMO operation failed.
The current FSMO holder could not be contacted.
이벤트 로그를 보니, 다음과 같은 식의 경고가 발생한 기록이 있습니다.
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Schema,CN=Configuration,DC=test,DC=com
FSMO Server DN: CN=NTDS Settings\0ADEL:751d37c1-92b6-43f1-a3fb-d5a36e971142,CN=[AD서버이름],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
User Action:
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
마침 얼마 전에, 2대의 AD 중에서 한 개를 임의로 삭제했던 기억이 났는데요. 그렇게 되면, 당연히 BDC로 운영되던 AD가 PDC로 승격될 줄 알았는데... 현재는 그렇지 못하다는 것을 나타내는 것 같았습니다.
그래서, 명시적으로 PDC로 올리기 위한 글을 검색해 봤는데요.
Seize the Operations Master Role
; https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816779(v=ws.10)
설명된 대로, 다음과 같은 일련의 명령을 실행했습니다.
C:\Windows\system32>ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: Roles
fsmo maintenance: Connections
server connections: Connect to server [AD서버이름]
Binding to [AD서버이름] ...
Connected to [AD서버이름] using credentials of locally logged on user.
server connections: quit
fsmo maintenance: Seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "[AD서버이름]" knows about 5 roles
...[생략]...
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "[AD서버이름]" knows about 5 roles
...[생략]...
fsmo maintenance:
위와 같은 식으로 문서에 따라, "Seize infrastructure master", "Seize pdc", "Seize rid master" 명령을 내려주었습니다.
자, 다시 "raise forest functional level"을 실행하면 ^^ 깔끔하게 성공!
[이 글에 대해서 여러분들과 의견을 공유하고 싶습니다. 틀리거나 미흡한 부분 또는 의문 사항이 있으시면 언제든 댓글 남겨주십시오.]