Promote Active Directory Replica DC With No Access to FSMOs

Windows 2008 R2 domain controllers and functional levels. Network connectivity is as follows:

DC03 ------ DC02 ------ DC01(FSMOs)

DC01 holds all the FSMOs. DC03, which has not been promoted yet, is currently communicating just fine with DC02. All of the FSMO roles are on DC01. All Sites, Subnets, and Site Link objects are correctly configured to represent the network situation shown above.

DC03 cannot communicate directly with DC01.

DCPromo on DC03 is currently failing because DCPromo runs some tests of direct network connectivity to the FSMO role holder. It's attempting an LDAP bind to the RID Master, which is failing, and at that point DCPromo assumes the RID Master is offline. But it is not offline.

Is there a way I can bypass the connectivity tests? DC03 is currently syncing with DC02 just fine and can read all the Active Directory it wants to from it.

I thought about doing an Install From Media, but I'd like more confirmation that it'll actually work before I try it, and I don't see any evidence that an IFM installation skips the connectivity tests that regular DCPromo does.

PS - Without moving the FSMO roles.


Solution 1:

It seems as though the RID Master and PDC Emulator should be able to communicate directly with all DCs in the domain, though I haven't been able to find it spelled out exactly in those terms.

This TechNet article seems to hint at that.

Place roles on domain controllers that can be accessed by the computers that need access to a given role, especially on networks that are not fully routed. For example, to obtain a current or standby RID pool, or perform pass-through authentication, all DCs need network access to the RID and PDC role holders in their respective domains.

This other article also says:

Domain controllers in sites C and D cannot access the RID master in site A to obtain an initial RID pool after the Active Directory installation and to refresh RID pools as they become depleted.

Though, that article does make an opaque reference to site link bridging.

From what I can tell, site link bridging does not apply in the cases of RID issuance, or the services offered by the PDC emulator like failed auth forwarding or time sync, since these do not rely on replication and site link bridges are only for replication. There must be direct connectivity to the DCs with these roles.

If you remove the "PS" at the end of your question, I can offer a solution :)
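An added example, not part of the question or the answer above, of the check a practitioner would run on the candidate DC before DCPromo: ask a DC it can reach who holds each FSMO role, then attempt the same kind of LDAP bind against each holder that DCPromo makes. It assumes the candidate machine is domain-joined, that the reachable DC is named DC02 (the name from the question's diagram, used here as a hypothetical), and that LDAP is on TCP 389. It uses only the .NET System.DirectoryServices classes, so it does not need the RSAT ActiveDirectory module.

```powershell
# Added example (not from the question or answer): from the machine about to be promoted,
# find each FSMO role holder via a DC it CAN reach, then test whether the LDAP bind
# DCPromo performs would succeed against each holder.
# Assumptions: candidate is domain-joined; $ReachableDc (hypothetical name DC02) is
# reachable; LDAP listens on TCP 389.
param(
    [string]$ReachableDc = 'DC02',   # hypothetical: the DC the candidate can talk to
    [int]$TimeoutMs = 5000
)

Add-Type -AssemblyName System.DirectoryServices

# Ask the reachable DC who holds each role; this needs no contact with the holders.
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $ReachableDc)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$forest = $domain.Forest

$roleHolders = @{
    'RID Master'            = $domain.RidRoleOwner.Name
    'PDC Emulator'          = $domain.PdcRoleOwner.Name
    'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
    'Schema Master'         = $forest.SchemaRoleOwner.Name
    'Domain Naming Master'  = $forest.NamingRoleOwner.Name
}

function Test-LdapBind {
    param([string]$HostName, [int]$TimeoutMs)
    # Step 1: TCP connect to 389 with a timeout, so a silently dropped packet
    # (the "not fully routed" case) fails fast instead of hanging.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 389, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TCP 389 timed out'
        }
        $client.EndConnect($async)
    } catch {
        return "TCP 389 failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    # Step 2: a real LDAP bind against RootDSE; reading a property forces the bind.
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$HostName/RootDSE")
        $null = $rootDse.Properties['dnsHostName'].Value
        return 'LDAP bind OK'
    } catch {
        return "LDAP bind failed: $($_.Exception.Message)"
    }
}

foreach ($role in $roleHolders.Keys) {
    $holder = $roleHolders[$role]
    $result = Test-LdapBind -HostName $holder -TimeoutMs $TimeoutMs
    '{0,-22} {1,-30} {2}' -f $role, $holder, $result
}
```

Run it on the machine you intend to promote. Any row other than "LDAP bind OK" for the RID Master or PDC Emulator is the condition the question describes; the script only pinpoints which holder is unreachable and why (timeout versus refused versus bind error), it does not bypass DCPromo's check.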