Solved

moving win2k PDC from one server to another:

Posted on 2003-11-26
6
680 Views
Last Modified: 2011-09-20
Getting a new server and we want to trash the old one... What we would like to do is make the new server a PDC somehow by moving all the AD info over to the new one
0
Comment
Question by:certpros
  • 4
6 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 50 total points
Comment Utility
Hi certpros,
New Domain Controller

First DON’T consider using a cloning tool like Norton/Symantec Ghost to make an image of the server, this is fraught with pitfalls!
Consider keeping the old Domain Controller running, having two domain controllers build redundancy/Fault tolerance into your network.

1.      Build the new server in the live environment, put on all the relevant service packs (remember MS service packs are inclusive, SP2 includes SP1 etc) and join the server to the domain (You Must have the rights to do this)
2.      Promote the New server to a domain controller by running DCPromo (The server MUST be able to see DNS or it will fail) to run DC Promo Click Start >Run >type “dcpromo” {enter}
3.      When the server has finished and rebooted, you need to make the decision on weather to keep the old Domain Controller (I would say yes) If you do then your job is finished.
4.      You will now need to “seize” the FSMO roles there are 5 FSMO roles which are

·      Schema master - Forest-wide and one per forest.
·      Domain naming master - Forest-wide and one per forest.
·      RID master - Domain-specific and one for each domain.
·      PDC - PDC Emulator is domain-specific and one for each domain.
·      Infrastructure master - Domain-specific and one for each domain.
5.      To do this you need to use the “ntdsutil” tool

To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.

Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
1.      On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.
2.      Type roles, and then press ENTER.

To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3.      Type connections, and then press ENTER.
4.      Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5.      At the server connections: prompt, type q, and then press ENTER again.
6.      Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
7.      After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalog.

To check if a domain controller is also a global catalog server:
1.      Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.      Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3.      Open the Servers folder, and then click the domain controller.
4.      In the domain controller's folder, double-click NTDS Settings.
5.      On the Action menu, click Properties.
6.      On the General tab, locate the Global Catalog check box to see if it is selected.
*****References*****

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/?kbid=255504

Windows 2000 Active Directory FSMO Roles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132

Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787

Cheers!
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
ThanQ
0
 
LVL 4

Expert Comment

by:srose6
Comment Utility
The text above from PeteLong is right on the money. Covered all bases. I am a systems admin who inherited a neglected piece of @#$% domain upon my first day of employment and had to do the same thing. I am an MCSE+I with about 10 years in the field and you can't go wrong with the above sound advice. The management team where I work approved all purchase orders but the cooling system so 12 power edge servers ran in a room at 95+ degrees for months.... anyway I have to give PeteLong his props he rocks on this one.

If you want to see a really screwed up domain check out the question I posted at
http://www.experts-exchange.com/Security/Q_20809472.html

Steve
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Steve

Thanks M8 good to be in good company

Pete Long
0
 

Expert Comment

by:antony_af
Comment Utility
Hi,
the procedure you wrote is well explained and seems to me as the right explaination.
I do know that we don't had to affect the infrastruture master role to the same domain controler as the global catalog;  but if i am going to delete definitly the first DC after the replication to the second DC, so how come i cannot affect the infrastructure master role to the new DC which suppose to be the GC.

as u said, all 5 FSMO roles must be in a domain and the forest ..
and on the other hand, the first DC of the Domain and of the forest has by default the 5 FSMO roles; so  what is the solution ??

Anthony
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
hehe chicken and egg eh? YES I take you point, and what if a company only has one server?

The True answer is "It doesnt really matter" Ive had GC and all  FSMO roles and Exchange running on one server for three years and Ive never seen a problem. the seperate GC statement is common MS best policy. (please dont ask me to find the info I got that from, but I have read it elsewhere)

If I had to guess why, Id say it cuts down on network traffic, but thats the only reason I can see.

Regards

Pete
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Server Hard Drive Expansion 2 138
Visual C++ Runtime Error on Windows 2000 Server 2 1,437
auto copy 8 610
Application Deployment - Simple 7 628
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this article, I will show you HOW TO: Create your first Windows Virtual Machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, the Windows OS we will install is Windows Server 2016.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now