hitechauto
asked on
DOMAIN ROLS
Hi Guys
I have a friend that has 2 server 2003 boxes
His PDC is giving him plenty of troubles with blue screens and so on, there is a member server on that domain which i want to help him transfer the roles to the member server and make it the PDC to pull the existing PDC off the domain for repairs and so on.
Please help with possible problems during this process and the correct procesures in doing so.
I know that i would have to transfer the rols from the PDC to the member server and demote the existing PDC...
Is there anything else of major importance???
PLEASE HELP
I have a friend that has 2 server 2003 boxes
His PDC is giving him plenty of troubles with blue screens and so on, there is a member server on that domain which i want to help him transfer the roles to the member server and make it the PDC to pull the existing PDC off the domain for repairs and so on.
Please help with possible problems during this process and the correct procesures in doing so.
I know that i would have to transfer the rols from the PDC to the member server and demote the existing PDC...
Is there anything else of major importance???
PLEASE HELP
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Pete Long
Stop!!!!!!!!!!!!!!! - the PDC emulator is the most important server in a 2003 domain - dont believe me? - shut it down and try and do something in ADUC??
get the PDC emulator on a reliable server - or replication will flater the KCC link checkers will start to fail and it will run like a pig
FSMO roles there are 5 FSMO roles which are
· Schema master - Forest-wide and one per forest.
· Domain naming master - Forest-wide and one per forest.
· RID master - Domain-specific and one for each domain.
· PDC - PDC Emulator is domain-specific and one for each domain.
· Infrastructure master - Domain-specific and one for each domain.
5. To do this you need to use the “ntdsutil” tool
To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.
Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.
To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.
Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.
2. Type roles, and then press ENTER.
To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".
Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.
If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalogue.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132
To check if a domain controller is also a global catalogue server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, locate the Global Catalogue check box to see if it is selected.
*****References*****
Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/?kbid=255504
Windows 2000 Active Directory FSMO Roles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132
Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787
Dumpfsmos.cmd: Dump FSMO Roles (XP, 2K and 2K3)
Dump FSMO Roles (DumpFSMOs) is a command-line tool that displays the operations master (also known as flexible single master operations or FSMO) roles target server's domain and forest. Using Dump FSMO Roles you can find the names of the domain controllers that are performing operations master roles.
There are five operation master roles. Two of them exist at the forest level, meaning that only one server fills that role for the entire forest. These are the schema master and the domain naming master. The remaining three roles exist at the domain level, meaning that one server fills that operations master role for every domain in the forest. These include RID master, primary domain controller emulator, and infrastructure master
The following rights are required to run DumpFSMOs:
• Builtin\Administrator, to run the tool locally.
• Domain\Administrator or Enterprise\Administrator, to run the tool remotely.
File Required
• Dumpfsmos.cmd
Files included in the 2K3 Resource Kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Download and run rktools.exe then extract it to a folder.
FSMO roles there are 5 FSMO roles which are
· Schema master - Forest-wide and one per forest.
· Domain naming master - Forest-wide and one per forest.
· RID master - Domain-specific and one for each domain.
· PDC - PDC Emulator is domain-specific and one for each domain.
· Infrastructure master - Domain-specific and one for each domain.
5. To do this you need to use the “ntdsutil” tool
To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.
Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.
To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.
Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.
2. Type roles, and then press ENTER.
To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".
Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.
If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalogue.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132
To check if a domain controller is also a global catalogue server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, locate the Global Catalogue check box to see if it is selected.
*****References*****
Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/?kbid=255504
Windows 2000 Active Directory FSMO Roles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132
Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787
Dumpfsmos.cmd: Dump FSMO Roles (XP, 2K and 2K3)
Dump FSMO Roles (DumpFSMOs) is a command-line tool that displays the operations master (also known as flexible single master operations or FSMO) roles target server's domain and forest. Using Dump FSMO Roles you can find the names of the domain controllers that are performing operations master roles.
There are five operation master roles. Two of them exist at the forest level, meaning that only one server fills that role for the entire forest. These are the schema master and the domain naming master. The remaining three roles exist at the domain level, meaning that one server fills that operations master role for every domain in the forest. These include RID master, primary domain controller emulator, and infrastructure master
The following rights are required to run DumpFSMOs:
• Builtin\Administrator, to run the tool locally.
• Domain\Administrator or Enterprise\Administrator, to run the tool remotely.
File Required
• Dumpfsmos.cmd
Files included in the 2K3 Resource Kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Download and run rktools.exe then extract it to a folder.
As you point out PDC Emulator is one of the FMSO roles. I did say "assign all of the FMSO roles" to the new server. I was just pointing out as an aside that in Windows 2000 parlance PDC is not as it was in NT. Hope I didn't give the wrong impression. The original poster spoke of demoting the original PDC which is NT methodology and not Windows 200X.
No Probs wasnt trying to overshout you - its just most people consign PDC methodology to NT4 and while thats a sensible thing to do, PDC emulator is crucially important - which it shouldnt be in a multi master environment - but it is :)
Best Wishes
Pete
Best Wishes
Pete
Fair enough. I see your point. Sorry if I gave the impression PDC emulator wasn't important. I was just trying to help OP get into W2K+ mindset.
Do you think the MS blurb is sometimes guilty of giving the impression PDC is no longer in existence. That doesn't help your cause does it?! As you say it shouldn't be an issue in multimaster. Maybe one day..... But is AD truly multimaster?
If all the machines are 2000+ what does the PDC emulator do then? The wording in the MS KB article seems to (ambiguously) imply it then just does:
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Doesn't say anything about ADUC etc.
Do you think the MS blurb is sometimes guilty of giving the impression PDC is no longer in existence. That doesn't help your cause does it?! As you say it shouldn't be an issue in multimaster. Maybe one day..... But is AD truly multimaster?
If all the machines are 2000+ what does the PDC emulator do then? The wording in the MS KB article seems to (ambiguously) imply it then just does:
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Doesn't say anything about ADUC etc.
>>MS blurb is sometimes guilty of giving the impression PDC is no longer in existence
yes :)
>> But is AD truly multimaster
on paper :)
>>Doesn't say anything about ADUC
shutdown PDC open ADUC try and do something :)
yes :)
>> But is AD truly multimaster
on paper :)
>>Doesn't say anything about ADUC
shutdown PDC open ADUC try and do something :)
Interesting. I will give that a try. Best wait until my users all go home though ;)