Posted on 2005-03-10
Medium Priority
Last Modified: 2012-05-05
Hi Guys

I have a friend that has 2 server 2003 boxes

His PDC is giving him plenty of troubles with blue screens and so on, there is a member server on that domain which i want to help him transfer the roles to the member server and make it the PDC to pull the existing PDC off the domain for repairs and so on.

Please help with possible problems during this process and the correct procesures in doing so.

I know that i would have to transfer the rols from the PDC to the member server and demote the existing PDC...

Is there anything else of major importance???

Question by:hitechauto
  • 4
  • 4

Accepted Solution

Caltor earned 2000 total points
ID: 13504970
Hi hitechauto,
Not really such a thing as a PDC these days. DCPROMO the member server to doman controller. Make it a global catalog and assign all of the FMSO roles. Make sure you get a working DNS setup on the new DC and test it thoroughly (logon/logoff etc) with the other server offline. Watch your DHCP options are giving out the correct addresses to allow for the new server. DNS server address for example. Proxy,gateway....etc.
The new server should only point to itself for DNS and you should probably force replication through AD sites and services.

LVL 58

Expert Comment

by:Pete Long
ID: 13505048
Stop!!!!!!!!!!!!!!! - the PDC emulator is the most important server in a 2003 domain - dont believe me? -  shut it down and try and do something in ADUC??
LVL 58

Expert Comment

by:Pete Long
ID: 13505057
get the PDC emulator on a reliable server - or replication will flater the KCC link checkers will start to fail and it will run like a pig

FSMO roles there are 5 FSMO roles which are

·      Schema master - Forest-wide and one per forest.
·      Domain naming master - Forest-wide and one per forest.
·      RID master - Domain-specific and one for each domain.
·      PDC - PDC Emulator is domain-specific and one for each domain.
·      Infrastructure master - Domain-specific and one for each domain.
5.      To do this you need to use the “ntdsutil” tool

To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.

Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
1.      On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.
2.      Type roles, and then press ENTER.

To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3.      Type connections, and then press ENTER.
4.      Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5.      At the server connections: prompt, type q, and then press ENTER again.
6.      Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
7.      After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalogue.

To check if a domain controller is also a global catalogue server:
1.      Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.      Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3.      Open the Servers folder, and then click the domain controller.
4.      In the domain controller's folder, double-click NTDS Settings.
5.      On the Action menu, click Properties.
6.      On the General tab, locate the Global Catalogue check box to see if it is selected.

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

Windows 2000 Active Directory FSMO Roles

Flexible Single Master Operation Transfer and Seizure Process

Dumpfsmos.cmd: Dump FSMO Roles (XP, 2K and 2K3)

Dump FSMO Roles (DumpFSMOs) is a command-line tool that displays the operations master (also known as flexible single master operations or FSMO) roles target server's domain and forest. Using Dump FSMO Roles you can find the names of the domain controllers that are performing operations master roles.
There are five operation master roles. Two of them exist at the forest level, meaning that only one server fills that role for the entire forest. These are the schema master and the domain naming master. The remaining three roles exist at the domain level, meaning that one server fills that operations master role for every domain in the forest. These include RID master, primary domain controller emulator, and infrastructure master
The following rights are required to run DumpFSMOs:
•      Builtin\Administrator, to run the tool locally.
•      Domain\Administrator or Enterprise\Administrator, to run the tool remotely.
File Required
•      Dumpfsmos.cmd
Files included in the 2K3 Resource Kit
Download and run rktools.exe then extract it to a folder.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 13505509
As you point out PDC Emulator is one of the FMSO roles. I did say "assign all of the FMSO roles" to the new server. I was just pointing out as an aside that in Windows 2000 parlance PDC is not as it was in NT. Hope I didn't give the wrong impression. The original poster spoke of demoting the original PDC which is NT methodology and not Windows 200X.
LVL 58

Expert Comment

by:Pete Long
ID: 13508091
No Probs wasnt trying to overshout you - its just most people consign PDC methodology to NT4 and while thats a sensible thing to do, PDC emulator is crucially important - which it shouldnt be in a multi master environment - but it is :)

Best Wishes


Expert Comment

ID: 13508435
Fair enough. I see your point. Sorry if I gave the impression PDC emulator wasn't important. I was just trying to help OP get into W2K+ mindset.
Do you think the MS blurb is sometimes guilty of giving the impression PDC is no longer in existence. That doesn't help your cause does it?! As you say it shouldn't be an issue in multimaster. Maybe one day..... But is AD truly multimaster?
If all the machines are 2000+ what does the PDC emulator do then? The wording in the MS KB article seems to (ambiguously) imply it then just does:
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.  
Account lockout is processed on the PDC emulator.  
Doesn't say anything about ADUC etc.
LVL 58

Expert Comment

by:Pete Long
ID: 13514572
>>MS blurb is sometimes guilty of giving the impression PDC is no longer in existence

yes :)

>> But is AD truly multimaster

on paper :)

>>Doesn't say anything about ADUC

shutdown PDC open ADUC try and do something :)

Expert Comment

ID: 13533021
Interesting. I will give that a try. Best wait until my users all go home though ;)

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question