Solved

DOMAIN ROLES

Posted on 2005-03-10
8
Medium Priority
624 Views
Last Modified: 2012-05-05
Hi Guys

I have a friend that has two Server 2003 boxes.

His PDC is giving him plenty of trouble with blue screens and so on. There is a member server on that domain, and I want to help him transfer the roles to the member server and make it the PDC, so he can pull the existing PDC off the domain for repairs and so on.

Please help with possible problems during this process and the correct procedures for doing so.

I know that I would have to transfer the roles from the PDC to the member server and demote the existing PDC...

Is there anything else of major importance???

PLEASE HELP
0
Comment
Question by:hitechauto
8 Comments
 
LVL 3

Accepted Solution

by:
Caltor earned 2000 total points
ID: 13504970
Hi hitechauto,
Not really such a thing as a PDC these days. DCPROMO the member server to doman controller. Make it a global catalog and assign all of the FMSO roles. Make sure you get a working DNS setup on the new DC and test it thoroughly (logon/logoff etc) with the other server offline. Watch your DHCP options are giving out the correct addresses to allow for the new server. DNS server address for example. Proxy,gateway....etc.
The new server should only point to itself for DNS and you should probably force replication through AD sites and services.

Cheers!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13505048
Stop!!!!!!!!!!!!!!! - the PDC emulator is the most important server in a 2003 domain - don't believe me? - shut it down and try and do something in ADUC??
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13505057
Get the PDC emulator on a reliable server, or replication will falter, the KCC link checkers will start to fail and it will run like a pig.

FSMO roles: there are 5 FSMO roles, which are

•      Schema master - Forest-wide and one per forest.
•      Domain naming master - Forest-wide and one per forest.
•      RID master - Domain-specific and one for each domain.
•      PDC - PDC Emulator is domain-specific and one for each domain.
•      Infrastructure master - Domain-specific and one for each domain.

To do this you need to use the “ntdsutil” tool.

To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.

Note Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:

1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

Note Microsoft recommends that you use the domain controller that is taking the FSMO roles.

2. Type roles, and then press ENTER.

To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.
4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

Note All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain; otherwise fix the broken domain controller with the roles.

If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.

7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note Do not put the Infrastructure Master role on the same domain controller as the global catalogue.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132

To check if a domain controller is also a global catalogue server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, locate the Global Catalogue check box to see if it is selected.
*****References*****

Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/?kbid=255504

Windows 2000 Active Directory FSMO Roles
http://support.microsoft.com/default.aspx?scid=kb;EN-US;197132

Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223787

Dumpfsmos.cmd: Dump FSMO Roles (XP, 2K and 2K3)

Dump FSMO Roles (DumpFSMOs) is a command-line tool that displays the operations master (also known as flexible single master operations or FSMO) roles for the target server's domain and forest. Using Dump FSMO Roles you can find the names of the domain controllers that are performing operations master roles.
There are five operations master roles. Two of them exist at the forest level, meaning that only one server fills that role for the entire forest. These are the schema master and the domain naming master. The remaining three roles exist at the domain level, meaning that one server fills that operations master role for every domain in the forest. These include the RID master, primary domain controller emulator, and infrastructure master.
The following rights are required to run DumpFSMOs:
•      Builtin\Administrator, to run the tool locally.
•      Domain\Administrator or Enterprise\Administrator, to run the tool remotely.
File Required
•      Dumpfsmos.cmd
Files included in the 2K3 Resource Kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Download and run rktools.exe then extract it to a folder.
0
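Added example, not code from the thread, from Microsoft's KB articles or from the Resource Kit: a batch file that drives the transfer path of the ntdsutil procedure above without typing into the menus, and brackets it with the checks the accepted answer asks for (the new DC is a global catalog, DNS advertises it, every DC agrees on the new role holders). It assumes the new domain controller is named NEWDC in a domain called example.local (both are placeholders) and that the Windows Server 2003 Support Tools (netdom, dcdiag) are installed on the DC it is run from.

```batch
@echo off
setlocal
REM Added example, not part of the thread: transfer all five FSMO roles to a
REM new DC while the current role holder is still online (the "transfer" path,
REM not "seize"). NEWDC and example.local are placeholders; replace them.
set NEWDC=NEWDC
set DOMAIN=example.local

echo === Before: who holds the roles now (Support Tools netdom) ===
netdom query fsmo

echo === Pre-checks on %NEWDC% ===
REM The new server must already be a DC and should be a global catalog;
REM this prints the server only if it is a GC.
dsquery server -name %NEWDC% -isgc
REM DNS must advertise the new DC: clients and other DCs locate it through
REM these SRV records, so %NEWDC% should appear in the answer.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%

echo === Transfer the five roles (ntdsutil asks for confirmation per role) ===
REM ntdsutil accepts its menu commands as quoted arguments, so the interactive
REM session from KB 255504 can be driven from a script. "transfer pdc" is the
REM one role whose command does not spell out "emulator".
ntdsutil "roles" "connections" "connect to server %NEWDC%" "quit" ^
  "transfer schema master" ^
  "transfer domain naming master" ^
  "transfer rid master" ^
  "transfer pdc" ^
  "transfer infrastructure master" ^
  "quit" "quit"

echo === After: every DC should agree on the new holders ===
netdom query fsmo
dcdiag /test:knowsofroleholders /v
endlocal
```

Run it as a Domain Admin (Enterprise Admin for the two forest-wide roles) on the new DC after DCPROMO has finished and replication has caught up. If dcdiag still reports the old server as a holder on some DC, wait for replication before taking the old box offline; and as Pete's post says, swap "transfer" for "seize" only when the old holder is not coming back, because a seized role must never be brought back online on the original server.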
 
LVL 3

Expert Comment

by:Caltor
ID: 13505509
As you point out, PDC Emulator is one of the FSMO roles. I did say "assign all of the FSMO roles" to the new server. I was just pointing out as an aside that in Windows 2000 parlance PDC is not as it was in NT. Hope I didn't give the wrong impression. The original poster spoke of demoting the original PDC, which is NT methodology and not Windows 200X.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13508091
No probs, wasn't trying to overshout you - it's just most people consign PDC methodology to NT4, and while that's a sensible thing to do, PDC emulator is crucially important - which it shouldn't be in a multi-master environment - but it is :)

Best Wishes

Pete
0
 
LVL 3

Expert Comment

by:Caltor
ID: 13508435
Fair enough. I see your point. Sorry if I gave the impression PDC emulator wasn't important. I was just trying to help OP get into W2K+ mindset.
Do you think the MS blurb is sometimes guilty of giving the impression PDC is no longer in existence? That doesn't help your cause, does it?! As you say, it shouldn't be an issue in multi-master. Maybe one day..... But is AD truly multi-master?
If all the machines are 2000+ what does the PDC emulator do then? The wording in the MS KB article seems to (ambiguously) imply it then just does:
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.  
Account lockout is processed on the PDC emulator.  
Doesn't say anything about ADUC etc.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13514572
>>MS blurb is sometimes guilty of giving the impression PDC is no longer in existence

yes :)

>> But is AD truly multimaster

on paper :)

>>Doesn't say anything about ADUC

Shut down the PDC, open ADUC, try and do something :)
0
 
LVL 3

Expert Comment

by:Caltor
ID: 13533021
Interesting. I will give that a try. Best wait until my users all go home though ;)
0
