How do I move the domain naming master role?

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

    • Active Directory Schema snap-in
    • Active Directory Domains and Trusts snap-in
    • Active Directory Users and Computers snap-in

To transfer a FSMO role, the administrator must be a member of the group listed for that role:

    FSMO role         Administrator must be a member of
    Schema            Schema Admins
    Domain Naming     Enterprise Admins
    RID               Domain Admins
    PDC Emulator      Domain Admins
    Infrastructure    Domain Admins

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

  1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder, the target, and press OK.
  4. Right-click the Active Directory Users and Computers icon again and press Operations Masters.
  5. Select the appropriate tab for the role you wish to transfer and press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

Transferring the Domain Naming Master via GUI

To Transfer the Domain Naming Master Role:

  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder and press OK.
  4. Right-click the Active Directory Domains and Trusts icon again and press Operations Masters.
  5. Press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

Transferring the Schema Master via GUI

To Transfer the Schema Master Role:

  1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
     regsvr32 schmmgmt.dll
  2. Press OK. You should receive a success confirmation.
  3. From the Run command, open an MMC console by typing MMC.
  4. On the Console menu, press Add/Remove Snap-in.
  5. Press Add. Select Active Directory Schema.
  6. Press Add and press Close. Press OK.
  7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
  8. Press Specify… and type the name of the new role holder. Press OK.
  9. Right-click the Active Directory Schema icon again and press Operations Masters.
  10. Press the Change button.
  11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
     Microsoft Windows [Version 5.2.3790]
     (C) Copyright 1985-2003 Microsoft Corp.
     C:\WINDOWS>ntdsutil
     ntdsutil:
  2. Type roles, and then press ENTER.
     ntdsutil: roles
     fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
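The same transfer can be scripted. The following script is an added example and not part of the original page: it uses the RSAT ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet to move the Domain Naming Master, checking first that the caller is in Enterprise Admins (the group the table above requires for this role) and that the target answers LDAP, and verifying afterwards against the new holder. It assumes RSAT is installed; the target name DC2 in the usage comment is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example, not from the original page: transfer (or, with -Seize, forcibly
 seize) the Domain Naming Master with the RSAT ActiveDirectory module.
 Assumptions: RSAT is installed; the DC name given as -Target is a placeholder.
#>
param(
    [Parameter(Mandatory)][string]$Target,   # DC that will become the new role holder
    [switch]$Seize                            # only when the current holder is permanently gone
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# 1. Current holder; Get-ADForest reads fSMORoleOwner on the Partitions container.
$forest  = Get-ADForest
$current = $forest.DomainNamingMaster
Write-Host "Domain Naming Master is currently held by $current"

# 2. The caller must be in Enterprise Admins, which is always RID 519 of the
#    forest root domain SID.
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ($token.Groups | Where-Object { $_.Value -eq "$rootSid-519" })) {
    throw 'Transferring the Domain Naming Master requires Enterprise Admins membership.'
}

# 3. The target must be a DC and must answer LDAP, or the transfer fails half-way.
$dc = Get-ADDomainController -Identity $Target
if (-not (Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet)) {
    throw "$($dc.HostName) does not answer on TCP/389; refusing to transfer."
}
if ($dc.HostName -eq $current) {
    Write-Host 'Target already holds the role; nothing to do.'
    return
}

# 4. Transfer. -Force seizes instead: the new holder takes the role without the
#    old holder's cooperation, so the old holder must never come back online with
#    its old directory, or two DCs will each believe they own the role.
$params = @{
    Identity            = $dc
    OperationMasterRole = 'DomainNamingMaster'
    Confirm             = $false
}
if ($Seize) { $params['Force'] = $true }
Move-ADDirectoryServerOperationMasterRole @params

# 5. Verify against the new holder itself; another DC may still report the old
#    owner until the Configuration partition has replicated.
$after = (Get-ADForest -Server $dc.HostName).DomainNamingMaster
if ($after -ne $dc.HostName) { throw "Transfer did not take effect; $after is reported as holder." }
Write-Host "Domain Naming Master is now $after"

# Usage:  .\Move-DomainNamingMaster.ps1 -Target DC2
```

The verification step deliberately queries the target with -Server: the role owner is stored in the Configuration partition, so a query answered by some other DC can show the previous holder until replication catches up, which is also why a seized role must never be followed by the old holder rejoining.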

  3. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
  4. Right-click Active Directory Domains and Trusts in the top-left pane, and then click Operations Masters to view the server holding the Domain Naming Master role.

Configuring & Implementing…

Transferring the Domain Naming Master Role

  1. Click Start | Administrative Tools | Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and click Change Active Directory Domain Controller, unless you are already on the DC to which you are transferring the role. Select the This Domain Controller or AD LDS instance list, enter the name of the DC that will be the new role holder, and then click OK.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then select Operations Master. Click Change.
  4. Click OK for confirmation, and click Close.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492737000021

MCSA/MCSE 70–294: Working with Forests and Domains

Michael Cross, ... Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2004

Locating, Transferring, and Seizing the Domain Naming Master Role

The Domain Naming Master DC controls the addition or removal of domains in the forest, and the adding and removing of cross-references to domains in external LDAP directories. There can be only one Domain Naming Master in the forest.

Refer to Exercise 4.12 for instructions on how to identify the DC that is performing the Domain Naming Master operation role for your forest. Refer to Exercise 4.13 for instructions on how to transfer the Domain Naming Master operations role for your forest to a different DC, and Exercise 4.16 for steps to seize the role to another DC in case of a failure.

Exercise 4.12

Locating the Domain Naming Operations Master

  1. Log on as an Enterprise Administrator in the forest you are checking.
  2. Click Start | Run, type: mmc, and then click OK.
  3. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
  4. Right-click Active Directory Domains and Trusts in the top-left pane, and then click Operations Masters to view the server holding the domain naming master role, as shown in Figure 4.37.

Exercise 4.13

Transferring the Domain Naming Master Role

  1. Click Start | Administrative Tools | Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and click Connect to Domain Controller, unless you are already on the DC to which you are transferring the role. In the Enter the name of another domain controller window, type the name of the DC that will be the new role holder, and then click OK. Optionally, in the Or, select an available domain controller list, click the DC that will be the new role holder, and click OK. See Figure 4.38.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then select Operations Master, as shown in Figure 4.39.
  4. Click Change.
  5. Click OK for confirmation, and click Close.

EXAM WARNING

Remember that in a Windows 2000 forest, or a forest still at the Windows 2000 functional level, the Domain Naming Master must also be a GC server. After the forest is raised to the Windows Server 2003 forest functional level, that restriction is lifted and you can separate the two functions.

Windows Server 2003 Domain Naming Masters are no longer required to host the GC.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500106

MCSA/MCSE 70-294: Active Directory Infrastructure Overview

Michael Cross, ... Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

Understanding How Active Directory Works

  6. You are making changes to object classes and attributes used in Active Directory. On which of the following DCs will you make these changes?
     A. Schema Master
     B. RID Master
     C. Infrastructure Master
     D. PDC Emulator

  7. Your network consists of two forests, with two domains in one forest and three domains in the other. Based on this information, how many of the following master roles will be in the forests and domains?
     A. There will be five Schema Masters, Domain Naming Masters, RID Masters, PDC Emulators, and Infrastructure Masters.
     B. There will be two Schema Masters, Domain Naming Masters, RID Masters, PDC Emulators, and Infrastructure Masters.
     C. There will be five Schema Masters and Domain Naming Masters, and two RID Masters, PDC Emulators, and Infrastructure Masters.
     D. There will be two Schema Masters and Domain Naming Masters, and five RID Masters, PDC Emulators, and Infrastructure Masters.

  8. A user recently changed her last name, and you make changes to the user object in the directory to reflect this. Just before the change, inter-site replication has taken place using the default schedule. Just after the change, a link between the DC on which the changes were made and the DC in the other site fails. It will be another hour until the link is back up again. There are four DCs in each site. Which of the following will occur?
     A. Replication between the DCs will occur normally, because at least two connections to each DC are created by the Knowledge Consistency Checker (KCC). Because one has failed, the other connection will be used.
     B. Replication between the DCs won’t occur. After 15 seconds, a notification of the change will be sent out, and replication partners will then request updated data.
     C. Replication will occur normally, because the information won’t be replicated until three hours after the last replication.
     D. Another link will be used to replicate the data, based on the information gathered by the topology generator.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500076

MCSE 70-293: Planning Server Roles and Server Security

Martin Grasdal, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-293) Study Guide, 2003

Operations Master Roles

By default, all domain controllers are relatively equal. However, there are still some operations that need to be performed by a single domain controller in the domain or forest. To address these, Microsoft created the concept of operations masters. Operations masters serve many purposes. Some control where components of AD can be modified; others store specific information that is key to the healthy function of AD at the domain level. Because only one domain controller in a domain or forest fulfills a given role, these roles are also referred to as Flexible Single Master Operations (FSMO) roles.

Some FSMO roles are unique to each domain; others are unique to the forest. A forest is one or more domain trees that share a common schema, Global Catalog, and configuration information. The schema is used to define which types of objects (classes) and attributes can be used in AD. Without it, AD would have no way of knowing what objects can exist in the directory or what attributes apply to each object. The Global Catalog is a subset of information from AD. It stores a copy of all objects in its host domain, as well as a partial copy of objects in all of the other domains in the forest.

There are five different types of master roles, each serving a specific purpose. Two of these master roles are applied at the forest level (forest-wide roles), and the others are applied at the domain level (domain-wide roles). The following are the forest-wide operations master roles:

Schema master A domain controller that is in charge of all changes to the AD schema. As mentioned, the schema determines which object classes and attributes are used within the forest. If additional object classes or attributes need to be added, the schema is modified to accommodate these changes. The schema master is used to write to the directory’s schema, which is then replicated to other domain controllers in the forest. Updates to the schema can be performed only on the domain controller acting in this role.

Domain naming master A domain controller that is in charge of adding new domains and removing unneeded ones from the forest. It is responsible for any changes to the domain namespace. This role prevents naming conflicts, because such changes can be performed only if the domain naming master is online.

In addition to the two forest-wide master roles, there are three domain-wide master roles: relative ID (RID) master, primary domain controller (PDC) emulator, and infrastructure master. These roles are described in the following sections.

Relative ID Master

The relative ID master is responsible for allocating sequences of numbers (called relative IDs, or RIDs) that are used in creating new security principals in the domain. Security principals are user, group, and computer accounts. These numbers are issued to all domain controllers in the domain. When an object is created, a number that uniquely identifies the object is assigned to it. This number consists of two parts: a domain security ID (or computer SID if a local user or group account is being created) and a RID. Together, the domain SID and RID combine to form the object’s unique SID. The domain security ID is the same for all objects in that domain. The RID is unique to each object. Instead of using the name of a user, computer, or group, Windows uses the SID to identify and reference security principals. To avoid potential conflicts of domain controllers issuing the same number to an object, only one RID master exists in a domain. It hands each domain controller a pool of RIDs, and the domain controller then assigns RIDs from that pool to objects as they are created.
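The domain SID plus RID composition, and the RID pools the RID master hands out, can both be inspected directly. The following is an added example, not code from the book: Split-Sid separates an account SID into its domain SID and RID, and ConvertFrom-RidPool decodes the 64-bit rIDAllocationPool and rIDAvailablePool attributes (low 32 bits are the first RID of the pool, high 32 bits the last). The SID and pool values in the demonstration are constructed; the optional live section assumes the RSAT ActiveDirectory module and reads the real RID Manager$ and RID Set objects.

```powershell
<#
 Added example, not from the original page. Demonstrates how a security
 principal's SID is built from the domain SID and a RID, and how a domain
 controller's RID pool is encoded in the directory. Sample values are constructed.
#>

function Split-Sid {
    # Returns the domain SID and the RID of an account SID such as S-1-5-21-a-b-c-1105.
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
    $parts  = $Sid -split '-'
    $rid    = [uint32]$parts[-1]
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = $sidObj.AccountDomainSid.Value   # S-1-5-21-x-y-z; null for built-in SIDs
        Rid       = $rid
        WellKnown = ($rid -lt 1000)                  # RIDs below 1000 are reserved (500 = Administrator, 512 = Domain Admins)
    }
}

function ConvertFrom-RidPool {
    # rIDAllocationPool / rIDPreviousAllocationPool / rIDAvailablePool are 64-bit:
    # low 32 bits = first RID of the pool, high 32 bits = last RID.
    param([Parameter(Mandatory)][int64]$Pool)
    [pscustomobject]@{
        Start = [uint32]($Pool -band 0xFFFFFFFF)
        End   = [uint32](($Pool -shr 32) -band 0xFFFFFFFF)
    }
}

# Constructed SID: one domain, one ordinary user with RID 1105.
$user = Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1105'
"User      : {0}  (domain {1}, RID {2})" -f $user.Sid, $user.DomainSid, $user.Rid
# The built-in Administrator of the same domain is the same domain SID with RID 500.
$admin = Split-Sid ("{0}-500" -f $user.DomainSid)
"Admin     : {0}  (well-known RID: {1})" -f $admin.Sid, $admin.WellKnown

# Constructed pool value: a DC that was handed RIDs 1000 through 1499 (500 RIDs).
$samplePool = ([int64]1499 -shl 32) -bor 1000
$decoded    = ConvertFrom-RidPool -Pool $samplePool
"Pool      : {0}-{1}" -f $decoded.Start, $decoded.End

# Live lookup, skipped when RSAT is not present: the RID master's remaining
# pool and each DC's current allocation.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
    $avail = ConvertFrom-RidPool -Pool $mgr.rIDAvailablePool
    "RID master: next unallocated RID {0}, ceiling {1}" -f $avail.Start, $avail.End
    foreach ($dc in Get-ADDomainController -Filter *) {
        $set  = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Properties rIDAllocationPool, rIDNextRID
        $pool = ConvertFrom-RidPool -Pool $set.rIDAllocationPool
        "{0}: pool {1}-{2}, next RID {3}" -f $dc.HostName, $pool.Start, $pool.End, $set.rIDNextRID
    }
}
```

A DC that has exhausted its pool and cannot reach the RID master stops creating security principals, so the live section is a quick way to see how much headroom each DC has before a RID master outage becomes a provisioning outage.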

PDC Emulator

The primary domain controller (PDC) emulator is designed to act like a Windows NT PDC when the domain is in Windows 2000 mixed mode. This is necessary if Windows NT backup domain controllers (BDCs) still exist on the network. Clients earlier than Windows 2000 also use the PDC emulator for processing password changes, though installation of the AD client software on these systems enables them to change their password on any domain controller in the domain to which they authenticate. The PDC emulator also synchronizes the time on all domain controllers in the domain. For replication accuracy, it is critical for all domain controllers to have synchronized time.

Even if you do not have any servers running as BDCs on the network, the PDC emulator still serves a critical purpose in each domain. The PDC emulator receives preferred replication of all password changes performed on other domain controllers within the domain. When a password is changed on a domain controller, it is sent to the PDC emulator. If a user changes his or her password on one domain controller, and then attempts to log on to another, the second domain controller may still have old password information. Because this domain controller considers it a bad password, it forwards the authentication request to the PDC emulator to determine whether the password is actually valid. In addition, the PDC emulator initiates urgent replication so that the password change can propagate as soon as possible. Urgent replication is also used for other security-sensitive replication traffic, such as account lockouts.

This operations master is by far the most critical at the domain level. Because of this, you should ensure that it is carefully placed on your network and housed on a high-availability, high-capacity server.

Infrastructure Master

The infrastructure master is in charge of updating references to objects from other domains, most visibly group memberships. When a user from another domain is a member of a group in this domain and that user is renamed or moved, it may take time for the change to be reflected in the group. To remedy this, the domain controller in the infrastructure master role compares its cross-domain references to the Global Catalog, which is a subset of directory information for all domains in the forest and contains information on groups. The Global Catalog stores information on universal group memberships, in which users from any domain can be added and allowed access to any domain, and maps the memberships users have to specific groups. When the infrastructure master finds a stale reference, it updates its group-to-user references and replicates these changes to other domain controllers in the domain. Because it detects stale references by comparing its own copy against the Global Catalog, the infrastructure master should not itself be hosted on a GC server unless every domain controller in the domain is also a GC; on a GC it never sees a difference and never updates anything.

TEST DAY TIP

FSMO roles are an important part of a domain controller’s function on a network. FSMO roles that are unique to a forest affect all domains within that forest. FSMO roles that are unique to a domain apply only to that domain. There is only one schema master and one domain naming master in a forest. There is only one RID master, PDC emulator, and infrastructure master in a domain.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500063

Managing Active Directory Users, Groups, and Computers

In How to Cheat at Windows System Administration Using Command Line Scripts, 2006

Managing Domain Controller Accounts

By their very nature, domain controllers are special and are managed differently than member servers and other computers. The server object type refers exclusively to domain controllers, and it offers a specific set of management capabilities. In this section, we will discuss the use of DSQuery and DSMod for locating domain controllers and managing their roles.

Searching for Domain Controllers in Active Directory

The technique for searching for domain controllers is identical to that for searching for any other object; however, domain controllers have properties that are unique to their object type and, thus, present unique criteria to use when searching. The book shows the complete command syntax for dsquery server as a figure at this point.

[Figure: complete command syntax for dsquery server]

The –forest, –domain, and –site switches set the scope for searching to the current forest, and to the domain and site specified in the modifier. The –name and –desc switches enable searching by the exact or partial name (using wildcards) and description. The –hasfsmo switch is described in detail in the next section. As seen in Figure 11.27, the command dsquery server, without switches and modifiers, returns a list of all domain controllers in the current forest.

[Figure 11.27, Searching for Domain Controllers: output of dsquery server run without switches]

Searching for Domain Controllers with an Operations Master Roles

Managing a distributed, enterprise-class implementation of Active Directory requires that the location of certain domain controllers with special roles is known. These special roles are called Flexible Single-Master Operation (FSMO) roles, and their placement around the network is a key contributor to a network's performance and stability. There is a special switch, –hasfsmo, for dsquery server that searches for the domain controller holding a given FSMO role:

[Figure: syntax of dsquery server with the –hasfsmo switch]

The following list provides the full name associated with the five modifiers for the –hasfsmo switch:

schema Schema master.

name Domain naming master.

infr Infrastructure master.

pdc Primary domain controller (PDC) emulator.

rid Relative ID master.

In Figure 11.28, dsquery server –hasfsmo is executed with each modifier. In this situation, one domain controller is holding all FSMO roles.

[Figure 11.28, Discovering Which Domain Controllers Have FSMO Roles: dsquery server –hasfsmo run with each of the five modifiers]

Searching for GC Servers

In an enterprise deployment of Active Directory, placement of the GC is critical for determining the performance of users’ and computers’ interaction on the network. In order to accelerate authentication and access to network resources, GC servers should be placed on domain controllers in close proximity to the users who need access to them. Before changing the locations of copies of GCs, you must locate the domain controllers that host the copies. The command syntax for locating these domain controllers uses the –isgc switch, as shown in Figure 11.29:

[Figure 11.29, Searching for GC Servers: dsquery server –isgc and its output]

Managing Roles of GC Servers

As stated in the preceding section, you can determine the perceived and actual performance of your network by where you place the GC servers on domain controllers. The disadvantage to adding copies of the GCs around your network is that they need to replicate with each other, and increasing the number of GC servers may degrade performance, especially across slow network links. You can add or remove GCs from domain controllers from the command line.

The command for adding or removing a GC from an individual server is dsmod server. When using DSMod with other object types, the command permits you to set and modify myriad properties. With the server object type for domain controllers, it only permits you to set and modify the description and the GC role. The book shows the full command syntax for dsmod server as a figure at this point.

[Figure: complete command syntax for dsmod server]

To manage the GC role, the –isgc switch of dsmod server is required.

Earlier in the chapter, we discussed the technique for locating domain controllers that host a copy of the GC. Figure 11.30 shows how to remove the GC from a server: once the server is found, dsmod server is run against its distinguished name with –isgc set to no.

[Figure 11.30, Managing GC Roles: removing the GC from a server with dsmod server –isgc no]

No confirmation prompt is shown for this task; a success message is displayed when the command completes. Adding the GC involves entering the same command against a server that is not currently hosting a copy of the GC, and changing the modifier for –isgc from no to yes.
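The dsquery and dsmod operations this section describes (including the –hasfsmo and –isgc switches from the earlier subsections) are easier to use from a script when their quoted-DN output is parsed. The following wrapper is an added example, not code from the book: Get-FsmoHolders runs dsquery server –hasfsmo for each of the five modifiers, Get-GcServers lists every GC in the forest, and Set-GlobalCatalog adds or removes the GC with dsmod server –isgc, refusing to remove the forest's last GC. It assumes dsquery.exe and dsmod.exe (the RSAT command-line tools) are on the PATH and that the caller has the rights described above; the server name DC2 in the usage comment is a placeholder.

```powershell
<#
 Added example, not from the original page: the dsquery/dsmod operations the
 section describes, wrapped so their output is usable from a script.
 Assumptions: dsquery.exe and dsmod.exe are on the PATH; "DC2" is a placeholder.
#>

function Get-FsmoHolders {
    # dsquery server -hasfsmo <role> prints the quoted DN of the server object
    # holding the role. schema/name are forest-wide; pdc/rid/infr are answered
    # for the current domain.
    $roles = [ordered]@{
        schema = 'Schema master'
        name   = 'Domain naming master'
        infr   = 'Infrastructure master'
        pdc    = 'PDC emulator'
        rid    = 'RID master'
    }
    foreach ($key in $roles.Keys) {
        $dn = @(& dsquery.exe server -hasfsmo $key) -replace '"', ''
        [pscustomobject]@{
            Role     = $roles[$key]
            Switch   = $key
            ServerDN = ($dn -join '; ')
        }
    }
}

function Get-GcServers {
    # Every DC in the forest that hosts a Global Catalog, as server DNs.
    @(& dsquery.exe server -forest -isgc) -replace '"', '' | Where-Object { $_ }
}

function Set-GlobalCatalog {
    # Adds (yes) or removes (no) the GC on one DC with dsmod server -isgc.
    # Removing the last GC in the forest would break UPN logons and universal
    # group expansion, so that case is refused.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][ValidateSet('yes', 'no')][string]$IsGc
    )
    # -name accepts wildcards, so insist on exactly one match before touching anything.
    $found = @(& dsquery.exe server -name $ServerName) -replace '"', ''
    if ($found.Count -ne 1) {
        throw "Expected exactly one server named $ServerName, found $($found.Count)"
    }
    $dn  = $found[0]
    $gcs = @(Get-GcServers)
    if ($IsGc -eq 'no' -and $gcs -contains $dn -and $gcs.Count -le 1) {
        throw "Refusing to remove the last Global Catalog in the forest ($dn)"
    }
    & dsmod.exe server $dn -isgc $IsGc
    if ($LASTEXITCODE -ne 0) { throw "dsmod failed with exit code $LASTEXITCODE" }
}

# Usage (names are placeholders):
#   Get-FsmoHolders | Format-Table -AutoSize
#   Get-GcServers
#   Set-GlobalCatalog -ServerName DC2 -IsGc no
```

Because dsmod gives no confirmation prompt, the wrapper puts its safety checks before the call: a wildcard in –name that matches several servers, or a removal that would leave the forest without any GC, is rejected rather than applied.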