Adc To Pdc Fsmo Roles Transfer
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Adc To Pdc Fsmo Roles Transfer as PDF for free.
More details
- Words: 5,100
- Pages: 16
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. The five FSMO roles are: • • • • •
Schema master - Forest-wide and one per forest. Domain naming master - Forest-wide and one per forest. RID master - Domain-specific and one for each domain. PDC - PDC Emulator is domain-specific and one for each domain. Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article. However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, nonoperational holder, to a different DC. The process of moving the FSMO role from a nonoperational role holder to a different DC is called Seizing, and is described in this article. If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days. If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network. What will happen if you do not perform the seize in time? This table has the info: FSMO Role
Loss implications
Schema
The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming
Unless you are going to run DCPROMO, then you
will not miss this FSMO role. RID
Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer object per week.
PDC Emulator
Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.
Infrastructure
Group memberships may be incomplete. If you only have one domain, then there will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again. The following table summarizes the FSMO seizing restrictions: FSMO Role
Restrictions
Schema Domain Naming
Original must be reinstalled
RID PDC Emulator Infrastructure
Can transfer back to original
Another consideration before performing the seize operation is the administrator's group membership, as this table lists: FSMO Role
Administrator must be a member of
Schema
Schema Admins
Domain Naming
Enterprise Admins
RID PDC Emulator
Domain Admins
Infrastructure To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:'WINDOWS>ntdsutil ntdsutil:
2. Type roles, and then press ENTER. ntdsutil: roles fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER. 3. Type connections, and then press ENTER. fsmo maintenance: connections server connections:
4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER. server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:
5. At the server connections: prompt, type q, and then press ENTER again. server connections: q fsmo maintenance:
6. Type seize, where is the role you want to seize. For example, to seize the
RID Master role, you would type seize rid master: Options are: Seize Seize Seize Seize Seize
domain naming master infrastructure master PDC RID master schema master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master Attempting safe transfer of infrastructure FSMO before seizure. ldap_modify_sW error 0x34(52 (Unavailable). Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE) , data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde r could not be contacted.) ) Depending on the error code this may indicate a connection, ldap, or role transfer error. Transfer of infrastructure FSMO failed, proceeding with seizure ... Server "server100" knows about 5 roles Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-FirstSite-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server. 8. Repeat steps 6 and 7 until you've seized all the required FSMO roles. 9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool. Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
TRANSFERING
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article. The transfer of an FSMO role is the suggested form of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the transfer process is not initiated automatically by the operating system, for example a server in a shut-down state. FSMO roles are not automatically relocated during the shutdown process - this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example. In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change. However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, nonoperational holder, to a different DC. The process of moving the FSMO role from a nonoperational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article. You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools: • • •
Active Directory Schema snap-in Active Directory Domains and Trusts snap-in Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following group: FSMO Role
Administrator must be a member of
Schema
Schema Admins
Domain Naming
Enterprise Admins
RID PDC Emulator
Domain Admins
Infrastructure Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles: 1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder. 2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller. 3. Select the domain controller that will be the new role holder, the target, and press OK. 4. Right-click the Active Directory Users and Computers icon again and press Operation Masters. 5. Select the appropriate tab for the role you wish to transfer and press the Change button. 6. Press OK to confirm the change. 7. Press OK all the way out. Transferring the Domain Naming Master via GUI To Transfer the Domain Naming Master Role: 1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder. 2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller. 3. Select the domain controller that will be the new role holder and press OK. 4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters. 5. Press the Change button. 6. Press OK to confirm the change. 7. Press OK all the way out. Transferring the Schema Master via GUI To Transfer the Schema Master Role: 1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation. 3. From the Run command open an MMC Console by typing MMC. 4. On the Console menu, press Add/Remove Snap-in. 5. Press Add. Select Active Directory Schema. 6. Press Add and press Close. Press OK. 7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller. 8. Press Specify .... and type the name of the new role holder. Press OK. 9. Right-click right-click the Active Directory Schema icon again and press Operation Masters. 10. Press the Change button. 11. Press OK all the way out. Transferring the FSMO Roles via Ntdsutil To transfer the FSMO roles from the Ntdsutil command: Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:'WINDOWS>ntdsutil ntdsutil:
2. Type roles, and then press ENTER. ntdsutil: roles fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER. 3. Type connections, and then press ENTER. fsmo maintenance: connections server connections:
4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER. server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:
5. At the server connections: prompt, type q, and then press ENTER again. server connections: q fsmo maintenance:
6. Type transfer. where is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master: Options are: Transfer Transfer Transfer Transfer Transfer
domain naming master infrastructure master PDC RID master schema master
7. You will receive a warning window asking if you want to perform the transfer. Click on Yes. 8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe. 9. Restart the server and make sure you update your backup. MICROSOFT DOCUMENTATION Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:
•
Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
•
Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
•
RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
•
PDC emulator - The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain
controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
•
Infrastructure master - The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
•
An administrator reassigns the role by using a GUI administrative tool.
•
An administrator reassigns the role by using the ntdsutil /roles command.
•
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
•
The current role holder is operational and can be accessed on the network by the new FSMO owner.
•
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
•
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
•
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
•
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
•
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inboundreplicated a writable copy of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=, and this mean that roles reside in and are replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.
The partition for each FSMO role is in the following list: FSMO role
Partition
Schema
CN=Schema,CN=configuration,DC=
Domain Naming Master CN=configuration,DC= PDC
DC=<domain>
RID
DC=<domain>
Infrastructure
DC=<domain>
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inboundreplicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems. Back to the top
Transfer FSMO roles To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1.
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3.
Type roles, and then press ENTER.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4.
Type connections, and then press ENTER.
5.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6.
At the server connections prompt, type q, and then press ENTER.
7.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Back to the top
Seize FSMO roles To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1.
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3.
Type roles, and then press ENTER.
4.
Type connections, and then press ENTER.
5.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6.
At the server connections prompt, type q, and then press ENTER.
7.
Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Notes
o
Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base:
223346 FSMO placement and optimization on Windows 2000 domain controllers
o
If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article:
216498 How to remove data in active directory after an unsuccessful domain controller demotion
o
Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003
Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
o
Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
o
Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog server:
1.
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-sitename if no other sites are available.
3.
Open the Servers folder, and then click the domain controller.
4.
In the domain controller's folder, double-click NTDS Settings.
5.
On the Action menu, click Properties.
6.
On the General tab, view the Global Catalog check box to see if it is selected.
For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base: 197132 Windows 2000 Active Directory FSMO roles 223787 Flexible Single Master Operation transfer and seizure process
FSMO Roles In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
•
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
•
Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
•
Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
•
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
•
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools: Active Directory Schema snap-in Active Directory Domains and Trusts snap-in Active Directory Users and Computers snap-in If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility. Back to the top
Transfer the Schema Master Role Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
Register Schmmgmt.dll
1.
Click Start, and then click Run.
2.
Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3.
Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
1.
Click Start, click Run, type mmc in the Open box, and then click OK.
2.
On the File, menu click Add/Remove Snap-in.
3.
Click Add.
4.
Click Active Directory Schema, click Add, click Close, and then click OK.
5.
In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6.
Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7.
In the console tree, right-click Active Directory Schema, and then click Operations Master.
8.
Click Change.
9.
Click OK to confirm that you want to transfer the role, and then click Close.
Back to the top
Transfer the Domain Naming Master Role
1.
Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2.
Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer. 3.
Do one of the following:
o
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
o
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4.
In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5.
Click Change.
6.
Click OK to confirm that you want to transfer the role, and then click Close.
Back to the top
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1.
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.
Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer. 3.
Do one of the following:
o
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
o
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4.
In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5.
Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6.
Click OK to confirm that you want to transfer the role, and then click Close.
Schema master - Forest-wide and one per forest. Domain naming master - Forest-wide and one per forest. RID master - Domain-specific and one for each domain. PDC - PDC Emulator is domain-specific and one for each domain. Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article. However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, nonoperational holder, to a different DC. The process of moving the FSMO role from a nonoperational role holder to a different DC is called Seizing, and is described in this article. If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days. If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network. What will happen if you do not perform the seize in time? This table has the info: FSMO Role
Loss implications
Schema
The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming
Unless you are going to run DCPROMO, then you
will not miss this FSMO role. RID
Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer object per week.
PDC Emulator
Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.
Infrastructure
Group memberships may be incomplete. If you only have one domain, then there will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again. The following table summarizes the FSMO seizing restrictions: FSMO Role
Restrictions
Schema Domain Naming
Original must be reinstalled
RID PDC Emulator Infrastructure
Can transfer back to original
Another consideration before performing the seize operation is the administrator's group membership, as this table lists: FSMO Role
Administrator must be a member of
Schema
Schema Admins
Domain Naming
Enterprise Admins
RID PDC Emulator
Domain Admins
Infrastructure To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:'WINDOWS>ntdsutil ntdsutil:
2. Type roles, and then press ENTER. ntdsutil: roles fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER. 3. Type connections, and then press ENTER. fsmo maintenance: connections server connections:
4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER. server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:
5. At the server connections: prompt, type q, and then press ENTER again. server connections: q fsmo maintenance:
6. Type seize
RID Master role, you would type seize rid master: Options are: Seize Seize Seize Seize Seize
domain naming master infrastructure master PDC RID master schema master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master Attempting safe transfer of infrastructure FSMO before seizure. ldap_modify_sW error 0x34(52 (Unavailable). Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE) , data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde r could not be contacted.) ) Depending on the error code this may indicate a connection, ldap, or role transfer error. Transfer of infrastructure FSMO failed, proceeding with seizure ... Server "server100" knows about 5 roles Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-FirstSite-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server. 8. Repeat steps 6 and 7 until you've seized all the required FSMO roles. 9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool. Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
TRANSFERING
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article. The transfer of an FSMO role is the suggested form of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the transfer process is not initiated automatically by the operating system, for example a server in a shut-down state. FSMO roles are not automatically relocated during the shutdown process - this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example. In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change. However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, nonoperational holder, to a different DC. The process of moving the FSMO role from a nonoperational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article. You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools: • • •
Active Directory Schema snap-in Active Directory Domains and Trusts snap-in Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following group: FSMO Role
Administrator must be a member of
Schema
Schema Admins
Domain Naming
Enterprise Admins
RID PDC Emulator
Domain Admins
Infrastructure Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles: 1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder. 2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller. 3. Select the domain controller that will be the new role holder, the target, and press OK. 4. Right-click the Active Directory Users and Computers icon again and press Operation Masters. 5. Select the appropriate tab for the role you wish to transfer and press the Change button. 6. Press OK to confirm the change. 7. Press OK all the way out. Transferring the Domain Naming Master via GUI To Transfer the Domain Naming Master Role: 1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder. 2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller. 3. Select the domain controller that will be the new role holder and press OK. 4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters. 5. Press the Change button. 6. Press OK to confirm the change. 7. Press OK all the way out. Transferring the Schema Master via GUI To Transfer the Schema Master Role: 1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation. 3. From the Run command open an MMC Console by typing MMC. 4. On the Console menu, press Add/Remove Snap-in. 5. Press Add. Select Active Directory Schema. 6. Press Add and press Close. Press OK. 7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller. 8. Press Specify .... and type the name of the new role holder. Press OK. 9. Right-click right-click the Active Directory Schema icon again and press Operation Masters. 10. Press the Change button. 11. Press OK all the way out. Transferring the FSMO Roles via Ntdsutil To transfer the FSMO roles from the Ntdsutil command: Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:'WINDOWS>ntdsutil ntdsutil:
2. Type roles, and then press ENTER. ntdsutil: roles fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER. 3. Type connections, and then press ENTER. fsmo maintenance: connections server connections:
4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER. server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections:
5. At the server connections: prompt, type q, and then press ENTER again. server connections: q fsmo maintenance:
6. Type transfer
For example, to transfer the RID Master role, you would type transfer rid master: Options are: Transfer Transfer Transfer Transfer Transfer
domain naming master infrastructure master PDC RID master schema master
7. You will receive a warning window asking if you want to perform the transfer. Click on Yes. 8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe. 9. Restart the server and make sure you update your backup. MICROSOFT DOCUMENTATION Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:
•
Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
•
Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
•
RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
•
PDC emulator - The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain
controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
•
Infrastructure master - The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
•
An administrator reassigns the role by using a GUI administrative tool.
•
An administrator reassigns the role by using the ntdsutil /roles command.
•
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
•
The current role holder is operational and can be accessed on the network by the new FSMO owner.
•
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
•
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
•
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
•
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
•
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inboundreplicated a writable copy of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=
The partition for each FSMO role is in the following list: FSMO role
Partition
Schema
CN=Schema,CN=configuration,DC=
Domain Naming Master CN=configuration,DC=
DC=<domain>
RID
DC=<domain>
Infrastructure
DC=<domain>
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inboundreplicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems. Back to the top
Transfer FSMO roles To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1.
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3.
Type roles, and then press ENTER.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4.
Type connections, and then press ENTER.
5.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6.
At the server connections prompt, type q, and then press ENTER.
7.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Back to the top
Seize FSMO roles To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1.
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3.
Type roles, and then press ENTER.
4.
Type connections, and then press ENTER.
5.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6.
At the server connections prompt, type q, and then press ENTER.
7.
Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Notes
o
Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base:
223346 FSMO placement and optimization on Windows 2000 domain controllers
o
If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article:
216498 How to remove data in active directory after an unsuccessful domain controller demotion
o
Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003
Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
o
Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
o
Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog server:
1.
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-sitename if no other sites are available.
3.
Open the Servers folder, and then click the domain controller.
4.
In the domain controller's folder, double-click NTDS Settings.
5.
On the Action menu, click Properties.
6.
On the General tab, view the Global Catalog check box to see if it is selected.
For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base: 197132 Windows 2000 Active Directory FSMO roles 223787 Flexible Single Master Operation transfer and seizure process
FSMO Roles In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
•
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
•
Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
•
Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
•
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
•
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools: Active Directory Schema snap-in Active Directory Domains and Trusts snap-in Active Directory Users and Computers snap-in If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility. Back to the top
Transfer the Schema Master Role Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
Register Schmmgmt.dll
1.
Click Start, and then click Run.
2.
Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3.
Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
1.
Click Start, click Run, type mmc in the Open box, and then click OK.
2.
On the File, menu click Add/Remove Snap-in.
3.
Click Add.
4.
Click Active Directory Schema, click Add, click Close, and then click OK.
5.
In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6.
Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7.
In the console tree, right-click Active Directory Schema, and then click Operations Master.
8.
Click Change.
9.
Click OK to confirm that you want to transfer the role, and then click Close.
Back to the top
Transfer the Domain Naming Master Role
1.
Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2.
Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer. 3.
Do one of the following:
o
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
o
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4.
In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5.
Click Change.
6.
Click OK to confirm that you want to transfer the role, and then click Close.
Back to the top
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1.
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.
Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer. 3.
Do one of the following:
o
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
o
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4.
In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5.
Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6.
Click OK to confirm that you want to transfer the role, and then click Close.
Related Documents
Adc To Pdc Fsmo Roles Transfer
June 2020 1
Fsmo Roles
June 2020 1
Fsmo
November 2019 2
Fsmo
November 2019 1
Fsmo
November 2019 3