Thursday, 18 October 2012

Step-by-Step guide to transfer FSMO roles in Windows Server 2008

The FSMO role holder is known as the Primary Domain Controller in a Domain. FSMO, also called Flexible Single Master Role will decide which DC should hold the Operation Master Role in a domain. During the installation of Domain Controller the FSMO role is automatically installed on the first server. If you have only one DC you don't want to do anything with the FSMO roles. But in a multiple server environment you may need to transfer the FSMO roles in some situations.There are totally five roles associated with FSMO.
  • This document will help you to transfer the FSMO roles to another DC.
The following are the five FSMO Roles :
  1. Schema Master Role
  2. Domain Naming Master
  3. RID Master
  4. PDC Master
  5. Infrastructure Master
You can use the command 'netdom query fsmo' to find out which DC is holding the FSMO roles.

This is an IMPORTANT thumb rule that you have to consider while transferring FSMO roles:

DO NOT place the Infrastructure Master Role in a DC where Global Catalog is configured unless all the Domain Controllers are configured as Global Catalog.

I will show how to manage Global Catalog in a DC latter in this guide.

Some Prerequisites

You have to follow this prerequisites before transferring FSMO roles.
  1. There should be a good connectivity between DC's.
  2. Proper Replication between DC's (You can use repadmin.exe to check the replication status and problems)
  3. Proper DC health (You can use dcdiag.exe to check the health of the DC)
  4. The DC that you are going to transfer should be configured as a NTP Time server (Refer http://yadhutony.blogspot.in/2012/10/ntp-time-server-configuration-in.html for configuration details)
To transfer the FSMO roles you can either use GUI or ntdsutil.exe in CLI. In our scenario I am going to use GUI to transfer the roles. 

Best Practises
  1. Schema Master and Domain Naming Master in one machine, which also hold the Global catalog
  2. PDC,RID (Infrastructure) in one machine.
  3. Do not place Infrastructure master role in a DC where Global catalog is enabled unless all the DC's are enabled with Global catalog
Also visit http://support.microsoft.com/kb/223346 for more details.

Transfering FSMO Roles

Scenario

>In our test scenario we have three DC's
The FQDN of the DC's are :
1. dc001.tony.com 2. dc002.tony.com 3. dc003.tony.com.
 
>Currently dc003.tony.com is the Operation master which hold all the FSMO roles in the domain tony.com.

>I am going to transfer the FSMO roles from dc003.tony.com to dc002.tony.com.
A.) Schema Master Role
 
We need to use Schema master snap-in to transfer the schema master role. To install the schema master snap-in you need to follow the below steps:
Register Schmmgmt.dll  
1.Open command prompt and type regsvr32 schmmgmt.dll

2.Click Start, click Run, type mmc, and then click OK
3.On the File, menu click Add/Remove Snap-in
 
4.Click Add

5.Click Active Directory Schema, click Add, click Close, and then click OK

Transferring Schema Master Role
1. Go to Schema master snap-in
 
2. Right-click Active Directory Schema and click Change Domain Controllers.
 
3. Now select the “domain controller” that you wanted to transfer the schema master role and click OK. In my case I need to transfer it to dc002.tony.com


4. Right-click Active Directory Schema and click Operation master > Change Schema master > Change 

 
 
Now the Schema Master Role is transferred to the preferred DC tony002.tony.com as you can see from the below screenshot.


B.) Transfer Domain Naming Master Role

1. Go to Active Directory Domain and Trust
2. Right-click the Active Directory Domain and Trust and click Change Active Directory Domain Controller

 
3. Now select the “domain controller” that you wanted to transfer the naming master role and click OK.


4. Right-click the Active Directory Domain and Trust and click Operation Master> Domain Naming Operation Master > Change.
Now the Naming Master Role is transferred to the preferred DC dc002.tony.com
  
 
C.) Transfer RID , PDC and Infrastructure Master

We can transfer these three roles using a single snap-in, Active Directory Users and Computers
1. Go to Active Directory Users and Computers
 
2. Right-click Active Directory Users and Computers > All Tasks >Change Domain Controller
3. Now select the “domain controller” that you wanted to transfer the operation master (RID, PDC, Infrastructure) role and click OK.


4. Right-click the Active Directory Domain and Trust and click Operation Master
Click RID tab > Click Change
  

5. Click PDC tab> Click Change

 
6. Click Infrastructure Master tab > Click Change

 
As soon as I try to change the Infrastructure master role I got a warning like “The Infrastructure master role should not be transferred to a GC server” Since all my DC's hold Global catalog I can safely ignore this warning and proceed. In your case DO NOT move Infrastructure master role unless all the DC's hold GC, else remove Global catalog and transfer Infrastructure master role.

 
Click Yes

By following the above steps you can successfully transfer the FSMO roles from one DC to another.
Also you can make sure that all the FSMO roles got transferred by running netdom query fsmo. See the result below:


  Administering Global Catalog in a DC

Global Catalog server hold the complete information about all the objects of its own domain. To know more about global catalog you can visit: http://technet.microsoft.com/en-us/library/cc730749.aspx

Here I am going to explain you how to enable or remove a Global Catalog Server.

1. Click Active Directory Sites and Services

2. In the console tree, double-click Sites, and then double-clicksitename”

3. Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.

4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to the server.

5. If the check box was already ticked untick it to remove the global catalog from the server.


6. Restart the Domain Controller.

No comments:

Post a Comment