1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:
Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
7. You will receive a warning window asking if you want to perform the seize. Click Yes.

fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be held by a domain controller in the forest. If the original domain controller is gone from the forest, seize all of its roles. Decide which roles go on which remaining domain controllers so that all five roles do not end up on a single server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.







I am writing this because I had Active Directory go corrupt on me on the Primary Domain Controller.
This step-by-step "How To" will walk you through how to transfer FSMO roles that cannot be transferred using the Operations Master command in Active Directory.
1. Primary Domain Controller (DC1) online?
   a. Yes: proceed to step 2
   b. No: skip to step 5

2. Uninstall Active Directory from DC1
   dcpromo or dcpromo /forceremove

3. Remove DNS from DC1
   Using the "Manage Your Server" utility from the Start menu, click Add/Remove Roles, then Remove DNS.

4. Move DC1 to a workgroup
   1. Press WIN + Pause/Break, or from the Start menu right-click My Computer and select Properties.
   2. Click the Computer Name tab.
   3. Click Change.
   4. Select Workgroup.
   5. Enter the workgroup name.
      *YOU MUST RENAME THE COMPUTER AS WELL*
   6. Shut down the machine.

5. Remove Orphaned Domain Controller (DC1)
   1. Log on to the Secondary Domain Controller (DC2).
   2. Click Start, point to Run, type CMD, then press ENTER.
   3. Type ntdsutil, then press ENTER.
   4. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
   5. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur.
   6. Type connect to server DC2, and then press ENTER.
   7. Type quit, then press ENTER.
   8. Type select operation target, then press ENTER.
   9. Type list domains, then press ENTER.
   10. Type select domain number and press ENTER.
       *Where number is the number associated with the domain the server you are removing is a member of.
   11. Type list sites, then press ENTER.
   12. Type select site number, then press ENTER.
       *Where number is the number associated with the site the server you are removing is a member of. *It will not prompt you stating that it is connected.*
   13. Type list servers in site, then press ENTER.
   14. Type select server number, then press ENTER.
       *Where number is the number associated with the server you want to remove. It will not prompt you stating that it is connected.
   15. Type quit, then press ENTER.
   16. Type remove selected server, then press ENTER.
   17. Type quit, then press ENTER.
       *Quit the Ntdsutil utility.
   18. Remove the cname record in the _msdcs.root domain of forest zone in DNS.
   19. In the DNS console, use the DNS MMC to delete the A record in DNS.
       *Also, delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and then click Delete.
       *In the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.
6. Remove Old Domain Controller From Active Directory
   1. Remove the old computer account by using the "Active Directory Sites and Services" tool.
   2. Remove old DNS and WINS records of the orphaned Domain Controller.
   3. Use "ADSIEdit" to remove old computer records from Active Directory:
      *OU=Domain Controllers,DC=domain,DC=local
      *CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
      *CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local
   4. Search through all directories in the DNS management console and delete any and all references to DC1.
      *Check the properties of all records.
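A post-cleanup check, added as an example and not part of the original how-to: it searches the three ADSIEdit locations listed in step 6 and every DNS zone for anything that still names the removed controller, so leftovers are found before the old machine is rebuilt or renamed. It assumes the ActiveDirectory and DnsServer PowerShell modules (RSAT on Server 2012 or later); $OldDc and $DnsServer are placeholders to replace with your own names.

```powershell
# Added example, not the how-to's own code. Assumes the ActiveDirectory and DnsServer
# modules; $OldDc and $DnsServer are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc     = 'DC1'     # placeholder: NetBIOS name of the removed domain controller
$DnsServer = 'DC2'     # placeholder: a surviving DNS server to query
$domain    = Get-ADDomain
$configNC  = (Get-ADRootDSE).configurationNamingContext

# The three places step 6 has you inspect with ADSIEdit (subtree search under each)
$checks = @(
    @{ Name = 'Computer account (Domain Controllers OU)'
       Base = $domain.DomainControllersContainer }
    @{ Name = 'Server / NTDS Settings object under Sites'
       Base = "CN=Sites,$configNC" }
    @{ Name = 'FRS SYSVOL member (absent on DFSR-only domains)'
       Base = "CN=File Replication Service,CN=System,$($domain.DistinguishedName)" }
)
foreach ($c in $checks) {
    $hits = @(Get-ADObject -SearchBase $c.Base -Filter "name -eq '$OldDc'" -ErrorAction SilentlyContinue)
    if ($hits) { 'LEFTOVER  {0}: {1}' -f $c.Name, ($hits.DistinguishedName -join '; ') }
    else       { 'clean     {0}' -f $c.Name }
}

# DNS: any record whose name is the old DC (A, AAAA) or whose data points at it
# (CNAME under _msdcs, NS on the zone, SRV locator records, PTR in reverse zones)
foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object {
            $_.HostName -like "$OldDc*" -or
            (($_.RecordData | Out-String) -match "\b$OldDc\b")
        } |
        ForEach-Object {
            $data = (($_.RecordData | Out-String).Trim() -replace '\s+', ' ')
            'LEFTOVER  DNS {0} {1} {2}: {3}' -f $zone.ZoneName, $_.HostName, $_.RecordType, $data
        }
}
```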

7. See if the domain controller is a global catalog server
   1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
   2. Double-click Sites in the left pane.
   3. Open the Servers folder, and then click the domain controller.
   4. In the domain controller's folder, double-click NTDS Settings.
   5. On the Action menu, click Properties.
   6. On the General tab, view the Global Catalog check box to see if it is selected.
8. Reinstall OS on DC1
   This is per Microsoft and pretty much all articles I have read. <--- This can be avoided if you rename the server, change the IP and disable networking while you do everything else. You can give the old IP to the new backup DC (with a different name) and bring the old DC back into the domain as a computer (with a different name).
   Edit: You can bring it back into the Domain with the same computer name as long as you remove all trace of it being a domain controller within DNS. In fact, if you remove AD without using /forceremove it will even ask if you want to add it to the domain.



Dcdiag
Repadmin /showrepl

How to Transfer and Seize FSMO role of a Domain Controller using ntdsutil utility
October 24, 2012
There is a graceful way to transfer the FSMO roles of a domain controller in a forest, which is known to everybody and is easy to do in the Active Directory Users and Computers and Active Directory Domains and Trusts consoles; the screens below will remind you of the steps, which are all self-explanatory. This article is inspired by these M$ KB articles: http://support.microsoft.com/kb/255504 , http://support.microsoft.com/kb/324801 .
To find the current FSMO role holders, at a command prompt type: netdom query FSMO
Open Active Directory Users and Computers, right-click the domain name, and select Operations Master from the context menu.

Open Active Directory Domains and Trusts, right-click the domain name, and select Operations Master from the context menu.


For the schema master, first register the file schmmgmt.dll by using this command: regsvr32 schmmgmt.dll


Open mmc, add the Active Directory Domains Schema snap-in, right-click Active Directory Domains Schema, and select Operations Master from the context menu.


The above steps are all graceful transfers of FSMO roles. In my case I had a situation at one of my clients where I could not do the graceful transfer, so I had to take the hard way to transfer and seize the roles from the domain controller. Let me share that with you. Below is the screen I got when I tried the graceful move.

In this article we will use ntdsutil: http://technet.microsoft.com/en-us/library/cc976711.aspx
Type ntdsutil in an administrative command prompt, then at the ntdsutil prompt type roles, then at the fsmo maintenance prompt type connect to <your Domain Controller>, then type q. Now you can transfer or seize the role to your working domain controller. Below is the screen for the commands used with ntdsutil.




What is the difference between transferring a FSMO role and seizing it?
Seizing is a destructive FSMO process and you should only use it if the existing server holding the FSMO role is no longer available. If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, do NOT seize the Schema Master role. If you are going to seize the Schema Master, it is better to permanently disconnect the current Schema Master from the network, and it is also recommended to reformat the original schema master's drive.
Transferring a FSMO role is not a destructive process and you can transfer the roles to any domain controller in the forest, based on the recommendation.
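One block serving both the ntdsutil seize procedure in the first section and the transfer-versus-seize distinction just described, added here as an example and not the article's own code: the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole performs a graceful transfer by default and permits a seizure only with -Force, so the function below tries the transfer first and seizes only when the caller has explicitly confirmed that the old holder is gone for good. Move-FsmoRole and its parameter names are chosen for this example; it assumes the module is installed and that $Target is a healthy, fully replicated domain controller.

```powershell
# Added example, not from the original page. Move-FsmoRole is a name chosen here;
# assumes the ActiveDirectory module and that $Target is a healthy, replicated DC.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,   # DC that should end up holding the role
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$AllowSeize                      # set only when the old holder is permanently gone
    )
    $forest = Get-ADForest; $domain = Get-ADDomain
    $holder = switch ($Role) {
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'PDCEmulator'          { $domain.PDCEmulator }
        'RIDMaster'            { $domain.RIDMaster }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
    }
    if ($holder -ieq (Get-ADDomainController -Identity $Target).HostName) {
        return "$Role is already held by $Target"
    }
    # 1) Graceful transfer: the current holder hands the role over and replicates the change
    try {
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role `
            -Confirm:$false -ErrorAction Stop
        return "$Role transferred from $holder to $Target"
    } catch {
        Write-Warning "Transfer of $Role from $holder failed: $($_.Exception.Message)"
    }
    # 2) Seize only when explicitly allowed; this is ntdsutil's "proceeding with seizure"
    if (-not $AllowSeize) {
        return "Not seizing $Role; re-run with -AllowSeize once $holder is confirmed permanently offline"
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role `
        -Force -Confirm:$false -ErrorAction Stop
    "$Role SEIZED on $Target; keep $holder off the network and rebuild it before it ever returns"
}

# Usage, with placeholder names: Move-FsmoRole -Target 'DC2' -Role RIDMaster -AllowSeize
```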


http://nideesh.wordpress.com/2012/10/24/how-to-transfer-and-seize-fsmo-role-of-a-domain-controller-using-ntdsutil-utility/
http://technet.microsoft.com/en-us/library/cc976711.aspx