Documentation For Domain Controller

Migration

Transferring FSMO Roles from one DC to

another
Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder
are online and operational is called Transferring, and is described in this article.

The transfer of an FSMO role is the suggested form of moving a FSMO role between domain
controllers and can be initiated by the administrator or by demoting a domain controller. However, the
transfer process is not initiated automatically by the operating system, for example a server in a shut-
down state. FSMO roles are not automatically relocated during the shutdown process - this must be
considered when shutting down a domain controller that has an FSMO role for maintenance, for
example.

In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data
that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior
to transferring the role to ensure that any changes have been recorded before the role change.

However, when the original FSMO role holder went offline or became non operational for a long
period of time, the administrator might consider moving the FSMO role from the original, non-
operational holder, to a different DC. The process of moving the FSMO role from a non-operational
role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC
snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following
three MMC snap-in tools:

• Active Directory Schema snap-in

• Active Directory Domains and Trusts snap-in
• Active Directory Users and Computers snap-in

To transfer the FSMO role the administrator must be a member of the following group:

FSMO Role Administrator must be a member of

Schema Schema Admins
Domain Naming Enterprise Admins
 RID
PDC Emulator Domain Admins
Infrastructure

Transferring the RID Master, PDC Emulator, and

Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO
Roles:

1. Open the Active Directory Users and Computers snap-in from the Administrative Tools
folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon
next to Active Directory Users and Computers and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target, and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

Transferring the Domain Naming Master via GUI

To Transfer the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon
next to Active Directory Domains and Trusts and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

Transferring the Schema Master via GUI

To Transfer the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

2. Press OK. You should receive a success confirmation.

3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
Active Directory Schema icon in the Console Root and press Change Domain Controller.
 8. Press Specify .... and type the name of the new role holder. Press OK.
9. Right-click right-click the Active Directory Schema icon again and press Operation Masters.
10. Press the Change button.
11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.

2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then
press ENTER.

3. Type connections, and then press ENTER.

4. Type connect to server <servername>, where <servername> is the name of the server you
want to use, and then press ENTER.

5. At the server connections: prompt, type q, and then press ENTER again.

6. Type transfer <role>. where <role> is the role you want to transfer.

For example, to transfer the RID Master role, you would type transfer rid master:

Options are:

7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.
How do I install a second Domain Controller in
my Active Directory domain on my Windows
2003 Server?
First make sure you read and understand Active Directory Installation Requirements. If you don't comply
with all the requirements of that article you will not be able to set up your AD (for example: you don't have
a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the SECOND DC in an EXISTING
DOMAIN in and EXISTING AD FOREST.

Daniel's recommendations
If you are looking to really master Active Directory (or other
Networking skills), I strongly recommend that you try Train
Signal. I've discovered this company a few months ago and I
always send people their way because the training is so good.
You can see more HERE.

Daniel Petri

Note: For the installation of the FIRST DC in the AD Domain read How to Install Active Directory
on Windows 2003.

Here is a quick list of what you must have:

• An NTFS partition with enough free space

• The Domain Admin's username and password
• The correct operating system version
• A NIC
• Properly configured TCP/IP (IP address, subnet mask and - optional -
default gateway)
• A network connection (to a hub or to another computer via a crossover
cable)
• A persistent and un-interrupted connection with the domain's existing DC
• An operational DNS server which holds the relevant SRV Record
information for the AD domain and forest
• The Domain name for the domain that you want to join
• The Windows 2003 CD media (or at least the i386 folder)
• Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.

For a Windows 2000 version of this article please read How to Install a Replica DC in an Existing AD
Domain on Windows 2000.

Step 1: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use the IP address of the DNS server, so it
will point to it when registering SRV records and when querying the DNS database.

Configure TCP/IP

1. Click Start, point to Settings and then click Control Panel.

2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Assign this server a static IP address, subnet mask, and gateway address
(optional). Enter the DNS server's IP address in the Preferred DNS server
box.

Note: You MUST have an operational DNS server that already serves as the DNS server of
the domain/forest.

6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes"
9. Check "Append parent suffixes of the primary DNS suffix"
10. Check "Register this connection's addresses in DNS". If this Windows
2000-based DNS server is on an intranet, it should only point to its own
IP address for DNS; do not enter IP addresses for other DNS servers
here. If this server needs to resolve names on the Internet, it should
have a forwarder configured.
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connections properties.
Step 2: Running DCPROMO
After completing all the previous steps and after double checking your requirements you should now
run Dcpromo.exe from the Run command.

Note: In Windows Server 2003, unlike Windows 2000, you can choose to install the Replica DC from
a backed-up media thus saving considerable amounts of time and bandwidth. Read Install DC from
Media in Windows Server 2003 for more info.

1. Click Start, point to Run and type "dcpromo".

2. The wizard windows will appear. Click Next.

3. In the Operating System Compatibility window click Next.

4. Choose Additional Domain Controller for an existing domain and click Next.

4. In the Network Credentials window enter the username and password for a Domain Admin
in the domain you're trying to join. also enter the full DNS domain name. Click Next.

This step might take some time because the computer is searching for the DNS server.

Note: Although the wizard will let you get to the last window and begin to attempt to join the domain,
if you enter the wrong username or password, because of the wrong credentials you'll get an error
message:
If you enter the domain name in a wrong way you'll get this error message:

The wizard will not be able to continue past the domain name window.

If you have wrong DNS settings, i.e. the computer "thinks" that it should be "talking" to one DNS
server, while in fact it should be using another DNS server, you'll get an error message like this one:

5. In the Additional Domain Controller window type or browse to select the domain to which
you want to add the replica DC.

6. Accept the Database and Log file location dialog box (unless you want to change them of
course). The location of the files is by default %systemroot%\NTDS, and you should not
change it unless you have performance issues in mind. Click Next.
7. Accept the Sysvol folder location dialog box (unless you want to change it of course). The
location of the files is by default %systemroot%\SYSVOL, and you should not change it
unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition.
This folder will hold all the GPO and scripts you'll create, and will be replicated to all other
Domain Controllers. Click Next.

8. Enter the Restore Mode administrator's password. Whatever you do - remember it! Without
it you'll have a hard time restoring the AD if you ever need to do so. Click Next.

9. Review your settings and if you like what you see - Click Next.

10. See the wizard going through the various stages of installing AD. Whatever you do -
NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a
mistake and want to undo it, you'd better let the wizard finish and then run it again to undo
the AD.

11. If all went well you'll see the final confirmation window. Click Finish.
 12. You must reboot in order for the AD to function properly. Click Restart now.

Step 3: Checking the AD installation

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools installed.

2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See
that all OUs and Containers are there. See that your DC is listed in the Domain Controllers
Container.

3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-
Name, and that in it your server is listed along with the other DC in the domain/forest.

4. Open the DNS console. See that your new DC has registered itself in the 4 SRV Record
folders.

One reason for the lack of registration of SRV records is the fact the net NETLOGON service has
somehow failed to register the SRV Records in the DNS zone.

You should try to restart the NETLOGON service to force the SRV registration.

From the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now
see the 4 SRV record folders.

5. Check the NTDS folder for the presence of the required files.
 6. Check the SYSVOL folder for the presence of the required subfolders.

7. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed