Saturday, May 8, 2010

FSMO roles and how to transfer roles

In a forest there are at least five FSMO roles, assigned to one or more domain controllers. For best performance and recovery purposes you should not have all five FSMO roles on the same DC, except when they are transferred to it temporarily for short-term maintenance. These are the high-level steps to transfer the Windows 2003 FSMO roles to another DC so that maintenance can be performed on the original DC.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool.

Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

  • Active Directory Schema snap-in
  • Active Directory Domains and Trusts snap-in
  • Active Directory Users and Computers snap-in

If the domain controller holding a role no longer exists, the role cannot be transferred and must be seized. To seize a role, use the Ntdsutil.exe utility. Please use extreme caution when using this utility.

Transferring FSMO Roles – high level steps

Below are the high-level steps required to perform any FSMO role transfer. Which additional Change Management steps are required is determined by following normal Change Management guidelines; at a minimum an RFC, with a backup and restore plan, is always required.

If you have never transferred FSMO roles before, including the Schema Master role, perform the procedure first in a lab. If you perform a step out of sequence, or transfer a role while other DCs are not fully synchronized with the FSMO DCs, you may have to fall back to your back-out plan.

  1. Go into Active Directory Sites and Services for that domain and force replication
  2. Check Event Viewer to see when the last reboot of both servers occurred; if it was over a week ago or before any other changes, reboot both servers separately before proceeding, to ensure they are stable after the reboot.
  3. Go into Event Viewer on all DCs and verify that Directory Services replication has occurred successfully on all DCs, with no major errors on the target DCs. You can verify replication using Event Viewer or RepAdmin.
  4. Verify all trusts are working using NLTest.exe
  5. Perform an NTBackup including System State and all drive data to an off-disk location
  6. Verify that the backup is restorable
  7. View and record the FSMO roles for the forest and target domain
  8. Transfer the Domain Naming Master role
  9. Verify in Event Viewer, or using NTDSutil or the MMC snap-in, that the role transferred successfully.
  10. Go into Active Directory Sites and Services for that domain and force replication
  11. Verify successful replication to all DCs using Event Viewer, the repadmin /showrepl command, nltest, etc.
  12. Transfer the RID Master, PDC Emulator, and Infrastructure Master roles
  13. Verify in Event Viewer, or using NTDSutil or the MMC snap-in, that the roles transferred successfully.
  14. Go into Active Directory Sites and Services for that domain and force replication
  15. Allow 30 minutes for all role changes to replicate throughout the forest, more if you previously found replication problems.
  16. Go into Event Viewer on all DCs and verify that Directory Services replication has occurred successfully on all DCs, with no major errors on the target DCs. You can verify replication using Event Viewer or RepAdmin.
  17. Transfer the Schema Master role
  18. Verify in Event Viewer, or using NTDSutil or the MMC snap-in, that the role transferred successfully.
  19. Go into Active Directory Sites and Services for that domain and force replication
  20. Allow 30 minutes for all role changes to replicate throughout the forest, more if you previously found replication problems.
  21. Go into Event Viewer on all DCs and verify that Directory Services replication has occurred successfully on all DCs, with no major errors on the target DCs. You can verify replication using Event Viewer or RepAdmin.
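The high-level sequence above is mostly driven by command-line tools the post names (repadmin, nltest, netdom and ntdsutil from the Windows 2003 Support Tools), so it can be scripted. The following PowerShell script is an added example, not code from the original post or from Microsoft: it runs the pre-checks (force replication, last reboot and Directory Service errors on both DCs, trust check, record current role holders), stops unless you pass -Transfer, then moves one role with ntdsutil and re-checks the holders on every DC. DC1, DC2 and the default role are assumed names; run it interactively in an elevated session on a machine with the Support Tools installed.

```powershell
# Added example, not part of the original post: PowerShell wrapper around the
# Windows 2003 Support Tools the post names (repadmin, nltest, netdom, ntdsutil).
# DC1 and DC2 are assumed names; run from an admin session that has those tools.
param(
    [string]$SourceDC = 'DC1',                  # current role holder (assumed name)
    [string]$TargetDC = 'DC2',                  # new role holder (assumed name)
    [string]$Role     = 'domain naming master', # ntdsutil wording of the role
    [switch]$Transfer                           # without it: pre-checks only
)
$ErrorActionPreference = 'Stop'

# Run one external tool and abort the procedure if it reports failure.
function Invoke-Step([string]$Title, [scriptblock]$Action) {
    Write-Host "=== $Title ==="
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "Step failed: $Title (exit code $LASTEXITCODE)" }
}

# Steps 1, 10, 14, 19: push replication of all partitions across all sites.
Invoke-Step "Force replication from $TargetDC" { repadmin /syncall $TargetDC /A /e /P }

# Steps 2 and 3: last boot (event 6009) and recent Directory Service errors on both DCs.
foreach ($dc in $SourceDC, $TargetDC) {
    $boot = Get-EventLog -ComputerName $dc -LogName System -InstanceId 6009 -Newest 1 -ErrorAction SilentlyContinue
    if ($boot) { Write-Host ("{0}: last boot {1}" -f $dc, $boot.TimeGenerated) }
    $dsErrors = Get-EventLog -ComputerName $dc -LogName 'Directory Service' -EntryType Error `
                             -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue
    if ($dsErrors) { throw "$dc logged $(@($dsErrors).Count) Directory Service error(s) in the last 24 h; fix before transferring" }
}

# Step 4: verify the secure channel / trust for this domain.
Invoke-Step 'Trust check' { nltest "/sc_verify:$($env:USERDNSDOMAIN)" }

# Step 7: record who holds each role now (netdom is in the Support Tools).
Invoke-Step 'FSMO holders before transfer' { netdom query fsmo }

if (-not $Transfer) { Write-Host 'Pre-checks passed; re-run with -Transfer to move the role.'; return }

# Steps 8, 12, 17: transfer with ntdsutil driven from the command line. ntdsutil
# still pops its Yes/No confirmation dialog, so this must run interactively.
Invoke-Step "Transfer $Role to $TargetDC" {
    ntdsutil 'roles' 'connections' "connect to server $TargetDC" 'quit' "transfer $Role" 'quit' 'quit'
}

# Steps 9, 13, 18: confirm the new holder, then ask every DC in the forest whom it
# believes holds each role. Read the dcdiag output; older dcdiag builds return 0
# even when a test fails, so the exit-code check alone is not enough here.
Invoke-Step 'FSMO holders after transfer' { netdom query fsmo }
Invoke-Step 'Role holder view on every DC' { dcdiag /test:knowsofroleholders /e }
```

Run it once without -Transfer to get a pre-check-only pass, then once per role group with -Role set to the ntdsutil wording ('domain naming master', 'RID master', 'PDC', 'infrastructure master', 'schema master'), forcing replication and waiting between groups as the list above describes. Steps 5 and 6 (the backup and its test restore) are deliberately left out: ntbackup must run on each DC itself (for example ntbackup backup systemstate /j "pre-FSMO" /f "E:\pre-fsmo.bkf", with the path being an assumption), and confirming the backup is restorable is a manual test restore, not something a script can vouch for.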

Transferring FSMO Roles – Detailed Steps

The following steps to transfer FSMO Roles are from Microsoft white papers referenced below. These are not specific to any one environment, but are general steps.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

  3. You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

  4. Do one of the following:

    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

  5. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

  6. Click Change.

  7. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

  3. You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

  4. Do one of the following:

    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

  5. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.

  6. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.

  7. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Schema Master Role

It is very important that you have a complete backup and have verified that replication is successful on all DCs before transferring the Schema Master role. If you have replication problems, the target DC may not accept the transferred role, or it may accept it while the remaining DCs still see the original Schema Master as the role holder. Such a conflict could potentially cause forest-wide problems, so proceed with caution.
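The conflict described above, where DCs disagree about who holds a role, is visible in the directory itself: each role is recorded in the fSMORoleOwner attribute of one anchor object (the schema partition for the Schema Master, CN=Partitions for the Domain Naming Master, the domain head for the PDC Emulator, CN=RID Manager$ for the RID Master and CN=Infrastructure for the Infrastructure Master), and each DC has its own replica of that attribute. The following PowerShell script is an added example, not from the original post or from Microsoft; it binds to the anchor object on every DC in the current domain, resolves each DC's view of the holder to a DNS host name, and reports any role on which the DCs disagree. It goes beyond the Schema Master to all five roles, since the high-level steps cover all five, and uses only the .NET and ADSI classes built into Windows, so no Support Tools are needed.

```powershell
# Added example, not part of the original post: read fSMORoleOwner from every DC
# and flag disagreement on who holds each role. Uses built-in .NET/ADSI only.
$root     = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$root.schemaNamingContext
$configNC = [string]$root.configurationNamingContext
$domainNC = [string]$root.defaultNamingContext

# Object whose fSMORoleOwner attribute identifies the holder of each role.
$roleObjects = @{
    'Schema Master'         = $schemaNC
    'Domain Naming Master'  = "CN=Partitions,$configNC"
    'PDC Emulator'          = $domainNC
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure Master' = "CN=Infrastructure,$domainNC"
}

# Every DC in the current domain; each one is queried directly below.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindAllDomainControllers() |
       ForEach-Object { $_.Name }

# Bind to the anchor object ON the given DC, follow fSMORoleOwner (the DN of an
# NTDS Settings object) up to its parent server object, and return that server's
# dNSHostName. If the holder's NTDS Settings object was deleted (the seize case),
# the DN is mangled with "\0ADEL:" and the second bind fails; the caller reports it.
function Get-RoleHolderAsSeenBy([string]$dc, [string]$objectDN) {
    $obj     = [ADSI]"LDAP://$dc/$objectDN"
    $ownerDN = [string]$obj.psbase.Properties['fSMORoleOwner'].Value
    $server  = ([ADSI]"LDAP://$dc/$ownerDN").psbase.Parent
    return [string]$server.psbase.Properties['dNSHostName'].Value
}

$report = foreach ($role in $roleObjects.Keys) {
    $views = @{}
    foreach ($dc in $dcs) {
        try   { $views[$dc] = Get-RoleHolderAsSeenBy $dc $roleObjects[$role] }
        catch { $views[$dc] = "UNREADABLE: $($_.Exception.Message)" }
    }
    $distinct = @($views.Values | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Role       = $role
        Consistent = ($distinct.Count -eq 1)     # every DC names the same holder
        Holders    = ($views.GetEnumerator() | ForEach-Object { "$($_.Key) -> $($_.Value)" }) -join '; '
    }
}

$report | Format-Table Role, Consistent, Holders -AutoSize
# Non-zero exit so a change window checklist can gate on it.
if (@($report | Where-Object { -not $_.Consistent }).Count -gt 0) { exit 1 }
```

Run it before a transfer (every role should show Consistent = True) and again after the 30-minute replication wait; a role that still shows both the old and the new holder means the transfer has not replicated everywhere, and the remaining steps should wait. The script only asks DCs of the current domain; for the two forest-wide roles, run it once in each domain of the forest to get the complete picture.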

Use the Active Directory Schema snap-in to transfer the Schema Master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

This document is based on the best practices for transferring FSMO Roles from Microsoft at:

http://support.microsoft.com/kb/324801

http://support.microsoft.com/kb/255690/

http://technet2.microsoft.com/WindowsServer/en/Library/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df21033.mspx?mfr=true

Published: 1/4/2008 9:09 PM
