Sunday, March 24, 2013

Changing roles between Domain Controllers (Active Directory)

When testing any program that works with Active Directory, it is sometimes useful to know how to transfer roles between Domain Controllers. The objective of this article is not to explain the roles themselves, but to show how to transfer them. The roles I'll be using are:

Intersite Topology Generator (ISTG)
FSMO roles:

  • Schema Master
  • Domain Naming Master
  • Infrastructure Master
  • Relative ID Master (RID Master)
  • PDC emulator

You can read about them here and here.

So, let's see what this is all about.

Requirements (these requirements are just an example; the methods described here also apply to other environments):

A Windows Server 2008 machine holding a domain (if you don't know how to set up an Active Directory domain, you can check this).

A Windows Server 2008 machine as a second Domain Controller.

    Transfer ISTG roles
    Transfer FSMO roles
To transfer the ISTG role:

1. Make sure that you have administrator privileges. Go to one of the Domain Controllers (DC) and go to Start>Run>Type ADSIEDIT.msc and press Enter.

2. Right-click ADSI Edit>Connect to...
3. In Connection Point, select "Select a well known Naming Context", and select "Configuration". Press OK.

4. Expand "Configuration [main Domain Controller]">"CN=Configuration,DC=yourDomain,DC=com">"CN=Sites"
5. Highlight "CN=Your site's name"

6. Right-click "CN=NTDS Site Settings">Properties

7. Go to interSiteTopologyGenerator. Select it and press Edit
8. You'll see a String editor like this:

You can see which DC is currently holding the ISTG role in the String of the Editor. It has this format:

CN=NTDS Settings,CN=VTWK8ROLES01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jm,DC=com

As you can see, the second "CN" has the name of the main DC. So, to transfer the ISTG role, just change that part. As an example, I'm transferring the ISTG role to a computer named VTWK8ROLES02, so the string would look like this:

CN=NTDS Settings,CN=VTWK8ROLES02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jm,DC=com

Once you do it, press OK and then Apply. And that's it. You have manually transferred the ISTG role to another Domain Controller.

FSMO roles:

1. First of all, you can check which computer is holding which role with a command. Open a command line and type netdom query fsmo. Press Enter.

The result is a list of the roles with the computer that is holding them.

2. Open another command line and write:

ntdsutil --> Press Enter
roles --> Press Enter
connections --> Press Enter
connect to server [name of the server to which the role will be transferred] --> In this case, I wrote: connect to server VTWK8ROLES02
quit --> Press Enter

Now, you can consult the Help command to see how to transfer roles. You have the following options:

For example, let's transfer the PDC role. Write: transfer PDC and press Enter --> The following dialog will be displayed:

Press Yes and you have transferred the role. You can run netdom query fsmo to verify that the role has changed.
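To check both halves of the procedure in one pass, the following read-only PowerShell script lists the five FSMO role holders and the ISTG recorded for every site. It is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is available, and the function names are hypothetical.

```powershell
# Added example (not from the original article): read-only report of role holders.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

# Hypothetical helper: pull the server name out of an ISTG value such as
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
function Get-ServerFromNtdsDn {
    param([string]$Dn)
    if ($Dn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,') { return $Matches[1] }
    return "(unexpected value: $Dn)"   # e.g. empty, or the server object was deleted
}

# Hypothetical helper: one row per role so the output can be sorted or compared.
function New-RoleRow {
    param($Role, $Scope, $Holder)
    New-Object PSObject -Property @{ Role = $Role; Scope = $Scope; Holder = $Holder } |
        Select-Object Role, Scope, Holder
}

function Get-RoleHolderReport {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Forest-wide and domain-wide FSMO roles (same data as "netdom query fsmo").
    New-RoleRow 'Schema Master'         $forest.Name    $forest.SchemaMaster
    New-RoleRow 'Domain Naming Master'  $forest.Name    $forest.DomainNamingMaster
    New-RoleRow 'PDC Emulator'          $domain.DNSRoot $domain.PDCEmulator
    New-RoleRow 'RID Master'            $domain.DNSRoot $domain.RIDMaster
    New-RoleRow 'Infrastructure Master' $domain.DNSRoot $domain.InfrastructureMaster

    # ISTG: one "NTDS Site Settings" object per site, under CN=Sites.
    Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                 -Properties interSiteTopologyGenerator |
        ForEach-Object {
            # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... ; take the site part.
            $site = ($_.DistinguishedName -split ',')[1] -replace '^CN=', ''
            New-RoleRow 'ISTG' $site (Get-ServerFromNtdsDn $_.interSiteTopologyGenerator)
        }
}

Get-RoleHolderReport | Format-Table -AutoSize
```

Saving the output before and after a transfer gives a simple baseline to compare, so an unplanned change of role holder stands out.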

Good luck!!
