[Active Directory]How to migrate FSMO to other Domain Controllers (DC)

2013-12-16

Situation:
Last week, I had a very good discussion with a company in TN, and they wanted to have a migration of DC to another Server. Something we need to take care of it before doing it, especially it’s a main GC role even it's not a FSMO.
First, you really need to know what the main 5 FSMO roles mean that on DCs before you do anything on DC,?

Original PNG blueprint is here
Forest Wide Roles:
  • Schema Master
The schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.
  • Domain Naming
When a new Domain is added to a forest the name must be unique within the forest. The Domain naming master must be available when adding or removing a Domain in a forest.

Domain Wide Roles:
  • Relative ID (RID) Master
Allocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in the domain) and a RID which is unique to the Domain.
When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.
  • PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compaitbility, it can process updates to a BDC.
It is also responsible for time syncronising within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password the logon request is passed to the PDC emulator to check the password before rejecting the login request.
  • Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalog is used to compare data as it recieves regular updates for all objects in all domains.
Any change to user-group references are updated by the infrastructure master. For example if you rename or move a group member and the member is in a different domain from the group the group will temporarily appear not to contain that member.
=======================================
After went throughout these 5 roles basic knowledge. Now you can do a migration on this 5 roles
Opportunities:
Maintain hardware in one of the machine
Decommission old FSMO, migrate to the new one
 
Tools:
  • Active Directory Users and Computers – able to change RID pool manager, PDC and Infrastructure master
  • Active Directory Domains and Trusts – able to change Domain naming Master
  • Active Directory Structure/Infrastructure – add it from MMC, able to change Schema Master
 
Steps:
  • Search which servers are the main FSMO, type this command
Netdom query fsmo
PS. Must operate in each local server, not remote

 
  • Change RID pool manager, PDC and Infrastructure Master

PS. DO NOT put Infrastructure Master to a GC role DC, unless All DCs in your domain are GC  

1. Open Active Directory Users and Computers, click “Operation Masters” of Domain Root
clip_image001
2. In this area, you can change RID pool manager, PDC and Infrastructure Master
If you want to change, just click “Change” button
clip_image003
 
  • Change “Domain Naming Operations Master”
1. Open “Active directory Domains and Trusts”, Click “Operations Master” under the Domain Root
clip_image004

2. In this area, you can change “Domain Naming Operations Master
If you want to change, just click “Change” button
clip_image005
 
  • Change “Schema Master”
If you want to change “Schema Master” role, you have to register “schmmgmt.dll” first
1. go to “CMD” command windows, and type this command
Regsvr32 schmmgmt.dll
clip_image006

2. go to “CMD” command and type “mmc” then click “OK”
clip_image007

3. Click “Add/Remove Snap-in
clip_image008

4. Add “Active Directory Schema”
clip_image010

5. Although you are in the local Domain Controller Server, but it still connects to the current Domain Controller.
You need to change your role to reign to the local DC, then you are able to change “Schema Master” role
clip_image011

6. Changed your role if you have more than one “Schema Master” roles
clip_image013
7. Click “Operations Master”
clip_image014
8. Click “Change” if you want
clip_image015
9. Done
10. type command to query FSMO
Netdom query fsmo
11. Not done yet, type this command, if no error, you are good
DCDiag /v 
or
         DCDiag /test:knowsofroleholders /v
to see which DC owns which roles and vise verse

12. command Line to query whole uses
       dsquery * -attr objectsid -filter objectcategory=user



No comments

Post a Comment

Newer
Newer Post
Older
Older Post
Subscribe to: Post Comments (Atom)