Is there a PDC in my win2000 domain?

Guest

I have two domain controllers in my windows 2000 Active Directory domain
which was set up before I started working for my current employer. I'm
retiring one of them. I was previously told it is the "main" domain
controller? What does that mean? Is there a "primary domain controller" in
windows 2000? What do I need to check before I demote this server? I've
already built another domain controller so now I have 3 running... so
basically I'm just trying to figure out the best way to demote this
(supposedly) "main" domain controller.

thanks for any help you can provide,

jason
 
Jeff Loupe

You need to ensure that the DC you are retiring does not own any of the FSMO
roles. More information regarding the roles is here:
http://support.microsoft.com/kb/q197132/

You should transfer the roles to the server that is going to stay on the
network. For info go here:
http://www.petri.co.il/transferring_fsmo_roles.htm

When they talk about the "Main DC" they are probably referring to the first
DC created in the domain, which by default will own all the FSMO roles. If
you shut off this DC without first transferring the roles, you will need to
seize the roles from a working DC. For info go here:
http://www.petri.co.il/seizing_fsmo_roles.htm

Hope that helps - good luck!
 
Joe Richards [MVP]

Yes there is still a PDC in Windows 2000 and above. People like to say there
isn't and it is just an emulator but for all practical purposes, there is a PDC.

Basically they split up the roles a PDC used to have into different roles called
FSMOs. You move these FSMOs from one machine to another. However if you demote a
machine that holds a role, it will divest any roles it has so you won't lose the
roles. If you lose a DC due to hardware failure or something like that, you can
also seize the roles as needed. This is all documented in various Windows books
and in the KB and technet, search on FSMO maintenance.
 
Enkidu

jay9333 said:
> I have two domain controllers in my windows 2000 Active
> Directory domain which was set up before I started working
> for my current employer. I'm retiring one of them. I was
> previously told it is the "main" domain controller? What
> does that mean? Is there a "primary domain controller" in
> windows 2000? What do I need to check before I demote
> this server? I've already built another domain controller
> so now I have 3 running... so basically I'm just trying
> to figure out the best way to demote this (supposedly)
> "main" domain controller.

Just run dcpromo and the roles should be transferred to one
of the other DCs. However the DC being demoted should be
working 100% correctly in the Domain otherwise you may well
strike problems.

You could transfer the FSMO roles by hand - Jeff and
Joe have covered that! Then demote the DC. I've done it both
ways without any problems.

Cheers,

Cliff
 
Jorge_de_Almeida_Pinto

> I have two domain controllers in my windows 2000 Active Directory domain
> which was set up before I started working for my current employer. I'm
> retiring one of them. I was previously told it is the "main" domain
> controller? What does that mean? Is there a "primary domain controller" in
> windows 2000? What do I need to check before I demote this server? I've
> already built another domain controller so now I have 3 running... so
> basically I'm just trying to figure out the best way to demote this
> (supposedly) "main" domain controller.
>
> thanks for any help you can provide,
>
> jason

In AD all DCs are the same within a domain. There are not primaries or
secondaries to create objects.

However for some functions a primary role must exist to prevent
collisions. In each forest you have 2 Flexible Single Masters of
Operations (FSMO), being the Domain Naming Master and the Schema Master.
In each domain within a forest you have 3 FSMOs, being the PDC
Emulator, the RID Master and the Infrastructure Master. What does each
FSMO do? See: http://support.microsoft.com/kb/q197132/

By default the FSMO roles are hosted by the first DC installed in a
forest/domain unless you have transferred them to another DC, which is
possible.
For how to transfer (while the old FSMO role owner is still available)
or to seize (while the old FSMO role owner is not available anymore and
it will not be available soon) and view which DCs are the FSMO role
owners see:
http://www.petri.co.il/transferring_fsmo_roles.htm
http://support.microsoft.com/default.aspx?kbid=324801&product=winsvr2003

It is a best practice to first transfer one or more FSMO roles before
demoting the DC.
 
Cary Shultz [A.D. MVP]

Jay,

As already stated, you can use many tools to determine which Domain
Controller holds which of the five FSMO roles. By default, the first DC in
the Forest holds all five of the FSMO roles. There are five FSMO roles: the
Schema Master, the Domain Naming Master, the PDC Emulator, the RID Master
and the Infrastructure Master. The first two are Forest-wide and the last
three are Domain-wide.

One way to determine which DC holds which role - if any - is to install the
Support Tools located on the WIN2000 Service Pack CD ( or downloaded from
the MS web site ) and then run 'netdom query fsmo' - without the quotes.
You can also run 'dcdiag /v' - again, without the quotes - or look at
replmon.

You can also use scripting to do this.

As already mentioned, you can simply run 'dcpromo' on a DC and any FSMO
roles that it might hold are supposed to be transferred to another DC. I
have done this many times in a test lab and it has always worked. However,
I really like to choose which DC is going to get which roles ( er, if there
are only two DCs and you are dcpromoing one of them then the placement is
pretty obvious...but if you have three then there is a choice... ). You can
transfer any and all FSMO roles from one DC to any other either via the GUI
or via the command line. Please look at the following links for both
options:

GUI
http://support.microsoft.com/?id=255690

Command line
http://support.microsoft.com/?id=255504

You also want to make sure that you transfer any services that might be
running on the 'to-be-demoted' DC. Things like DHCP come to mind. You also
want to make sure that the 'surviving' DC is running DNS and is a Global
Catalog Server. Please look at the following link for how to make a DC a
Global Catalog Server:

http://support.microsoft.com/?id=313994

If you should have any problems with the dcpromo process you might have to
look into a metadata cleanup. What is this? In the case of an ungraceful
demotion the surviving DC will think that the other DC is still there. It
is really not there, but the surviving DC thinks that it is. So, it tries
to replicate with it - and a few other things. So, you would have to go on
the surviving DC and remove references to the 'dead' DC. ntdsutil and
adsiedit are two utilities that you might have to use. Here is a link on
how to do this:

http://support.microsoft.com/?id=216498

HTH,

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
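
An added example, not part of the post above and not a Microsoft tool: a Python check that reads saved `netdom query fsmo` output and lists the FSMO roles the DC being retired still owns, so they can be transferred before `dcpromo` is run. The sample output and host names are constructed, and the label spellings are an assumption about what netdom prints on different Windows versions.

```python
import re

# Labels printed by 'netdom query fsmo' -> (role, scope). Assumption: older
# builds print the first spelling of each role, newer builds the second.
ROLE_LABELS = {
    "schema owner": ("Schema Master", "forest"),
    "schema master": ("Schema Master", "forest"),
    "domain role owner": ("Domain Naming Master", "forest"),
    "domain naming master": ("Domain Naming Master", "forest"),
    "pdc role": ("PDC Emulator", "domain"),
    "pdc": ("PDC Emulator", "domain"),
    "rid pool manager": ("RID Master", "domain"),
    "infrastructure owner": ("Infrastructure Master", "domain"),
    "infrastructure master": ("Infrastructure Master", "domain"),
}
# Constructed sample output; host names are placeholders.
SAMPLE = """\
Schema owner                DC1.corp.example.com
Domain role owner           DC1.corp.example.com
PDC role                    dc1.corp.example.com
RID pool manager            DC3.corp.example.com
Infrastructure owner        DC2.corp.example.com
The command completed successfully.
"""

def parse_fsmo(text):
    """Map role name -> (owner host lower-cased, scope) from netdom output."""
    owners = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s{2,}(\S+)\s*$", line)
        if m and m.group(1).lower() in ROLE_LABELS:
            role, scope = ROLE_LABELS[m.group(1).lower()]
            owners[role] = (m.group(2).lower(), scope)
    return owners

def roles_held_by(owners, dc):
    """(role, scope) pairs owned by dc; short name or FQDN, case-insensitive."""
    dc = dc.lower()
    return sorted((r, s) for r, (host, s) in owners.items()
                  if host == dc or host.split(".")[0] == dc)

def predemotion_report(text, dc):
    """Roles to transfer first, plus roles whose owner could not be read."""
    owners = parse_fsmo(text)
    missing = sorted({r for r, _ in ROLE_LABELS.values()} - set(owners))
    return {"to_transfer": roles_held_by(owners, dc), "unresolved": missing}

if __name__ == "__main__":
    print(predemotion_report(SAMPLE, "DC1"))
```

An empty `to_transfer` list together with an empty `unresolved` list means the output named an owner for all five roles and none of them is the DC being retired.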
 
Joe Richards [MVP]

I am going to give you a hard time on this Jorge.

> In AD all DCs are the same within a domain.

Nope. That is what the FSMO is all about, saying that DC x is better than DC y.
If you mean that DC x has no more built in capability than DC y then I agree
with that statement, but that was equally true in NT4 prior to AD. All DCs had
the exact same functionality, you specified which one, however, had the ability
to do certain things, such as create objects. All copies of the SAM on all DCs
were writeable, only the BDCs did not allow users to submit write requests to
them, they themselves could write to their own database all day though, look at
lastlogon and bad password and other non-replicated attributes.

> There are not primaries or secondaries to create objects.

Sure there is, create a schema object on a non-Schema FSMO machine.

> However for some functions a primary role must exist to prevent
> collisions.

The relationship isn't primary/secondary. It is mostly only. You can ONLY modify
the schema from the schema FSMO, you can only get RIDS from a RID Master (though
all DCs will get pools of them to work with so they don't have to communicate
directly with the RID Master all of the time). You can only create new NCs if
the domain naming master is available, etc.


joe
 
