Replacing a Master DC

[Chuck Hogard`]

I am in the process of replacing my W2K Master DC. What
do I need to do to make the new DC the master?

Thanks,
Chuck...

 

[Herb Martin]

I am in the process of replacing my W2K Master DC. What

do I need to do to make the new DC the master?

First move each of the 5 Master roles to another DC -- use the
GUI tools or (probably easier) NTDSUtil (roles) to do this.

Make sure you have a(nother) GC left too.

 

[Guest]

Five Master roles? I see three in AD Users and
Computers. They are RID, PDC, and Infrastructure. Is
there more somewhere else? Will this happen automagically
if I demote my old DC?

Chuck..

 

[Benoit Boudeville [Exchange MVP]]

what do you call a "master DC" ? the one holding the PDC emulator role ?

open AD Users & Computers, right click the MMC root, select "connecto domain controller", choose
the one you want to make the PDC emulator/RID/Infrastructure master

then right-click the domain name and select operation masters, transfer all the 3 roles to the new DC
wait for a full domain replication (about 15 minutes)
demote the old DC by using dcpromo (don't check "this is the last DC in my domain" !)

verify that the WINS database followed the PDC emulator change (if using WINS of course)
verify the DNS record was removed from the DNS zone (if not, remove it manually)

 

[Chuck Hogard]

Never mind. I found the Schema master and the Domain
naming master settings

Chuck..

 

[Chuck Hogard]

Thanks! Found all five roles and got them changed. Now
to make sure that all the DNS stuff got removed. This was
a DNS server also and the new one is taking over that role
as well. I've tried turning off the old server and the
DNS still functioned correctly so I'm assuming that it
should function correctly.

Chuck..

-----Original Message-----

what do you call a "master DC" ? the one holding the PDC emulator role ?

open AD Users & Computers, right click the MMC root,

select "connecto domain controller", choose

the one you want to make the PDC

emulator/RID/Infrastructure master

then right-click the domain name and select operation

masters, transfer all the 3 roles to the new DC

wait for a full domain replication (about 15 minutes)
demote the old DC by using dcpromo (don't check "this is the last DC in my domain" !)

verify that the WINS database followed the PDC emulator

change (if using WINS of course)

 

[Herb Martin]

Five Master roles? I see three in AD Users and
Computers. They are RID, PDC, and Infrastructure. Is
there more somewhere else? Will this happen automagically
if I demote my old DC?

Everyone Forest -- and therefore the 1st domain -- always has
5 roles.

Each additional domain within a forest (after the 1st domain) has
only 3 additional.

Schema Master is moved in the AD Schema Editor which is NOT
automatically configured in Administrative Tools. The Domain Naming
Master is controlled through the AD Domains and Trust MMC.

This is part of the reason for using NTDSUtil to handle all 5 -- it's
the only tool that does them all and even though it is a command line
tool, when you need to seize or transfer all of the roles it is easier.

Remember that Global Catalog (GC) is not one of the 5 single master
roles, and is configured in the DC-Server's NTDS properties within
AD Sites and Services.

 

[Laura A. Robinson]

circa Sat, 25 Oct 2003 13:51:55 -0700, in
microsoft.public.win2000.active_directory,
(e-mail address removed)
([email protected]) said,

Five Master roles? I see three in AD Users and
Computers. They are RID, PDC, and Infrastructure. Is
there more somewhere else?

Yes. Schema Master and Infrastructure Master.

Will this happen automagically
if I demote my old DC?

Yes.

Laura

 

[Laura A. Robinson]

circa Sat, 25 Oct 2003 19:19:16 -0500, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,

Everyone Forest -- and therefore the 1st domain -- always has
5 roles.

Each additional domain within a forest (after the 1st domain) has
only 3 additional.

Schema Master is moved in the AD Schema Editor

No, it is by default on the first DC in the forest root. Since the
schema master is the only machine that can write to the schema, it is
the "schema editor". However, there is no automagic "move"

which is NOT
automatically configured in Administrative Tools.

Um, you can configure it in the Schema snap-in.

The Domain Naming
Master is controlled through the AD Domains and Trust MMC.

As can be other FSMO roles. Explore further.

This is part of the reason for using NTDSUtil to handle all 5 -- it's
the only tool that does them all and even though it is a command line
tool, when you need to seize or transfer all of the roles it is easier.

I would disagree heartily. For most people, NTDSUtil is complete
overkill and far more error-prone. The only time most people should
use it is when removing defunct data (dirty dead DCs). While I love
NTDSUtil, I would *not* recommend that people who don't know much
about FSMO roles should use it when they can transfer roles easily
via the GUI.

Remember that Global Catalog (GC) is not one of the 5 single master
roles,

No, it certainly is not. There are five FSMO roles:

1 Domain Naming Master per forest.
1 Schema Master per forest.
1 PDC Emulator per domain.
1 Infrastructure master per domain.
1 RID Master per domain.

GCs are not, never have been, and never will be a FSMO role.

Laura

 

[Laura A. Robinson]

circa Sun, 26 Oct 2003 00:03:15 -0400, in
microsoft.public.win2000.active_directory, Laura A. Robinson
([email protected]) said,

Yes. Schema Master and Infrastructure Master.

Er, Domain Naming Master. Fingers and brain not speaking. ;-)

Laura

 

[Herb Martin]

Schema Master is moved in the AD Schema Editor

No, it is by default on the first DC in the forest root. Since the
schema master is the only machine that can write to the schema, it is
the "schema editor". However, there is no automagic "move"

What are you talking about? Of course the Schema Master is on a DC
but the GUI TOOL for moving it is the Schema Editor -- although I still
prefer NTDSUtil for moving all of the master roles.

Um, you can configure it in the Schema snap-in.

Yes, as I said, it is NOT "automatically" configured in Administrative tools
but like ANY MMC you can do so IF you first install AdminPak (in Win2000
the Schema editor snap-in isn't even automatically installed on a DC.)

I would disagree heartily. For most people, NTDSUtil is complete
overkill and far more error-prone. The only time most people should
use it is when removing defunct data (dirty dead DCs).

Let's see, a command line tool that require attention to specific syntax is
somehow more error prone than a "GUI tool" where any uninformed admin
can mess around?

While I love
NTDSUtil, I would *not* recommend that people who don't know much
about FSMO roles should use it when they can transfer roles easily
via the GUI.

No one who doesn't -- or cannot -- understand NTDSutil should be moving
ANY roles.

They and you should call a real admin.

GCs are not, never have been, and never will be a FSMO role.

As I said, but it is important to remind someone with a small domain that
intends to move all of the roles NOT to overlook the GC which is likely on
that same machine (by default.)

 

[Herb Martin]

Five Master roles? I see three in AD Users and

Yes. Schema Master and Infrastructure Master.

He included the Infrastructure Master -- you have overlooked the
Domain Naming Master (a forest only role) which was mentioned
above.

 

[Laura A. Robinson]

circa Sat, 25 Oct 2003 23:43:47 -0500, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,

What are you talking about? Of course the Schema Master is on a DC
but the GUI TOOL for moving it is the Schema Editor

Actually, I was having a hard time understanding what *you* were
talking about; thus the confusion.

-- although I still
prefer NTDSUtil for moving all of the master roles.

Great. It's still not ideal for people who don't know much about FSMO
roles in the first place.

Yes, as I said, it is NOT "automatically" configured in Administrative tools

Yes, Herb, I get it.

but like ANY MMC you can do so IF you first install AdminPak (in Win2000
the Schema editor snap-in isn't even automatically installed on a DC.)

Relevance? None.

Let's see, a command line tool that require attention to specific syntax is
somehow more error prone than a "GUI tool" where any uninformed admin
can mess around?

Herb, how many inexperienced admins have you ever seen use NTDSUtil
successfully?

No one who doesn't -- or cannot -- understand NTDSutil should be moving
ANY roles.

Oh, gee, and that never happens in the real world, right? Puh-leeze.

They and you should call a real admin.

Again, your response ignores reality. There are *many* admins who are
actively administering AD without fully understanding it. That's
reality. Your response that they should call a "real" admin is
ridiculous and belittling.

I work for a company with a lot of UNIX admins who can run rings
around me when it comes to UNIX administration, and they are most
*definitely* "real" admins. They administer the network of a company
that grosses more than five *billion* dollars a year, Herb. And if
one of them called me and asked me how to transfer FSMO roles, I
would walk them through using the GUI. I certainly wouldn't tell them
that they aren't "real" admins because they can't use NTDSUtil, nor
would I recommend that they use NTDSUtil for the job. Period.

As I said, but it is important to remind someone with a small domain that
intends to move all of the roles NOT to overlook the GC which is likely on
that same machine (by default.)

Is there some reason that you're acting like this when I was
reiterating what you said?

Laura

 

[Laura A. Robinson]

circa Sat, 25 Oct 2003 23:44:36 -0500, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,

He included the Infrastructure Master -- you have overlooked the
Domain Naming Master (a forest only role) which was mentioned
above.

I note that your post comes 26 minutes after I posted my own
correction. What was the point of this, Herb?

Laura

 

[Enkidu]

circa Sat, 25 Oct 2003 13:51:55 -0700, in
microsoft.public.win2000.active_directory,
(e-mail address removed)
([email protected]) said,

Yes. Schema Master and Infrastructure Master.


Yes.

Hm, will it? How does AD choose which surviving DC receives the roles?

Cheers,

Cliff

 

[Herb Martin]

Will this happen automagically

Hm, will it? How does AD choose which surviving DC receives the roles?

It's a least a best practice to move the roles:
http://www.microsoft.com/technet/tr...rver2003/proddocs/standard/sag_ADdemoteDC.asp

Unless someone has evidence that it transfers automatically, the best
suggestion is to always transfer the roles manually before your DCPromo
a single master role holder.

 

[Cary Shultz [MVP]]

-----Original Message-----
circa Sat, 25 Oct 2003 23:44:36 -0500, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,
I note that your post comes 26 minutes after I posted my own
correction. What was the point of this, Herb?

Laura

Howdy! Howdy!

Laura, Herb! You two must really love each other! ;-)

I will chime in for a second if you two do not mind!

Herb, I would say that I prefer to use NTDSUtil over the
MMCs just like you do. However, I would venture to say
that probably 65% of the "admins" out there should
probably not try! That is just real world. It is too
easy to to use the ADUC MMC to transfer the three domain-
wide RSMO Roles and the ADDT MMC to transfer the Domain
Naming Master FSMO Role. NTDSUtil is a CLI - so already
50% of the crowd does not know what to do! Yes, I do
included it in my posts when people ask about FSMO
Roles. Hopefully they will play with it in a test
environment before actually having to use it in a
Production environment. This is why I mention it. If
they do not know about it they can not "learn" about it
and finally, one day, use it!

I would also say that there is probably a high percentage
of "admins" out there who really should not be admins.
It could be that the company is really small, the budget
is tight so someone is simply choosen ( probably because
he or she is good with Excel! ). It could also be that
he or she thinks too highly of his or her current skill
level and sells himself or herself very well when
speaking to the HR people. I had a friend who was a
WINNT 4.0 MSCE and she had a terrible time with the
concept of \\servername\sharename!! I kid you not!

I can tell you that I am having a really rough time here
in tiny Roanoke, VA. I moved here about eight months ago
( because of my wife! ) from a job in Beverly Hills, CA.
When I first arrived here in Roanoke I could not buy a
job! I spent a good amount of time in the NG and helped
a lot of people who probably did not know 20% of what I
do - yet they had jobs and I did not ( and by no means do
I think that I am 'better' than they are - you have to
start somewhere and there is a ton of 'material' with
AD! ). I was lucky and found a job after about three
months but that is coming to a close ( all the projects
have been completed so who knows if there will be enough
for the two of us - it is his company! Guess who is going
to win that one?! ). Still, the fact is that there are a
lot of people out there who really do not know what they
are doing when it comes to WIN2000 Active Directory and
all that this beast entails. Granted, I am not talking
about companies that have 25,000 employees around the
country and world and 5 Billion in sales! I am talking
about the little company, with anywhere from five to one
hundred employees ( typically ).

Anyway, it is nice to have discussions on "Hey, I do it
this way because I like it better than that way". Maybe
I can learn something from you or you can learn something
from me. That is the whole point of the NGs, right?

Cary

 

[Ace Fekay [MVP]]

In

Hm, will it? How does AD choose which surviving DC receives the roles?

Cheers,

Cliff

If there are more than two current DCs available to transfer to, I believe
it does it by random since DCPROMO looks in the SRV records for other
available DCs. If they are at default weights and priorities, it's a random
response, as would a client picking a service location.

I can't find any articles on this specific behavior, but assuming so because
of the way the SRV queries and responses work.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Laura A. Robinson]

circa Sun, 26 Oct 2003 22:17:12 +1300, in
microsoft.public.win2000.active_directory, Enkidu ([email protected])
said,

Hm, will it? How does AD choose which surviving DC receives the roles?

Yes, it will. Try it.

Given that the OP has only 1 DC if I'm reading his "master DC"
correctly, they would all go to that DC. In larger environments,
selection would probably not be what one would desire, which is why
you would not normally allow this. As for which DC(s) would be
selected to receive the transfers, that depends on the topology of
the environment.

Laura

 

[Laura A. Robinson]

circa Sun, 26 Oct 2003 11:02:40 -0600, in
microsoft.public.win2000.active_directory, Herb Martin
([email protected]) said,

It's a least a best practice to move the roles:

Of course it is, and nobody said otherwise. I answered the question
that was asked; I didn't suggest it was a best practice.

http://www.microsoft.com/technet/tr...rver2003/proddocs/standard/sag_ADdemoteDC.asp

That's a link for Win2K3, and there are additional considerations
with dcpromo in Win2K3 that didn't exist with Win2K, namely,
application partitions.

Unless someone has evidence that it transfers automatically,

I have tested it numerous times. Since my word is apparently not
"evidence" enough for you, Herb, I suggest that you try it before
questioning the veracity of the statement.

From your address, I see that you work at LearnQuick. Is that not a
CTEC? This information is covered in Microsoft Official Curriculum,
specifically, course 2154.

Laura