How to transfer domain controller roles
When a domain controller crashes, or we buy a new server and want the new machine to act as the primary domain controller (the one holding the operations master roles), the roles have to be moved. While the original primary DC is still online, the roles can be transferred from the graphical MMC consoles. Once the primary DC has crashed, the roles have to be seized with the ntdsutil tool from an additional (secondary) domain controller. Below I introduce both methods for moving the five FSMO roles in AD. Everyone on earth already knows what the five roles are, hoho.
PS: Before you move any role, make sure the additional domain controller is configured as a Global Catalog (GC), so that it can take over as the primary DC. To enable the GC: open Active Directory Sites and Services, expand Sites, Default-First-Site-Name, Servers, find the additional domain controller and expand it; below it is an NTDS Settings object. Right-click it, choose Properties, tick "Global Catalog" on the properties page that appears and click OK. Wait 5-10 minutes for the change to replicate across the domain before continuing.
Use the graphical interface MMC to transfer the domain controller role
Transfer the schema master role
You can transfer the schema master role with the Active Directory Schema snap-in. Before that snap-in can be used, the file schmmgmt.dll must be registered. To register schmmgmt.dll:
Click Start, then Run. In the dialog box, type regsvr32 schmmgmt.dll and click OK.
When the message reporting that the operation succeeded appears, click OK.
1. Click Start, then Run, type MMC in the Open box and click OK.
2. On the File menu, click "Add/Remove Snap-in".
3. Click Add.
4. Click Active Directory Schema, then Add, Close and OK.
5. In the console tree, right-click Active Directory Schema and click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will become the new role owner, and click OK.
7. In the console tree, right-click Active Directory Schema, then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, then click Close.
Transfer the domain naming master role
1. Click Start, point to Administrative Tools, and click "Active Directory Domains and Trusts".
2. Right-click "Active Directory Domains and Trusts" and click "Connect to Domain Controller".
Note: This step is required if you are not connected to the domain controller that is to receive the role. Skip it if you are already connected to the domain controller to which the role is to be transferred.
3. Do one of the following:
- In the "Enter the name of another domain controller" box, type the name of the domain controller that will become the new role holder, then click OK.
- In the "Or, select an available domain controller" list, click the domain controller that will become the new role owner, then click OK.
4. In the console tree, right-click Active Directory Domains and Trusts, then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, then click Close.
Transfer the RID master, PDC emulator and infrastructure master roles
1. Click Start, point to Administrative Tools, and click "Active Directory Users and Computers".
2. Right-click "Active Directory Users and Computers" and click "Connect to Domain Controller".
Note: This step is required if you are not connected to the domain controller that is to receive the role. Skip it if you are already connected to the domain controller to which the role is to be transferred.
3. Do one of the following:
- In the "Enter the name of another domain controller" box, type the name of the domain controller that will become the new role holder, then click OK.
- In the "Or, select an available domain controller" list, click the domain controller that will become the new role owner, then click OK.
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, then click Operations Masters.
5. Click the tab of the role to be transferred (RID, PDC or Infrastructure), then click Change.
6. Click OK to confirm that you want to transfer the role, then click Close.
Use ntdsutil to seize the domain controller roles and to clean up a domain controller that no longer exists
1. Use ntdsutil to remove the metadata of a dead DC
Suppose the backup (additional) domain controller is abc.mstc.com, the primary domain controller is ctu.mstc.com, and the backup DC has died. Run the following on the primary DC, which has the Support Tools installed (the text after "--" is my annotation, not something you type):
C:\> ntdsutil
ntdsutil: metadata cleanup  -- clean up the objects of servers that no longer exist
metadata cleanup: select operation target  -- choose the site, server, domain, role and naming context to operate on
select operation target: connections  -- connect to a specific domain controller
server connections: connect to server ctu.mstc.com  -- bind to CTU
Connected to CTU using the credentials of the logged-on user.
server connections: quit  -- return to the previous menu
select operation target: list sites  -- list the sites in the enterprise (one site found, numbered 0)
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
select operation target: select site 0  -- make site number 0 the selected site
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
No current domain
No current server
No current Naming Context
select operation target: list domains  -- list all domains that have a cross-reference
0 - DC=MSTC,DC=com
select operation target: select domain 0  -- make domain number 0 the selected domain
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
Domain - DC=MSTC,DC=com
No current server
No current Naming Context
select operation target: list servers for domain in site  -- list the servers in the selected domain and site (two found: 0 = abc.mstc.com, 1 = ctu.mstc.com)
Found 2 server(s)
0 - CN=addemo,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
1 - CN=adddc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
select operation target: select server 0  -- make server number 0 (ABC) the selected server, i.e. the DC to be deleted
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Acme,DC=com
Domain - DC=MSTC,DC=com
Server - CN=addemo,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
    DSA object - CN=NTDS Settings,CN=addemo,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
    DNS host name - abc.mstc.com
    Computer object - CN=ABC,OU=Domain Controllers,DC=MSTC,DC=com
No current Naming Context
select operation target: quit  -- return to the previous menu
metadata cleanup: remove selected server  -- delete the DS objects of the selected server; click Yes in the confirmation dialog that appears
"CN=ABC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com" removed from server "CTU"
The DC object abc.mstc.com has now disappeared from your AD.
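The same cleanup done non-interactively, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, an Enterprise Admin session, and the article's host names; the guard at the top refuses to delete a DC that is still recorded as an FSMO owner, because its roles must be seized first.

```powershell
# Added example (not from the original article): run ntdsutil metadata cleanup
# for a dead DC from PowerShell, after checking it no longer owns any FSMO role.
Import-Module ActiveDirectory

$DeadDc = 'abc.mstc.com'   # the DC that is gone for good (article's name)
$LiveDc = 'ctu.mstc.com'   # the healthy DC that ntdsutil binds to
$DeadCn = ($DeadDc -split '\.')[0]

# 1. Owner check: every role must already point at a live DC before cleanup.
$forest = Get-ADForest -Server $LiveDc
$domain = Get-ADDomain -Server $LiveDc
$owners = @($forest.SchemaMaster, $forest.DomainNamingMaster,
            $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
if ($owners -contains $DeadDc) {
    throw "$DeadDc still owns FSMO roles; seize them first (section 2), then rerun."
}

# 2. Resolve the server object DN that the interactive session reached with
#    "select server 0": CN=<name>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
$configNc = $forest.PartitionsContainer -replace '^CN=Partitions,', ''
$server = Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configNc" `
          -LDAPFilter "(&(objectClass=server)(cn=$DeadCn))"
if (-not $server) { throw "No server object named $DeadCn found under CN=Sites." }
$dn = $server.DistinguishedName

# 3. "remove selected server <DN> on <DC>" replaces the menu navigation above: it
#    removes the NTDS Settings object and the server object (on Server 2003 SP1
#    and later also the computer account) and still shows the Yes/No dialog.
& ntdsutil 'metadata cleanup' "remove selected server $dn on $LiveDc" quit quit

# 4. Verify the way the article does: the server object must be gone from AD.
$gone = -not (Get-ADObject -Server $LiveDc -Identity $dn -ErrorAction SilentlyContinue)
if ($gone) { "Metadata for $DeadDc removed." } else { throw "Server object $dn still exists." }
```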
2. Use ntdsutil to seize the FSMO roles
When you run dcpromo.exe to install AD, the first domain controller in the forest is given all five FSMO roles. Two of them are forest-wide and the other three are domain-wide. Creating a child domain does not change the roles that already exist; a forest with two domains therefore has eight FSMO roles: two forest-wide roles, plus three domain-wide roles in each domain. The five roles are the schema master, the domain naming master, the RID master, the PDC emulator and the infrastructure master. There are two ways to move them to another computer. The first is a transfer, which requires both computers to be running normally. If one of them is offline, only the second method is possible: seizing the roles with the ntdsutil tool. If your primary DC has died and all the roles were on it, run the following on the new or backup domain controller, which must have the Support Tools installed. First, at the cmd prompt run
netdom query /D:<domain name> fsmo
to see which roles live on which server. Then, still in cmd, type the following (type ? at any ntdsutil prompt for help if you do not remember a command):
"ntdsutil"
"roles"
"connections"
"connect to server <server name>" binds to a DC that is currently online. When the connection succeeds, type q to return to the previous menu (roles) and perform the role migration.
"seize schema master"
"seize domain naming master"
"seize rid master"
"seize pdc"
"seize infrastructure master"
The five commands above move the five roles to the server we bound to earlier. Go back to cmd and run "netdom query /D:<domain name> fsmo" again to check that the roles have moved.
Also open the NTDS Settings properties of the new owner and check on the General tab that the Global Catalog check box is selected. If both look right, the role move succeeded.
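The GUI transfers from the first half of the article and the ntdsutil seize commands above, scripted with the ActiveDirectory module as an added example (not code from the original article). It assumes RSAT and an elevated Enterprise Admin plus Schema Admin session; Move-AllFsmoRoles and Get-FsmoOwners are my names, and -Seize maps to the cmdlet's -Force, which is the scripted equivalent of "seize" and is only for a holder that will never come back.

```powershell
# Added example (not from the original article): graceful transfer of all five
# FSMO roles, or seizure with -Seize, with the article's GC precondition and the
# "netdom query fsmo" style verification built in.
Import-Module ActiveDirectory

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)] [string] $Target,   # new owner, e.g. 'ctu.mstc.com'
        [switch] $Seize                            # old holder is gone for good
    )
    $roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

    # The article's PS note: the new owner must already be a global catalog.
    $dc = Get-ADDomainController -Identity $Target
    if (-not $dc.IsGlobalCatalog) {
        throw "$Target is not a global catalog; enable GC and wait for replication first."
    }

    # Same information as "netdom query fsmo", read from the target's own replica.
    function Get-FsmoOwners {
        $f = Get-ADForest -Server $Target; $d = Get-ADDomain -Server $Target
        @{ SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
           PDCEmulator  = $d.PDCEmulator;  RIDMaster = $d.RIDMaster
           InfrastructureMaster = $d.InfrastructureMaster }
    }
    $before  = Get-FsmoOwners
    $pending = @($roles | Where-Object { $before[$_] -ne $dc.HostName })
    if ($pending.Count -eq 0) { return $before }

    # A transfer that cannot bind to an old holder fails half-way; refuse up front.
    if (-not $Seize) {
        foreach ($holder in ($pending | ForEach-Object { $before[$_] } | Sort-Object -Unique)) {
            try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop }
            catch { throw "Cannot reach current owner $holder; bring it back or use -Seize." }
        }
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $pending `
        -Force:$Seize -Confirm:$false

    # Verify, as the article does by re-running "netdom query fsmo".
    $after = Get-FsmoOwners
    $left  = @($roles | Where-Object { $after[$_] -ne $dc.HostName })
    if ($left.Count) { throw "Roles still elsewhere: $($left -join ', ')" }
    return $after
}

# Move-AllFsmoRoles -Target 'ctu.mstc.com'          # graceful transfer (GUI equivalent)
# Move-AllFsmoRoles -Target 'ctu.mstc.com' -Seize   # dead owner (ntdsutil seize equivalent)
```

After a seizure the old holder must never be reconnected to the network with its directory intact; rebuild it, or clean up its metadata as in section 1.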
3. Compact the AD database file offline. Microsoft has documented the whole procedure, so I will just restate it here and add a few extra notes to avoid unnecessary disasters: this is a critical operation, and any mistake can be catastrophic.
1. Back up every DC you are about to work on with proper backup software. If no professional backup software is available, use ntbackup.
2. Restart the DC and press F8 to enter Directory Services Restore Mode, where the AD database can be worked on.
3. If the hard disk has enough space, make another copy of the current ntds.dit file and keep it in a temporary folder as a fallback until all the work has finished successfully. Remember: do not rename the file, otherwise the compaction cannot complete.
4. Type the following at the command line:
a) ntdsutil
b) files
c) info (note down the current path of ntds.dit)
d) compact to "C:\compact" to compress ntds.dit; the compacted file is written to that folder. If the folder does not exist, ntdsutil creates it automatically (the folder can have any name).
5. To leave ntdsutil, enter the following command twice in a row:
a) quit
b) quit
6. Overwrite the current ntds.dit with the compacted ntds.dit from the C:\compact folder.
7. Delete all .log files in the AD database folder.
8. Restart the DC normally.
9. If everything is working, the copied ntds.dit can be deleted.
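The nine steps above as one script, added here as an example and not part of the original article. It is written for Windows Server 2008 or later, where AD DS can be stopped as a service instead of booting into Directory Services Restore Mode (the 2003-era route the article describes); it assumes an elevated session on the DC, reads the database and log paths from the NTDS registry key, and $compact and $safety are my folder names.

```powershell
# Added example (not from the original article): offline compaction of ntds.dit
# with the safety copy, the space check and the "do not rename" rule enforced.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty $ntdsKey
$dbFile  = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'
$compact = 'C:\compact'                         # target folder, as in step 4d
$safety  = 'C:\ntds-safety'                     # fallback copy from step 3

# Steps 3 and 4 need room for two more copies of the database; check first.
$size = (Get-Item $dbFile).Length
$free = (Get-PSDrive -Name $compact.Substring(0, 1)).Free
if ($free -lt 2 * $size) { throw "Need $(2 * $size) bytes free for $compact, have $free." }

Stop-Service NTDS -Force                        # stands in for step 2 (DSRM) on 2008+
try {
    New-Item -ItemType Directory -Force $compact, $safety | Out-Null
    Copy-Item $dbFile $safety                   # step 3: keep the name ntds.dit as is

    # Step 4: on 2008+ the instance must be activated before "files"; the
    # compacted copy lands in $compact, which ntdsutil creates if missing.
    & ntdsutil 'activate instance ntds' files "compact to $compact" quit quit | Out-Null
    $new = Join-Path $compact 'ntds.dit'
    if (-not (Test-Path $new)) { throw 'ntdsutil did not produce a compacted ntds.dit.' }

    # Steps 6 and 7: swap the file in, then drop the now-stale transaction logs.
    Copy-Item $new $dbFile -Force
    Remove-Item (Join-Path $logDir '*.log') -Force

    # Sanity check before the directory comes back; roll back to the safety copy on failure.
    $check = & ntdsutil 'activate instance ntds' files integrity quit quit
    if (-not ($check -match 'Integrity check successful')) {
        Copy-Item (Join-Path $safety 'ntds.dit') $dbFile -Force
        throw 'Integrity check failed; the original ntds.dit was put back, restore from backup.'
    }
}
finally {
    Start-Service NTDS                          # step 8: bring AD DS back up
}
# Step 9: remove $safety only after the DC has started cleanly and replicated.
```

Stop-Service -Force also stops the services that depend on NTDS (KDC, Netlogon, DNS Server), and Start-Service does not bring them back, so finish with the reboot from step 8 rather than relying on the restarted NTDS service alone.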