Role transfer between Windows Server 2012 domain controllers and domain controller cleanup: promoting a secondary domain controller to primary

Source: Internet
Author: User
Tags: domain server

This article describes transferring the operations master (FSMO) roles between Windows Server 2012 domain controllers and removing a domain controller from the domain. The operations are grouped by scenario. A note on terminology: since Windows 2000 there is no real "primary" and "secondary" domain controller, every DC holds a writable copy of the directory. Throughout this article "primary domain controller" means the DC that currently holds the five operations master roles (schema master, domain naming master, PDC emulator, RID master, infrastructure master) and "secondary domain controller" means any other DC in the domain.

Two scenarios are covered:

Scenario 1: Both the primary and the secondary domain controller are working normally and AD replication between them succeeds. The secondary domain controller is to take over the operations master roles and the original primary is to be demoted to an ordinary member server. This is the normal case for an operating-system upgrade of the primary DC (transfer the roles away, demote, install or upgrade to the newer version, promote again, transfer the roles back) or for replacing the primary DC with better hardware (promote the new server as a secondary DC, transfer the roles to it; the old host becomes the secondary and the new host the primary).

Scenario 2: The secondary domain controller is working normally, but the primary has failed suddenly and cannot be recovered. The secondary must seize the five operations master roles (RID master, PDC emulator, infrastructure master, schema master, domain naming master) and take over the global catalog function, and the stale metadata of the failed primary must be removed from the domain by force. This applies when the primary DC's operating system or directory database is damaged beyond repair. A DC whose roles have been seized must never be brought back online with its old database; when the original host is rebuilt and rejoined to the domain (after a clean reinstall of the operating system), use a different hostname and IP address.


Scenario One:

Environment: primary domain controller ds01.bicionline.org, secondary domain controller pdc01.bicionline.org; both DCs are running normally and replicate with each other. Goal: transfer the RID, PDC emulator, infrastructure, schema and domain naming roles and the global catalog function from the primary to the secondary, then demote the primary to an ordinary member server. Approach: transfer the roles through the graphical tools or the command line, demote the DC through Server Manager, delete the old primary DC's records from every zone on the DNS server, and delete the old primary DC's server object in Active Directory Sites and Services.


Graphical interface operation:

  1. Transfer the PDC emulator, RID master and infrastructure master roles:

    Log on to the secondary DC pdc01.bicionline.org, open Active Directory Users and Computers connected to pdc01.bicionline.org, right-click the domain bicionline.org and choose Operations Masters. On each of the three tabs (RID, PDC, Infrastructure) confirm that the target shown is pdc01.bicionline.org and click Change:


  2. Transfer the schema master role:

    The Active Directory Schema snap-in is not registered by default on Windows Server 2012; register it with regsvr32 schmmgmt.dll and open it through an MMC console:

    A. Register the schema management DLL: regsvr32 schmmgmt.dll

    B. Open an empty MMC console (mmc.exe) and add the "Active Directory Schema" snap-in.

    C. Right-click "Active Directory Schema [pdc01.bicionline.org]" and choose "Operations Master", then click Change. If the snap-in title shows ds01 instead, first use "Change Active Directory Domain Controller" to connect to pdc01; the role can only be transferred to the DC the snap-in is connected to.


  3. Transfer the domain naming master role:

    Open Active Directory Domains and Trusts, connect it to pdc01.bicionline.org (right-click the root node, "Change Active Directory Domain Controller"), then right-click the root node again, choose Operations Master and click Change:



Command-line operation:

  1. The transfers above can also be done with the Ntdsutil tool. Each line below is typed at the ntdsutil prompt and followed by Enter:

    Run - cmd - ntdsutil

    Tip: type ? at any prompt to list the commands available in the current mode.

    roles                                    // enter operations master maintenance mode
    connections                              // enter connection mode
    connect to server pdc01.bicionline.org   // bind to PDC01, the DC that will receive the roles
    quit                                     // back to roles mode; the connection stays open
    transfer naming master                   // make the connected server the domain naming master
    transfer infrastructure master
    transfer pdc
    transfer rid master
    transfer schema master

    Each transfer command asks for confirmation and contacts the current role holder, so the current holder must be online and replicating; if it is not, the command fails rather than silently seizing. Afterwards check the result with netdom query fsmo.


To demote the domain controller

    1. Log on to ds01.bicionline.org and remove the AD DS role (and the DNS Server role if it is no longer wanted).

      A. In Server Manager choose Manage, then "Remove Roles and Features".

      B. Clear the "Active Directory Domain Services" check box; the wizard reports that the server must be demoted first. Choose "Demote this domain controller".

      C. On the Credentials page keep the defaults (the current account) and click Next. Do not tick "Force the removal of this domain controller": that option is only for a DC that can no longer contact the domain and it skips the normal metadata cleanup.

      D. Tick "Proceed with removal" and click Next.

      E. On the DNS Delegation Removal page supply credentials allowed to delete the delegation, here the domain administrator account bicionline\administrator, and click Next.

      F. Enter the new local Administrator password the server will use after demotion, and click Next.

      G. Click Demote. Wait for the uninstallation to finish; the server restarts as a member server. Then, on the DNS server and in Active Directory Sites and Services, remove any remaining records and the server object of ds01 as described for Scenario Two.
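The whole of Scenario One as a PowerShell session, written here as an added example; it is not code from the original article. Hostnames and the domain follow the article's environment (ds01 and pdc01 in bicionline.org); the NTP peer time.windows.com is an assumption. Steps 1 to 5 run in an elevated PowerShell on pdc01 as a member of Enterprise Admins and Schema Admins, step 6 runs on ds01.

```powershell
# Added example (not from the original article): Scenario One in PowerShell.
# Assumed names: ds01/pdc01 in bicionline.org (from the article), time.windows.com (assumption).
Import-Module ActiveDirectory

$target = 'pdc01.bicionline.org'   # DC that receives the roles
$source = 'ds01.bicionline.org'    # current holder, demoted afterwards

# 1. Pre-check: a transfer is cooperative, so both DCs must be reachable and
#    replicating. Any failure reported here must be fixed before continuing.
repadmin /replsummary
$fail = Get-ADReplicationFailure -Target $source, $target
if ($fail) { $fail | Format-Table Server, Partner, FailureCount, LastError; throw 'Replication failures present' }

# 2. Record who holds the five roles now (schema and naming are forest-wide,
#    the other three are per-domain).
function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
Get-FsmoHolders

# 3. Transfer all five roles in one call. Without -Force the cmdlet refuses if
#    the current holder does not answer, which is exactly what this scenario wants.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Verify: every role must now name pdc01.
$after = Get-FsmoHolders
$after
$notMoved = $after.PSObject.Properties | Where-Object { $_.Value -ne $target } | ForEach-Object Name
if ($notMoved) { throw "Roles still not on ${target}: $($notMoved -join ', ')" }
netdom query fsmo

# 5. The PDC emulator is the domain's authoritative time source and the DC that
#    receives password changes and lockouts first; give the new holder an
#    external NTP peer and mark it reliable.
w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# 6. On ds01: demote. Unattended equivalent of the Server Manager wizard above.
#    -DemoteOperationMasterRole:$false aborts if ds01 still holds a role,
#    i.e. if step 3 did not complete.
$newLocalPwd = Read-Host -AsSecureString 'New local Administrator password for ds01'
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $newLocalPwd -DemoteOperationMasterRole:$false
Uninstall-ADDSDomainController -LocalAdministratorPassword $newLocalPwd `
    -DemoteOperationMasterRole:$false -RemoveDnsDelegation:$false -Force
```

Step 1 is the part the graphical procedure makes easy to skip: a transfer that starts while replication is broken can leave the two DCs disagreeing about the role holder, which is the situation Scenario Two exists to repair.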


Scenario Two:

Environment: primary domain controller ds01.bicionline.org, secondary domain controller pdc01.bicionline.org; the secondary is running normally, the primary is down and cannot be recovered. Goal: the secondary seizes the RID, PDC emulator, infrastructure, schema and domain naming roles and takes over the global catalog function, and the remnants of the old primary are removed from the domain by force. Approach: seize the five roles with Ntdsutil, remove the old DC's metadata, delete its records from every zone on the DNS server, and delete its server object in Active Directory Sites and Services.

Steps:

  1. Seize the roles with Ntdsutil. Each line below is typed at the ntdsutil prompt on pdc01 and followed by Enter:

    Run - cmd - ntdsutil

    Tip: type ? at any prompt to list the commands available in the current mode.

    roles                                    // enter operations master maintenance mode
    connections                              // enter connection mode
    connect to server pdc01.bicionline.org   // bind to PDC01, the DC that will take the roles
    quit                                     // back to roles mode
    seize naming master                      // force the domain naming master role onto the connected server
    seize infrastructure master
    seize pdc
    seize rid master
    seize schema master

    Each seize command first attempts a normal transfer and only seizes when the current holder does not answer, so expect a delay of a minute or more per role. A seize writes the new holder into the directory without the old holder's knowledge; if ds01 ever came back with its old database it would also believe it holds the roles, which is why the failed DC must be rebuilt from scratch and never restored. Confirm the result with netdom query fsmo.


  2. Clean up the residual metadata of the DS01 server

    On Windows Server 2008 and later, deleting the failed DC's computer object in Active Directory Users and Computers (or its NTDS Settings object in Sites and Services) performs this cleanup automatically; the Ntdsutil procedure below is the manual equivalent.

    Run - cmd - ntdsutil

    metadata cleanup                         // enter server object cleanup mode
    connections                              // enter connection mode
    connect to server pdc01.bicionline.org   // bind to PDC01, the surviving DC
    quit                                     // back to metadata cleanup mode
    select operation target                  // enter target selection mode
    list sites                               // list the sites in the forest
    select site 0                            // select the site DS01 belonged to (check the number in the list)
    list domains in site                     // list the domains in that site
    select domain 0                          // select the domain of DS01
    list servers for domain in site          // list the DCs of that domain in that site
    select server 0                          // select DS01, the DC to be removed (check the number; do not pick PDC01)
    quit                                     // back to metadata cleanup mode
    remove selected server                   // remove DS01's NTDS Settings object, computer account and replication links

    Read the confirmation dialog before accepting it: it names the server that will be removed. If DS01 still holds operations master roles that were not seized, Ntdsutil warns about this; seize them first.


  3. On the DNS server delete DS01's records from every zone (its A/AAAA host records, the NS record in each forward and reverse zone, the SRV records under _msdcs and _sites/_tcp/_udp, and the PTR record in the reverse zone); delete the DS01 server object in Active Directory Sites and Services if it is still there; and enable the Global Catalog on PDC01 (Sites and Services, PDC01, NTDS Settings, Properties, Global Catalog). These three steps are easy to overlook. Also repoint clients and member servers whose DNS client settings still name DS01, and configure the new PDC emulator as the authoritative time source.
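The whole of Scenario Two (seize, metadata cleanup, DNS cleanup, global catalog) as a PowerShell session on the surviving DC, written here as an added example; it is not code from the original article. Hostnames and the domain follow the article's environment (ds01 and pdc01 in bicionline.org); the zone list and the records to delete are discovered at run time rather than assumed. Run it elevated on pdc01 as a member of Enterprise Admins and Schema Admins.

```powershell
# Added example (not from the original article): Scenario Two in PowerShell on pdc01.
# Assumed names: ds01/pdc01 in bicionline.org, taken from the article's environment.
Import-Module ActiveDirectory
Import-Module DnsServer

$dead       = 'ds01'                    # failed DC, host name
$deadFqdn   = 'ds01.bicionline.org'
$domainZone = 'bicionline.org'
$target     = 'pdc01.bicionline.org'    # surviving DC that takes the roles

# 0. Sanity check (not proof, ICMP may be filtered): seizing while the old
#    holder is merely slow yields two DCs that both claim the roles.
if (Test-Connection -ComputerName $deadFqdn -Count 2 -Quiet) {
    throw "$deadFqdn still answers on the network; use a transfer instead of a seize."
}

# 1. Seize the five roles. -Force = seize when the transfer attempt fails
#    (ntdsutil "seize ..." does the same: try a transfer first, then seize).
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false
netdom query fsmo

# 2. Metadata cleanup: find ds01's server object in the configuration partition
#    and hand its DN to ntdsutil in one line (the same "metadata cleanup /
#    remove selected server" sequence as step 2 above, without the menu walk).
$cfg = (Get-ADRootDSE).configurationNamingContext
$srv = Get-ADObject -Filter { objectClass -eq 'server' -and name -eq $dead } -SearchBase "CN=Sites,$cfg"
if (-not $srv) { throw "No server object named $dead under CN=Sites; already cleaned up?" }
ntdsutil 'metadata cleanup' 'connections' "connect to server $target" 'quit' `
         "remove selected server $($srv.DistinguishedName)" 'quit' 'quit'

# 2b. The cleanup removes the NTDS Settings object and the computer account;
#     an empty server object can remain in Sites and Services, so remove it.
try   { Remove-ADObject -Identity $srv.DistinguishedName -Recursive -Confirm:$false }
catch { Write-Host "Server object already gone: $($_.Exception.Message)" }

# 3. DNS: delete every record in every primary zone that names ds01 in any
#    role (A/AAAA host, NS, SRV target, CNAME target, PTR) or carries its IP.
$deadIps = @(Get-DnsServerResourceRecord -ZoneName $domainZone -Name $dead -RRType A -ErrorAction SilentlyContinue |
             ForEach-Object { "$($_.RecordData.IPv4Address)" })
function Find-DnsRecordsFor([string]$ZoneName, [string]$HostName, [string]$Fqdn, [string[]]$Ips) {
    Get-DnsServerResourceRecord -ZoneName $ZoneName | Where-Object {
        $values = @($_.RecordData.PSObject.Properties | ForEach-Object { "$($_.Value)" })
        $_.HostName -eq $HostName -or
        $values -contains $Fqdn -or $values -contains "$Fqdn." -or
        ($Ips | Where-Object { $values -contains $_ })
    }
}
foreach ($zone in Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }) {
    foreach ($rr in Find-DnsRecordsFor $zone.ZoneName $dead $deadFqdn $deadIps) {
        Write-Host "Removing $($rr.RecordType) $($rr.HostName) from $($zone.ZoneName)"
        Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -InputObject $rr -Force
    }
}

# 4. Make pdc01 a global catalog: set bit 0x1 (IS_GC) on its NTDS Settings
#    object without clobbering other option bits. GC promotion completes in
#    the background; IsGlobalCatalog turns true once the partial replicas exist.
$ntds = (Get-ADDomainController -Identity $target).NTDSSettingsObjectDN
$opts = [int](Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
(Get-ADDomainController -Identity $target).IsGlobalCatalog
```

The DNS step prints each record before deleting it; run it once with the Remove-DnsServerResourceRecord line commented out and read the list, since a record that merely shares ds01's IP (for example a root "@" record of a second host on the same address) would otherwise be removed too.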


In summary: whichever scenario applies, back up the system state of the surviving domain controllers before starting, and be careful when cleaning up the remnants of the old primary DC, since deleting the wrong server object removes a live DC. A lost DC also carried a copy of the domain database with every account's password hash; if its disks are not under your control, treat those secrets as exposed and reset the passwords of privileged accounts, including the krbtgt account (twice).


