Two methods for transferring Domain Controller roles

Source: Internet
Author: User

How to transfer domain controller roles

When a domain controller crashes, or when we buy a new server and want to make the new machine the primary domain controller, we need to transfer the roles. If the original primary domain controller is still online, we can transfer the roles with the graphical MMC console. If the primary domain controller has already crashed, we have to use the ntdsutil tool on an additional domain controller to seize the roles. Below I introduce two methods for transferring the five roles in AD. Everyone on earth knows the five roles already, I believe, hoho.

PS: Before transferring a role, make sure the additional domain controller is set as a Global Catalog (GC) so that it can take over as the primary domain controller. To set GC: open Active Directory Sites and Services, expand Sites, Default-First-Site-Name, Servers, find the additional domain controller and double-click to open it; under the server is an NTDS Settings object. Right-click it, choose Properties, check "Global Catalog" on the General tab of the properties page, and click OK. Wait 5-10 minutes for replication to finish before doing anything else.

PS: some of the steps are taken from the network; this article collects them and adds the points to watch out for.

1. Use the graphical MMC console to transfer domain controller roles

I. Transfer the schema master role

You can use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in you must first register the schmmgmt.dll file. To register schmmgmt.dll: click Start, click Run, type regsvr32 schmmgmt.dll in the dialog box, and click OK. When you receive the message that the operation succeeded, click OK.

1. Click Start, click Run, type MMC in the Open box, and click OK.

2. On the File menu, click "Add/Remove Snap-in".

3. Click Add.

4. Click Active Directory Schema, click Add, click Close, and then click OK.

5. In the console tree, right-click Active Directory Schema and click Change Domain Controller.

6. Click Specify Name, type the name of the domain controller that will become the new role owner, and click OK.

7. In the console tree, right-click Active Directory Schema, and then click Operations Master.

8. Click Change.

9. Click OK to confirm that you want to transfer the role, and then click Close.

II. Transfer the domain naming master role

1. Click Start, point to Administrative Tools, and click "Active Directory Domains and Trusts".

2. Right-click "Active Directory Domains and Trusts" and click "Connect to Domain Controller".

Note: You must perform this step if you are not already connected to the domain controller that will receive the role. You can skip it if you are already connected to the domain controller to which the role is being transferred.

3. Perform one of the following operations:

- In the "Enter the name of another domain controller" box, type the name of the domain controller that will become the new role holder, and then click OK.

- Or, in the "Select an available domain controller" list, click the domain controller that will become the new role owner, and then click OK.

4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

5. Click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

III. Transfer the RID master, PDC emulator and infrastructure master roles

1. Click Start, point to Administrative Tools, and then click "Active Directory Users and Computers".

2. Right-click "Active Directory Users and Computers" and click "Connect to Domain Controller".

Note: You must perform this step if you are not already connected to the domain controller that will receive the role. You can skip it if you are already connected to the domain controller to which the role is being transferred.

3. Perform one of the following operations:

- In the "Enter the name of another domain controller" box, type the name of the domain controller that will become the new role holder, and then click OK.

- Or, in the "Select an available domain controller" list, click the domain controller that will become the new role owner, and then click OK.

4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Masters.

5. Click the tab of the role to be transferred (RID, PDC, or Infrastructure), and then click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

2. Use the ntdsutil tool to transfer domain controller roles and clear a nonexistent domain controller

1. Use ntdsutil to clear the metadata of a failed DC

Suppose your additional domain controller is abc.mstc.com, the primary domain controller is ctu.mstc.com, and the additional DC has failed. Run the following on the primary DC, which has the support tools installed (the text after each double dash explains the command):

C:\> ntdsutil
ntdsutil: metadata cleanup -- clean up the objects of servers that no longer exist
metadata cleanup: select operation target -- select the site, server, domain, role and naming context to operate on
select operation target: connections -- connect to a specific domain controller
server connections: connect to server ctu.mstc.com -- bind to CTU
Connected to CTU using the credentials of the logged-on user.
server connections: quit -- return to the previous level
select operation target: list sites -- list the sites in the enterprise (1 site found, numbered 0)
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
select operation target: select site 0 -- make the site numbered 0 the selected site
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
No current domain
No current server
No current naming context
select operation target: list domains -- list all domains that have cross-references
0 - DC=MSTC,DC=com
select operation target: select domain 0 -- make the domain numbered 0 the selected domain
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
Domain - DC=MSTC,DC=com
No current server
No current naming context
select operation target: list servers for domain in site -- list the servers in the selected domain and site (two found: 0 - abc.mstc.com; 1 - ctu.mstc.com)
Found 2 server(s)
0 - CN=addemo,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
1 - CN=adddc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
select operation target: select server 0 -- make the server numbered 0 (ABC) the selected server, that is, the DC to be deleted
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Acme,DC=com
Domain - DC=MSTC,DC=com
Server - CN=addemo,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com
    DSA object - CN=NTDS Settings,CN=addemo,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
    DNS host name - abc.mstc.com
    Computer object - CN=ABC,OU=Domain Controllers,DC=MSTC,DC=com
No current naming context
select operation target: quit -- return to the previous level
metadata cleanup: remove selected server -- delete the DS objects of the selected server; in the confirmation dialog click Yes
"CN=ABC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MSTC,DC=com" removed from server "CTU"

Now the DC object abc.mstc.com has disappeared from your AD.

2. Use ntdsutil to seize the FSMO roles

When you run dcpromo.exe and install AD, the five FSMO roles are granted to the first domain controller in the forest. Two of the FSMO roles are forest-wide and the other three are domain-wide. Creating a child domain does not change the roles already created; a forest with two domains therefore has eight FSMO roles: two forest-wide roles, plus three domain-wide roles in each domain. The five roles are schema master, domain naming master, RID master, PDC emulator and infrastructure master. There are two ways to move these roles to another computer. The first is to transfer them, which requires both computers to be online and working normally. If one of them is offline, only the second method is possible: use the ntdsutil tool to forcibly seize the roles. If your primary DC has failed and all the roles were on it, run the following commands on the new domain controller (or an additional domain controller) that has the support tools installed. First, run this in cmd:

netdom query /D:<domain name> FSMO

This shows which role is on which server. Then run the following in cmd (type ? at any ntdsutil prompt if you do not know how to write a command, to get help):

ntdsutil
roles
connections
connect to server <server name> -- binds to a currently online DC; once connected, type q to quit back to the previous level (roles) and proceed with the role migration
seize schema master
seize domain naming master -- on Windows Server 2008 and later the command is "seize naming master"
seize rid master
seize PDC
seize infrastructure master

The five commands above migrate the five roles to the server we bound to earlier. Return to cmd and run netdom query /D:<domain name> FSMO again to check whether the roles have been migrated.

Then, in Active Directory Sites and Services, open the properties of the new DC's NTDS Settings object and, on the General tab, check that the Global Catalog check box is selected. If everything is normal, the role transfer has succeeded.
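The same check-then-move-then-verify procedure can be scripted. This is an added example, not from the original article: it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin host, and the DC name NEWDC01 is a constructed placeholder.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
param(
    [string]$TargetDc = 'NEWDC01',  # constructed placeholder; replace with the new DC's name
    [switch]$Seize                  # set only when the current role holder is permanently offline
)
Import-Module ActiveDirectory

# Equivalent of "netdom query FSMO": read the forest-wide and domain-wide role holders.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Prerequisite from the article: the target must already be a global catalog.
$dc = Get-ADDomainController -Identity $TargetDc
if (-not $dc.IsGlobalCatalog) {
    throw "$TargetDc is not a global catalog; enable GC in AD Sites and Services and wait for replication first."
}

Write-Host 'Role holders before:'
Get-FsmoHolders | Format-Table -AutoSize

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
# Without -Force this is a graceful transfer (old and new holder both online, like the MMC method);
# with -Force it seizes the roles, like "seize ..." in ntdsutil.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Force:$Seize -Confirm:$false

Write-Host 'Role holders after:'
$after = Get-FsmoHolders
$after | Format-Table -AutoSize

# Verification step: every role should now report the target DC's FQDN.
$notMoved = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$TargetDc*" }
if ($notMoved) {
    Write-Warning ('Roles not on {0}: {1}' -f $TargetDc, ($notMoved.Key -join ', '))
} else {
    Write-Host "All five roles are now held by $TargetDc"
}
```

Run it with -Seize only in the crash scenario the article describes; after a seizure, the old holder must never be brought back online without first cleaning its metadata as shown in the previous section.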

3. Handle the AD data files offline. Microsoft has already documented the whole procedure, so I will only repeat it here and add some extra instructions to avoid unnecessary catastrophic mistakes. This is a key operation, and once an error occurs it is disastrous.
