    Chapter 10. Active Directory Maintenance

    Loss of a Domain Controller

    When a domain controller fails, the Kerberos service running at the clients will become aware of the loss when the locally cached Kerberos tickets time out and the Kerberos service attempts to renew them. When the client realizes that its logon server is not responding, it queries DNS for alternative domain controllers and uses one of them to reauthenticate. The user is none the wiser.

    If the failed domain controller is the only domain controller in a site, the clients must reauthenticate across the WAN. This slows down the authentication, depending on the speed of the site link. During the period when a local domain controller is unavailable, LDAP queries such as searching for printers or using Outlook in an Exchange 2000 environment will be slow thanks to the latency across the WAN link.

    If no other domain controllers are available for reauthentication, the client's Kerberos tickets will eventually expire and it will lose connection with member servers. If the clients log off, they can log back on with cached credentials but those credentials will not be sufficient to get access to member servers.

    So, it is important to keep in mind that a cut WAN link can cause a loss of connection to local Windows servers if there are no local domain controllers. One option is to put a fallback WAN connection in place, such as an ISDN line that only goes hot when the primary connection goes down. Alternatively, you can install a local domain controller. As we'll see in the next section, this domain controller either needs to be a Global Catalog server or it must be configured to cache Global Catalog records.

    GC-Less Logons

    Under normal circumstances, if a domain controller hosting a copy of the Global Catalog is not available, users are not permitted to log on to a domain. This is because the GC holds the membership list for Universal groups.

    In addition, if users log on using their UPN (user@company.com), a GC is required to "crack" the UPN into its constituent parts. Windows XP will cache the cracked name after a user logs on the first time, but Windows 2000 needs a GC each time a user submits a UPN at logon.

    In Windows Server 2003, a new feature has been added that permits standard domain controllers to cache Universal group membership information. This enables those domain controllers to authenticate users when a GC is unavailable. The Universal group membership cache does not turn a domain controller into a GC. The caching domain controller does not listen for LDAP queries on port 3268 and it does not host objects from other domains apart from Universal group memberships.

    Universal group caching does not require additional processors or memory on the part of the domain controllers in the site. When enabled, the Universal group cache is refreshed every eight hours. If a user is added to a Universal group after the last refresh, the permissions associated with that group (and any group to which that group belongs) will not be included in the user's PAC and therefore will not be included in any local access tokens created for the user on member servers. The Universal group membership cache holds about 500 groups.

    You should enable Universal group membership caching for every site that does not have a Global Catalog server. Configure a site for GC-less logon caching by following Procedure 10.1.

    Procedure 10.1 Enabling Universal Group Membership Caching

    1. Open AD Sites and Services.

    2. Highlight the site you want to configure.

    3. In the right pane, open the Properties window for the NTDS Site Settings object. Figure 10.1 shows an example.

      Figure 10.1. NTDS Settings Properties window showing GC-Less Logon option.

    4. Select the option Enable Universal Group Membership Caching. Leave the Refresh Cache From pick list empty. The Knowledge Consistency Checker (KCC) will determine the closest site with a GC server.

    5. Click OK to save the change and close the window.
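Procedure 10.1 sets a flag on the NTDS Site Settings object of one site at a time. The following PowerShell script is an added example, not code from the book, that audits the same flag across every site in the forest, reports any site that has neither a Global Catalog nor Universal group membership caching (the sites exposed to the WAN-outage problem described above), and optionally enables the cache where it is missing. It assumes the ActiveDirectory module (RSAT), read access to the Configuration naming context, and, for the -Enable switch, rights to modify NTDS Site Settings objects; the bit value 0x20 is the documented NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED flag in the options attribute.

```powershell
# Added example (not from the book): audit Universal Group Membership Caching (UGMC)
# for every site in the forest and flag sites that have no Global Catalog and no cache.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration NC;
# -Enable additionally needs rights to modify NTDS Site Settings objects.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Enable)

Import-Module ActiveDirectory

# Bit 0x20 of the "options" attribute on CN=NTDS Site Settings is
# NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED, the flag the check box in
# Procedure 10.1 sets.
$UGMC_BIT = 0x20

# Which sites host a Global Catalog? Walk every domain so the answer is forest-wide.
$dcs = foreach ($dom in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $dom
}
$gcSites = $dcs | Where-Object { $_.IsGlobalCatalog } |
    Select-Object -ExpandProperty Site -Unique

$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
        -Properties options, 'msDS-Preferred-GC-Site'
    $opts = [int]$settings.options          # $null (never set) casts to 0
    [pscustomobject]@{
        Site        = $site.Name
        HasGC       = ($gcSites -contains $site.Name)
        UGMCEnabled = (($opts -band $UGMC_BIT) -ne 0)
        RefreshFrom = $settings.'msDS-Preferred-GC-Site'   # empty = let the KCC choose
    }
}

$report | Sort-Object Site | Format-Table -AutoSize

# Sites with neither a GC nor the cache cannot log users on when the WAN link fails.
$exposed = @($report | Where-Object { -not $_.HasGC -and -not $_.UGMCEnabled })
if ($exposed.Count -gt 0) {
    Write-Warning ("GC-less sites without UGMC: " + (($exposed | ForEach-Object Site) -join ', '))
    if ($Enable) {
        foreach ($s in $exposed) {
            if ($PSCmdlet.ShouldProcess($s.Site, 'Enable Universal Group Membership Caching')) {
                # Refresh site deliberately left unset so the KCC picks the nearest GC site (step 4).
                Set-ADReplicationSite -Identity $s.Site -UniversalGroupCachingEnabled $true
            }
        }
    }
}
```

Run it without parameters to get the report only; add -Enable -WhatIf to see which sites would be changed, and -Enable to apply. Reading the raw options bit rather than a cmdlet property shows exactly what the GUI check box toggles, which is useful when you are comparing a site's settings against a change record.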

    Performing Metadata Cleanup on Failed Domain Controller

    If you are unable to restore a failed domain controller, you must clean out references to it in Active Directory. This so-called metadata must be removed before you can promote another server with the same name to be a domain controller. If you lose an entire domain, you must also remove the metadata information for that domain before creating another domain by the same name.

    The tool to perform this metadata cleanup is a text-based utility called Ntdsutil. The cleanup is done with Active Directory up and running. Follow Procedure 10.2.

    Procedure 10.2 Performing Metadata Cleanup

    1. Run Ntdsutil.

    2. At the ntdsutil: prompt, enter metadata cleanup. This opens the metadata cleanup: prompt.

    3. Enter ? for an options list:

      metadata cleanup: ?
       ?                                  - Show this help information
       Connections                        - Connect to a specific domain controller
       Help                               - Show this help information
       Quit                               - Return to the prior menu
       Remove selected domain             - Remove DS objects for selected domain
       Remove selected Naming Context     - Remove DS objects for selected Naming Context
       Remove selected server             - Remove DS objects for selected server
       Select operation target            - Select sites, servers, domains, roles and
                                              naming contexts
      
    4. Enter connections and then enter ? for an options list:

      
      Clear creds                        - Clear prior connection credentials
      Connect to domain %s               - Connect to DNS domain name
      Connect to server %s               - Connect to server, DNS name or IP address
      Help                               - Print this help information
      Info                               - Show connection information
      Quit                               - Return to the prior menu
       Set creds %s %s %s                 - Set connection creds as domain, user, pwd (Use "NULL" for null password)
      
    5. If you are working from a member server and you are not logged on with administrator credentials, use the set creds command to define your binding credentials.

    6. Enter connect to server <dsa> to bind to a server, where <dsa> is the fully qualified DNS name of the domain controller where you want to make the update to the Directory. Any functioning domain controller will do. The entries and transaction results so far look like this:

      server connections: set creds company.com administrator pw
      server connections: connect to server dc-01.company.com
      Binding to dc-11.company.com as user(administrator) in domain(company.com) ...
      Connected to dc-11.company.com as user(administrator) in domain(company.com) .
      
    7. Enter select operation target. This opens the select operation target: prompt. Enter ? for an options list:

      Connections                        - Connect to a specific domain controller
      Help                               - Print this help information
      List current selections            - List the current site/domain/server
      List domains                       - Lists all domains which have Cross-Refs
      List domains in site               - Lists domains in the selected site
      List roles for connected server    - Lists roles connected server knows about
      List servers for domain in site    - Lists servers for selected domain and site
      List servers in site               - Lists servers in selected site
      List sites                         - List sites in the enterprise
      Quit                               - Return to the prior menu
      Select domain %d                   - Make domain %d the selected domain
      Select server %d                   - Make server %d the selected server
      Select site %d                       - Make site %d the selected site
      
    8. Enter list sites. An example output looks like this:

      select operation target: list sites
      Found 4 site(s)
      0 - CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
      1 - CN=Houston,CN=Sites,CN=Configuration,DC=company,DC=com
      2 - CN=Albuquerque,CN=Sites,CN=Configuration,DC=company,DC=com
      3 - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      
    9. Enter select site <#> where <#> is the number of the site containing the server you want to remove:

      select operation target: select site 1
      Site - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      No current domain
      No current server
      
    10. Enter list domains in site. An example output looks like this:

      select operation target: list domains in site
      
      Found 1 domain(s)
      0 - DC=subsidiary,DC=com
      1 - DC=company,DC=com
      
    11. Enter select domain <#> where <#> is the number of the domain containing the server you want to remove:

      select operation target: select domain 1
      
      Site - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      Domain - DC=company,DC=com
      No current server
      
    12. Enter list servers for domain in site. An example output looks like this:

      select operation target: list servers for domain in site
      
      Found 1 server(s)
      0 - CN=DC-11,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      
    13. Enter select server <#> where <#> is the number of the server you want to remove. An example output looks like this:

      select operation target: select server 0
      
      Site - CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      Domain - DC=subsidiary,DC=com
      Server - CN=DC-11,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      DSA object - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com
      DNS host name - DC-11.company.com
      Computer object - CN=DC-11,OU=Domain Controllers,DC=company,DC=com
      
    14. We've now targeted the server object we want to delete. Enter q to return to the metadata cleanup: prompt.

    15. Enter remove selected server. A message window appears prompting you to verify your request.

    16. Click Yes and the deed is done. An example output looks like this:

      
      Metadata cleanup: remove selected server
      "CN=DC-11,CN=Servers,CN=Salt_Lake,CN=Sites,CN=Configuration,DC=company,DC=com" removed from server "dc-01.company.com"
      
    17. Quit out of Ntdsutil and wait for the change to replicate.

    You can use the same technique to remove a domain that was not fully deleted when the last domain controller was removed from service. Needless to say, be very careful that you don't delete any operational domains.
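Procedure 10.2 removes the server object and its NTDS Settings child, but a lost domain controller can also be referenced by replication connection objects, by the fSMORoleOwner attributes described under "FSMO Loss," and by its computer account. The following PowerShell script is an added example, not code from the book, that lists every such reference for a named server so you can see before cleanup what still points at it and confirm afterwards that nothing remains. It assumes the ActiveDirectory module and read access to the domain and Configuration naming contexts; DC-11 is the name used in the book's transcript and is only a default placeholder.

```powershell
# Added example (not from the book): list every directory object that still refers to a
# lost domain controller, so you can see whether metadata cleanup (Procedure 10.2) is
# still required and confirm afterwards that it took. Assumes the ActiveDirectory module
# and read access to the domain and Configuration naming contexts. DC-11 is the
# constructed name used in the book's transcript; pass -DeadDC for another server.
param([string]$DeadDC = 'DC-11')

Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$cfgNC    = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$domainNC = $rootDse.defaultNamingContext
$sitesDN  = "CN=Sites,$cfgNC"

# Any reference to the dead DC's DSA starts with this prefix, whatever site it lived in.
$deadDsaPrefix = "CN=NTDS Settings,CN=$DeadDC,CN=Servers,"

$findings = @()
function Add-Finding([string]$Kind, [string]$Dn) {
    $script:findings += [pscustomobject]@{ Kind = $Kind; DistinguishedName = $Dn }
}

# 1. The server object under CN=Sites and its NTDS Settings child: this is what
#    "remove selected server" deletes.
foreach ($srv in Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DeadDC))" -SearchBase $sitesDN) {
    Add-Finding 'Server object' $srv.DistinguishedName
    foreach ($dsa in Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName) {
        Add-Finding 'NTDS Settings (DSA) object' $dsa.DistinguishedName
    }
}

# 2. Replication connection objects on surviving DCs that still pull from the dead DSA.
#    fromServer is DN syntax, so substring matching must be done client-side.
Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase $sitesDN -Properties fromServer |
    Where-Object { $_.fromServer -like "$deadDsaPrefix*" } |
    ForEach-Object { Add-Finding 'Connection object pulling from dead DSA' $_.DistinguishedName }

# 3. fSMORoleOwner attributes (the role master designation described under "FSMO Loss")
#    that still name the dead DSA. These roles must be seized, not cleaned up.
$roleObjects = @(
    @{ Role = 'Schema Master';         Dn = $schemaNC },
    @{ Role = 'Domain Naming Master';  Dn = "CN=Partitions,$cfgNC" },
    @{ Role = 'PDC Emulator';          Dn = $domainNC },
    @{ Role = 'RID Master';            Dn = 'CN=RID Manager$,CN=System,' + $domainNC },
    @{ Role = 'Infrastructure Master'; Dn = "CN=Infrastructure,$domainNC" }
)
foreach ($r in $roleObjects) {
    $owner = (Get-ADObject -Identity $r.Dn -Properties fSMORoleOwner).fSMORoleOwner
    if ($owner -like "$deadDsaPrefix*") { Add-Finding "$($r.Role) still owned by dead DSA" $owner }
}

# 4. The computer account in the Domain Controllers OU.
foreach ($c in Get-ADComputer -LDAPFilter "(cn=$DeadDC)" -SearchBase "OU=Domain Controllers,$domainNC") {
    Add-Finding 'Computer account in Domain Controllers OU' $c.DistinguishedName
}

if ($findings.Count -eq 0) {
    "No references to $DeadDC remain in the directory."
} else {
    Write-Warning "$($findings.Count) reference(s) to $DeadDC remain:"
    $findings | Format-Table -AutoSize
}
```

Run the script once before cleanup to decide whether any FSMO role has to be seized first, and once after the change has replicated; a connection object that still names the dead DSA is the usual reason the KCC keeps logging replication failures after the server object itself is gone.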

    FSMO Loss

    A few tasks are not suitable for multiple-master operation and must be handled by a single server. These tasks are called Flexible Single Master Operations (FSMOs). The server that is assigned a FSMO is called the FSMO role master. Chapter 8, "Designing Windows Server 2003 Domains," discussed the jobs assigned to FSMOs. The following is a quick overview:

    • Domain Naming Master. This FSMO is responsible for ensuring the uniqueness of domain names in a forest. There is one Domain Naming Master in a forest.

    • Schema Master. This FSMO holds the only read/write copy of the schema. There is one Schema Master in a forest.

    • PDC Emulator. This FSMO replicates updates to classic NT Backup Domain Controllers (BDCs) while the domain is in Mixed. It also acts as a clearinghouse for password updates and a time standard for other domain controllers in a domain. There is one PDC Emulator in each domain.

    • RID Master. This FSMO holds the master copy of the Relative ID number list. In Mixed, these RIDs are passed out sequentially. In Native, each domain controller gets a bank of RIDs from the RID Master. There is one RID Master in each domain.

    • Infrastructure Master. This FSMO is responsible for the rapid transmission of name changes that affect inter-domain group memberships in a forest. There is one Infrastructure Master in each domain.

    A short outage of a FSMO role master does not warrant special action, but if you plan on taking a role master down for an extended period, you should transfer its role or roles to another domain controller. This is especially true if the server is going under the knife with little hope of recovery.

    If a FSMO role master crashes and cannot be recovered, you must seize its role or roles on behalf of another domain controller. In a normal transfer, the original role master must be online to accept the transfer request. In a seizure, the original role master is not online and the new role master simply takes the role.

    After seizing a role, don't put the superseded role master back on the network. Treat it like Smokey Bear treats a campfire. Drown it, stir it, and drown it again. This prevents the old role master from passing out invalid information or providing a second means of updating controlled structures like the Schema or Partition container.

    Role Master Designation

    The item that designates a particular server as a FSMO role master takes the form of an attribute in the Active Directory object that controls a particular FSMO. For instance, the Domain object controls the PDC Emulator role. A FSMO attribute on this object contains the distinguished name of the server that has been designated as the PDC Emulator. When you transfer or seize a role, you change the distinguished name assigned to this role master attribute.

    Recovering a Lost PDC Emulator

    The only exception to the "don't bring back a superseded role master" rule is the PDC Emulator. If a superseded PDC Emulator is brought back online, it gets the name of the new PDC Emulator via replication and politely stops all of its role master activities.

    In practice, the RID Master is usually placed on the same server as the PDC Emulator, so you would not put this server back in operation. Putting a superseded RID Master in operation can result in two objects having the same RID, which can cause security problems as well as database consistency errors. If the RID Master and PDC Emulator are on the same server and you must seize the role to another server, scrub the drive on the original server and re-install Windows Server 2003.

    Transferring a FSMO Role Master

    When transferring a FSMO to a new role master, you have the option of using an MMC console or a command-line tool. The MMC console you use depends on the role you're transferring. Table 10.1 lists the FSMO roles and their associated MMC consoles along with precautions for placing the role.

    Table 10.1. FSMO Transfer Information

    PDC Emulator
      Console: Users and Computers
      Precautions: Ensure the PDC Emulator stays in communication with all downlevel NT BDCs. In addition, because the PDC Emulator acts as a "court of last resort" for password validation, make sure it stays connected to the WAN.

    RID Master
      Console: Users and Computers
      Precautions: Put this role master on the same server as the PDC Emulator. If you absolutely must put the RID Master on a different domain controller, make sure it stays well connected to the PDC Emulator. In Mixed, the RID Master must be available to create each new user, computer, or group.

    Infrastructure Master
      Console: Users and Computers
      Precautions: Put this role master on any domain controller that is not a Global Catalog server. See the sidebar titled "Infrastructure Master Operation."

    Domain Naming Master
      Console: Domains and Trusts
      Precautions: Keep this role master and the Schema Master on the same domain controller. These two roles are unique in the forest, so make sure they stay connected to the WAN.

    Schema Master
      Console: Schema Management
      Precautions: See Domain Naming Master instructions.

    Infrastructure Master Operation

    When you make a security principal (user, group, or computer) a member of a group, the distinguished name of the security principal is added to an attribute called Members for the group object in Active Directory. Active Directory maintains internal consistency by creating a back-link to the object representing the security principal. In this way, if the object name changes, the Member attribute in the group can be updated.

    When you, as the administrator of a domain in a forest, add a security principal from another domain to a group in your domain, Active Directory is faced with a dilemma. It cannot create a back-link to an object in another Domain naming context. It solves this dilemma by creating a phantom object, which is essentially a listing in its Domain naming context consisting of the distinguished name of the object, its GUID (Globally Unique Identifier), and its SID.

    The Infrastructure Master in a domain discovers name changes made to security principals represented by phantom records in its own domain. Without this service, the names displayed in group membership lists would not correspond to the new names in the source domains. This does not affect resource access because the SID has not changed, but it can be confusing for administrators.

    The Infrastructure Master accomplishes its task by periodically perusing the list of phantom records and checking their names against names in the Global Catalog. If it finds a mismatch, it updates the phantom record to reflect the new name. This change is then replicated to other domain controllers in its domain that have a copy of the phantom record.

    Global Catalog servers already have a copy of objects from other domains and therefore do not store phantom records. For this reason, it is important that the Infrastructure Master not be assigned to a Global Catalog server.

    Transferring a Role Master Using an MMC Console

    Refer to Table 10.1 to find the applicable console and then proceed with the transfer as directed in Procedure 10.3.

    Procedure 10.3 Changing a Role Master Using an MMC Console

    1. Open the applicable MMC console for the FSMO that you are going to transfer.

    2. If you are not at the domain controller that will become the new role master, right-click the very top icon, the one with the same name as the console. Select CONNECT TO DOMAIN CONTROLLER from the flyout menu.

    3. Select the name of the domain controller you want to be the new role master. This satisfies an LDAP requirement to bind to the server so that you can be authenticated.

    4. Click OK to connect to the domain controller.

    5. Right-click the top icon again. This time select OPERATIONS MASTER from the flyout menu. The Operations window appears.

    6. Select the tab associated with the role you want to transfer.

    7. Verify that the domain controller listed under Current Focus is the name of the server where you want the role to be transferred.

    8. Click Change. You are prompted to verify.

    9. Click OK. After a short wait, you'll be informed that the Operations Master was successfully transferred. The Operations tab now shows the new name under Current Operations Master.

    10. Click OK to close the window.

    At this point, you should wait for replication to fully converge so that all domain controllers know about the new role master. You can use the AD Sites and Services console or Replication Monitor (Replmon) from the Support Tools to force replication.

    Transferring a Role Master Using Ntdsutil

    If you prefer using a command-line tool (or you want to manage your servers via Telnet or SSH), you can use Ntdsutil to transfer role masters between domain controllers. Both the original role master and the target role master must be online (see Procedure 10.4).

    Procedure 10.4 Transferring a Role Master Using Ntdsutil

    1. Log on using an account with administrator privileges in the domain. If the transfer involves either of the enterprise roles, Schema Master or Domain Naming Master, you must also have administrator rights in the Configuration naming context.

    2. Open a command session and run ntdsutil.

    3. At the ntdsutil: prompt, enter roles. This opens the FSMO maintenance: prompt.

    4. Enter ? to get the options list:

      fsmo maintenance: ?
      
       ?                                  - Print this help information
       Connections                        - Connect to a specific domain controller
       Help                               - Print this help information
       Quit                               - Return to the prior menu
       Seize domain naming master         - Overwrite domain role on connected server
       Seize infrastructure master        - Overwrite infrastructure role on connected server
       Seize PDC                          - Overwrite PDC role on connected server
       Seize RID master                   - Overwrite RID role on connected server
       Seize schema master                - Overwrite schema role on connected server
       Select operation target            - Select sites, servers, domains and roles
       Transfer domain naming master      - Make connected server the domain naming master
       Transfer infrastructure master     - Make connected server the infrastructure master
       Transfer PDC                       - Make connected server the PDC
       Transfer RID master                - Make connected server the RID master
       Transfer schema master               - Make connected server the schema master
      
    5. Type connections. This opens the server connections prompt.

    6. Type ? to get the options list:

      
      server connections: ?
       ?                      - Print this help information
       Clear creds            - Clear prior connection credentials
       Connect to domain %s   - Connect to DNS domain name
       Connect to server %s   - Connect to server, DNS name or IP address
       Help                   - Print this help information
       Info                   - Show connection information
       Quit                   - Return to the prior menu
       Set creds %s %s %s     - Set connection creds as domain, user, pwd. Use "NULL" for null password
      
    7. Enter connect to server %s where %s is the fully qualified DNS name of the domain controller where you want to transfer the role. For example, enter connect to server company.com. If successful, you get the following report:

      server connections: connect to server dc-02.company.com.
      Binding to \\DC-02.company.com ...
      Connected to \\DC-02.company.com using credentials of locally logged on user
      
    8. If you want to use another account, use the set creds command prior to issuing the connect to server command.

    9. Enter q to exit the module and return to the FSMO maintenance prompt.

    10. Select a role to transfer and enter the applicable command. For example, to transfer the PDC Emulator, enter transfer PDC.

    11. A window appears requesting that you verify this operation. Click OK to initiate the role transfer.

    12. If the transfer operation fails, you get an error message and the role remains with its original master. For example, if the target server is already the role master, you are notified of this. If the transfer operation proceeds without error, Ntdsutil responds with a list of the current role masters, indicating a successful end to the operation:

      
      fsmo maintenance: transfer pdc
      Server "dc-01.subsidiary.com." knows about 5 roles
      Schema - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
      Domain - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
      PDC - CN=NTDS Settings,CN=DC-02,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
      RID - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
      Infrastructure - CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Phoenix,CN=Sites,CN=Configuration,DC=company,DC=com
      

    Shortcuts in Ntdsutil

    You only need to enter enough of each word in an Ntdsutil entry to make it unambiguous. For instance, rather than typing out connect to server, you can enter con t s.

    Seizing a FSMO Role Master

    If the domain controller hosting a FSMO role master crashes or is otherwise permanently unavailable, you cannot use the management consoles to transfer roles. You must seize the role using Ntdsutil.

    As a reminder, if you seize a FSMO from another domain controller, you must not reintroduce the superseded role master back onto the network. Formatting the hard drive is not too extreme.

    Verify that the new target role master is online and follow Procedure 10.5.

    Procedure 10.5 Seizing a FSMO Role

    1. Log on using an account with administrator privileges in the domain. If the seizure involves either of the enterprise roles, Schema Master or Domain Naming Master, you must also have administrator rights for the Configuration naming context.

    2. Open a command session and run Ntdsutil.

    3. Select roles from the prompt. This opens the FSMO maintenance prompt.

    4. Type connections. This opens the server connections prompt.

    5. Enter connect to server %s where %s is the fully qualified DNS name of the domain controller where you want to transfer the role; for example, connect to server company.com. If successful, you get the following report:

      server connections: connect to server dc-03.company.com.
      Binding to \\DC-03.company.com ...
      Connected to \\DC-03.company.com using credentials of locally logged on user
      
    6. Enter q to exit the module and return to FSMO maintenance.

    7. Select a role to seize. For example, to seize the RID Master role you would enter seize RID master. A window appears requesting that you verify this operation. Click OK. (If the current role master is on the network, Ntdsutil will fall back and do a standard transfer.)

    8. If the seizure fails, you get an error message and the role remains with its original master. If the transfer operation proceeds without error, Ntdsutil responds with a list of the current role masters.
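Procedures 10.4 and 10.5 both end with Ntdsutil printing the list of current role masters, which you then check by eye against Table 10.1. The following PowerShell script is an added example, not code from the book, that performs that check automatically: it reports the five role holders, warns when the placement advice in Table 10.1 is violated, and optionally transfers or seizes roles with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet, which transfers by default and, with -Force, seizes when the current holder cannot be reached (the same fallback behaviour step 7 of Procedure 10.5 describes for Ntdsutil). It assumes the ActiveDirectory module and the same administrative rights the procedures require; $Target is a placeholder for the FQDN of the domain controller that should take the roles.

```powershell
# Added example (not from the book): report the five FSMO role holders, check them against
# the placement advice in Table 10.1, and optionally transfer or seize roles with the
# ActiveDirectory module instead of Ntdsutil (Procedures 10.4 and 10.5). Assumes the
# ActiveDirectory module; $Target is a constructed placeholder for the FQDN of the
# domain controller that should take the roles.
param(
    [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
    [string[]]$Roles,
    [string]$Target,
    [switch]$Seize      # equivalent of Ntdsutil "seize ..."; only when the holder is gone for good
)

Import-Module ActiveDirectory

function Get-RoleHolders {
    # The AD module reads the fSMORoleOwner attributes and resolves them to host names.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-RolePlacement($holders) {
    $issues = @()
    if ($holders.RIDMaster -ne $holders.PDCEmulator) {
        $issues += "RID Master ($($holders.RIDMaster)) is not on the PDC Emulator ($($holders.PDCEmulator))."
    }
    if ($holders.SchemaMaster -ne $holders.DomainNamingMaster) {
        $issues += "Schema Master and Domain Naming Master are on different domain controllers."
    }
    # An Infrastructure Master on a GC never updates phantom records. The check is skipped
    # when every DC in the domain is a GC, because then no phantom records exist to update.
    $nonGc  = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGc = (Get-ADForest).GlobalCatalogs -contains $holders.InfrastructureMaster
    if ($imIsGc -and $nonGc.Count -gt 0) {
        $issues += "Infrastructure Master ($($holders.InfrastructureMaster)) is a Global Catalog server."
    }
    $issues
}

$before = Get-RoleHolders
"Current role holders:"
$before
Test-RolePlacement $before | ForEach-Object { Write-Warning $_ }

if ($Roles -and $Target) {
    # Without -Force the cmdlet performs an ordinary transfer, which needs the current holder
    # online (Procedure 10.4). With -Force it attempts a transfer first and seizes only if
    # that fails, as Ntdsutil does (Procedure 10.5, step 7).
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force:$Seize -Confirm:$true

    $after = Get-RoleHolders
    foreach ($role in $Roles) {
        if ($after[$role] -ne $Target) {
            Write-Warning "$role is still reported on $($after[$role]); wait for replication, then re-check."
        } else {
            "$role is now held by $Target"
        }
    }
    if ($Seize) {
        Write-Warning "Do not return the former holder(s) to the network; rebuild before reuse (the PDC Emulator is the one exception)."
    }
}
```

Run the script with no parameters as a routine health check; the placement warnings are the conditions from Table 10.1 and the "Infrastructure Master Operation" sidebar. Supply -Roles and -Target for a transfer, and add -Seize only in the situation Procedure 10.5 covers. Because Get-ADDomain may answer from a domain controller that has not yet received the change, a holder that still reads as the old server immediately after the move usually means replication has not converged rather than that the operation failed.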
