Recipe 3.26 Transferring a FSMO Role

Previous page
Table of content
Next page

3.26.1 Problem

You want to transfer a FSMO role to a different domain controller. This may be necessary if you need to take a current FSMO role holder down for maintenance.

3.26.2 Solution

3.26.2.1 Using a graphical user interface

  1. Use the same directions as described in Recipe 3.25 for viewing a specific FSMO, except target (i.e., right-click and select Connect to Domain Controller) the domain controller you want to transfer the FSMO to before selecting Operations Master.

  2. Click the Change button.

  3. Click OK twice.

  4. You should then see a message stating whether the transfer was successful.
3.26.2.2 Using a command-line interface

The following would transfer the PDC Emulator role to <NewRoleOwner>. See the discussion to see about transferring the other roles.

> ntdsutil roles conn "co t s <NewRoleOwner>" q "transfer PDC" q q
3.26.2.3 Using VBScript
' This code transfers the PDC Emulator role to the specified owner.  ' See the discussion to see about transferring the other roles. ' ------ SCRIPT CONFIGURATION ------ strNewOwner = "<NewRoleOwner>"  ' e.g. dc2.rallencorp.com ' ------ END CONFIGURATION --------- Set objRootDSE = GetObject("LDAP://" & strNewOwner & "/RootDSE") objRootDSE.Put "becomePDC", 1 objRootDSE.SetInfo

3.26.3 Discussion

The first domain controller in a new forest is assigned the two forest-wide FSMO roles (schema and domain naming). The first domain controller in a new domain gets the other three domain-wide roles. It is very likely you'll need to move the roles around to different domain controllers at some point. Also, when you need to take down a domain controller that is currently a FSMO role owner, you'll want to transfer the role beforehand. If you plan to install a hotfix or do some other type of maintenance that only necessitates a quick reboot, you may not want to go to the trouble of transferring the FSMO role.

Some FSMO roles are more time critical than others. For example, the PDC Emulator role is used extensively, but the Schema Master is needed only when extending the schema. If a FSMO role owner becomes unavailable before you can transfer it, you'll need to seize the role (see Recipe 3.27).

3.26.3.1 Using a command-line interface

Any role can be transferred using ntdsutil by replacing "transfer PDC" in the solution with one of the following:

  • "transfer domain naming master"

  • "transfer infrastructure master"

  • "transfer RID master"

  • "transfer schema master"

3.26.3.2 Using VBScript

FSMO roles can be transferred programmatically by setting the become<FSMORole> operational attribute on the RootDSE of the domain controller to transfer the role to. The following are the available attributes that can be set that correspond to each FSMO role:

  • becomeDomainMaster

  • becomeInfrastructureMaster

  • becomePDC

  • becomeRidMaster

  • becomeSchemaMaster

3.26.4 See Also

Recipe 3.25 for finding FSMO role holders, Recipe 3.27 for seizing a FSMO role, MS KB 223787 (Flexible Single Master Operation Transfer and Seizure Process), MS KB 255504 (Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller), and MS KB 324801 (HOW TO: View and Transfer FSMO Roles in Windows Server 2003)


Previous page
Table of content
Next page
Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456
Authors: Laura E. Hunter, Robbie Allen
BUY ON AMAZON
Certified Ethical Hacker Exam Prep
Microsoft Windows Server 2003(c) TCP/IP Protocols and Services (c) Technical Reference
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
Comparing, Designing, and Deploying VPNs
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy