We now have two domain controllers inside a single domain: DC01 and DC1A in guinea.pig. Recall that in our earlier discussion of the domain-wide Operations Master roles (PDC emulator, RID master, and the infrastructure master), we stated that the infrastructure master and the Global Catalog should not reside on the same domain controller unless a domain contains only one domain controller.
Our current breakdown of Operations Masters in guinea.pig is as follows:
RID Master hosted by DC01
PDC Emulator hosted by DC01
Infrastructure Master hosted by DC01
Recall that DC01 is also hosting the Global Catalog. Since we have two domain controllers in guinea.pig, we need to either move the Global Catalog or the infrastructure master over to DC1A. We have already covered the process of assigning additional Global Catalogs to the forest in previous tutorials. So instead of moving the Global Catalog, we will move the infrastructure master from DC01 to DC1A.
All domain-wide Operations Master role reassignments are made from Active Directory Users and Computers. Open it on DC01.
Active Directory Users and Computers' default setting is to connect to the domain controller from which it was run. In order to transfer the infrastructure master role from DC01 to DC1A, we need to connect to DC1A. On the left column, right-click the guinea.pig icon and choose Connect to Domain Controller.
The Connect to Domain Controller window appears. In the bottom pane of the window is a list of all domain controllers within the current domain, guinea.pig. Since we are already connected to DC01, we need to connect to DC1A. Click dc1a.guinea.pig once and click OK.
Right-click guinea.pig once again, and this time choose Operations Masters. Click the Infrastructure tab.
The top field represents the current domain controller hosting the Operations Master. The bottom field represents the domain controller that you wish to transfer the role to:
Click the Change button to move the infrastructure role from DC01 to DC1A. Click Yes on the confirmation screen that follows. Notice that both fields now read DC1A.
All domain Operations Master roles are transferred in this manner. To transfer the other two roles, simply click either PDC or RID at the top of the Operations Masters window.
Notice that we did not reassign any Operations Master roles in either denver.guinea.pig or austin.guinea.pig. The reason for this is that there is currently one domain controller in each of those domains. And when only one domain controller exists in a domain, it serves all three Operations Master roles for the domain.
Thus far in dealing with the reassignment of Operations Master roles, we have accounted for three out of the five roles: infrastructure master, RID master, and PDC emulator. Recall that these are all domain-wide roles, and are required for a domain to function properly.
But we have a forest containing three separate domains, and forests require the presence of the other two Operations Masters: the domain naming master and the schema master. These roles are automatically assigned to the first domain controller created in a new forest. In our case, this is DC01. But for redundancy and fault-tolerance, it might be a good idea to move these roles onto separate domain controllers in the forest. Imagine if DC01 goes down for some reason. The two Operations Master roles vital to a healthy, functioning forest are now gone. If we spread our resources out a bit and do not "put all our eggs into one basket," we have a better chance of surviving Operations Master failures.
Unlike the domain Operations Master roles, reassignment of forest-wide roles is handled by two different applications. The domain naming master is reassigned via Active Directory Domains and Trusts, while the schema master reassignment is handled via the Active Directory Schema plugin to the Microsoft Management Console (MMC).
In this tutorial, we transfer the domain naming master role from DC01 in the guinea.pig domain to DC02 in denver.guinea.pig.
On DC01, open Active Directory Domains and Trusts. In the left window pane, right-click the item labeled Active Directory Domains and Trusts and choose Connect to domain controller.
A window very similar to the one seen in the previous tutorial appears. Notice, however, that only domain controllers within the current domain guinea.pig are available in the list of domain controllers. We must connect to the DC02 domain controller in the denver domain. Clear the field containing the text "Any writable domain controller" and enter the DNS name of DC02: dc02.denver.guinea.pig. Click OK. This provides us with a link to DC02:
Once again, right-click the item labeled Active Directory Domains and Trusts in the upper left window, this time choosing Operations Master.
The Change Operations Master dialog box appears. The top field represents the current domain naming master, and the bottom field represents the domain controller that we wish to transfer this role to: dc02.denver.guinea.pig. Click the Change button and click Yes to confirm. After a second or two, the transfer is complete, and we have a new domain naming master.
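The following read-only audit is an added example, not part of the original tutorial: it lists the holders of all five Operations Master roles and flags the two placement problems discussed above (an infrastructure master that is also a Global Catalog in a multi-DC domain, and both forest roles on one domain controller). It assumes the ActiveDirectory PowerShell module, which is newer than the GUI tools used in these tutorials; the function name Get-FsmoPlacementReport is hypothetical.

```powershell
# Added example: read-only audit of Operations Master placement in a forest.
# Assumes the ActiveDirectory (RSAT) module; the function name is hypothetical.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string]$ForestName = 'guinea.pig')   # forest root domain from the tutorial

    $forest = Get-ADForest -Identity $ForestName
    $report = @()

    # Forest-wide roles: flag the case where one domain controller holds both.
    $report += [pscustomobject]@{
        Scope   = "forest $($forest.Name)"
        Role    = 'SchemaMaster / DomainNamingMaster'
        Holder  = "$($forest.SchemaMaster) / $($forest.DomainNamingMaster)"
        Finding = if ($forest.SchemaMaster -eq $forest.DomainNamingMaster) {
                      'both forest roles on one DC' } else { 'ok' }
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $infra  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

        # Tutorial's rule: the infrastructure master and the Global Catalog may
        # share a DC only when the domain has a single domain controller.
        $finding = if ($dcs.Count -gt 1 -and $infra.IsGlobalCatalog) {
                       'infrastructure master is also a Global Catalog' } else { 'ok' }

        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $report += [pscustomobject]@{
                Scope   = "domain $domainName"
                Role    = $role
                Holder  = $domain.$role
                Finding = if ($role -eq 'InfrastructureMaster') { $finding } else { 'ok' }
            }
        }
    }
    $report
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

Running it before and after a transfer gives a record of which domain controller held each role, which is useful when reviewing who changed role placement and when.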
The three Active Directory tools (Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services) that we've been using throughout this book all have one thing in common: they all use the Microsoft Management Console, or MMC. Because all three use the same underlying architecture, the overall look and feel of all three of these editing tools is practically identical. The MMC is modular in design, making it extremely easy to expand with what Microsoft calls snap-ins.
Why is this important? Because by default, the MMC is unable to edit the Active Directory schema, a process necessary if we are to reassign the schema master role to another domain controller. In order to do this, we must install a snap-in to the MMC known as the Active Directory Schema Snap-In.
On DC01, bring up a command prompt and enter the following, hitting Enter when finished:
Windows informs you that the schmmgmt.dll file has been registered successfully. Click OK to dismiss the dialog box.
Back in the command prompt, enter the following, hitting Enter when finished:
The bare-bones MMC console appears, called the console root.
Under the File menu, choose Add/Remove Snap-In. A new window appears. Click the Add button in the bottom left of the window.
The Add standalone Snap-In dialog box appears. Select the item labeled Active Directory Schema, click Add, and then click Close. Click OK.
When adding a new snap-in to the MMC, you might notice a few friendly faces in the list of available snap-ins such as Active Directory Users and Computers, Sites and Services, and Domains and Trusts. You guessed it: all these editing tools that we've been using for most of this book are actually snap-ins to the MMC.
We have just created a custom MMC configuration, and as such, we must save it.
Click File and choose Save As. You may save this configuration anywhere you wish. We recommend the desktop, as this is a convenient spot from which to launch the new MMC configuration. Save our new configuration with a name of Schema Management.msc.
We are now ready to transfer the schema master role. For the following tutorial, we transfer this role to dc03.austin.guinea.pig.