Managing Domain Controllers, Roles, and Catalogs


Domain controllers perform many important tasks in Active Directory domains. Many of these tasks were discussed in Chapter 6.

Installing and Demoting Domain Controllers

You install a domain controller by configuring Active Directory on a member server. Later, if you don't want the server to handle controller tasks, you can demote the server. It will then act as a member server again. You install or demote servers following a similar procedure, but before you do you should consider the impact on the network and read the section of Chapter 6 entitled "Understanding the Directory Structure."

As that section explains, when you install a domain controller you might need to transfer operations master roles and reconfigure the global catalog structure. Also, before you can install Active Directory, DNS must be working on the network and you must convert the Active Directory data drive to NTFS file system 5.0 or later. Converting drive formats is covered in the section entitled "Converting a Volume to NTFS" in Chapter 11, "Managing File Systems and Drives." Similarly, before you demote a domain controller, you should shift any key responsibilities to other domain controllers. This means moving the global catalog off the server and transferring any operations master roles, if necessary. You must also remove any application directory partitions that are on the server.

Real World

It's important to point out that in Windows Server 2003, it's no longer necessary to demote a domain controller to rename it. You can rename a domain controller at any time. The only problem is that during the renaming process the server is unavailable to users and you might need to force a directory refresh to reestablish proper communications with the server. You can't, however, move a domain controller to a different domain. You must demote the domain controller, update the domain settings for the server and its computer account, and then promote the server to be a domain controller once more.

To install or demote a domain controller, complete the following steps:

  1. Log on to the server you want to reconfigure.

  2. Click Start and then click Run.

  3. Type dcpromo and then click OK. This starts the Active Directory Installation Wizard.

  4. If the computer is currently a member server, the wizard takes you through the steps needed to install Active Directory. You'll need to specify whether this is a domain controller for a new domain or an additional domain controller for an existing domain.

  5. If the computer is currently a domain controller, the Active Directory Installation Wizard takes you through the process of demoting the domain controller. Once it's demoted, the computer acts as a member server.

Real World

An alternative technique for installing domain controllers is to do so from backup media. This option is new for Windows Server 2003. To install a domain controller from backup media, you create a backup of the System State of a domain controller and restore it on a different server running Windows Server 2003. When you create a domain controller from backup media, you eliminate the need to replicate the entire directory database over the network to the new domain controller. This can really save the day when you have bandwidth limitations or the directory database has thousands of entries.
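Before demoting a server, the text above says to move the global catalog, transfer any operations master roles and remove any application directory partitions. The following PowerShell script is an added example, not from the book, that reports those three things for one domain controller through ADSI so you can confirm they are clear before running dcpromo. It assumes ADSI access to the directory; $DcName is a hypothetical parameter, and the DNS zone partitions of a Windows Server 2003 DNS server will be listed as application partitions because that is what they are.

```powershell
# Added example (not from the book): read-only pre-demotion checklist for one domain controller.
# Assumes ADSI access to the domain; $DcName is a hypothetical parameter (defaults to this host).
param([string]$DcName = $env:COMPUTERNAME)

$rootDse  = [ADSI]"LDAP://$DcName/RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value
$ntdsDn   = $rootDse.dsServiceName.Value            # DN of this DC's NTDS Settings object
$ntds     = [ADSI]"LDAP://$DcName/$ntdsDn"

# 1. Operations master roles: each role is recorded in the fSMORoleOwner attribute of one
#    object, and the value is the DN of the holder's NTDS Settings object.
$roleObjects = @{
    'PDC emulator'          = $domainNc
    'RID master'            = "CN=RID Manager$,CN=System,$domainNc"
    'Infrastructure master' = "CN=Infrastructure,$domainNc"
    'Schema master'         = $schemaNc
    'Domain naming master'  = "CN=Partitions,$configNc"
}
$rolesHeld = @(foreach ($role in $roleObjects.Keys) {
    $owner = ([ADSI]"LDAP://$DcName/$($roleObjects[$role])").fSMORoleOwner.Value
    if ($owner -eq $ntdsDn) { $role }               # string -eq is case-insensitive
})

# 2. Global catalog: bit 0x1 of the NTDS Settings options attribute is the Global Catalog
#    check box. Count the other GCs so you know one remains after this DC is demoted.
$isGc = ([int]$ntds.options.Value -band 0x1) -ne 0  # a missing attribute reads as 0
$gcSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$DcName/CN=Sites,$configNc",
    '(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))')   # bitwise-AND match
$otherGcs = @($gcSearch.FindAll() |
    Where-Object { $_.Properties['distinguishedname'][0] -ne $ntdsDn }).Count

# 3. Application directory partitions: every writable partition this DC holds that is not
#    its domain, the configuration or the schema partition (DNS zone partitions included).
$coreNcs = @($domainNc, $configNc, $schemaNc)
$appPartitions = @($ntds.'msDS-hasMasterNCs' | Where-Object { $coreNcs -notcontains $_ })

$readyToDemote = ($rolesHeld.Count -eq 0) -and
                 ($appPartitions.Count -eq 0) -and
                 ((-not $isGc) -or ($otherGcs -gt 0))

New-Object PSObject -Property @{
    DomainController      = $DcName
    RolesHeld             = $rolesHeld
    IsGlobalCatalog       = $isGc
    OtherGlobalCatalogs   = $otherGcs
    ApplicationPartitions = $appPartitions
    ReadyToDemote         = $readyToDemote
}
```

Run it as `.\Check-Demotion.ps1 -DcName engdc01` (a constructed name) on any machine that can bind to the directory. ReadyToDemote is only a summary of the three prerequisites in this section; it does not check replication health or that the remaining global catalog is in a usable site.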

Viewing and Transferring Domain-Wide Roles

You can use Active Directory Users And Computers to view or change the location of domain-wide operations master roles. At the domain level, you can work with roles for relative ID (RID) masters, Primary Domain Controller (PDC) emulator masters, and infrastructure masters.

Note

Operations master roles are discussed in Chapter 6 in the section entitled "Understanding Operations Master Roles." You use Active Directory Domains And Trusts to set the domain naming master role and Active Directory Schema to change the schema master role.


You transfer operations master roles by following these steps:

  1. In the console tree, right-click Active Directory Users And Computers. Then select Operations Masters. This opens the Operations Masters dialog box shown in Figure 7-8.

  2. The RID tab shows the location of the current relative ID master. Click Change, and then select a new domain controller to transfer the role to a new location.

  3. The PDC tab shows the location of the current PDC emulator master. Click Change, and then select a new domain controller to transfer the role to a new location.

  4. The Infrastructure tab shows the location of the current infrastructure master. Click Change, and then select a new domain controller to transfer the role to a new location. Click OK.

    Figure 7-8. Use the Operations Masters dialog box to transfer operations masters to new locations or simply view their current location.


Viewing and Transferring the Domain Naming Master Role

You can use Active Directory Domains And Trusts to view or change the location of the domain-naming master in the domain forest. In Active Directory Domains And Trusts, the root level of the console tree shows the currently selected domain.

Tip

If you need to connect to a different domain, connect to a domain controller following steps similar to those described in the section of this chapter entitled "Connecting to a Domain Controller." The only difference is that you right-click Active Directory Domains And Trusts in the console tree.


You transfer the domain naming master role by following these steps:

  1. Start Active Directory Domains And Trusts.

  2. In the console tree, right-click Active Directory Domains And Trusts. Then select Operations Master. This opens the Change Operations Master dialog box.

  3. The Domain Naming Operations Master field displays the current domain-naming master.

  4. Click Change and then select a new domain controller. The role is then transferred to this controller.

  5. Click Close.

Viewing and Transferring Schema Master Roles

You use Active Directory Schema to view or change the schema master's location. This utility is provided in the Windows Server 2003 Adminpak. After you install the Adminpak from the I386 directory of the Windows Server 2003 CD-ROM, type regsvr32 schmmgmt.dll at a command prompt to register Active Directory Schema. You can then transfer the schema master role by completing the following steps:

  1. Add the Active Directory Schema snap-in to an MMC.

  2. In the console tree, right-click Active Directory Schema. Then select Change Domain Controller.

  3. Select Any Domain Controller to let Active Directory select the new schema master. Or select Specify Name and type the name of the new schema master, such as zeta.seattle.domain.com.

  4. Click Change and then click Close.

  5. Right-click Active Directory Schema and then select Operations Master.

  6. Click Change in the Change Schema Master dialog box.

  7. Click OK. Click Close.

Transferring Roles Using the Command Line

Another way to transfer roles is to use Ntdsutil.exe, which is a command-line tool for managing Active Directory. Follow these steps to transfer roles at the command line:

  1. Log on to the console of the server you want to assign as the new operations master. You can log on to the console locally or use Remote Desktop.

  2. Click Start, click Run, type cmd in the Open field, and then click OK.

  3. At the command prompt, type ntdsutil. This starts the Directory Services Management Tool.

  4. At the ntdsutil prompt, type roles. This puts the utility in Operations Master Maintenance mode.

  5. At the fsmo maintenance prompt, type connections and then at the server connections prompt, type connect to server followed by the fully qualified domain name of the current operations master for the role, such as:

     connect to server engdc01.technology.adatum.com

  6. Once a successful connection is established, type quit to exit the server connections prompt, and then at the fsmo maintenance prompt, type transfer and then type the identifier for the role to transfer. The identifiers are:

    • pdc: For the PDC emulator role

    • rid master: For the relative ID master role

    • infrastructure master: For the infrastructure master role

    • schema master: For the schema master role

    • domain naming master: For the domain naming master role

  7. Type quit at the fsmo maintenance prompt and type quit at the ntdsutil prompt.

Seizing Roles Using the Command Line

Occasionally, you might find yourself in a situation where you can't gracefully transfer server roles. For example, a domain controller acting as the RID master might have a drive failure that takes down the entire server. If you're unable to get the server back online, you might need to seize the RID master role and assign this role to another domain controller.

Caution

Seizing a server role is a drastic procedure that you should perform only as a last resort. Seize a server role only if the domain controller managing the current role is permanently out of service. The only way to bring the original server master back online is to format the boot disk and reinstall Windows Server 2003.


Follow these steps to seize a server role:

  1. Ensure that the current domain controller with the role you want to seize is permanently offline. If the server can be brought back online, don't perform this procedure unless you intend to completely reinstall this server.

  2. Log on to the console of the server you want to assign as the new operations master. You can log on to the console locally or use Remote Desktop.

  3. Click Start, click Run, type cmd in the Open field, and then click OK.

  4. At the command prompt, type ntdsutil. This starts the Directory Services Management Tool.

  5. At the ntdsutil prompt, type roles. This puts the utility in Operations Master Maintenance mode.

  6. At the fsmo maintenance prompt, type connections and then, at the server connections prompt, type connect to server followed by the fully qualified domain name of the current operations master for the role, such as:

     connect to server engdc01.technology.adatum.com

  7. Once a successful connection is established, type quit to exit the server connections prompt and then, at the fsmo maintenance prompt, type seize and then type the identifier for the role to seize. The identifiers are:

    • pdc: For the PDC emulator role

    • rid master: For the RID master role

    • infrastructure master: For the infrastructure master role

    • schema master: For the schema master role

    • domain naming master: For the domain naming master role

  8. Type quit at the fsmo maintenance prompt and type quit at the ntdsutil prompt.
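The two ntdsutil procedures above (transferring roles and seizing roles) differ only in the verb typed at the fsmo maintenance prompt. The following PowerShell script is an added example, not from the book, that runs the whole prompt sequence as one ntdsutil command line and then checks the result with dsquery. It assumes the Windows Server 2003 support tools (dsquery) are installed and that ntdsutil, as it does, makes the server you connect to the new holder of the role, so $TargetDc is the domain controller that is to receive the role (the one you logged on to in step 1 of either procedure); $TargetDc, $Role and $Seize are hypothetical parameters.

```powershell
# Added example (not from the book): run the transfer or seize sequence from this section as a
# single ntdsutil command line, then verify the holder with dsquery. Assumes the Windows
# Server 2003 support tools (dsquery) are installed and that you are logged on with
# sufficient rights; $TargetDc and the role names are hypothetical inputs.
param(
    [Parameter(Mandatory=$true)][string]$TargetDc,   # DC that is to become the new master
    [Parameter(Mandatory=$true)][string]$Role,       # an ntdsutil role identifier, e.g. 'rid master'
    [switch]$Seize                                    # last resort only, see the Caution above
)

# ntdsutil role identifiers (the list in the steps above) mapped to the keyword dsquery uses
# to look up the same role.
$roleToDsquery = @{
    'pdc'                   = 'pdc'
    'rid master'            = 'rid'
    'infrastructure master' = 'infr'
    'schema master'         = 'schema'
    'domain naming master'  = 'name'
}
if (-not $roleToDsquery.ContainsKey($Role)) {
    throw "Unknown role '$Role'. Valid identifiers: $($roleToDsquery.Keys -join ', ')"
}

$verb = if ($Seize) { 'seize' } else { 'transfer' }
if ($Seize) {
    Write-Warning "Seizing '$Role': only do this when the current holder is permanently offline."
}

# Each argument is one command exactly as you would type it at the ntdsutil prompts:
#   roles -> connections -> connect to server <dc> -> quit -> transfer|seize <role> -> quit -> quit
# ntdsutil makes the connected server the new holder. A seize first tries a transfer and then
# asks for confirmation in a dialog box, which this script does not suppress.
$output = & ntdsutil roles connections "connect to server $TargetDc" quit "$verb $Role" quit quit 2>&1
$output | ForEach-Object { Write-Host $_ }

# Verify: dsquery prints the DN of the server object that now holds the role, which should
# be the target DC's server object under CN=Servers in its site.
$holderDn = (& dsquery server -hasfsmo $roleToDsquery[$Role]) -join ''
$hostName = ($TargetDc -split '\.')[0]
if ($holderDn -like "*CN=$hostName,CN=Servers,*") {
    Write-Host "OK: '$Role' is now held by $holderDn"
} else {
    Write-Warning "'$Role' is held by $holderDn, not by $TargetDc; check the ntdsutil output above."
}
```

A transfer looks like `.\Move-Fsmo.ps1 -TargetDc engdc02.technology.adatum.com -Role 'rid master'` (constructed names); add `-Seize` only in the situation the Caution describes. The dsquery check is worth keeping even for an interactive transfer, because ntdsutil reports the outcome in prose that is easy to misread.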

Configuring Global Catalogs

Global catalogs have an important role on the network. This role is discussed in the section of Chapter 6 entitled "Understanding the Directory Structure." You configure additional global catalogs by enabling domain controllers to host the global catalog. Additionally, if you have two or more global catalogs within a site, you might want a domain controller to stop hosting the global catalog. You do this by disabling the global catalog on the domain controller.

You enable or disable a global catalog by completing the following steps:

  1. Start Active Directory Sites And Services.

  2. In the console tree, expand the tree view for the site you want to work with by clicking the plus sign (+) next to the site name.

  3. Expand the Servers folder for the site, and then click the server you want to configure to host the global catalog.

  4. In the View pane, right-click NTDS Settings and then select Properties.

  5. To enable the global catalog, select Global Catalog in the General tab. An example is shown in Figure 7-9.

  6. To disable the global catalog, clear Global Catalog in the General tab.

    Figure 7-9. Enable and disable global catalogs through a server's NTDS settings.


Configuring Universal Group Membership Caching

Universal membership caching eliminates the dependency on the availability of a global catalog server during logons. When this feature is enabled on a domain operating in Windows Server 2003 operations mode, any domain controller can resolve logon requests locally without having to go through the global catalog server. As discussed in the section of Chapter 6 entitled "Universal Group Membership Caching," this has advantages and disadvantages.

On a Windows Server 2003 domain controller that isn't currently acting as a global catalog server, you can enable or disable universal group membership caching by completing the following steps:

  1. Start Active Directory Sites And Services.

  2. In the console tree, expand the tree view for the site you want to work with by clicking the plus sign (+) next to the site name.

  3. Expand the Servers folder for the site, and then click the server you want to configure to host the global catalog.

  4. In the View pane, right-click NTDS Settings and then select Properties.

  5. To enable universal group membership caching, select Enable Universal Group Membership Caching in the General tab.

  6. To disable universal group membership caching, clear Enable Universal Group Membership Caching in the General tab.
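The Global Catalog check box in the "Configuring Global Catalogs" procedure writes bit 0x1 of the options attribute on the server's NTDS Settings object, and the universal group membership caching setting in this section is stored as bit 0x20 of the options attribute on the site's NTDS Site Settings object. The following PowerShell script is an added example, not from the book, that enables, disables or reports the global catalog flag for one domain controller through ADSI, reports whether the server has actually finished becoming a global catalog, and reads the site's caching flag alongside it. It assumes ADSI access and rights to modify the configuration partition; $DcName and $Action are hypothetical parameters.

```powershell
# Added example (not from the book): enable, disable or report the global catalog on one
# domain controller by writing the setting the Global Catalog check box writes, and read the
# site's universal group membership caching flag. Assumes ADSI access and rights to modify
# the configuration partition; $DcName and $Action are hypothetical parameters.
param(
    [string]$DcName = $env:COMPUTERNAME,
    [ValidateSet('Status', 'Enable', 'Disable')][string]$Action = 'Status'
)
$NTDSDSA_OPT_IS_GC                         = 0x1    # NTDS Settings: Global Catalog check box
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20   # NTDS Site Settings: universal group caching

$rootDse = [ADSI]"LDAP://$DcName/RootDSE"
$ntds    = [ADSI]"LDAP://$DcName/$($rootDse.dsServiceName.Value)"
$options = [int]$ntds.options.Value                  # missing attribute reads as 0

switch ($Action) {
    'Enable'  { $options = $options -bor  $NTDSDSA_OPT_IS_GC }
    'Disable' { $options = $options -band (-bnot $NTDSDSA_OPT_IS_GC) }
}
if ($Action -ne 'Status') {
    $ntds.Put('options', $options)
    $ntds.SetInfo()                                   # written to this DC, then replicated
    $rootDse.RefreshCache()
}

# Ticking the box is not the same as being a GC: the DC advertises itself as a GC only after
# it has replicated the read-only copies of the other domain partitions. isGlobalCatalogReady
# on rootDSE says whether that has happened yet.
$gcReady = [string]$rootDse.isGlobalCatalogReady.Value -eq 'TRUE'

# The site's NTDS Site Settings object sits three RDNs above the server's NTDS Settings object
# (CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...). This assumes no escaped commas in
# the server name.
$siteDn       = [string]$ntds.distinguishedName.Value -replace '^CN=NTDS Settings,CN=[^,]+,CN=Servers,', ''
$siteSettings = [ADSI]"LDAP://$DcName/CN=NTDS Site Settings,$siteDn"
$groupCaching = ([int]$siteSettings.options.Value -band $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) -ne 0

New-Object PSObject -Property @{
    DomainController          = $DcName
    GlobalCatalogFlagSet      = ($options -band $NTDSDSA_OPT_IS_GC) -ne 0
    GlobalCatalogReady        = $gcReady
    Site                      = $siteDn
    SiteUniversalGroupCaching = $groupCaching
}
```

`.\Set-GlobalCatalog.ps1 -DcName engdc01 -Action Enable` (constructed name) sets the flag; run it again with `-Action Status` until GlobalCatalogReady is True before pointing clients or applications at the new global catalog. When you clear the flag on the last global catalog in a site, the script's SiteUniversalGroupCaching value tells you whether the site has caching enabled to cover logons in its absence.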



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
Year: 2003
Pages: 141
