From part 1, we know that there are some situations in which moving FSMO roles is necessary.
Specifically, in our virtual lab, the additional DC has better hardware and an edge place to operate, so we move the PDC and Infrastructure OMs to this DC.
"Manage Sites and Active Directory Replication"
Before we go ahead, I have some good news for you.
We should feel fortunate to live in the era of virtualization.
As I mentioned, this FSMO model uses the single-master model to achieve specific purposes, and loses the advantages of "multi-master."
However, with a virtual platform like VMware or Hyper-V, you can sleep well:
– Availability and hardware barriers (failure, maintenance, outages) were yesterday's problems.
– Scaling and single-point overheads can be solved permanently or temporarily with a few clicks in the virtual manager.
So, I just need to do a Restore through Snapshot Manager, and this machine will act as an ADC as it should be.
And last but not least, I used this Windows Server 2012 for the decommissioning demonstration in the previous episodes, so it is currently a standalone machine.
Fortunately, I took advantage of the VMware virtual infrastructure to make a snapshot when this server was still an ADC of the domain SnoOpy.com.
Furthermore, VMware gives us a bunch of extra snapshot features: creating a clone machine, nested snapshots, freely backing up snapshots, etc., so that you can have a machine to use in dozens of different scenarios.
"VMware snapshot" – searchvmware.techtarget.com
"Should I still have a physical DC, even post-Server 2012?" – serverfault.com
"10 things you shouldn’t virtualize" – techrepublic.com
[01:40] You see, this ADC comes back from a bare machine!
"Cloning and Snapshots in VMware Workstation" – packtpub.com
There are 3 GUI consoles for investigating all of the FSMO roles; however, with a single CLI tool, netdom, you can have them all in one shot!
) netdom query fsmo
To migrate the Infrastructure operation master, a domain OM, you can open up the Active Directory Users and Computers console from this ADC, so that we can process the Change procedure from Operations Masters dialog.
We can do the same with the PDC role; however, there are some situations where you must use the CLI tool ntdsutil (Server Core, for example), which we used in another episode to create an AD DS snapshot.
[02:42] ) ntdsutil
)) roles
)) connections
)) connect to server SnoOpy-Server-2
)) quit
)) transfer PDC
Confirm the "Are you sure you want the domain role of Primary Domain Controller transferred to the server "SnoOpy-Server-2"?" prompt in the Role Transfer Confirmation Dialog.
The command then returns the role ownerships of the domain, in the form of the LDAP namespace structure.
"LDAP Namespace Structure" – informit.com
[03:14] You can verify this transfer through the ADUC console.
Actually, there are 2 ways to move OMs: transfer and seize.
I don’t use the 2nd one, because the master DC (which owns the desired roles) is online.
In a real scenario, maybe this master has faced a catastrophic problem and can’t be turned on, so we need to use the seize procedure.
The point is, it is recommended that admins do their best to recover that master, then do the transfer.
"Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller" – support.microsoft.com
However, if the situation is out of hand, admins can go ahead with the seize, and they must take care of the risks: domain destruction, object conflicts, etc.
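A read-only check of where the roles ended up after the transfer, and of whether a role's current owner is reachable enough for a transfer rather than a seize. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed, and the `$expected` table is constructed from this lab's intended placement.

```powershell
# Added example: read-only FSMO placement and reachability report.
Import-Module ActiveDirectory

# Assumption: intended placement after the transfers described in this post.
$expected = @{
    PDCEmulator          = 'SnoOpy-Server-2'
    InfrastructureMaster = 'SnoOpy-Server-2'
}

$domain = Get-ADDomain
$forest = Get-ADForest

# Current owner (FQDN) of each of the five roles.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$report = foreach ($role in $holders.Keys) {
    $owner = $holders[$role]
    $short = ($owner -split '\.')[0]          # host part of the FQDN

    # Compare against the intended placement, where one was specified.
    $placement = 'n/a'
    if ($expected.ContainsKey($role)) {
        if ($short -eq $expected[$role]) { $placement = 'OK' }
        else { $placement = 'MISMATCH' }
    }

    # Rough reachability test (ICMP only). A transfer needs the current
    # owner online; seizing is the last resort when it cannot be recovered.
    $online = Test-Connection -ComputerName $owner -Count 1 -Quiet
    $moveBy = 'recover owner first, seize only as a last resort'
    if ($online) { $moveBy = 'transfer' }

    [pscustomobject]@{
        Role      = $role
        Owner     = $owner
        Placement = $placement
        Online    = $online
        MoveBy    = $moveBy
    }
}

$report | Format-Table -AutoSize
```

Running this on a schedule and alerting on a `MISMATCH` row also catches role moves that nobody planned.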
"Seizing FSMO roles from dead Windows Domain Controller" – serverfault.com
By implementing the FSMO single-master model, you have prepared yourself to deal with single points of failure.
Make sure you are familiar with the GUI consoles and the ntdsutil and netdom tools so that you can diagnose problems quickly, since the whole of your domain infrastructure depends on these mission-critical factors.
"How to Seize a FSMO Role with NTDSUtil" – briandesmond.com
Of course, do not forget to back up your domain data with handy tools like Windows Server Backup and Acronis Backup Advanced for Active Directory.
And, as mentioned, the virtual environment’s snapshots are another convenient option.
Azure Active Directory is armed from head to toe.
"Seizing FSMO Roles" – petri.com
Through the parts about FSMO and, in general, the series about Active Directory Domain Services Domain Controllers, you can see that you can fortify the domain/forest network simply by implementing an efficient model to eliminate administrative overheads, maximize network profits, etc.
At the beginning of this series, we started with the building; now we end up with divisions, but the results still remain good 🙂
"Initial Synchronizations of Domain Controllers" – standalonelabs.wordpress.com
And believe me, this stuff is not hard.
Do follow best practices, recommendations, etc., and you will see how smoothly your network can run.
"Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines" – msdn.microsoft.com
"Active Directory FSMO Placement Guidance"
Of course, my YOUTUBE channel is always there, with plenty of helpful resources to help you drive in the heart of the sea :3