MCITP 70-640: Seizing roles

Uploaded by itfreetraining on 27.12.2011

Welcome to anther free Active Directory training video from ITFreeTraining. In this free video,
just one video of the completely free active directory course, I will look at seizing operational
master roles. Transferring the role is the safest way to move the operational master
role, however if your server becomes permanently offline for any reason this will not be possible.
When this occurs you need to seize the role to make it available on anther domain controller.
Before making the decision to seize an operational master role you should understand the impact
not having that operational master role will have. If there is no impact on your organization
it may be worth your time trying to recover the failed domain controller so you can transfer
the role to anther domain controller safety. Let’s review the five operational master
roles and the impact of not having these roles will have on your organization. First you
have the schema master. If you are not planning on making any changes to the schema this role
can be offline indefinitely. The next operational master role, domain name
master is only required if adding or removing domains. If you are not adding or removing
domains this operational master role can be offline indefinitely.
The RID master can be down for a period of time and should not be missed. If you are
not creating lots of objects in Active Directory it’s could be down for an extent period
of time without impacting the operation of your organization.
Out of all the operational master roles the PDC emulator is the most likely to cause an
impact on your organization. Microsoft recommend that this role be available 24 7. The PDC
emulator is considered the final say on authentication. Having this operational master role not available
may mean that an end user may have trouble login after a password change.
The PDC emulator is also the root of the time sync hierarchy in a domain. While the operational
master role is down, time sync services will not occur to the other domain controllers.
During this time it is possible for the times on your domain controllers to drift and this
drift passed onto the clients. Lastly you have the infrastructure master.
In a single domain environment this operation master role will not be missed during an extended
outage. In a multi domain environment, a missing infrastructure mater can have an effect on
group membership changes across domains. Once you understand the impact the missing
operational master role will have on your organization you can decide how much time
you should wait before seizing the role. Before seizing the role you should first make sure
the domain controller is offline. Seizing a role should not be performed if you have
a network outage and your network is divided in half. Seizing an operational master role
is considered a last resort when the domain controller is offline and won’t be brought
back online ever again. Once you make the decision to seize the operational
master role you need to understand that the domain controller cannot be used on the network
again. Seizing a role is distract step and should not be taken lightly. If you later
recover the domain controller that was holding an operation master role that was seized you
will need to re-install the domain controller. On a large network with multiple domain
controllers you may have another domain controller allocated to transfer operational master roles
to when need. This is referred to as a standby operation master. A standby can be used when
the operational master role needs to be seized or simply just transferred.
Once you have seized the operational master role from the failed domain controller the
configuration for that domain controller will still exist in the Active Directory database.
Since the domain controller will not be used on the network again, to complete the process
you should also remove the configuration information from the domain controller from Active Directory.
I will now change to my Windows Server 2008 domain controller to demonstrate how to siege
an operation master role from a domain controller and also how to clean up the Active Directory
database after the operation master role has been seized.
If you have watched are previous video on transferring operational master roles, you
will remember my opening Active Directory users and computers from the start menu and
selecting the option operations masters. This will allow you to transfer the domain operation
master roles. Notice that the RID master has come up as error. The domain controller that
is holding this operational master role is not available and thus this will be displayed
as error. This tool and the other Active Directory gui
based tools will only allow you to transfer roles. In order to seize a role I need to
use a command line tool. To do this open a command line prompt and run the program NTDSUtil.
NTDSUtil is the Active Directory diagnostic tool. The file name may seem a little strange
but if you remember that originally active directory was called NT directory services
the name of the file name makes sense. When you launch NTDSUtil you will get an NTDSUtil
prompt. The NTDSUtil has a lot of sub components will allow you to run different functions
and configure different settings. You can always tell which part you are in by looking
at the prompt. For example, in this case I want to seize an operation master role. To
do this, I will enter in roles and press enter. Notice that the prompt has changed to fsmo
maintenance to let me know I am now in a different part of the utility.
Before I can make changes on any of the operation master roles I need to enter in the command
connections. In order for the fsmo maintenance to run any functions it needs to be connected
to a domain controller. The command prompt has now changed to server connections. Think
of server connection as a sub menu of fsmo maintenance.
The next command that I will run is connect to server DC1. This will establish a connection
back to one of my domain controllers. Now that I have a connection to a domain controller
I can enter in quit to return back to the fsmo maintenance section.
If I enter is questions mark, I can get a list of all the commands that can be run from
fsmo maintenance. Notice that you could also transfer roles from here as well. This is
a handy thing to know if you ever need to transfer an operational master role using
server core. To seize the RID master role, enter in seize
RID master role. Before continuing, Windows will first confirm that you want to seize
the role. On I confirm this is what I want to do, notice that Windows will attempt to
transfer the operational master role first before seizing it. Remember that seizing an
operational master role should be taken very seriously. Once the operational master role
has been seized the domain controller holding that role can’t be brought back online again.
If possible, always transfer the role rather than seizing it.
It does take a minute or so for Windows to attempt to transfer the role and fail. I will
fast forward the video to where the role gets seized. Here you will notice the RID master
is now on domain controller1 or dc1. The format shown here is in LDAP format which
is not the easiest to read. If I exit out to the command prompt I can run the NetDom
query fsmo. This will show you which domain controllers hold the five operation master
roles. Here you can once again see that DC1 holds the RID operational master role.
The role has been seized by DC1 but configuration information about DC3 still remains in the
Active Directory database. DC3 was the domain controller that held the RID operational master
role before I seized the role. It is best to remove DC3 information data from active
directory. To do this, once again run NTDSUtil. To remove
DC3 I need to enter in MetaData CleanUp. From inside MetaData CleanUp, once again
I need to connect to a domain controller. I can do this the same way as before by running
connections and then enter in connect to server DC1.
Once connected to DC1 I will enter in quit to return back to MetaData CleanUp. MetaData
CleanUp will essentially remove the records for DC3 from Active Directory. To
do this, I must first select DC3. This can be done by running select operation target.
There are a number of settings that need to set so the correct records can be selected
and removed. First I need to select the domain. To find out which domains are available run
the command list domains. There is only one domain so I can select this with the command
select domain 0. If you had more than one domain you would need to run list domains
to find out the number for the domain. If you only have 1 domain, you can simply just
running select domain 0 knowing the correct and only domain will be selected.
Next I need to select the site that DC3 was assigned to. I have not covered sites yet.
This will be covered in a later video. For the present know that sites allow you to model
Active Directory around your physical network infrastructure. If you have two locations
separated by a wide area network you would create two sites.
So far there are no additional sites that have been configured so when I run lists sites
I will only see the default site that Windows created when I installed Active Directory.
To select the site, run the command select site and the number of the site which in this
case is 0. Lastly I need to select the server that I
want to remove. To do this, run the command list servers in site. DC3 is listed as server
number 2 so I can select it with the command select server 2.
Now that DC3 is selected I can enter in quit and return back to MetaData CleanUp prompt.
To remove the domain controller from active directory run the command remove selected
server. Windows will prompt you asking if you want to proceed. Once I select yes the
command controller DC3 will be removed from Active Directory.
There is one last record that needs to be removed to complete the process. To remove
this record, run Active Directory Sites and Services. I will cover the sites and services
tool in a lot more detail in a later video so don’t worry if you don’t understand
it yet. To complete the removing of the domain controller expand down till you see the server.
Notice that DC1 and DC2 are stilled listed as being in the domain and as domain controllers.
DC3 is not listed as being part of the domain so the meta data clean up has worked. To complete
the process, simply press delete and delete the record.
This covers how to seize an operational master role and how to remove the Active Directory
configuration for that domain controller after the operational master role has been sized.
But what happens if after you seize the role you manage to recover the server?
The important thing to remember is not to put the server back on the network. If you
start the domain controller back up you will essentially have two domain controllers on
the network with the same operational master role. This can potentially cause all kinds
of problems. The best option is to reformat and start again
but you may have data on the server that you want or software that is difficult or time
consuming to reinstall. To recover the server, first pull out the network cable from the
server. This will stop it communicating to clients and other domain controllers and potentially
causing problems. Next start the server up with the network cable not plugged in and
remove Active Directory from the server. Once Active Directory is removed you can reinstall
Active Directory using DCPromo. Let’s have a look at how to remove Active Directory from
a server. To remove Active Directory from a server you
can demoted the server using DCPromo. If I were to run DCPromo on this server it would
fail. DCPromo would attempt to contact anther domain controllers which is not possible since
I unplugged the network. To remove Active Directory with the network
cable unplugged, run the command DCPromo with the switch ForceRemoval. This will force
Active Directory to be removed from the server even if other domain controllers can’t be
contacted. I will get a warning message telling me that
an operational master role is held by this server and should be transferred before removing
Active Directory. Since I seized the role already I can safely ignore this message and
move on. Next I will get a message reminding me that
this domain controller is also a global catalog server. Removing the last global catalog server
would be a problem but one of my other domain controllers is a global catalog server so
I can ignore this. Once I next my way past the welcome and information
screen I will be asked to choose a local administrator password. Once complete, this server will
be put into a work group and thus you will need an administrator username and password
to access the server. Now all I need to do is finish the wizard
and Active Directory will now be removed from the server. Once complete and the server has
been rebooted, the server will be put in a work group. If you want the server to be part
of Active Directory you can add it to the domain and even run DCPromo again and make
it a domain controller. That’s it for seizing operational master
roles. You can see that there are a lot of steps to seizing an operational master role
and risks involved so always try and transfer the role first where possible.
In the next video I will look at configuring an external time source. Configuring and external
time source will allow you to ensure that your domain controllers and clients times
are correct. A lot of modern security requires the time on the computer being set correctly.
Thanks for watching yet another free video from ITFreeTraining. Remember the rest of
this course and others are available on are you tube channel and web site.