MCITP 70-640: Seizing roles


Author: itfreetraining
60342 Views
16m 36s Length
219 Rating


Active Directory has five operational master roles that can be transferred from domain controller to domain controller as required. In some cases a role cannot be transferred; for example, if the hardware on the domain controller fails, a transfer cannot be made. When this occurs, the operational master role must be seized. This video looks at how to seize an operational master role, clean up the Active Directory database afterwards, and recover a server that has had an operational master role seized.

Check out http://itfreetraining.com or http://youtube.com/ITFreeTraining for more of our always free training videos.

Demo seizing the role 04:40
Demo cleaning up the Active Directory database 08:55
Demo removing Active Directory from a recovered server 14:04

What is an operational master role?

See our operational master role video for more information. http://itfreetraining.com/70-640/oper...

Impact of missing operational master role

Seizing an operational master role from a failed server is a drastic step. Once the seizure is complete, the failed domain controller cannot be started back up on the network. Before seizing the operational master role, first consider the effect the missing role will have, as listed below.

Schema master: If this role is missing, changes cannot be made to the Active Directory schema. The schema defines the design of the Active Directory database. If you are not planning on making changes to the structure of the Active Directory database, this role could be offline indefinitely.

Domain Naming Master: This is required when adding or removing domains. If you are not adding or removing domains, the Domain Naming Operational Master Role could be offline indefinitely.

Relative ID Master: Otherwise known as the RID master, it allocates RIDs to domain controllers. These are used to create Active Directory objects. Without RIDs, domain controllers cannot create new objects. RIDs are allocated in pools, so a domain controller will not run out quickly unless a lot of Active Directory objects are created at once.

PDC Emulator: A PDC emulator is considered the final authority on password authentication. If the PDC emulator is down, a user may experience problems logging in just after a password change. A short outage should not be a problem, but it is recommended to try to recover the domain controller holding the PDC emulator quickly if it fails.

Infrastructure master: In a single domain/forest environment, a missing infrastructure master will not cause any problems. In a multiple domain environment, this will only cause problems if none of your domain controllers are global catalog servers. If this is the case, cross-domain objects may not be updated correctly when changed.

Seizing a role

Seizing a role is considered a last resort. Once it is completed, the domain controller that was holding that operational master role will not be able to be started back up on the network again. A domain controller that can have an operational master role transferred to it or seized by it is often referred to as a standby operational master. To seize an operational master role, run the command NTDSUtil from the command prompt. Once inside the tool, run the following commands. The last command takes one of the listed role names.

    roles
    connections
    connect to server (domain controller the role will be seized by)
    quit
    seize PDC|RID master|schema master|infrastructure master|naming master

Removing Domain Controller Configuration

Once you seize the operational master role, the configuration data for the failed domain controller will still exist in Active Directory. This can be removed by performing the following steps.

1. Run NTDSUtil from the command prompt and enter the following commands:

    metadata cleanup
    connections
    connect to server (any domain controller)
    quit
    select operation target
    list domains
    select domain (your domain number shown in list domains)
    list sites
    select site (your site number shown in list sites)
    list servers in site
    select server (your server number shown in list servers in site)
    quit
    remove selected server

2. Quit NTDSUtil.
3. Run Active Directory Sites and Services from Administrative Tools.
4. Find the record for your failed domain controller. It should not have a domain listed next to its name.
5. Press Delete to delete the record.

Reusing a failed server

If you have seized an operational master role from a domain controller and later recover that domain controller, Active Directory must be removed from it before it can be added back to the domain and reused. This can be done with the following steps.

1. Make sure the server is not connected to the network.
2. From the command line, run DCPromo /ForceRemoval
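
A read-only pre-check for the transfer-or-seize decision described above, added here as an example and not part of the original video notes: it lists the current holder of each of the five roles and whether that holder still answers on LDAP. It assumes PowerShell 3.0 or later with the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the port 389 probe and the 3-second timeout are choices made for this example.

```powershell
# Added example (not from the original page). Read-only: queries AD, changes nothing.
# Assumes PowerShell 3.0+ and the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The five operational master roles and the DC recorded as holding each one.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}

# Probe each distinct holder once on LDAP (TCP 389) with a 3-second timeout.
$reachable = @{}
foreach ($dc in ($roles.Values | Sort-Object -Unique)) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($dc, 389, $null, $null)
        $reachable[$dc] = ($pending.AsyncWaitHandle.WaitOne(3000) -and $client.Connected)
    } catch {
        $reachable[$dc] = $false   # name did not resolve or the connection failed
    } finally {
        $client.Close()
    }
}

# One row per role. A reachable holder means the role can be transferred;
# seizing is only for a holder that is down and will not return to the network.
$report = foreach ($role in $roles.GetEnumerator()) {
    $up = $reachable[$role.Value]
    $action = 'Holder unreachable: weigh the impact, seize only as a last resort'
    if ($up) { $action = 'Transfer (holder is online)' }
    [pscustomobject]@{ Role = $role.Key; Holder = $role.Value; Reachable = $up; Action = $action }
}
$report | Format-Table -AutoSize
```

An unreachable result only shows that the holder did not answer from where the script ran, so rule out a network or DNS fault before treating the domain controller as permanently failed.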


Comments

  1. Excellent VDO, Thanks. Got a new Sub :)
  2. Excellent! Thanks Bro! Many thanks!
  3. Really Appreciated Sir ..
  4. @itfreetraining, I have dc1 as a PDC and dc2 as an additional DC.
    My issue is that dc1 failed and cannot start, so can I use this tut to seize the role and make dc2 the primary DC?
    Thanks for your help.
  5. Thank you very much, you returned my server to life
  6. this video saved the day, thanks!
  7. The thing I don't understand is; in the case a DC with a Role goes down for good, wouldn't it be easier to just have Windows Server make a new copy of the role instead of going through all this trouble?
  8. DC3 is down and the RID master is seized on DC1... and DC3 is removed from the domain... then I have one doubt: where has the RID master been transferred?
  9. Philip, Liam, this is another great video!
  10. Thanks Bro! for making clear understanding about fsmo roles and transfer/seizure procedure..
  11. REALLY INFORMATIVE
  12. Thank you a lot for your good jobs to help us.
    I have one question please:
    How can I make the trouble to my server system to be offline? till fix it by myself as you showed us from the above video "only for test i like do it" thanks.
  13. @itfreetraining, thank you!
  14. by far the BEST tutorial ever.. extremely clear, thorough and accurate!  Keep up the good work!
  15. Simply Awesome
  16. #itfreetraining What happens if the MDC is down when we have a secondary DC in place?
    Will the secondary DC take the responsibility, in an environment where no roles have been moved to the SDC? Can you explain for Windows 2008 and 2012 R2? Thank you
  17. I am preparing for MCSA 70-410. It contains few topics in AD, but they ask so many things. Then I found this, and it is helping me a lot to understand the concepts of AD DS. Thank you for the nice work you have done for the community.
  18. better than cbt nuggets!!!
  19. Thank you for providing the training it helped me very much. May Allah bless you.
  20. It's great