Forcing the capture of the roles of the deceased operations wizard
It is no secret that in AD there are operations that are assigned only to one domain controller in the forest, called the operation master. For example, in AD only one controller is assigned as the primary keeper of the directory schema.
In the case of dying of such a server for any of the technical or non-technical reasons, a situation arises when the second DC together does not allow you to fully manage the domain. In such cases, the following recipe will help, which will allow transferring the existing roles of the operations wizard to the surviving controller. The recipe is quite famous, however, I found it useful to put detailed instructions on Habr, since my first reaction was panic.
A domain configuration with two controllers is considered. One of them is assigned the role of the operations wizard and the global catalog, and in our scenario he dies. To reassign all roles, the administrator must be a member of the Enterprise Admins group. The procedure consists of two stages: capturing roles and assigning a global catalog.
Those who want to learn the theory by the masters of operations read this informative post , well, we proceed.
')
Click the Start button, select Run , type ntdsutil , and press ENTER.
1. Connection
1.1. At the ntdsutil: prompt, type roles and press ENTER.
1.2. At the fsmo maintenance: prompt, type connections and press ENTER.
1.3. At the server connections: prompt, type connect to server servername (where servername is the name of the domain controller that will assume the operations master role), and press ENTER.
1.4. After you confirm the connection, type quit and press ENTER.
2. Depending on the role you want to take in the fsmo maintenance prompt : type the appropriate command from the table below and press ENTER.
3. Enter quit and press ENTER. Repeat again to exit ntdsutil.
The system asks for confirmation. Then she tries to transfer the specified roles. During this, several error messages may be displayed, but the capture will continue. Upon completion, the list of roles and LDAP nodes of the responsible servers will be displayed. During the master RID capture, the current master should try to synchronize with the replication partner, but the partner is dead, so a warning will be displayed and you will need to confirm the operation.
Commands to capture
1. Opening the snap-in Active Directory Sites and Services.
2. In the console tree, select the domain controller where you want to enable or disable the global catalog. Search here Active Directory Sites and Services / Sites / site_name / Servers / controller_name
3. Right-click on NTDS Settings, select Properties. Select the Global Catalog check box to enable the global catalog, or uncheck the box to disable the global catalog.
I hope the article will save someone a good ton of nerves.
UPD:
In Win2k8R2, the commands are slightly different:
fsmo maintenance:?
? - Display this reference information
Connections - Connect to a specific DC / LDS instance of AD
Help - Displays this help information.
Quit - Return to the previous menu.
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize naming master - Overwrite the role of the naming master on the connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite the RID role on the connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles, naming contexts
Transfer infrastructure master - Make the connected server the master of infrastructure
Transfer naming master - Make the connected server the naming master
Transfer PDC - Make a connected PDC server
Transfer RID master - Make the connected server the master RID
Transfer schema master - Make the connected server the schema master
Useful source
In the case of dying of such a server for any of the technical or non-technical reasons, a situation arises when the second DC together does not allow you to fully manage the domain. In such cases, the following recipe will help, which will allow transferring the existing roles of the operations wizard to the surviving controller. The recipe is quite famous, however, I found it useful to put detailed instructions on Habr, since my first reaction was panic.
A domain configuration with two controllers is considered. One of them is assigned the role of the operations wizard and the global catalog, and in our scenario he dies. To reassign all roles, the administrator must be a member of the Enterprise Admins group. The procedure consists of two stages: capturing roles and assigning a global catalog.
Those who want to learn the theory by the masters of operations read this informative post , well, we proceed.
')
Capture Roles
Click the Start button, select Run , type ntdsutil , and press ENTER.
1. Connection
1.1. At the ntdsutil: prompt, type roles and press ENTER.
1.2. At the fsmo maintenance: prompt, type connections and press ENTER.
1.3. At the server connections: prompt, type connect to server servername (where servername is the name of the domain controller that will assume the operations master role), and press ENTER.
1.4. After you confirm the connection, type quit and press ENTER.
2. Depending on the role you want to take in the fsmo maintenance prompt : type the appropriate command from the table below and press ENTER.
3. Enter quit and press ENTER. Repeat again to exit ntdsutil.
The system asks for confirmation. Then she tries to transfer the specified roles. During this, several error messages may be displayed, but the capture will continue. Upon completion, the list of roles and LDAP nodes of the responsible servers will be displayed. During the master RID capture, the current master should try to synchronize with the replication partner, but the partner is dead, so a warning will be displayed and you will need to confirm the operation.
Commands to capture
| Role | Necessary privileges | Team |
|---|---|---|
| Domain naming master | Enterprise admins | seize domain naming master |
| Schema master | Enterprise admins | seize schema master |
| Infrastructure master | Domain Admins | seize infrastructure master |
| PDC emulator | Domain Admins | seize pdc |
| RID master | Domain Admins | seize rid master |
Assigning a global catalog
1. Opening the snap-in Active Directory Sites and Services.
2. In the console tree, select the domain controller where you want to enable or disable the global catalog. Search here Active Directory Sites and Services / Sites / site_name / Servers / controller_name
3. Right-click on NTDS Settings, select Properties. Select the Global Catalog check box to enable the global catalog, or uncheck the box to disable the global catalog.
I hope the article will save someone a good ton of nerves.
UPD:
In Win2k8R2, the commands are slightly different:
fsmo maintenance:?
? - Display this reference information
Connections - Connect to a specific DC / LDS instance of AD
Help - Displays this help information.
Quit - Return to the previous menu.
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize naming master - Overwrite the role of the naming master on the connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite the RID role on the connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles, naming contexts
Transfer infrastructure master - Make the connected server the master of infrastructure
Transfer naming master - Make the connected server the naming master
Transfer PDC - Make a connected PDC server
Transfer RID master - Make the connected server the master RID
Transfer schema master - Make the connected server the schema master
Useful source
Source: https://habr.com/ru/post/145221/
All Articles