
My backup memory

Tuesday, June 7, 2011

Managing Active Directory FSMO Roles


+ Managing Active Directory FSMO Roles

+ FSMO placement and optimization on Active Directory domain controllers

When the Active Directory Installation Wizard (Dcpromo.exe) creates the first DC, it adds all 5 FSMO roles to it (2 enterprise roles, 3 domain roles).
Subsequent DCs hold the 3 domain roles. When you move the PDC to another DC, change the FSMO roles with Operations Masters (right-click the domain and choose Operations Masters).

To summarize then, the Schema Master and Domain Naming Master roles are found only in the forest root domain, while the remaining roles are found in each domain of your forest. Now let's look at best practices for assigning these roles to different domain controllers in your forest or domain.
Proper placement of FSMO Roles boils down to three simple rules:
  • Rule One: In your forest root domain, keep your Schema Master and Domain Naming Master on the same domain controller to simplify administration of these roles, and make sure this domain controller contains a copy of the Global Catalog. This is not a hard-and-fast rule, as you can move these roles to different domain controllers if you prefer, but there's no real gain in doing so and it only complicates FSMO role management. If for reasons of security policy your company decides that the Schema Master role must be fully segregated from all other roles, then go ahead and move the Domain Naming Master to a different domain controller that hosts the Global Catalog. Note though that if you've raised your forest functional level to Windows Server 2003, your Domain Naming Master role can be on a domain controller that doesn't have the Global Catalog, but in this case at least make sure this domain controller is a direct replication partner of the Schema Master machine.
  • Rule Two: In each domain, place the PDC Emulator and RID Master roles on the same domain controller and make sure the hardware for this machine can handle the load of these roles and any other duties it has to perform. This domain controller doesn't have to have the Global Catalog on it, and in general it's best to move these two roles to a machine that doesn't host the Global Catalog because this will help balance the load (the Global Catalog is usually heavily used).
  • Rule Three: In each domain, make sure that the Infrastructure Master role is not held by a domain controller that also hosts the Global Catalog, but do make sure that the Infrastructure Master is a direct replication partner of a domain controller hosting the Global Catalog that resides in the same site as the Infrastructure Master. Note however that this rule does have some exceptions, namely that the Infrastructure Master role can be held by a domain controller hosting the Global Catalog in two circumstances: when there is only one domain in your forest or when every single domain controller in the domain also hosts the Global Catalog.
To summarize these three rules then and make them easy to remember:
  • Forest root domain - Schema Master and Domain Naming Master on the same machine, which should also host the Global Catalog.
  • Every domain - PDC Emulator and RID Master on the same machine, which should have beefy hardware to handle the load.
  • Every domain - Never place the Infrastructure Master on a machine that hosts the Global Catalog, unless your forest has only one domain or unless every domain controller in your forest hosts the Global Catalog.
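The three rules are easy to state but easy to drift away from as DCs are added and removed. The script below is an added example (my own, not from the article quoted above) that reads the current FSMO holders and Global Catalog placement with the ActiveDirectory module and reports any rule that is broken, including the single-domain and all-DCs-are-GC exceptions to Rule Three. It assumes RSAT's ActiveDirectory module and an account that can read the forest configuration; no DC names are hard-coded.

```powershell
# Added example: audit FSMO placement against the three rules above.
# Requires the ActiveDirectory (RSAT) module; all names are read from the live forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $findings = @()
    $single   = ($forest.Domains.Count -eq 1)

    # Rule One: Schema Master and Domain Naming Master on the same DC, which hosts the GC.
    $schema = Get-ADDomainController -Identity $forest.SchemaMaster
    $naming = Get-ADDomainController -Identity $forest.DomainNamingMaster
    if ($schema.HostName -ne $naming.HostName) {
        $findings += "Rule 1: Schema Master ($($schema.HostName)) and Domain Naming Master ($($naming.HostName)) are on different DCs"
    }
    if (-not $schema.IsGlobalCatalog) {
        $findings += "Rule 1: Schema Master $($schema.HostName) is not a Global Catalog"
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
        $rid    = Get-ADDomainController -Identity $domain.RIDMaster
        $infra  = Get-ADDomainController -Identity $domain.InfrastructureMaster
        $allDcs = Get-ADDomainController -Filter * -Server $domainName
        $allGc  = (($allDcs | Where-Object { -not $_.IsGlobalCatalog }) | Measure-Object).Count -eq 0

        # Rule Two: PDC Emulator and RID Master on the same DC.
        if ($pdc.HostName -ne $rid.HostName) {
            $findings += "Rule 2 [$domainName]: PDC Emulator ($($pdc.HostName)) and RID Master ($($rid.HostName)) are on different DCs"
        }

        # Rule Three: Infrastructure Master must not be a GC, unless the forest has one
        # domain or every DC in the domain is a GC.
        if ($infra.IsGlobalCatalog -and -not $single -and -not $allGc) {
            $findings += "Rule 3 [$domainName]: Infrastructure Master $($infra.HostName) is a Global Catalog"
        }

        # Rule Three also wants a GC in the same site as a non-GC Infrastructure Master.
        $gcInSite = $allDcs | Where-Object {
            $_.IsGlobalCatalog -and $_.Site -eq $infra.Site -and $_.HostName -ne $infra.HostName
        }
        if (-not $infra.IsGlobalCatalog -and -not $gcInSite) {
            $findings += "Rule 3 [$domainName]: no Global Catalog in site $($infra.Site) alongside Infrastructure Master $($infra.HostName)"
        }
    }

    if ($findings.Count -eq 0) { "FSMO placement follows all three rules." } else { $findings }
}

Test-FsmoPlacement
```

Run it from any domain-joined admin workstation; each finding names the rule, the domain and the DC involved, so it can be dropped straight into a change ticket.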
To transfer the two enterprise roles, Schema Master and Domain Naming Master, use the Ntdsutil command as described in the guide below (for Windows Server 2008):

+ Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

+ For Windows Server 2003, to transfer FSMO roles, use the Active Directory Schema MMC snap-in as described in the guide below:
How to view and transfer FSMO roles in Windows Server 2003. This must be done before removing the old server:

Note: after seizing a role with ntdsutil, never power on the old DC again; see the warning below:
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
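The difference between a transfer and a seizure is the whole point of the warning above, so here is an added example (mine, not from the linked KB articles) that does both with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet instead of an interactive ntdsutil session, and verifies the result with netdom. It assumes Windows Server 2008 R2 or later RSAT; NEWDC is a placeholder name. The seize line is commented out on purpose: it is only for the case where the old holder is permanently gone.

```powershell
# Added example: transfer (or, as a last resort, seize) all five FSMO roles and verify.
# NEWDC is a placeholder for the DC that should receive the roles.
Import-Module ActiveDirectory

$Target = 'NEWDC'
$Roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"; Get-FsmoHolders | Format-Table -AutoSize

# Transfer: both DCs are online, the current holder hands the role over and the
# change replicates out normally. This is the safe path and needs no cleanup.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false

# Seize: -Force writes the new owner without the old holder's cooperation. Use only
# when the old holder is permanently gone, and then never bring it back online;
# wipe it and remove its metadata, as the KB text above explains.
# Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force -Confirm:$false

"After:"; Get-FsmoHolders | Format-Table -AutoSize

# Cross-check with the classic tool: every line should name $Target.
netdom query fsmo
```

If the "After" table still shows the old holder for any role, do not proceed to decommission it; a role that did not move is a sign the transfer did not replicate or was refused.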
In an actual deployment, after seizing the roles, because the old DC was not demoted, both servers were Global Catalog servers (check in Active Directory Sites and Services -> Sites -> Default-First-Site-Name -> Servers folder -> select the DC -> NTDS Settings -> on the General tab, look at the Global Catalog check box), so when the old DC was shut down the new server hit an error. The error is described here. If both DCs are powered on, everything runs normally.

In addition, the two DCs keep replicating with each other, so shutting down one DC produces replication errors. To disable replication, refer to:
Disabling AD Replication
To disable outbound replication from a particular DC, use this command:
repadmin /options <DC_NAME> +DISABLE_OUTBOUND_REPL
Likewise, to disable inbound replication for a particular DC, use this command:
repadmin /options <DC_NAME> +DISABLE_INBOUND_REPL
In these commands, we are adding the “DISABLE_OUTBOUND_REPL” or “DISABLE_INBOUND_REPL” flag to the DC, so that running “repadmin /options” will show that flag as an option on the selected DC. To re-enable replication, then, we need to remove the flag using one of the two commands:
repadmin /options <DC_NAME> -DISABLE_OUTBOUND_REPL
repadmin /options <DC_NAME> -DISABLE_INBOUND_REPL
When replication is disabled, warning events 1115 (for disabled outbound replication) or 1113 (for disabled inbound replication) from source NTDS General will be logged in the Directory Service event log during system startup. As far as I am aware, no events are regularly logged during normal operation to indicate that replication is disabled. When replication is re-enabled, informational events 1116 (for outbound replication) and 1114 (for inbound replication) are logged.
When replication is disabled, NTDS KCC warning events (typically with event ID 1265) will be logged; the text of the message will provide information on the specific DCs and naming contexts involved, but the useful information is near the end of the event, where the message states that “The destination/source server is currently rejecting replication requests.” If you see this, make sure that replication is enabled by searching the Directory Service event log for messages indicating that replication has been disabled.
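Because nothing is logged while replication stays disabled, a forgotten flag is easy to miss. The following is an added example (not from the blog post quoted above) that wraps the repadmin flags in a function, reads the option list back, and searches the Directory Service log for the event IDs listed above (1113/1115 disabled, 1114/1116 re-enabled, 1265 KCC rejection) plus event 2088 from later on this page. DC01 is a placeholder; it assumes repadmin is installed and that you can read the remote event log.

```powershell
# Added example: disable/enable replication on one DC and check the events that show it.
# DC01 is a placeholder for the DC being isolated.
$Dc = 'DC01'

function Set-DcReplication {
    param(
        [string]$Server,
        [ValidateSet('Enable', 'Disable')][string]$Action
    )
    # "+" adds the flag, "-" removes it, exactly as in the commands above.
    $sign = if ($Action -eq 'Disable') { '+' } else { '-' }
    repadmin /options $Server "${sign}DISABLE_OUTBOUND_REPL" | Out-Null
    repadmin /options $Server "${sign}DISABLE_INBOUND_REPL"  | Out-Null
    # Read the option list back: the DISABLE_* flags are listed only while set.
    repadmin /options $Server
}

function Get-ReplicationStateEvents {
    param([string]$Server, [int]$Hours = 24)
    $ids  = 1113, 1114, 1115, 1116   # inbound/outbound replication disabled or re-enabled
    $ids += 1265, 2088               # KCC rejecting replication; DNS lookup of a source DC failed
    Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Set-DcReplication -Server $Dc -Action Disable
# ... maintenance on $Dc ...
Set-DcReplication -Server $Dc -Action Enable

# Anything still logging 1113/1115 or 1265 after re-enabling means a flag was left behind.
Get-ReplicationStateEvents -Server $Dc | Format-Table -AutoSize
```

The event search is the useful half: run it on its own periodically, since a DC that silently stops replicating is exactly the condition the warning earlier on this page (two DCs believing they own the same roles) depends on.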
The best approach is to demote the DC (run dcpromo.exe /forceRemoval -> restart, then remove the AD DS role on the old DC, then clean up its metadata with ntdsutil /metadata cleanup). Only after the old DC has been demoted do the two servers stop replicating with each other (applies to Server 2003).
Clean up metadata on Server 2008 by following this guide:
If you have already deleted the old DC without demoting it, refer to the following guide:

+ Flexible Single Master Operation Transfer and Seizure Process
+ How to remove completely orphaned Domain Controller
Note: configure a new authoritative time server for the new DC.

In some cases the demotion fails (or even succeeds but errors are still reported in the Event log); perform a manual removal following the guide here (for Win 2003):
For Win 2K8, it is enough to delete the DC in AD Users and Computers and in AD Sites & Services, and to delete the records related to the old DC in DNS Manager.
Below is the event ID seen when the demotion reported success but the old DC's metadata was not fully removed on the new DC (because the old DC was still powered on after the FSMO roles had been seized, without realizing that the DCs were still replicating with each other):
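The three places a dead DC leaves traces (the computer account, the server/NTDS Settings objects in Sites & Services, and its DNS records) are easy to check before deleting anything by hand. Here is an added example (not from the guides linked above) that lists them; the removal commands are left commented so the listing can be reviewed first. OLDDC, NEWDC, Default-First-Site-Name and corp.example are placeholders, and the DnsServer cmdlets need the DNS Server Tools from RSAT on Windows Server 2012 or later (on 2008 the DNS part is done in DNS Manager as the text says).

```powershell
# Added example: find what is left of a removed DC in AD and DNS before cleaning it up.
# All names below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc  = 'OLDDC'                     # short name of the removed DC
$Site   = 'Default-First-Site-Name'   # site it belonged to
$Zone   = 'corp.example'              # AD-integrated forward zone
$DnsSrv = 'NEWDC'                     # surviving DC running DNS

function Find-OrphanedDcReferences {
    $cfg    = (Get-ADRootDSE).configurationNamingContext
    $result = [ordered]@{}

    # 1. The computer account in the Domain Controllers OU (what AD Users and Computers shows).
    $result.ComputerAccount = Get-ADComputer -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue

    # 2. The server object and its NTDS Settings child in Sites and Services.
    $serverDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$cfg"
    $result.ServerObject = Get-ADObject -Identity $serverDn -ErrorAction SilentlyContinue
    $result.NtdsSettings = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $serverDn -ErrorAction SilentlyContinue

    # 3. DNS records still pointing at the old DC: its A record, the CNAME alias in _msdcs,
    #    and SRV records whose target is the old host. Only one zone is scanned here;
    #    repeat for the _msdcs zone if it is delegated separately.
    $result.DnsRecords = Get-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Zone |
        Where-Object {
            $_.HostName -eq $OldDc -or
            "$($_.RecordData.DomainName)$($_.RecordData.HostNameAlias)" -like "$OldDc.*"
        }
    $result
}

$orphans = Find-OrphanedDcReferences
$orphans | Format-List

# Removal, only once you have confirmed the DC really is gone for good:
# $orphans.NtdsSettings    | Remove-ADObject -Recursive -Confirm:$false
# $orphans.ServerObject    | Remove-ADObject -Recursive -Confirm:$false
# $orphans.ComputerAccount | Remove-ADComputer -Confirm:$false
# $orphans.DnsRecords      | Remove-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Zone -Force
```

An empty NtdsSettings entry with a non-empty ServerObject is the usual leftover after a half-successful demotion; the DNS list is what stops the 2088 warnings shown next from recurring.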
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/12/2011 4:48:09 AM
Event ID:      2088
Task Category: DS RPC Client
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
Failing DNS host name:

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\DC name" or "ping ".
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on

  dcdiag /test:dns

4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

  dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.
Update 1-4-2012
After transferring the FSMO roles, you may also need to transfer the DHCP database to the new server. Follow this guide (note: it is best to do this before adding the AD role service).
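For the DHCP move, an added example (mine, not from the guide linked above) using netsh, which exists on both Server 2003 and 2008, followed by a check that every scope on the old server now exists on the new one. OLDDHCP, NEWDHCP and the export path are placeholders; the export is run on the old server and the import on the new one, with the DHCP role already installed there.

```powershell
# Added example: move the DHCP database with netsh and compare scope lists afterwards.
# Names and paths are placeholders.
$OldServer = 'OLDDHCP'
$NewServer = 'NEWDHCP'
$Export    = 'C:\Temp\dhcp-export.dat'

# Step 1, run on the old server: dump all scopes and server options into one file.
netsh dhcp server export $Export all

# Step 2, run on the new server after copying the file over (DHCP role installed, service running).
netsh dhcp server import $Export all
Restart-Service DHCPServer

function Get-ScopeList {
    param([string]$Server)
    # "show scope" prints one line per scope starting with the subnet address,
    # e.g. " 10.0.0.0 - 255.255.255.0 - Active - Scope1 -"
    netsh dhcp server \\$Server show scope |
        Where-Object { $_ -match '^\s*\d{1,3}(\.\d{1,3}){3}\s+-\s+' } |
        ForEach-Object { ($_.Trim() -split '\s+')[0] }
}

# Step 3: compare; any scope listed in the difference did not make it across.
$before = Get-ScopeList -Server $OldServer
$after  = Get-ScopeList -Server $NewServer
$diff   = Compare-Object $before $after
if ($diff) { $diff } else { "All $(@($before).Count) scopes are present on $NewServer" }
```

Authorize the new server in AD and deauthorize the old one before clients renew, otherwise two authorized servers will hand out leases from the same ranges.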

References:
