Tag Archives: FSMO

Step-by-Step guide to migrate active directory FSMO roles from windows server 2012 R2 to windows server 2016

Windows server 2016 was released for public (GA) on mid oct 2016. Its exciting time as businesses are already working on migrating their services in to new windows server 2016 infrastructures. In this post, I am going to explain how you can migrate from active directory running on windows server 2012 R2 to windows server 2016 active directory. The same steps are valid for migrating from windows server 2012, windows server 2008 R2 and windows server 2008.

In my demo setup, I have a windows server 2012 R2 domain controller as PDC. I setup windows server 2016 and already added to the existing domain.

updc1

Current domain and forest functional level of the domain is windows server 2012 R2.

updc2

So, let’s start with the migrate process. 

Install Active Directory on windows server 2016
 
1. Log in to windows server 2016 as domain administrator or enterprise administrator
2. Check the IP address details and put the local host IP address as the primary DNS and another AD server as secondary DNS. This is because after AD install, server itself will act as DNS server
3. Run servermanager.exe form PowerShell to open server manager (there is many ways to open it) 
updc3
 
4. Then click on Add Roles and Features
updc4
 
5. It will open up the wizard, click next to continue
updc5
 
6. In next window keep the default and click next
updc6
 
7. Roles will be installed on same server, so leave the default selection and click next to continue
updc7
 
8. Under the server roles tick on Active Directory Domain Services, then it will prompt with the features needs for the role. Click on add features. Then click next to proceed
updc8
updc9
updc10
 
9. On the features windows keep the default and click next
updc11
 
10. In next window, it will give brief description about AD DS, click next to proceed 
updc12
 
11. Then in next window it will give brief description about configuration and click on install to start the role installation process. 
updc13
updc14
 
12. Once installation completed, click on promote this server to a domain controller option
updc15
 
13. It will open up the Active Directory Domain Service configuration wizard, leave the option Add a domain controller to existing domain selected and click next.
updc16
 
14. In next window define a DSRM password and click next
updc17
 
15. In next window click on next to proceed
updc18
 
16. In next windows, it asks from where to replicate domain information. You can select the specific server or leave it default. Once done click next to proceed. 
updc19
 
17. Then it shows the paths for AD DS database, log files and SYSVOL folder. You can change the paths or leave default. In demo, I will keep default and click next to continue
updc20
 
18. In next windows, it will explain about preparation options. Since this is first windows server 2016 AD on the domain it will run forest and domain preparation task as part of the configuration process. Click next to proceed.
updc21
 
19. In next window, it will list down the options we selected. Click next to proceed. 
updc22
 
20. Then it will run prerequisite check, if all good click on install to start the configuration process.
updc23
 
21. Once the installation completes it will restart the server. 
updc24
 
Migrate FSMO Roles to windows server 2016 AD
 
I assume by now you have idea what is FSMO roles. If not search my blog and you will find article explaining those roles. 
There are 2 ways to move the FSMO roles from one AD server to another. One is using GUI and other one is using command line. I had already written articles about GUI method before so I am going to use PowerShell this time to move FSMO roles. If you like to use GUI mode search my blog and you will find articles on it. 
 
1) Log in to windows server 2016 AD as enterprise administrator
2) Open up the Powershell as administrator. Then type netdom query fsmo. This will list down the FSMO roles and its current owner. 
updc25
 
3) In my demo, the windows server 2012 R2 DC server holds all 5 fsmo roles. Now to move fsmo roles over, type Move-ADDirectoryServerOperationMasterRole -Identity REBELTEST-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster and press enter
 
In here REBELTEST-PDC01 is the windows server 2016 DC. If FSMO roles are placed on different servers, you can migrate each and every FSMO roles to different servers. 
updc26
 
4) Once its completed, type netdom query fsmo again and you can see now its windows server 2016 DC is the new FSMO roles owner. 
updc27

 
Uninstall AD role from windows server 2012 R2
 
Now we moved FSMO roles but we still running system on windows 2012 R2 domain and forest functional levels. In order to upgrade it, first we need to decommission AD roles from existing windows server 2012 R2 servers. 
 
1) Log in to windows 2012 R2 domain server as enterprise administrator
2) Open the PowerShell as administrator
3) Then type Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition and press enter. It will ask for local administrator password. provide new password for local administrator and press enter.
updc28
updc29
updc30
 
4) Once its completed it will restart the server.
 
Upgrade the forest and domain functional levels to windows server 2016
 
Now we have the windows server 2012 R2 domain controllers demoted, next step is to upgrade domain and forest functional levels. 
 
1) Log in to windows server 2016 DC as enterprise administrator 
2) Open PowerShell as administrator
3) Then type Set-ADDomainMode –identity rebeladmin.net -DomainMode Windows2016Domain to upgrade domain functional level to windows server 2016.  In here rebeladmin.net is the domain name. 
updc31
 
4) Then type Set-ADForestMode -Identity rebeladmin.net -ForestMode Windows2016Forest to upgrade forest functional level.
updc32
 
5) Once done you can run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode to confirm new domain and functional level 
updc33
 
Hope this post was useful and if you got any questions feel free to contact me on rebeladm@live.com


How to seize operation masters role?

If a proper DR (Disaster Recovery) plan is in place, an engineer will not needs to consider about this option at all. But it’s not a perfect IT world we living on, some business can’t afford to invest on DR. anyway, as we know AD runs with FSMO roles. Depend on the design these roles may be located on different servers and sometime all runs from one DC (which is not recommended). If this role holder servers get crashed we can’t migrate these roles over. If there is no DR plan, the only way to get this work is by seizing the operation master roles.

The utility we will use for this is ntdsutil.exe. This is very handy tool for manage and maintains active directory infrastructure.

1)    Log in to the server as domain administrator or enterprise administrator
2)    Right click on start button and select “command prompt (admin)

seize1

3)    Type ntdsutil and press enter

seize2

4)    Then type roles and press enter

seize3

5)    Type connections and press enter

seize4

6)    Then type connect to server <FQDN of role holder>

seize5

7)    Then type quit and enter

seize6

8)    In my demo I used a server which holds all the roles. To seize the roles execute following one at a time
seize schema master

seize7


seize naming master

seize8


seize RID master

seize9


seize PDC

seize10


seize infrastructure master

seize11

in each command it gives pop up to confirm if you need to do this. Confirm as yes to proceed.

9)    Type quit to exit from ntdsutil.
 
 seize12

This completes the task successfully. If you have any question about this feel free to contact me on rebeladm@live.com

Active Directory Topology

In an infrastructure when you place domain controllers and related services it is important to identify exactly where it should logically locate. It will directly make impact on performances and security.
There are mainly four types of servers and roles when consider about AD topology design.

1)    Forest root domain controller
2)    Regional domain controller
3)    Global catalog server
4)    Operation master role


Forest root domain controller

This is usually used in multi domain network setup. This is the domain controller which will use to create trust paths between domains. In a network some time connections are made from unreliable connections from domain to domain, in such scenario it’s recommended to place forest root domain controller in the location or create shortcut trust.


Regional domain controller

As the name explain these domain controllers are placed in hub locations. This reduce the bandwidth usage between hub locations and main office, improve reliability, reduce support cost etc. writable regional domain controllers can place in hub location only if physical security guarantee. Otherwise it’s recommended to keep them as read only domain controllers (RODC).


Global Catalog Server

Global catalog server holds all the objects in forest. It keeps full copy of the objects in its own domain and read-only copy of objects for all other domains in same forest. The placement of global catalog server is crucial for multi forest environment. In such environment global catalog server should place at following locations,

1)    A location with more the 100 users
2)    A place that hosting applications which required global catalog server.
3)    A place with unreliable connection
4)    A place with Roaming users
5)    A place with slow log on performance

If it’s not one of above you can place domain controller with universal group membership caching.


Operation master role

In an active directory some of the data only can be written by operation master role servers. As we know there is 5 roles (FSMO). 3 of them remain in domain level and those are call as flexible single master operations (FSMO) roles.
1.    Primary Domain Controller (PDC) Emulator – This role responsible for password updates
2.    Relative ID (RID) Operation Master – this role maintains the global RID pool and allocates local RID to other DC
3.    Infrastructure Operation Master – It is responsible for maintain list of security principles from other domains that have membership of local domain


Forest level roles

1.    Schema Operations Master – This is responsible for schema changes
2.    Domain naming operation master – This responsible for changes in directory partition such as adding and removing domains from the forest

When you place operation master roles need to consider following,
•    PDC and RID responsibilities should place in sites with reliable network connectivity
•    Operation master role automatically will assign to first domain controller, but if need we can change it
•    PDC should place nearest the largest number of users.
•    Infrastructure master role should not place in same server as global catalog server. This role is important only in multi-domain forest.

If you have any question about post feel free to contact me on rebeladm@live.com

Step-by-Step Guide for upgrading SYSVOL replication to DFSR (Distributed File System Replication)

SYSVOL is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD. All the domain controllers in network will replicate the content of SYSVOL folder. The default path for SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can define when you install the active directory.

Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows server 2008 and later uses Distributed File System (DFS) for the replication.  DFS is more efficient than FRS. Since windows server 2003 is going out of support, most people already done or still looking for migrate in to latest versions. However migrating FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFS. Most of the engineers forget about this step when they migrate from windows 2003 to new versions.

For FRS to DFS migration we uses the Dfsrmig.exe utility. More info about it available on https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx

For the demo I am using windows server 2012 R2 server and I migrated FSMO roles already from a windows server 2003 R2 server.

In order to proceed with the migration forest function level must set to windows server 2008 or later. So if your organization not done this yet first step is to get the forest and domain function level updated.

You can verify if the system uses the FRS using dfsrmig /getglobalstate , To do this

1)    Log in to domain controller as Domain admin or Enterprise Admin
2)    Launch powershell console and type dfsrmig /getglobalstate. Output explains it’s not initiated DFRS migration yet.

dfrs1

Before move in to the configurations we need to look into stages of the migration.

There are four stable states going along with the four migration phases.

1)    State 0 – Start
2)    State 1 – Prepared
3)    State 2 – Redirected
4)    State 3 – Eliminated

State 0 – Start

With initiating this state, FRS will replicate SYSVOL folder among the domain controllers. It is important to have up to date copy of SYSVOL before begins the migration process to avoid any conflicts.

State 1 – Prepared

In this state while FRS continues replicating SYSVOL folder, DFSR will replicate a copy of SYSVOL folder. It will be located in %SystemRoot%\SYSVOL_DFRS by default. But this SYSVOL will not response for any other domain controller service requests.

State 2 – Redirected

In this state the DFSR copy of SYSVOL starts to response for SYSVOL service requests. FRS will continue the replication of its own SYSVOL copy but will not involve with production SYSVOL replication.

State 3 – Eliminated

In this state, DFS Replication will continue its replication and servicing SYSVOL requests. Windows will delete original SYSVOL folder users by FRS replication and stop the FRS replication.

In order to migrate from FRS to DFSR its must to go from State 1 to State 3.

Let’s look in to the migration steps.

Prepared State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 1 and press enter

dfrs2

4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state

dfrs3

Redirected State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 2 and press enter

dfrs4

4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state

dfrs5

Eliminated State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 3 and press enter

dfrs6

4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated state

dfrs7

This completes the migration process and to confirm the SYSVOL share, type net share command and enter.

dfrs8

Also make sure in each domain controller FRS service is stopped and disabled.

dfrs9

If you have any question regarding the post feel free to email me at rebeladm@live.com

Step-by-Step Guide to migrate FSMO roles from windows 2003 server to windows 2012 R2 server

Even its been over decade after windows server 2003 release , It’s no wonder that still organizations using windows server 2003 / windows server 2003 R2 as their domain controllers. Microsoft has announced that windows server 2003 / windows server 2003 R2 supports ends on 2015, July 14th (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). So the day has come to plan out for the upgrades if you still running those versions in infrastructure.

This guide will explain how we can transfer DC FSMO roles from windows server 2003 to windows server 2012 R2 which is latest. In Windows DC environment FSMO roles holds all the information about DC and its necessary to have all this 5 roles working correctly to maintain proper DC environment. The 5 FSMO roles as following,

•    Schema master
•    Domain naming master
•    RID master
•    PDC emulator
•    Infrastructure master

You can find more information about this roles from http://support.microsoft.com/kb/197132

For the demonstration I am using the following setup

Server Name

Operating System

Server Roles

canitpro-dc2k3.canitpro.local

Windows server 2003 SP2 x86

Active Directory FSMO roles, DNS

CANITPRO-DC2K12.canitpro.local

Windows server 2012 R2 x64

Additional Domain Controller, DNS

So in here I already added windows 2012 r2 server to domain and make it additional domain controller. Currently it do not hold any FSMO roles. My plan is to migrate all the FSMO roles in to windows 2012 r2 server.

role1

Note : In before if we adding windows 2008 server to windows 2003 environment, first we need to prepare the forest and domain schema by running adprep \forestprep and adprep \domainprep  from windows 2008 source files \ support \ adprep. But in windows 2012 you do not need to worry about it when adding 2012 as additional domain controller. When you run the dcpromo it will automatically update it in windows 2003 remotely.

Transfer RID master, PDC emulator, Infrastructure master Roles

As the first step let’s look how we can transfer these 3 roles over to new server.

•    Log in to the windows 2012 R2 server as domain administrator
•    Click on Server Manager > Tools > Active Directory Users and Computers

role2

•    In MMC, right click on the domain name > click on “Operation Masters”

role3

•    In next window it will show the 3 FSMO roles. The default is “PDC”. In there it shows the current PDC holder. Then it is asking if need to change it to new windows 2012 r2 server click on change. There for lets go ahead and click on “Change”

role4

•    Then it’s asking for confirmation. Click yes to continue.

role5

•    Once its confirm as operation completed we can see the window shows the current PDC role holder as new windows 2012 r2 server.

role6

•    Please repeat the same steps to transfer the RID master and Infrastructure master Roles

Transfer domain naming master role

•    Log in to the windows 2012 R2 server as domain administrator.
•    Click on Server Manager > Tools > Active Directory Domains and Trusts.

role8

•    In MMC right click on Active Directory Domains and Trusts > click on Operation Master.

role9

•    In here it shows the current domain naming master role holder (canitpro-dc2k3.canitpro.local) and its asking if we need to move it to windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local). Click on change to move the role over.

role10

•    Then it’s asking for confirmation and click yes to continue.

role11

•    Once its confirm about task completion we can see current domain naming master is windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local).

role12

Transfer schema master role

•    Log in to the windows 2012 R2 server as domain administrator.
•    Open “Run” window in server (Windows key + R) and type regsvr32 schmmgmt.dll and press enter.

role13

•    It will give the confirmation message and click on ok to continue.

role14

•    Then again open “Run” window and type mmc and click ok

role15

•    Then in mmc window click on File > Add-Remove snap-in

role16

•    Then from snap in select “Active Directory Schema” and click on “Add” button

role17

•    Then click on Ok button to continue

role18

•    Then right click on “Active Directory Schema” and click on “Change Active Directory Domain Controller”

role19

•    In Next window select the windows server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local) and click ok.

role20

•    It will give information message and click ok to continue. 

role21

•    Then right click on “Active Directory Schema” and click on “Operation Master”

role22

•    In here it shows the current schema master role holder (canitpro-dc2k3.canitpro.local) and its asking if we need to move it to windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local). Click on change to move the role over.

role23

•    Then it’s asking for confirmation and click yes to continue.

role24

•    Once it’s confirm about task completion we can see current schema master is windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local).

role25

Now we successfully move all 5 fsmo roles over to new windows server 2012 R2. To confirm it open command prompt in new server and type command netdom query fsmo and press enter.

role26

Yipeeee!!! Its shows as all fsmo roles moved successfully.

It will take some time to move all the data over. After that it’s safe to demote the DC role from the windows 2003 server.
Once its demote 2003 DC make sure you raise the forest functional level and domain functional level in to windows server 2012 R2 to experience new changes.
If you have any questions regarding the post feel free to contact me on rebeladm@live.com