4.5 Moving Operation Master Roles
Active Directory uses a multimaster replication model: every domain controller holds a writable copy of the directory, and any domain controller can service directory requests. There are, however, a few exceptions, in which a particular piece of functionality must be owned by exactly one domain controller at a time. These exceptions are known as Operation Master (OM) roles, also called Flexible Single Master Operations (FSMO) roles. There are five OM roles. Two are forestwide, held by a single domain controller in the entire forest:
Schema Master
Domain Naming Master
The other three are domainwide, held by one domain controller in each domain:
RID Master
PDC Emulator
Infrastructure Master
If the server or servers that hold the OM roles are not upgraded in place to Windows Server 2003 but will instead be retired, these OM roles must be moved to another server first. The best tool for this type of move is the ntdsutil command-line utility. Follow these steps using ntdsutil to move all OM roles to a single Windows Server 2003 domain controller:
1. Open a command prompt (choose Start, Run, type cmd, and press Enter).
2. Type ntdsutil and press Enter.
3. Type roles and press Enter. The prompt changes to fsmo maintenance:.
4. Type connections and press Enter.
5. Type connect to server <Servername>, where <Servername> is the name of the target Windows Server 2003 domain controller that will hold the OM roles, and press Enter.
6. Type quit and press Enter to return to the fsmo maintenance: prompt.
7. Type transfer schema master, as shown in Figure 5, and press Enter.
8. Click Yes in the Role Transfer Confirmation dialog box.
9. Type transfer domain naming master and press Enter.
10. Click Yes in the Role Transfer Confirmation dialog box.
11. Type transfer pdc and press Enter.
12. Click Yes in the Role Transfer Confirmation dialog box.
13. Type transfer rid master and press Enter.
14. Click Yes in the Role Transfer Confirmation dialog box.
15. Type transfer infrastructure master and press Enter.
16. Click Yes in the Role Transfer Confirmation dialog box.
17. Type quit twice to leave ntdsutil, and then type exit to close the command prompt window.
A transfer requires the current role holder to be online and reachable, and the account you use must be a member of Schema Admins to transfer the Schema Master, Enterprise Admins to transfer the Domain Naming Master, and Domain Admins for the three domainwide roles. If a role holder has already failed and cannot be brought back, use seize <role> in place of transfer <role> in the same menu, and never return the old holder to the network afterwards, because it still believes it owns the role. Note also that the Infrastructure Master should not run on a global catalog server unless every domain controller in the domain is a global catalog, so consolidating all five roles on one server is appropriate only when that condition holds. After the transfers, confirm the result with netdom query fsmo from the Windows Server 2003 Support Tools.
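As an added verification step (this is example code, not part of the original text or of the ntdsutil procedure above), the following PowerShell reads the five fSMORoleOwner attributes straight from the directory through ADSI/LDAP and checks that every role now sits on the intended server. It assumes only that a domain controller for the current domain is reachable and that the account can read the Configuration and domain partitions, which any authenticated user can; no RSAT module is required. The expected server name DC2003 in the usage lines is a placeholder.

```powershell
# Added example: enumerate Operation Master (FSMO) role holders via LDAP and
# verify they match the server the ntdsutil transfers targeted. Not code from
# the original text. Server name in the usage lines is an assumed placeholder.

function Get-OperationMasterHolder {
    # RootDSE publishes the naming context DNs needed to locate each role object.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value
    $domainNc = $rootDse.defaultNamingContext.Value

    # Each role is recorded as the fSMORoleOwner attribute of one well-known
    # object. The first two live in the Configuration partition (forestwide);
    # the other three live in the domain partition (one holder per domain).
    $roles = @(
        @{ Name = 'Schema Master';         Path = $schemaNc },
        @{ Name = 'Domain Naming Master';  Path = "CN=Partitions,$configNc" },
        @{ Name = 'PDC Emulator';          Path = $domainNc },
        @{ Name = 'RID Master';            Path = "CN=RID Manager`$,$domainNc" },
        @{ Name = 'Infrastructure Master'; Path = "CN=Infrastructure,$domainNc" }
    )

    foreach ($role in $roles) {
        $entry   = [ADSI]"LDAP://$($role.Path)"
        $ownerDn = [string]$entry.fSMORoleOwner
        # The value is the DN of the holder's NTDS Settings object, for example
        #   CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com
        # so the second RDN is the server name. If the holder's NTDS Settings
        # object has been deleted, the DN carries a "\0ADEL:<guid>" tombstone
        # marker: the role is orphaned and must be seized, not transferred.
        $orphaned = $ownerDn -match '0ADEL:'
        $holder   = '<deleted>'
        if ($ownerDn -and -not $orphaned) {
            $rdns   = $ownerDn -split '(?<!\\),'
            $holder = $rdns[1] -replace '^CN=', ''
        }
        New-Object PSObject -Property @{
            Role     = $role.Name
            Holder   = $holder
            Orphaned = $orphaned
            OwnerDn  = $ownerDn
        }
    }
}

function Test-OperationMasterTarget {
    # Returns $true only if all five roles are held by $ExpectedServer and
    # none is orphaned; otherwise warns about each misplaced role.
    param([Parameter(Mandatory = $true)][string]$ExpectedServer)
    $misplaced = @(Get-OperationMasterHolder |
        Where-Object { $_.Orphaned -or $_.Holder -ne $ExpectedServer })
    foreach ($m in $misplaced) {
        Write-Warning ("{0} is held by '{1}' (orphaned: {2})" -f $m.Role, $m.Holder, $m.Orphaned)
    }
    return ($misplaced.Count -eq 0)
}

# Usage (DC2003 is a placeholder for the target domain controller):
Get-OperationMasterHolder | Format-Table Role, Holder, Orphaned -AutoSize
if (Test-OperationMasterTarget -ExpectedServer 'DC2003') { 'All five roles are on DC2003.' }
```

Because the script reads the attributes the directory itself uses to record ownership, it gives the same answer as netdom query fsmo, and the Orphaned column catches the case the transfer steps cannot handle: a role whose holder has already been removed from the directory, which must be seized rather than transferred.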
4.6 Retiring Existing Windows 2000 Domain Controllers
After the entire Windows 2000 domain controller infrastructure has been replaced by Windows Server 2003 equivalents and the OM roles have been migrated, the process of demoting and removing all down-level domain controllers can begin. The most straightforward and thorough way of removing a domain controller is to demote it with the dcpromo utility, per the standard Windows 2000 demotion process; demotion also removes the server's NTDS Settings object from the directory, so no manual cleanup is needed afterwards. Before you run dcpromo, confirm that replication from the server has converged, that no clients or DHCP scopes still point to it for DNS, and that it is not the last global catalog server in its site. After you run the dcpromo command, the domain controller becomes a member server in the domain and can safely be disconnected from the network.
4.7 Retiring “Ghost” Windows 2000 Domain Controllers
It is not unusual for a domain controller to have left the forest without first being demoted, because of a server failure or a lapse in the administrative process. Such a “ghost” domain controller still has a server object and an NTDS Settings object in the directory, and you must remove them before completing the upgrade to Windows Server 2003. Simply deleting the server object from Active Directory Sites and Services does not work while the NTDS Settings object is still present. Instead, use a low-level directory tool, ADSIEdit, to remove it. Before you do, make sure the ghost does not still own any Operation Master role; if it does, seize the role (seize <role> in the ntdsutil roles menu) onto a live domain controller first, and never reconnect the old server to the network afterwards. The following steps outline how to use ADSIEdit to remove a ghost domain controller:
1. Install ADSIEdit from the Windows Server 2003 Support Tools (\SUPPORT\TOOLS\SUPTOOLS.MSI on the CD) and open it.
2. Navigate to Configuration\CN=Configuration\CN=Sites\CN=<Sitename>\CN=Servers\CN=<Servername>, where <Sitename> and <Servername> correspond to the location of the ghost domain controller.
3. Right-click CN=NTDS Settings, and click Delete, as shown in Figure 6.
4. At the prompt, click Yes to delete the object.
5. Close ADSIEdit.
At this point, after the NTDS Settings object is deleted, the server object can be deleted normally from the Active Directory Sites and Services snap-in. The supported alternative to ADSIEdit is the metadata cleanup menu of ntdsutil (remove selected server), which deletes the same NTDS Settings object and is the method documented for cleaning up after an unsuccessful demotion. Whichever tool you use, also delete the old computer account from the Domain Controllers OU and any DNS records that still point at the retired server.
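Before and after the ADSIEdit deletion above, it helps to see the state of every server object under CN=Sites. The following PowerShell, an added example that is not part of the original text, lists for each server whether an NTDS Settings object is still present, whether the computer account it references still exists, and whether any Operation Master role still points at its NTDS Settings object (the case in which you must seize the role before deleting). It assumes read access to the Configuration and domain partitions and a reachable domain controller; the site name Default-First-Site-Name and server name OLDDC01 in the usage lines are placeholders.

```powershell
# Added example: inventory server objects under CN=Sites to find ghost domain
# controllers safely. Not code from the original text. Site and server names in
# the usage lines are assumed placeholders.

function Get-SiteServerInventory {
    param([string]$SiteName)   # optional: restrict the listing to one site

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $domainNc = $rootDse.defaultNamingContext.Value

    # Collect every NTDS Settings DN currently named as an fSMORoleOwner. The
    # schema and partitions objects sit under the Configuration NC and the three
    # domain role objects under the domain NC, so two subtree searches cover all five.
    $roleOwnerDns = @()
    foreach ($nc in @($configNc, $domainNc)) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://$nc", '(fSMORoleOwner=*)', [string[]]@('fSMORoleOwner'))
        $searcher.SearchScope = 'Subtree'
        foreach ($result in $searcher.FindAll()) {
            $roleOwnerDns += [string]$result.Properties['fsmoroleowner'][0]
        }
    }

    $sitesContainer = [ADSI]"LDAP://CN=Sites,$configNc"
    foreach ($site in $sitesContainer.Children) {
        if ($site.SchemaClassName -ne 'site') { continue }
        $siteCn = [string]$site.cn
        if ($SiteName -and $siteCn -ne $SiteName) { continue }

        $servers = [ADSI]"LDAP://CN=Servers,CN=$siteCn,CN=Sites,$configNc"
        foreach ($server in $servers.Children) {
            if ($server.SchemaClassName -ne 'server') { continue }
            $serverCn = [string]$server.cn
            $ntdsDn   = "CN=NTDS Settings,CN=$serverCn,CN=Servers,CN=$siteCn,CN=Sites,$configNc"
            $hasNtds  = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ntdsDn")

            # serverReference points at the DC's computer account. A ghost often
            # still has one, so a missing account is a hint, not proof.
            $computerDn     = [string]$server.serverReference
            $computerExists = $false
            if ($computerDn) {
                $computerExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$computerDn")
            }

            New-Object PSObject -Property @{
                Site            = $siteCn
                Server          = $serverCn
                HasNtdsSettings = $hasNtds
                ComputerExists  = $computerExists
                HoldsRoles      = ($roleOwnerDns -contains $ntdsDn)
            }
        }
    }
}

# Usage (placeholders): list everything, then check the suspected ghost.
Get-SiteServerInventory |
    Format-Table Site, Server, HasNtdsSettings, ComputerExists, HoldsRoles -AutoSize
$ghost = Get-SiteServerInventory -SiteName 'Default-First-Site-Name' |
    Where-Object { $_.Server -eq 'OLDDC01' }
if ($ghost -and $ghost.HoldsRoles) {
    Write-Warning 'OLDDC01 still owns an Operation Master role: seize it before deleting its NTDS Settings object.'
}
```

A server with HasNtdsSettings set to True that you know to be dead is the ghost the section describes; once its NTDS Settings object has been deleted, rerunning the inventory should show False for that server, and the server object can then be removed from Sites and Services. HoldsRoles set to True on a dead server is the one condition under which deleting the NTDS Settings object would orphan a role, so seize first.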