Transferring FSMO Roles - Any Important prerequisites
-
Friday, April 06, 2012 4:24 AM
Hello,
I'm planning to transfer all FSMO roles from a Windows 2008 32-Bit Server Domain Controller to another Windows 2008 32-Bit Domain controller. The reason for this transfer is the 1st DC has many roles: VPN, DHCP, DNS, File Server, Print Server. Is there anything I should be aware of, or will the transfer be straightforward with no issues? I just want to make sure I don't have to do something first.
Thanks,
All Replies
-
Friday, April 06, 2012 4:45 AM
You can go ahead and transfer the FSMO roles.
Make sure the DC you are transferring to has good connectivity.
Also refer to the links below, which explain the best practices of FSMO role placement.
http://erichagstrom.com/node/50
Read the "Proper Placement of FSMO roles" section from the link below.
http://www.windowsnetworking.com/articles_tutorials/managing-active-directory-fsmo-roles.html
The above links will give you a fair idea of the things that need to be considered while placing the FSMO roles.
You can use the NTDSUTIL command line to transfer the FSMO roles.
Refer to the link below, which explains the procedure.
http://support.microsoft.com/kb/255504
Once you have transferred the role you will have to configure the Time service on the domain controller holding the PDC emulator and make your old domain controller follow your new PDC time service.
Here is the link which explains how to configure time service on New domain controller
Global Catalog VS IM
Short and sweet rule of thumb:
No matter what forest structure is, the following rules apply for EACH domain in the forest
(1) If all DCs in a domain are GC, there is no other choice where to put the Infrastructure Master FSMO. So no issue here!
(2) If at least one or more other DCs in a domain (besides the Infrastructure Master FSMO itself) are not a GC, then the Infrastructure Master FSMO should NOT be on a GC. (If the Infrastructure Master FSMO is the ONLY DC within the domain that is not a GC, make it a GC as there is no other DC that is not a GC!)
Hope this helps.
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Proposed As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Tuesday, April 10, 2012 1:08 AM
- Marked As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Wednesday, April 11, 2012 2:04 AM
-
Friday, April 06, 2012 4:48 AM Moderator
The thing that needs to be taken care of is that, while transferring a FSMO role, the DC holding that role should be online. Also, once you transfer the PDC role you need to transfer the time server role too. The DC holding the PDC role should also be the time server for the domain. The port required for time is UDP 123; make sure it's allowed on the firewall.
Transfer FSMO role http://www.petri.co.il/transferring_fsmo_roles.htm
Windows Time Server Role in AD Forest/Domain http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Wednesday, April 11, 2012 2:04 AM
-
Friday, April 06, 2012 5:01 AM
Hi,
Check the health of Active Directory using DCDIAG and if everything is fine you can transfer the roles to another domain controller: http://support.microsoft.com/kb/255504
Also you need to configure the new PDC role owner as an authoritative time server: http://abhijitw.wordpress.com/2011/10/08/time-server-configuration-to-sync-pdc-emulator-to-an-external-time-source/
One suggestion: a MULTIHOMED domain controller is not recommended, it always results in multiple problems.
- Being a VPN Server and even simply running RRAS makes it multi-homed.
- Domain Controllers with the PDC Role are automatically Domain Master Browser and Master Browsers should not be multi-homed
Active Directory Communication Fails on Multihomed Domain Controllers: http://support.microsoft.com/default.aspx?scid=kb;en-us;272294
Symptoms of Multihomed Browsers : http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Edited by Abhijit WaikarMicrosoft Community Contributor Friday, April 06, 2012 5:01 AM
- Edited by Abhijit WaikarMicrosoft Community Contributor Friday, April 06, 2012 5:02 AM
- Edited by Abhijit WaikarMicrosoft Community Contributor Friday, April 06, 2012 5:31 AM
- Marked As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Wednesday, April 11, 2012 2:04 AM
-
Friday, April 06, 2012 7:17 AM
Hello,
I would not recommend installing roles other than DNS and DHCP on a DC for performance and security reasons.
For FSMO roles, you can transfer FSMO roles to the other DC with no problems: http://support.microsoft.com/kb/324801
I would recommend that the FSMO holder will be the one with higher OS for performance reasons.
See this article about the best practices for assigning FSMO roles: http://windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Marked As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Wednesday, April 11, 2012 2:04 AM
-
Friday, April 06, 2012 9:58 AM
You have configured the VPN role on the Domain Controller; it is not recommended. I would recommend moving the VPN, File server, DHCP, Print server roles from the DC to a member server.
-->>MULTIHOMING Domain controllers is not recommended, it always results in multiple problems.
------------------------------------
1. Domain Controllers should not be multi-homed
2. Being a VPN Server and even simply running RRAS makes it multi-homed.
3. DNS even just all by itself, is better on a single homed machine.
4. Domain Controllers with the PDC Role are automatically Domain Master Browser. Master Browsers should not be multi-homed
272294 - Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294
Regarding the FSMO role placement, you can transfer the roles to the other DC as long as there is no replication issue between the DCs. You can split the roles across two DCs as well. However, ensure that the PDC role holder server is configured as an authoritative time server.
http://support.microsoft.com/kb/816042
To configure an NTP client: http://www.ehow.com/how_5981545_configure-windows-ntp-client.html
Please also make sure that UDP port 123 in the direction of the chosen NTP server is not blocked.
For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184
Best Practices for Assigning FSMO Roles
http://support.microsoft.com/kb/223346
http://windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
DC (2008/2003) capacity and placement of FSMO roles
http://int.social.technet.microsoft.com/Forums/da-DK/winserverDS/thread/f6012478-5d0a-4747-ab26-ffdcff0b9e17
Transfer FSMO Roles
http://www.petri.co.il/transferring_fsmo_roles.htm
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Marked As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Wednesday, April 11, 2012 2:05 AM
-
Friday, April 06, 2012 10:41 AM
Hello,
there is no problem with transferring the FSMO roles, ONLY the time service must be reconfigured for this on the old/new PDCEmulator:
http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx
Please be aware that a DC should NOT be used as an RRAS server; this results in multihoming and problems in the domain if NOT configured correctly. Details in http://support.microsoft.com/kb/157025 and http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
If possible, move the DHCP and File/Print server roles to a member server in the domain. With lots of printer queues on a DC you may degrade performance on it and logons may be slower than expected.
For DHCP additional configuration has to be done when configured on a DC, also described in http://technet.microsoft.com/en-us/library/cc753014.aspx and http://technet.microsoft.com/en-us/library/cc771732.aspx
Also discussed in: http://social.technet.microsoft.com/Forums/eu/winserverNIS/thread/2057eeed-7fe4-46c0-bff8-3f62ea68b56d
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Edited by Meinolf WeberMVP Friday, April 06, 2012 10:42 AM
- Marked As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Wednesday, April 11, 2012 2:04 AM
-
Friday, April 06, 2012 1:39 PM
Does transferring the roles require a reboot, and will any users in the domain notice anything?
-
Friday, April 06, 2012 1:41 PM Moderator
Does transferring the roles require a reboot, and will any users in the domain notice anything?
Nope, but yes you should be doing it in non business hours.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Friday, April 06, 2012 2:34 PM
You don’t need to restart the DC after you transfer FSMO roles. The users will not experience any issue. If possible, try it in non-business hours. After the transfer, you can verify the FSMO roles using the following command:
Netdom Query FSMO
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
-
Friday, April 06, 2012 5:26 PM
Does transferring the roles require a reboot, and will any users in the domain notice anything?
Hello,
no, this is without any user effect.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Saturday, April 07, 2012 2:45 PM
Take more care of the DCs while transferring the FSMO roles.
1) Your server should not be offline at the time of transferring.
2) Network connectivity is required.
Refer the below given link.
Ajay sharma
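
An added example, not written by any poster in this thread, that scripts the checks the answers above describe: DCDIAG and replication before the transfer, Netdom Query FSMO afterwards, and the time-service change on the old and new PDC emulator. The DC names and NTP peers are placeholders, and the parser assumes netdom's two-column "role, holder" output.

```powershell
# Added example: wraps the built-in tools named in the thread.
# DC names (FQDNs) and NTP peers are placeholders (assumptions); run elevated.
param(
    [ValidateSet('Pre','Post')][string]$Phase = 'Pre',
    [string]$OldDc    = 'DC01.example.local',
    [string]$NewDc    = 'DC02.example.local',
    [string]$NtpPeers = 'ntp1.example.net ntp2.example.net'
)

function Get-FsmoHolder {
    # Assumes netdom prints "<role name>   <holder FQDN>", columns
    # separated by two or more spaces; other lines are ignored.
    $holders = @{}
    foreach ($line in (netdom query fsmo)) {
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<dc>\S+)\s*$') {
            $holders[$Matches['role']] = $Matches['dc']
        }
    }
    $holders
}

if ($Phase -eq 'Pre') {
    # dcdiag /q prints only errors, so any output means "do not transfer yet".
    foreach ($dc in $OldDc, $NewDc) {
        $findings = dcdiag /s:$dc /q
        if ($findings) { $findings; throw "dcdiag reported errors on $dc" }
    }
    repadmin /replsummary    # review for failed replication links
    Get-FsmoHolder           # record the current holders
}
else {
    # Every role should now list $NewDc (all roles are being moved here).
    $holders = Get-FsmoHolder
    $stale = @($holders.GetEnumerator() | Where-Object { $_.Value -ne $NewDc })
    if ($stale.Count -gt 0) { $stale; throw 'Some roles are not on the new DC' }

    # New PDC emulator: authoritative source (outbound UDP 123 must be open).
    w32tm /config /computer:$NewDc "/manualpeerlist:$NtpPeers" `
          /syncfromflags:manual /reliable:yes /update
    # Old PDC emulator: back to the domain hierarchy (NT5DS).
    w32tm /config /computer:$OldDc /syncfromflags:domhier /reliable:no /update
    w32tm /resync /computer:$OldDc /rediscover
    w32tm /query /computer:$NewDc /source
}
```

Run it with `-Phase Pre` before the NTDSUTIL transfer and `-Phase Post` afterwards; the transfer itself is left to the KB procedure linked in the answers.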

