24.2 Transferring and Seizing FSMO Roles

The domain controller holding the PDC Emulator role has the writable copy of SYSVOL, while all other domain controllers host a read-only copy of SYSVOL. Therefore, any update to a group policy must be made through the PDC Emulator.

In the event of a hardware or software failure in the domain, it is important to transfer or seize the PDC Emulator role to ensure that the DSfW services remain fully functional.

The PDC Emulator role can be transferred or seized using the following methods:

IMPORTANT: If you did not select the Replicate schema and configuration Partitions option during installation of the additional domain controller, the configuration and schema partitions will not be available on the newly designated first domain controller. We strongly recommend that you replicate the schema and configuration partitions to the new first domain controller using iManager. For more information, see Administering Replicas in the NetIQ eDirectory Administration Guide.

24.2.1 To Transfer the PDC Emulator Role from the First Domain Controller to an Additional Domain Controller

In this scenario, the machine functioning as the first domain controller is functional, but you want to transfer the PDC Emulator role from the first domain controller to another domain controller for load-balancing purposes.

From the machine that will hold the new PDC Emulator role, execute the following steps:

  1. Transfer all the FSMO roles using the MMC utility. For details, see How to View and Transfer FSMO Roles.

  2. Get the domain administrator's Kerberos ticket by executing the following command:

    /opt/novell/xad/bin/kinit Administrator@_DOMAIN NAME_

  3. Update the Samba configuration, the MSDFS links, and the DNS SRV record for the first domain controller by running the following script:

    /opt/novell/xad/share/dcinit/UpdatePDCMaster.pl

24.2.2 To Seize the PDC Emulator Role from the First Domain Controller to Another Domain Controller (DNS is Functional)

In this scenario, the directory services on the first domain controller have gone down but the DNS service is up. Because the directory services are not functional, the FSMO roles must be forcibly seized and transferred to another domain controller using the following procedure:

  1. From a Windows workstation joined to the domain, seize all the FSMO roles using the ntdsutil utility. For more information on how to seize FSMO roles using ntdsutil, see Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.

  2. From the machine that will serve as the new domain controller, get the domain administrator's Kerberos ticket by executing the following command:

    /opt/novell/xad/bin/kinit Administrator@_DOMAIN NAME_

  3. Update the Samba configuration, the MSDFS links, and the DNS SRV record for the first domain controller by running the following script:

    /opt/novell/xad/share/dcinit/UpdatePDCMaster.pl

24.2.3 To Seize the PDC Emulator Role from the First Domain Controller to Another Domain Controller (DNS is Not Functional)

In this scenario, neither the directory service nor the DNS service is functional. To recover, the DNS service must be migrated to the new domain controller, and the FSMO roles must also be forcibly seized and transferred to another domain controller using the following procedure:

  1. From a Windows workstation joined to the domain, seize all the FSMO roles using the ntdsutil utility. For more information on how to seize FSMO roles using ntdsutil, see Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.

  2. Migrate DNS from the first domain controller to another domain controller by using the procedure in Migrating DNS to Another Domain Controller. If the machine that will serve as the new domain controller is already configured as a DNS server, you need not migrate DNS to it. However, if you do not migrate DNS to the new domain controller, you must ensure that the new domain controller has been configured as a designated primary DNS server.

  3. Get the domain administrator's Kerberos ticket by executing the following command:

    /opt/novell/xad/bin/kinit Administrator@_DOMAIN NAME_

  4. Update the Samba configuration, the MSDFS links, and the DNS SRV record for the first domain controller by running the following script:

    /opt/novell/xad/share/dcinit/UpdatePDCMaster.pl
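The Linux-side steps are the same in sections 24.2.1, 24.2.2 and 24.2.3: obtain the Administrator Kerberos ticket, run UpdatePDCMaster.pl, and then confirm that the domain's PDC SRV record names the new domain controller. The following script, added here as an example and not taken from the DSfW guide, wraps those steps with a post-check. The kinit and UpdatePDCMaster.pl paths are the ones the guide gives; that the Kerberos realm is the DNS domain name in upper case, that the PDC is published under the standard Active Directory record _ldap._tcp.pdc._msdcs.<domain>, and that dig is available on the machine are assumptions.

```shell
#!/bin/sh
# Added example, not part of the DSfW guide: runs the Linux-side PDC Emulator
# transfer steps from sections 24.2.1-24.2.3 and verifies the resulting SRV record.
set -eu

KINIT=/opt/novell/xad/bin/kinit                           # path from the guide
UPDATE_PDC=/opt/novell/xad/share/dcinit/UpdatePDCMaster.pl # path from the guide

# Administrator principal for a domain. Assumption: the Kerberos realm is the
# DNS domain name in upper case (example.com -> Administrator@EXAMPLE.COM).
admin_principal() {
    printf 'Administrator@%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# SRV record clients query to locate the PDC Emulator (standard AD naming).
pdc_srv_name() {
    printf '_ldap._tcp.pdc._msdcs.%s\n' "$1"
}

# Returns 0 when one of the SRV answers (as printed by "dig +short", i.e.
# "priority weight port target.") names the expected host, 1 otherwise.
# Takes the answer text as an argument so it can be checked offline.
srv_points_to() {
    answer=$1; want="$2."
    printf '%s\n' "$answer" | awk -v want="$want" '$4 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Full procedure: ticket, update script, then verify the SRV record.
transfer_pdc() {
    domain=$1; newdc=$2
    "$KINIT" "$(admin_principal "$domain")"   # prompts for the Administrator password
    "$UPDATE_PDC"                             # updates Samba config, MSDFS links, SRV record
    answer=$(dig +short SRV "$(pdc_srv_name "$domain")")
    if srv_points_to "$answer" "$newdc"; then
        echo "PDC Emulator SRV record now names $newdc"
    else
        echo "SRV record does not yet name $newdc: $answer" >&2
        return 1
    fi
}

# Usage: sh transfer-pdc.sh run example.com dc2.example.com
if [ "${1:-}" = "run" ]; then
    transfer_pdc "$2" "$3"
fi
```

Run it on the machine that is to become the PDC Emulator, after the Windows-side MMC transfer or ntdsutil seizure has been done. A non-zero exit from the final check means the SRV record has not been updated (or DNS has not yet propagated), which is exactly the state in which clients would still look for the old PDC.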

24.2.4 Transferring the ADPH Master Role to Other Domain Controllers

You can transfer the RID master role by using the following methods:

Using MMC

  1. Open Active Directory Users and Computers.

  2. Right-click Active Directory Users and Computers, then click Connect to Domain Controller.

  3. In the Enter the name of another domain controller text field, specify the name of the domain controller to which you want to assign the RID master role.

    or

    Select the domain controller from the Domain Controllers drop down list.

  4. Right-click Active Directory Users and Computers, then click Operations Masters.

  5. Click the RID tab, then select Change. This transfers the RID master role to the selected domain controller.

Using LDIF File

The FSMO roles are exposed on the RootDSE, and the becomeRidMaster operational attribute is used to transfer the RID master role. The appropriate operational attribute is written to the RootDSE of the domain controller that is to receive the role; the previous role owner is then demoted from the role and the new domain controller is automatically promoted to it.

The LDIF file looks like this:

# empty dn targets the RootDSE of the domain controller the request is sent to
dn:
changetype: modify
add: becomeRidMaster
becomeRidMaster: 1
-
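Because the modify is addressed to an empty dn, the domain controller that receives the role is chosen purely by which server the LDAP client connects to. The following script, added as an example and not taken from the DSfW guide, generates that LDIF for any of the five FSMO roles (the RID master shown above plus the PDC Emulator, schema master, domain naming master and infrastructure master, via the standard Active Directory become* attributes) and applies it with OpenLDAP's ldapmodify using the Administrator Kerberos ticket. The ldapmodify invocation and the availability of a GSSAPI bind are assumptions about the environment.

```shell
#!/bin/sh
# Added example, not part of the DSfW guide: build the RootDSE modify LDIF
# for an FSMO role and apply it on the domain controller that should receive it.
set -eu

# Maps a short role name to its RootDSE operational attribute (standard AD names).
fsmo_attribute() {
    case "$1" in
        rid)            echo becomeRidMaster ;;
        pdc)            echo becomePdc ;;
        schema)         echo becomeSchemaMaster ;;
        naming)         echo becomeDomainMaster ;;
        infrastructure) echo becomeInfrastructureMaster ;;
        *) echo "unknown FSMO role: $1" >&2; return 1 ;;
    esac
}

# Emits the LDIF. The empty dn addresses the RootDSE of whichever server the
# request is sent to, so the target DC is selected by the connection, not the LDIF.
fsmo_ldif() {
    attr=$(fsmo_attribute "$1") || return 1
    printf 'dn:\nchangetype: modify\nadd: %s\n%s: 1\n-\n' "$attr" "$attr"
}

# Sends the LDIF to the new role owner. Assumption: OpenLDAP ldapmodify with
# GSSAPI, authenticated by the Administrator ticket from kinit (section 24.2.1, step 2).
transfer_role() {
    role=$1; newdc=$2
    fsmo_ldif "$role" | ldapmodify -H "ldap://$newdc" -Y GSSAPI
}

# Usage: sh fsmo-transfer.sh run rid dc2.example.com
if [ "${1:-}" = "run" ]; then
    transfer_role "$2" "$3"
fi
```

The server only honours the request if it can reach the current role owner and confirm the transfer, so a failure from ldapmodify here usually means the old owner is down, in which case the seizure procedures in 24.2.2 and 24.2.3 apply rather than a transfer.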