Windows server 2012 uses ntdsutil tools to realize AD role transfer and delete domain control methods

2025-01-27 update. Source: SLTechnology News&Howtos (Shulou), Servers section. Shulou (Shulou.com) report, 06/02.

This post describes how to move the FSMO operations master roles between Windows Server 2012 domain controllers and how to remove a domain controller from the domain. The procedures are grouped by scenario. Note that since Windows 2000 there is no "primary" domain controller in the NT4 sense; in this post "primary domain controller" means the DC that currently holds the five FSMO roles, and "secondary domain controller" means any other writable DC.

Scenario 1: Both domain controllers are running normally and AD replication between them is healthy. The secondary DC is to take over the FSMO roles and the former role holder is to be demoted to an ordinary member server. This scenario covers two common cases: upgrading the operating system of the original role holder (transfer the roles away, demote, reinstall or upgrade, promote again, then transfer the roles back), and replacing the role holder with a better-specified server (promote the new server as an additional DC, transfer the roles to it, and the old host becomes the secondary DC).

Scenario 2: The secondary DC is running normally, but the role holder has failed suddenly and cannot be brought back. The surviving DC must seize the five FSMO roles (Schema master, Domain naming master, PDC emulator, RID master, Infrastructure master) and be made a Global Catalog, and the metadata the dead DC left behind must be forcibly removed from the directory. This applies when the role holder's operating system or directory database is damaged beyond repair. Because a seized role must never be handed back by the old holder, the original server must not be reconnected to the network as-is: reinstall it and, as recommended here, rejoin it to the domain with a different host name and IP address.

Scenario 1:

Environment: FSMO role holder ds01.bicionline.org, secondary domain controller pdc01.bicionline.org. Both DCs are running normally and replicate with each other.

Purpose: transfer the five FSMO roles (Schema, Domain naming, PDC emulator, RID, Infrastructure) and the Global Catalog function from ds01 to pdc01, then demote ds01 to an ordinary member server.

Solution: transfer the roles through the graphical consoles or the command line, demote ds01 through Server Manager, delete the DNS records of ds01 from every zone on the DNS server, and delete the ds01 server object in "Active Directory Sites and Services".

GUI operation:

Transfer the PDC emulator, RID master and Infrastructure master roles:

Log on to pdc01.bicionline.org, open "Active Directory Users and Computers", connect to pdc01.bicionline.org, right-click "bicionline.org" and choose "Operations Masters". The dialog has one tab per role (RID, PDC, Infrastructure); on each tab click "Change" to move the role to pdc01, as shown below.

Transfer the Schema master role:

On Windows Server 2012 the Active Directory Schema snap-in is not registered by default; run "regsvr32 schmmgmt.dll" first, then view the schema through an MMC console, as shown below.

a. Register the schema snap-in with "regsvr32 schmmgmt.dll" (requires an elevated command prompt).

b. Open an MMC console (mmc.exe) and add the "Active Directory Schema" snap-in.

c. Right-click "Active Directory Schema [pdc01.bicionline.org]" and choose "Operations Master", then click "Change". Schema Admins membership is required.

Transfer the Domain naming master role:

Open "Active Directory Domains and Trusts", connect to pdc01.bicionline.org, right-click the root node and choose "Operations Master" to change the Domain naming master, as shown below. Enterprise Admins membership is required.

Command line operations:

The steps above use the graphical consoles; the same transfer can be done with ntdsutil. Run cmd as administrator and type ntdsutil, then enter the commands below (press Enter after each; text after // is a comment, not part of the command):

Tip: type ? in any ntdsutil menu to list the commands available there with a short description.

ntdsutil
roles                                     // enter FSMO maintenance
connections                               // enter connection mode
connect to server pdc01.bicionline.org    // bind to the DC that will receive the roles
quit                                      // back to FSMO maintenance
transfer naming master                    // make the connected server the Domain naming master
transfer infrastructure master
transfer pdc
transfer rid master
transfer schema master
quit
quit

Each transfer command prompts for confirmation. A transfer updates both the old and the new holder in one operation, so the current holder must be online and replicating. Afterwards, "netdom query fsmo" should list pdc01.bicionline.org for all five roles.
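The same transfer done with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It assumes RSAT-AD-PowerShell is installed on pdc01 and that the account is a member of Schema Admins, Enterprise Admins and Domain Admins (needed for the schema, naming and domain roles respectively); the host names and domain are the post's, the replication pre-check and the rollback record are additions.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to pdc01
# with Move-ADDirectoryServerOperationMasterRole instead of ntdsutil, then verify.
Import-Module ActiveDirectory

$target = 'pdc01'          # DC that will receive the roles (assumption: post's host name)
$domain = 'bicionline.org' # forest root domain (assumption: post's domain)
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Pre-check: a transfer needs both DCs online and replicating, so refuse on known failures.
$failures = Get-ADReplicationFailure -Target $target, 'ds01' -ErrorAction Stop
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime -AutoSize
    throw 'Replication failures present; fix them before transferring roles.'
}

# Record the current holders so the change can be reversed later (Scenario 1 transfers the roles back).
$forest = Get-ADForest -Identity $domain
$dom    = Get-ADDomain -Identity $domain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
} | Format-List

# Transfer (not seize): without -Force the cmdlet performs a graceful transfer that updates
# the old holder and the new holder together.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

# Verify: every role must now be reported by the target DC itself.
$held    = (Get-ADDomainController -Identity $target).OperationMasterRoles
$missing = $roles | Where-Object { $held -notcontains $_ }
if ($missing) { throw "Roles not held by ${target}: $($missing -join ', ')" }
"All five FSMO roles are now held by $target"

# Second opinion from the classic tool; all five lines should name pdc01.bicionline.org.
netdom query fsmo
```

The Infrastructure master should not sit on a Global Catalog server unless every DC in the domain is a GC (in a single-domain forest with two DCs that are both GCs this is harmless); check the final layout before demoting ds01.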

Scenario 2:

Environment: FSMO role holder ds01.bicionline.org, secondary domain controller pdc01.bicionline.org. pdc01 is running normally; ds01 is down and cannot be recovered.

Objective: pdc01 seizes the five FSMO roles (Schema, Domain naming, PDC emulator, RID, Infrastructure), is made a Global Catalog, and the metadata ds01 left in the directory is forcibly removed.

Solution: seize the five roles with ntdsutil, remove the ds01 server object with ntdsutil metadata cleanup, delete the DNS records of ds01 from every zone on the DNS server, and delete the ds01 server object in "Active Directory Sites and Services".

Solution steps:

Seizing the roles with ntdsutil (run cmd as administrator, type ntdsutil, press Enter after each line; text after // is a comment):

Tip: type ? in any ntdsutil menu to list the commands available there with a short description.

ntdsutil
roles                                     // enter FSMO maintenance
connections                               // enter connection mode
connect to server pdc01.bicionline.org    // bind to the surviving DC
quit                                      // back to FSMO maintenance
seize naming master                       // write the Domain naming master role onto the connected server
seize infrastructure master
seize pdc
seize rid master
seize schema master
quit
quit

Each seize command first attempts a normal transfer; only when the current holder cannot be reached does ntdsutil overwrite the role on the connected server (expect a delay while the transfer times out, and confirm the prompt). Seizing the RID master is the most delicate step: the surviving DC must never again see the old holder, otherwise two servers could hand out overlapping RID pools, which is why ds01 must be rebuilt rather than repaired and reconnected.
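The seizure expressed in PowerShell, as an added example that is not part of the original post. Move-ADDirectoryServerOperationMasterRole with -Force behaves like ntdsutil "seize": it tries a transfer first and seizes only if the current holder does not respond. The host names and domain are the post's; the LDAP liveness guard and the RID pool read-out are additions, and the module and group memberships (RSAT-AD-PowerShell, Enterprise Admins and Schema Admins) are assumptions.

```powershell
# Added example (not the post's own commands): seize the five FSMO roles on pdc01 after ds01 is lost.
Import-Module ActiveDirectory

$survivor = 'pdc01'            # surviving DC (assumption: post's host name)
$dead     = 'ds01'             # failed role holder (assumption: post's host name)
$domainDN = 'DC=bicionline,DC=org'
$roles    = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Guard: a seizure is only appropriate when the old holder is really gone. If it still answers
# LDAP, do a normal transfer instead; seizing against a live holder leaves two servers believing
# they own the role, and the old one must then never come back online.
$alive = Test-NetConnection -ComputerName "$dead.bicionline.org" -Port 389 -InformationLevel Quiet `
                            -WarningAction SilentlyContinue
if ($alive) { throw "$dead still answers LDAP on 389; transfer the roles instead of seizing them." }

# -Force = seize. The cmdlet attempts a transfer first and falls back to seizure when that fails.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $roles `
                                          -Force -Confirm:$false

# Verify the roles from the survivor's own point of view.
$held = (Get-ADDomainController -Identity $survivor).OperationMasterRoles
foreach ($r in $roles) {
    if ($held -notcontains $r) { throw "$r is not held by $survivor after the seizure" }
}
"All five FSMO roles are now held by $survivor"

# The new RID master must be able to issue SIDs: read the pool it will hand out from and check
# that the survivor's own RID set still has room (rIDNextRID is the next RID it will use).
$ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$domainDN" -Properties rIDAvailablePool
"Domain RID pool (rIDAvailablePool): $($ridMgr.rIDAvailablePool)"
$ntds   = (Get-ADDomainController -Identity $survivor).NTDSSettingsObjectDN
$ridSet = Get-ADObject -Identity (Get-ADObject -Identity $ntds -Properties rIDSetReferences).rIDSetReferences `
                       -Properties rIDAllocationPool, rIDNextRID
"$survivor RID set: allocation pool $($ridSet.rIDAllocationPool), next RID $($ridSet.rIDNextRID)"
```

If rIDSetReferences is empty or rIDNextRID is close to the top of the allocation pool, create a throw-away object (for example a test user) after the seizure and confirm it receives a SID before users need new accounts; the seized RID master has to request a fresh pool for itself.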

Clean up the residual information (metadata) of the ds01 server:

Run cmd as administrator, type ntdsutil and press Enter, then:

metadata cleanup                 // enter server object cleanup mode
select operation target          // enter operation target selection mode
connections                      // enter connection mode
connect to server pdc01          // bind to the surviving DC
quit                             // back to select operation target
list sites                       // list the sites in the forest
select site 0                    // select the site that contains ds01 (here number 0)
list domains in site             // list the domains that have DCs in the site
select domain 0                  // select the domain (here number 0)
list servers for domain in site  // list the DCs of the selected domain in the selected site
select server 0                  // select the server to delete (ds01; check the name in the listing)
quit                             // back to metadata cleanup
remove selected server           // remove the selected DC's NTDS Settings and server metadata
quit
quit

Read the listings carefully before "select server": the numbers are positions in the list, not fixed identifiers, so pick the entry whose name is ds01 rather than assuming it is 0. The "quit" after "select server" is required; "remove selected server" is a metadata cleanup command, not a select operation target command. ntdsutil asks for confirmation and then deletes the NTDS Settings object, the FRS/DFSR member objects and the computer account of ds01. On Windows Server 2008 and later, deleting the ds01 computer object from the Domain Controllers OU in "Active Directory Users and Computers" (or the server object in "Sites and Services") performs the same metadata cleanup automatically; the ntdsutil sequence is the explicit form.

Then delete the DNS records of ds01 in every zone on the DNS server (A, NS, CNAME under _msdcs and the _ldap/_kerberos/_gc SRV records), delete the ds01 server object in "Active Directory Sites and Services" if metadata cleanup left it behind, and enable the Global Catalog on pdc01 (Sites and Services, NTDS Settings properties, "Global Catalog" check box). GC is a per-DC setting, not a FSMO role, so seizing the five roles does not make pdc01 a GC. These points are easy to overlook; without them clients keep resolving the dead DC and logons that need a GC fail.
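The three post-cleanup steps above as one script, added here as an example that is not part of the original post. It assumes the ActiveDirectory and DnsServer RSAT modules are available on pdc01, that pdc01 hosts the AD-integrated DNS zones, and that ds01's NTDS Settings object has already been removed with the ntdsutil sequence above; the host names and domain are the post's, the search logic and the options-bit handling are additions.

```powershell
# Added example (not from the post): remove what ds01 left in Sites and DNS, then make pdc01 a GC.
Import-Module ActiveDirectory, DnsServer

$dead     = 'ds01'   # removed DC (assumption: post's host name)
$survivor = 'pdc01'  # surviving DC (assumption: post's host name)
$cfgNC    = (Get-ADRootDSE).configurationNamingContext

# 1. Sites and Services: the server object for ds01 and any connection object that still
#    replicates "from" it. fromServer is a DN, which LDAP cannot substring-match, so filter client-side.
$leftovers = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter '(|(objectClass=server)(objectClass=nTDSConnection))' `
                          -Properties fromServer |
             Where-Object { $_.Name -eq $dead -or ($_.fromServer -and $_.fromServer -like "*CN=$dead,*") }
foreach ($o in $leftovers) {
    Write-Warning "Removing leftover object $($o.DistinguishedName)"
    Remove-ADObject -Identity $o.DistinguishedName -Recursive -Confirm:$false
}

# 2. DNS: every record in every hosted zone that still names ds01. Different record types keep the
#    host name in different RecordData properties (A: HostName of the record; SRV: DomainName;
#    CNAME: HostNameAlias; NS: NameServer), so look at each.
$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName | Where-Object {
        $rd = $_.RecordData
        $_.HostName -eq $dead -or
        ($rd.PSObject.Properties['DomainName']    -and $rd.DomainName    -like "$dead.*") -or
        ($rd.PSObject.Properties['HostNameAlias'] -and $rd.HostNameAlias -like "$dead.*") -or
        ($rd.PSObject.Properties['NameServer']    -and $rd.NameServer    -like "$dead.*")
    } | ForEach-Object {
        Write-Warning "Removing DNS $($_.RecordType) record $($_.HostName) from $($zone.ZoneName)"
        Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -InputObject $_ -Force
    }
}

# 3. Global Catalog: bit 0x1 (NTDSDSA_OPT_IS_GC) of the "options" attribute on the survivor's
#    NTDS Settings object. OR it in rather than overwriting, so other option bits survive.
$ntdsDN  = (Get-ADDomainController -Identity $survivor).NTDSSettingsObjectDN
$options = [int](Get-ADObject -Identity $ntdsDN -Properties options).options
Set-ADObject -Identity $ntdsDN -Replace @{ options = ($options -bor 1) }

# 4. Final state: pdc01 should be the only DC, a GC, and hold all five roles.
Get-ADDomainController -Filter * | Format-Table Name, IsGlobalCatalog, OperationMasterRoles -AutoSize
```

"repadmin /options pdc01 +IS_GC" sets the same bit from the command line. GC promotion completes in the background; "repadmin /showrepl" or the Directory Service event log (event 1119, "This domain controller is now a global catalog server") confirms when pdc01 starts answering on port 3268.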

To sum up: prefer a transfer whenever the current role holder is still reachable, and seize only when it is definitively lost. Back up the system state of the surviving DC before either operation, verify replication and the role holders afterwards, and be careful when cleaning up the metadata of the old role holder: once the roles have been seized, that server must be reinstalled and rejoined under a new name rather than reconnected.
