To transfer the RID master role to another server, follow these steps:
1. In Active Directory Users And Computers, right-click the domain node and then select Change Domain Controller.
2. In the Change Directory Server dialog box, select This Domain Controller, select an available domain controller to which you want to transfer the role, and then click OK.
3. Right-click the domain node again, and then select Operations Masters. In the Operations Masters dialog box, the RID tab is selected by default. Click Change. When prompted to confirm, click Yes and then click Close.
The PDC emulator role is responsible for processing password changes and also is the default authoritative time server in the forest. All domain controllers in a domain know which server has the PDC emulator role.
When a user changes a password, the change is first sent to the PDC emulator, which in turn replicates the change to all the other domain controllers in the domain. If a user tries to log on to the network but provides an incorrect password, the domain controller checks the PDC emulator to see that it has a recent password change for this account. If so, the domain controller retries the logon authentication on the PDC emulator. This approach is designed to ensure that if a user has recently changed a password, that user is not denied logon with the new password.
Because the PDC emulator is the default time server for the forest, other computers on the network rely on the PDC emulator for time synchronization. To ensure that time synchronization is accurate in the Active Directory forest, you should configure the PDC emulator to synchronize time with a reliable external time source, a reliable internal time source, or a hardware clock. If you want the PDC emulator to use a Network Time Protocol (NTP) time source, type the following at an administrator command prompt:
w32tm /config /computer:PDCName /manualpeerlist:time.windows.com /syncfromflags:manual /update
Here, PDCName is the fully qualified domain name of the PDC emulator and the /ManualPeerList option configures the PDC emulator to get its time from time.windows.com. Here is an example:
w32tm /config /computer:dc05.imaginedlands.com /manualpeerlist:time.windows.com /syncfromflags:manual /update
You also could get time from pool.ntp.org. The following example sets multiple peer servers so you have alternates should a server not be available (w32tm expects multiple peers to be space-separated and enclosed in quotation marks):
w32tm /config /computer:dc05.imaginedlands.com /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /update
Here, the servers used for time are 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, and 3.pool.ntp.org.
If you configured a reliable time server in the forest root domain, you can configure the PDC emulator master to synchronize with this server instead by typing the following:
w32tm /config /computer:PDCName /syncfromflags:domhier /update
Here, the /SyncFromFlags option configures the PDC emulator to get its time synchronization information from the forest root domain hierarchy.
IMPORTANT The first domain controller to hold the PDC emulator role is the default authoritative time server for the forest. If the PDC emulator role is moved to a new domain controller, the time server role doesn’t move automatically to the new domain controller. In this case you must configure the Windows Time service for the new PDC emulator master role holder and reconfigure the original PDC emulator master role holder to synchronize from the domain and not from an external or internal time source.
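The following script is an added example, not part of the book, that audits the state the preceding note describes: it checks every domain controller's Windows Time configuration and flags a PDC emulator that is not using an NTP peer or a former role holder that is still configured as a second time root. It assumes the ActiveDirectory PowerShell module and rights to run w32tm /query against each domain controller; the function name Get-TimeSourceReport is my own.

```powershell
# Added example (not from the book): audit the Windows Time hierarchy after a
# PDC emulator move. Assumes the ActiveDirectory module and rights to run
# w32tm /query against every domain controller. Expected state: the PDC
# emulator uses a manual NTP peer list (Type NTP); every other DC, including
# the former role holder, follows the domain hierarchy (Type NT5DS).
Import-Module ActiveDirectory

function Get-TimeSourceReport {
    param(
        # DNS name of the domain to inspect; defaults to the logon domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $name = $dc.HostName
        # /source reports the peer actually in use; /configuration includes a
        # "Type: NTP|NT5DS|NoSync|AllSync" line that w32tm /config sets.
        $source = (& w32tm /query /computer:$name /source) -join ' '
        $config = (& w32tm /query /computer:$name /configuration) -join "`n"
        $type   = if ($config -match 'Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $isPdc  = $name -ieq $pdc
        $asExpected = if ($isPdc) {
            # Top of the hierarchy: must use NTP, not the local CMOS clock.
            $type -eq 'NTP' -and $source -notmatch 'CMOS|Free-running'
        } else {
            # A former PDC still on NTP is a second, competing time root.
            $type -eq 'NT5DS'
        }
        [pscustomobject]@{
            DomainController = $name
            IsPdcEmulator    = $isPdc
            SyncType         = $type
            Source           = $source.Trim()
            AsExpected       = $asExpected
        }
    }
}

# Rows with AsExpected = False are the ones to correct with w32tm /config.
Get-TimeSourceReport | Format-Table -AutoSize
```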
Domain computers on the network don’t necessarily get their time directly from the PDC emulator. Generally, domain computers follow the directory hierarchy and synchronize time with a domain controller in their local domains. Domain controllers synchronize their time using a series of queries that help them determine the best time source. A domain controller will make up to six queries:
1. The domain controller queries for parent domain controllers in the same site.
2. The domain controller queries for other domain controllers in the same site.
3. The domain controller queries for a same-site PDC emulator.
4. The domain controller queries for parent domain controllers in other sites.
5. The domain controller queries for other domain controllers in other sites.
6. The domain controller queries for a PDC emulator in other sites.
NOTE Parent domain controllers prefer reliable time sources but can also synchronize with nonreliable time sources if that is all that’s available. Local domain controllers synchronize only with reliable time sources. Reliable time sources can synchronize only with domain controllers in the parent domain. The PDC emulator can synchronize with a reliable time source in its own domain or any domain controller in the parent domain.
Each query returns a list of domain controllers that can be used as a time source and a relative weighting for each based on reliability and location. A score of 8 is assigned to a domain controller in the same site. A score of 4 is assigned to a domain controller configured as a reliable time source. A score of 2 is assigned to a domain controller in a parent domain. A score of 1 is used for a domain controller that is the PDC emulator. Because the weighting scores are cumulative, a same-site PDC emulator would have a score of 9 (8 + 1).
To locate the PDC emulator for the current logon domain, enter the following command at a Windows PowerShell prompt:
(Get-ADDomain).PDCEmulator
Alternatively, start Active Directory Users And Computers. Right-click the domain you want to work with and then select Operations Masters. The Operations Masters dialog box shows the current PDC emulator in the PDC tab.
To transfer the PDC emulator role to another server, follow these steps:
1. In Active Directory Users And Computers, right-click the domain node and then select Change Domain Controller.
2. In the Change Directory Server dialog box, select This Domain Controller, select an available domain controller to which you want to transfer the role, and then click OK.
3. Right-click the domain node again and then select Operations Masters. In the Operations Masters dialog box, click the PDC tab. Click Change. When prompted to confirm, click Yes and then click Close.
The infrastructure master is responsible for updating cross-domain, group-to-user references. This means that the infrastructure master is responsible for ensuring that changes to the common name of a user account are correctly reflected in the group membership information for groups in other domains in the forest.
The infrastructure master manages name changes by comparing its directory data to that of a global catalog. If the data is outdated, it updates the data and replicates the changes to other domain controllers in the domain. If for some reason the infrastructure master is unavailable, group-to-user name references will not be updated and cross-domain group membership might not accurately reflect the actual names of user objects.
To locate the infrastructure master for the current logon domain, enter the following command at a Windows PowerShell prompt:
(Get-ADDomain).InfrastructureMaster
Alternatively, start Active Directory Users And Computers. Right-click the domain you want to work with and then select Operations Masters. The Operations Masters dialog box shows the current infrastructure master in the Infrastructure tab.
To transfer the infrastructure master role to another server, follow these steps:
1. In Active Directory Users And Computers, right-click the domain node and then select Change Domain Controller.
2. In the Change Directory Server dialog box, select This Domain Controller, select an available domain controller to which you want to transfer the role, and then click OK.
3. Right-click the domain node again and then select Operations Masters. In the Operations Masters dialog box, click the Infrastructure tab. Click Change. When prompted to confirm, click Yes and then click Close.
When an operations master fails and is not coming back online, you need to seize the role to forcibly transfer it to another domain controller. Seizing a role is a drastic step that you should perform only when the previous role owner will never be available again. Don’t seize an operations master role when you can transfer it gracefully using the normal transfer procedure. Seize a role only as a last resort.
Before you seize a role and forcibly transfer it, you should determine how up to date the domain controller that will take over the role is with respect to the previous role owner. Active Directory tracks replication changes using update sequence numbers (USNs). Because of replication latency, domain controllers might not all be up to date. If you compare a domain controller’s USN to that of other servers in the domain, you can determine whether the domain controller is the most up to date with respect to changes from the previous role owner. If the domain controller is up to date, you can transfer the role safely. If the domain controller isn’t up to date, you can wait for replication to occur and then transfer the role to the domain controller.
For working with Active Directory replication, Windows Server includes Repadmin and Windows PowerShell cmdlets. To display the highest sequence number for a specified naming context on each replication partner of a designated domain controller, type the following at a command prompt:
repadmin /showutdvec DomainControllerName NamingContext
Here, DomainControllerName is the fully qualified domain name of the domain controller and NamingContext is the DN of the domain in which the server is located, such as
repadmin /showutdvec atserver18 dc=tvpress,dc=local
The output shows the highest USN on replication partners for the domain partition:
Atlanta-First-Site\ATSERVER11 @ USN 149258 @ Time 2017-02-18 10:15:46
Atlanta-First-Site\ATSERVER29 @ USN 149261 @ Time 2017-02-18 10:15:46
In this example, if AtServer11 was the previous role owner and the domain controller you are examining has an equal or larger USN for AtServer11, the domain controller is up to date. However, if AtServer11 was the previous role owner and the domain controller you are examining has a lower USN for AtServer11, the domain controller is not up to date and you should wait for replication to occur before seizing the role. You could also use Repadmin /Syncall to force the domain controller that is the most up to date with respect to the previous role owner to replicate with all of its replication partners. Note that you could also use Repadmin /Replsingleobject to replicate a specific object using its distinguished name.
With PowerShell, you can use the Get-ADReplicationUpToDatenessVectorTable cmdlet to display similar information about USNs. Simply follow the cmdlet name with the name of the domain controller to examine, such as
get-adreplicationuptodatenessvectortable atserver18.tvpress.local
The output shows a list of the highest USNs seen by the specified domain controller for every domain controller in the forest. You also can use Sync-ADObject to replicate a specific object.
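As an added example (not from the book), the following script automates the comparison described above: for each surviving domain controller it reads the up-to-dateness vector for the domain partition, picks out the entry for the failed role owner, and reports which candidates have applied the highest USN seen from that owner. It assumes the ActiveDirectory module; the function name Get-SeizeCandidateReport is my own, and atserver11.tvpress.local is a constructed FQDN built from the names in the book's output.

```powershell
# Added example (not from the book): before seizing, rank the surviving DCs by
# how much of the failed owner's change stream they have applied. Assumes the
# ActiveDirectory module; -FailedOwner is the FQDN of the unreachable role holder
# (atserver11.tvpress.local is a constructed value matching the book's output).
Import-Module ActiveDirectory

function Get-SeizeCandidateReport {
    param(
        [Parameter(Mandatory)][string]$FailedOwner,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $partition = (Get-ADDomain -Identity $Domain).DistinguishedName
    $shortName = $FailedOwner.Split('.')[0]
    $survivors = Get-ADDomainController -Filter * -Server $Domain |
                 Where-Object { $_.HostName -ine $FailedOwner }
    $rows = foreach ($dc in $survivors) {
        # One vector row per partner invocation ID: UsnFilter is the highest USN
        # originating at that partner that this DC has applied (the same data
        # repadmin /showutdvec prints). Partner is the partner's NTDS Settings DN.
        $vector = Get-ADReplicationUpToDatenessVectorTable -Target $dc.HostName `
                      -Partition $partition -ErrorAction SilentlyContinue
        $fromOwner = $vector |
            Where-Object { $_.Partner -like "*CN=$shortName,CN=Servers,*" } |
            Sort-Object UsnFilter -Descending | Select-Object -First 1
        [pscustomobject]@{
            Candidate        = $dc.HostName
            UsnSeenFromOwner = if ($fromOwner) { $fromOwner.UsnFilter } else { 0 }
            LastSuccess      = if ($fromOwner) { $fromOwner.LastReplicationSuccess }
        }
    }
    $highest = ($rows | Measure-Object UsnSeenFromOwner -Maximum).Maximum
    # A candidate is safe to seize on only if it has applied everything any
    # survivor has seen from the owner; otherwise let replication catch up first
    # (or run repadmin /syncall on the most current DC, as the book suggests).
    $rows | Select-Object *, @{ n = 'UpToDate'; e = { $_.UsnSeenFromOwner -eq $highest } } |
        Sort-Object UsnSeenFromOwner -Descending
}

Get-SeizeCandidateReport -FailedOwner 'atserver11.tvpress.local' | Format-Table -AutoSize
```

If the failed owner's NTDS Settings object has already been removed by metadata cleanup, no vector entry matches and every candidate reports 0; run the check before cleanup.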
To seize an operations master role, follow these steps:
1. Open a command prompt on the console of the server you want to assign as the new operations master locally or by means of Remote Desktop.
2. List current operations masters by typing netdom query fsmo.
3. Type ntdsutil. At the ntdsutil prompt, type roles.
4. At the fsmo maintenance prompt, type connections.
5. At the server connections prompt, type connect to server followed by the fully qualified domain name of the domain controller to which you want to assign the operations master role.
6. After you establish a connection to the domain controller, type quit to exit the server connections prompt.
7. At the fsmo maintenance prompt, type one of the following:
seize pdc
seize rid master
seize infrastructure master
seize schema master
seize domain naming master
8. At the fsmo maintenance prompt, type quit.
9. At the ntdsutil prompt, type quit.
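As an added example (not from the book), the script below performs the same transfers and, as a last resort, the same seizure with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet instead of the console or ntdsutil, and confirms the new holder afterwards. It assumes the module is installed and that you hold Domain Admins (Enterprise Admins for the two forest roles); the function names Get-RoleHolders and Move-OperationsMasterRole are my own, and dc05.imaginedlands.com is the target name used earlier in this chapter.

```powershell
# Added example (not from the book): transfer, or as a last resort seize, an
# operations master role with the ActiveDirectory module rather than the console
# or ntdsutil, then confirm the new holder. Assumes the module is installed and
# you hold Domain Admins (Enterprise Admins for the two forest roles).
Import-Module ActiveDirectory

function Get-RoleHolders {
    # Ask a specific DC so the answer after a move is not a stale replica's view.
    param([Parameter(Mandatory)][string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-OperationsMasterRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,     # FQDN of the intended new holder
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster',
                     'SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize        # only when the current owner will never return
    )
    $before = Get-RoleHolders -Server $TargetDC
    # Without -Force the cmdlet performs a graceful transfer and fails if the
    # current owner cannot be reached. -Force skips that and seizes the role,
    # the same drastic step as ntdsutil's "seize" commands.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    $after = Get-RoleHolders -Server $TargetDC
    foreach ($r in $Role) {
        [pscustomobject]@{
            Role     = $r
            Before   = $before[$r]
            After    = $after[$r]
            OnTarget = $after[$r] -ieq $TargetDC
        }
    }
}

# Graceful transfer first; add -Seize only after it fails and the old owner is gone.
Move-OperationsMasterRole -TargetDC 'dc05.imaginedlands.com' -Role RIDMaster,PDCEmulator |
    Format-Table -AutoSize
```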