Promoting an AD BDC

I’ve written before about how to promote a domain controller. This covered the peaceful transition of power from one machine being the Primary Domain Controller (PDC) of an Active Directory (AD) to one of the backups.

However, I ran across a new issue. One of my virtual machines is down with a hardware issue, and I’m not sure if/when/how I will fix it. The only thing of significance on there was the PDC for my Active Directory domain. That means that the other BDCs are doing domain functions, but there are several domain-level things I cannot do until the PDC is back online. The BDCs become read-only and cache some changes. What I really need to do, though, is promote one of these BDCs to be the new PDC. But how do you do that?

Seizing Roles:

As it turns out, from this page: https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control you have to use the NTDSUtil.exe command-line tool – which is already available on a domain controller. Here’s a quick look:

[image]

So you basically call these “seize” commands, one by one. For each role, the tool first tries a normal transfer from the current role holder; only if that domain controller cannot be reached does it seize the role. Similar to a regular change of PDC, you do need to move ALL five of the roles to the PDC-elect.

Specifically, here are the commands I ran from an Administrator command-prompt:

ntdsutil.exe

and then from that prompt, these commands:

roles
connections
connect to server localhost
q
seize pdc
seize naming master
seize schema master
seize infrastructure master
seize RID master
q
q

After each command, it gives you a little summary of which domain controllers are serving which roles.

Verifying:

How can you be sure all of this worked? Well, I did two things. First, I used the techniques from my original blog post, using mmc.exe to verify which domain controller was serving which role. Second, I REMOVED the old/dead PDC from the Active Directory. When I tried to do that, it told me that it still had one role, which I overlooked (schema master). Once I switched over that role, I was allowed to delete the old PDC without error messages. Now, the domain operates normally, the old/offline PDC is removed from the domain, and one of the BDCs is now serving as the primary domain controller.
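The check above (which DC holds each role, and whether any role still points at the dead one) can be scripted instead of clicked through in mmc.exe. The following is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and that it runs under a domain admin account on a DC or management host. The function name Get-FsmoRoleHealth and the sample DC name 'DC02' in the trailing comment are my own choices.

```powershell
# Added example: list the five FSMO roles and flag any whose holder
# is a domain controller that no longer answers. Not from the original post.
Import-Module ActiveDirectory

function Get-FsmoRoleHealth {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the domain of the current user.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $roles = [ordered]@{
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
        'PDCEmulator'          = $dom.PDCEmulator
        'RIDMaster'            = $dom.RIDMaster
        'InfrastructureMaster' = $dom.InfrastructureMaster
    }

    # Current DC inventory, so a holder that has already been deleted from AD shows up too.
    $knownDCs = (Get-ADDomainController -Filter * -Server $Domain).HostName

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $online = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            IsKnownDC = ($knownDCs -contains $holder)
            Online    = [bool]$online
        }
    }
}

# Report, then highlight roles that still point at an unreachable DC. Any role
# listed in the warning is one the seizure missed (the overlooked schema master
# in the post is exactly this case) and must be seized before the dead DC
# can be removed from the domain.
$health = Get-FsmoRoleHealth
$health | Format-Table -AutoSize
$stranded = $health | Where-Object { -not $_.Online }
if ($stranded) {
    Write-Warning "Roles still held by an unreachable DC: $($stranded.Role -join ', ')"
    # PowerShell equivalent of the ntdsutil seize, if you prefer it ('DC02' is a placeholder;
    # -Force makes the cmdlet seize when a normal transfer is impossible):
    # Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force
}
```

Run it once after the seize commands and again after deleting the old DC: the first run should show all five holders online, and the second should show no holder that is missing from the DC inventory.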

Posted in Computers and Internet, General, Infrastructure, Windows
