table of Contents
Active Directory Operating Host Role Overview
Environmental Analysis
Clear the main domain controller DC-01.Test.com object from AD
Different Five FMSO operations with NTDSUTIL.EXE tools on the extra domain controller
Set the extra domain controller for GC (global catalog)
Reinstall and restore damage to the main domain controller
Attachment: Scripts used to detect five operating host characters in AD
Reference Information
about the author
First, Active Directory Operating Host Role Overview
Active Directory defines five operating host roles (also known as FSMO):
Architecture host Schema Master,
Domain name host Domain Naming Master
Relative identification number (RID) host RID MASTER
Main Dome Controller Simulator (PDCE)
Infrastructure master Infrastructure MASTER
And each operating host role is responsible for different work, with different functions:
Architecture host
A DC with architecture host roles is a unique DC that can update the directory architecture. These architectures are copied from the architecture host into all other domain controllers in the catalog forest. The architecture host is based on the forest, and there is only one architecture host in the entire directory forest.
Domain naming host
DC with domain named host roles is the only DC that can perform the following tasks:
Add a new domain to the forest.
Delete existing domains from the forest.
Add or delete a cross-reference object that describes the external directory.
Relative identification number (RID) host
This operator is responsible for allocating the RID pool to other DCs. Only one server performs this task. Create a security subject (such as a user,
When groups or computers, the RID needs to be combined with the identifier within the domain range to create a unique security identifier (SID). Every
Windows 2000 DC will receive the RID pool used to create an object (default is 512). The RID host ensures this by assigning different pools.
Some IDs are unique on every DC. Through the RID host, all objects can be moved between different domains in the same catalog.
The domain named host is based on the forest, only one domain named host in the entire directory forest. The relative identification number (RID) host is domain-based, and each domain in the forest has its own relative identification number (RID) host.
PDCE
The main domain controller simulator provides the following main functions:
Backward compatible low-level clients and servers allow Windows NT4.0 Backup Domain Controller (BDC) to join the new Windows 2000 environment. This machine Windows 2000 environment forwards password changes to PDCE. Whenever the DC verification password fails, it will contact PDCE to see if the password can be verified there, perhaps the reason is that the password change has not been copied to the verification DC.
Time Synchronization - PDCE in each domain in the catalog will be synchronized with PDCE in the root field of the catalog.
PDCE is domain-based, and each domain in the catalog has its own PDCE.
Infrastructure host
The infrastructure host ensures consistency of all domain operating objects. This reference contains the object when referenced to objects in another domain.
Global Unique Identifier (GUID), Safety Identifier (SID), and Divided Name (DN). If the referenced object is moved, the domain is booked.
The DC of the structural host role will be responsible for updating the SID and DN in the cross-domain object reference in this domain.
The infrastructure host is domain-based, and each domain in the catalog has its own infrastructure host.
By default, these five FMSO exist on the first DC (main domain controller) of the forest root domain, while the relative identification number (RID) host in the subdomain, the PDCE, the infrastructure host exists in the subdomain. A DC. Second, environmental analysis
The company TEST.COM has a primary domain controller DC-01.Test.com, as well as an extra domain controller DC-02.Test.com. The main domain controller (DC-01.Test.com) Since the hardware failure is suddenly damaged, there is no system state backup of DC-01.Test.com in advance, no way to repair the main domain controller (DC-01.Test) .com), how do we allow additional domain controllers (DC-02.Test.com) to replace the main domain controller, allowing Acitvie Directory to run normally, and how to make damage after damage to the damaged primary domain controller hardware The main domain controller is restored.
If your first DC is broken, there is an extra domain controller, you need to capture these five FMSOs on an additional domain controller, and you need to set the extra domain controller to GC.
Third, remove the main domain controller DC-01.Test.com object from the AD
3.1 Remove the main domain controller (DC-01.Test.com) from the AD on an additional domain controller (DC-02.test.com).
C:> NTDSUTIL
NTDSUTIL: Metadata Cleanup
Metadata Cleanup: Select Operation Target
SELECT OPERATION TARGET: Connections
Server Connections: Connect To Domain Test.com
Select Operation Target: List Sites
Found 1 Site (s)
0 - cn = default-first-site-name, cn = sites, cn = configuration, DC = test, DC = COM
Select Operation Target: SELECT Site 0
Site - cn = default-first-site-name, cn = sites, cn = configuration, dc = test, DC = COM
No current Domain
NO CURRENT SERVER
No current naming context
SELECT OPERATION TARGET: List Domains in Site
Found 1 Domain (s)
0 - DC = TEST, DC = COM
Found 1 Domain (s)
0 - DC = TEST, DC = COM
Select Operation Target: SELECT DOMAIN 0
Site - cn = default-first-site-name, cn = sites, cn = configuration, dc = test, DC = COM
Domain - DC = TEST, DC = COM
NO CURRENT SERVER
No current naming context
Select Operation Target: List Servers for Domain in Site
Found 2 Server (s)
0 - CN = DC-01, CN = Servers, cn = default-first-site-name, cn = sites, cn = configuration, DC = TEST, DC = COM
1 - CN = DC-02, CN = Servers, CN = default-first-site-name, cn = sites, cn = configuration, DC = TE
ST, DC = COM
Select Operation Target: SELECT Server 0
Select Operation Target: quit
Metadata Cleanup: Remove SELECTED Server
The dialog box appears, press "OK" to delete the DC-01 master server.
Metadata Cleanup: quit
NTDSUTIL: QUIT
3.2 Use the ADSI Edit tool to remove DOMAIN Controllers in Active Directory Users and Computers, DC-01 server objects,
Adsi Edit is a tool in Windows 2000 Support Tools, and you need to install Windows 2000 Support Tool, the installer under the Support / Tools directory in the Windows 2000 CD. Open the Adsi Edit tool, expand Domain NC [DC-02.Test.com], expand OU = Domain Controllers, right-click CN = DC-01, then select Delete, delete the DC-01 server object, as shown in Figure 1:
3.3 Remove DC-01 Server Objects in Active Directory Sites and Service
Open the Active Directory Sites and Service in Administrative Tools, expand Sites, expand Default-first-site-name, expand Servers, right-click DC-01, select Delete, click the Yes button, as shown in Figure 2:
Fourth, perform five FMSO operations through NTDSUTIL.EXE tools on the extra domain controller
C:> NTDSUTIL
NTDSUTIL: ROLES
FSMO MAINTENANCE: SELECT OPERATION TARGET
SELECT OPERATION TARGET: Connections
Server Connections: Connect To Domain Test.com
Select Operation Target: List Sites
Found 1 Site (s)
0 - cn = default-first-site-name, cn = sites, cn = configuration, DC = test, DC = COM
Select Operation Target: SELECT Site 0
Site - cn = default-first-site-name, cn = sites, cn = configuration, dc = test, DC = COM
No current Domain
NO CURRENT SERVER
No current naming context
SELECT OPERATION TARGET: List Domains in Site
Found 1 Domain (s)
0 - DC = TEST, DC = COM
Select Operation Target: SELECT DOMAIN 0SITE - CN = Default-first-site-name, CN = Sites, CN = Configuration, DC = TEST, DC = COM
Domain - DC = TEST, DC = COM
NO CURRENT SERVER
No current naming context
Select Operation Target: List Servers for Domain in Site
Found 1 Server (s)
0 - CN = DC-02, CN = Servers, CN = default-first-site-name, cn = sites, cn = configuration, DC = TE
ST, DC = COM
Select Operation Target: SELECT Server 0
Select Operation Target: quit
FSMO Maintenance: Seize Domain Naming Master
The dialog box appears, press "OK"
FSMO Maintenance: SEIZE INFRASTRUCTURE MASTER
The dialog box appears, press "OK"
FSMO MAINTENANCE: SEIZE PDC
The dialog box appears, press "OK"
FSMO MAINTENANACE: SEIZE RID MASTER
The dialog box appears, press "OK"
FSMO Maintenance: Seize Schema Master
The dialog box appears, press "OK"
FSMO MAINTENANCE: quit
NTDSUTIL: QUIT
(Note: SEIZE is operating when the original FSMO is not online, if the original FSMO is online, you need to use the Transfer action)
5. Set additional control (dc-02.test.com) is GC (global catalog)
Open the Active Directory Sites and Services in Administrative Tools, expand Sites, expand Default-first-site-name, expand Servers, expand DC-02.Test.com (additional controller), right-click NTDS Settings to select Properties, then " "Global Catalog" front tick, click the "OK" button, then restart the server.
6. Reinstall and restore damage to the main domain controller
After repairing DC-01.Test.com's damaged hardware, reinstall Windows 2000 Server after the DC-01.Test.com server, after installing Windows 2000 Server, run DCPROMO to upgrade to additional domain controllers; if you need Make DC-01.Test.com as five FMSO roles, perform role conversion through NTDSUTIL tools, and perform TRANSFER operations (Note: You cannot use seize). And use the Active Directory Sites and Services to set DC-01.Test.com to GC, cancel the GC function of DC-02.Test.com.
It is recommended that Domain Naming Master does not want to be on a DC with Rid Master, while Domain Naming Master must be GC.
Attachment: Scripts used to detect five operating host characters in AD
Give everyone a script, used to detect five FSMO characters in the AD, save the following code, saved as fsmo.vbs, then execute it .Set Objrootdse = getObject ("ldap: // rootdse")
DIM TEXT
'Schema Master
Set objschema = getObject ("ldap: //" & objrootdse.get ("SchemanamingContext")))
strschemamaster = objschema.get ("fsmoroleowner")
Set objntds = getObject ("ldap: //" & strschemamaster)
Set objcomputer = getObject (objntds.parent)
Text = "Forest-Wide Schema Master FSMO:" & objcomputer.name & vbcrlf
Set objntds = Nothing
Set objcomputer = Nothing
'Domain Naming Master
Set objPartitions = getObject ("ldap: // cn = partitions," & _
Objrootdse.get ("configurationnamingcontext")))
STRDOMAINNAMINGMASTER = ObjPartitions.get ("fsmoroleowner")
Set objntds = getObject ("ldap: //" & strdomainnamingmaster)
Set objcomputer = getObject (objntds.parent)
Text = Text & "Forest-Wide Domain Naming Master FSMO:" & objcomputer.name & vbcrlf
Set objntds = Nothing
Set objcomputer = Nothing
'PDC Emulator
Set objdomain = getObject ("ldap://" & objrootdse.get ("defaultnamingcontext")))
StrpdCemulator = objdomain.get ("fsmoroleowner")
Set objntds = getObject ("ldap: //" & strpdcemulator)
Set objcomputer = getObject (objntds.parent)
TEXT = TEXT & "Domain's PDC Emulator FSMO:" & objcomputer.name & vbcrlf
Set objntds = Nothing
Set objcomputer = Nothing
'Rid Master
Set objridManager = getObject ("ldap: // cn = rid manager $, cn = system," & _
Objrootdse.get ("defaultnamingcontext")))
StridMaster = ObjridMaster.get ("fsmoroleowner") set objntds = getObject ("ldap: //" & strridmaster)
Set objcomputer = getObject (objntds.parent)
Text = TEXT & "Domain's Rid Master FSMO:" & objcomputer.name & vbcrlf
Set objntds = Nothing
Set objcomputer = Nothing
'INFRASTRUCTURE MASTER
Set objinfrastructure = getObject ("ldap: // cn = infrastructure," & _
Objrootdse.get ("defaultnamingcontext")))
StrinfrastructureMaster = Objinfrastructure.get ("fsmoroleowner")
Set objntds = getObject ("ldap: //" & strinfrastructureMaster)
Set objcomputer = getObject (objntds.parent)
TEXT = TEXT & "Domain's Infrastructure Master Fsmo:" & objcomputer.name & vbcrlf
TEXT = TEXT & VBCRLF & "Design By CoolnetBoy (CoolnetBoy@hotmail.com"
WScript.echo Text
Reference Information
Microsoft Windows 2000 Server Resource Kit
