Active Directory assigns roles to domain controllers to help take care of its maintenance needs. Sometimes you may need to change the assigned roles of domain controllers because of performance issues or hardware failure. There are two ways of doing so: transferring roles and seizing roles. Roles are normally transferred when the current role holder works and seized when it doesn’t. The question is: How do you actually transfer or seize a domain controller’s operations master? In this Daily Drill Down, I’ll show you how.


Editor’s Note

Don’t just jump into this process. Make sure you understand what’s involved in transferring and seizing operations master roles by checking out these two previous Daily Drill Downs: “When to move operations master roles to another server” and “Lay the groundwork for a successful server role change.”


Transferring operations master roles
At the end of “Lay the groundwork for a successful server role change,” I showed you how to identify which domain controller held which operations master role. You’ll also remember that there was a Change button on the Properties screen for the operations master that allows you to change the role to another server. For our purposes here, however, let’s take a closer look at the process of transferring some of the master roles and refine the technique a bit.

The main point of refinement comes when you want to transfer roles to an alternate domain. If you want to work with a domain other than the one that’s displayed, you can do so by opening the Active Directory Users And Computers console.

When the console opens, you’ll notice that directly beneath the Active Directory Users And Computers domain that you right-clicked on earlier is a domain name (that is, assuming you’re in a multidomain environment to begin with). If this domain name isn’t the domain that you want to make the change in, right-click on the domain name and select the Connect To Domain command from the resulting context menu. Doing so will display a dialog box that will allow you to select the domain that you want.

You’ll also need to check that Windows has selected the correct alternate system. When you first open the Operations Master dialog box, Windows displays the name of the system that currently holds the operations master role and the name of an alternate system to which it suggests you transfer the role. However, there’s a good chance that the system Windows has selected as the alternate isn’t the one to which you actually want to transfer the role. Fortunately, there’s an easy way to select a different system.

First, right-click on the domain name and then select the Connect To Domain Controller command from the resulting context menu. When you do, you’ll see a dialog box appear that allows you to select any domain controller within the entire domain. Make your selection and click OK. Now when you try to transfer the operations master roles, Windows will tell you that you can transfer the roles to the domain controller to which you’ve connected.

Selecting a new Domain Naming Master
Forest-level operations master roles are the Domain Naming Master and the Schema Master. The Domain Naming Master contains a copy of every object in the entire Active Directory. Whenever you create a new domain, the Active Directory checks with this server to make sure that the name hasn’t already been taken. The Domain Naming Master is also a global catalog server. By default, Windows assigns the Domain Naming Master role to the first domain controller within a forest.

If you’re going to transfer the Domain Naming Master role, the first thing that you must do is determine which server has previously been assigned the role. If you’re the one who initially implemented Active Directory on your network, and no one has ever moved roles, then obviously this role will still be assigned to your first Windows 2000 domain controller.

If you don’t have the luxury of instantly knowing which server holds the Domain Naming Master role, you can easily look up that information by opening the Active Directory Domains And Trusts console. You can do this by selecting the Programs | Administrative Tools | Active Directory Domains And Trusts commands from the Start menu. When the console opens, right-click on Active Directory Domains And Trusts (at the top of the column on the left) and then select the Operations Master command from the resulting context menu. When you do, you’ll see a dialog box that provides you with the name of the server that’s currently holding the Domain Naming Master role and the name of a server to which you can move the role. You may transfer the role between the two servers by clicking the Change button.

So what do you do if you want to move the Domain Naming Master role to a server other than the one that Windows selects? You can select a different server by clicking the Close button to return to the main console screen. On the main console screen, right-click on Active Directory Domains And Trusts once again. This time, however, instead of selecting the Operations Master command from the resulting context menu, select the Connect To Domain Controller command.

You’ll then see a dialog box that displays every domain controller in the entire domain. By default, the Any Writable Domain Controller option is selected. However, you can use this dialog box to directly select the domain controller to which you want to transfer the role. You can even select a domain controller from a different domain; however, I don’t recommend doing this. Although I’ve never personally worked up the nerve to try transferring a forest-level operations master role to a different domain, I’ve heard some pretty scary stories from friends who have attempted such a feat.

I should point out that simply selecting a domain controller on this screen alone doesn’t transfer the Domain Naming Master role. To transfer the role, you’ll need to select your domain controller and click OK. Then, right-click on Active Directory Domains And Trusts again and select the Operations Master command from the resulting context menu. This time, you’ll have the option to transfer the Domain Naming Master role to the server that you selected.

Selecting a new Schema Master
Changing the Schema Master role isn’t as simple as transferring the Domain Naming Master role. To identify the Schema Master role assignment, you must install the Active Directory Schema snap-in for Microsoft Management Console. To do this, open the Control Panel and double-click the Add/Remove Programs icon. When Windows displays the Add/Remove Programs Control Panel applet, click the Change Or Remove Windows Programs button. When you do, you’ll see a list of all of the programs that are currently installed on your system.

Now, look through the list until you locate Windows 2000 Administration Tools. Select Windows 2000 Administration Tools and then click the Change button that’s associated with it. Windows will now launch the Windows 2000 Administration Tools Setup Wizard. Click Next to bypass the introductory screen and jump into the wizard. The next screen that you’ll see gives you a choice of uninstalling or installing the Administrative tools. Select the Install All Of The Administrative Tools radio button and click Next. Windows will now validate and install all of the administrative tools. When the installation process completes, click Finish to terminate the wizard.

The next step in the process is to open the Active Directory Schema snap-in. You can do this by selecting the Run command from the Start menu and entering the MMC command at the Run prompt. When you do, an empty Microsoft Management Console session will open. Select the Add/Remove Snap In command from the Console menu to display the Add/Remove Snap In properties sheet. Now, click the Standalone tab’s Add button to display a list of all of the available snap-ins. Select Active Directory Schema from the list and click the Add button, followed by the Close button and the OK button.

You’ll now see the Active Directory Schema snap-in displayed within the console. Right-click on the Active Directory Schema node that’s located in the column on the left and then select the Operations Master command from the resulting context menu. When you do, you’ll see a dialog box pretty much identical to the one that you used to transfer the Domain Naming Master role.

As before, this dialog box will display the name of the server that’s presently holding the role and the name of a server to which you can transfer the role. If you need to transfer the Schema Master role to a server other than the one that Windows has selected for you, you can do so by clicking the Cancel button to return to the main console screen. Then, right-click on the Active Directory Schema node again and select the Select Domain Controller command. When you do, you’ll see the Change Domain Controller dialog box.

This dialog box isn’t quite as nice as the one you used earlier to select a domain controller for the Domain Naming Master role. Instead of being able to select a domain controller from a list, you’ll have to specify a domain controller by name. The dialog box contains two radio buttons. The default choice is Any DC. To change domain controllers, you’ll have to select the Specify Name radio button and then enter the full DNS name of the domain controller that you’d like to use. Again, I don’t recommend trying to shift the Schema Master role to a different domain.

Once you’ve selected your domain controller, click OK to return to the main console screen. Right-click on the Active Directory Schema node again and select the Operations Master command from the resulting context menu. This time, the Change Schema Master dialog box will give you the option of transferring the Schema Master role to the domain controller that you’ve selected. You may complete the transfer by clicking the Change button and clicking OK.

Seizing roles
Now that you know how to transfer roles, let’s take a look at the process of seizing roles. Remember that you’ll only seize a role if the machine holding the role is dead and has no hope of ever being resurrected. If you seize a role and the server that previously contained the role comes back online one day, you could corrupt the entire Active Directory.

To seize a role, log in as someone who has the authority to seize a role, open a command prompt window, and enter the following commands:
ntdsutil
roles
connections
connect to server servername
quit

In this case, servername is the domain controller to which you’re going to move the role. You can see a sample of these commands in Figure A.

Figure A
Enter these commands to prepare for seizing a role.

Now, enter one of the following commands to seize the role:
SEIZE INFRASTRUCTURE MASTER
SEIZE RID MASTER
SEIZE PDC
SEIZE SCHEMA MASTER
SEIZE DOMAIN NAMING MASTER

Naturally, the command you enter will vary depending on the role you want to seize. Quit NTDSUTIL and then restart your server. It may take some time for the changes to replicate across Active Directory, but after they do, your domain controller will have completed seizing the role.
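The same transfer-or-seize decision scripted with the RSAT ActiveDirectory PowerShell module, as an added example rather than the article’s own procedure (the article uses the Windows 2000 consoles and NTDSUTIL; the module, the function names Get-FsmoHolders and Move-FsmoRole, and the DC names in the example calls are assumptions). It refuses to seize a role whose current holder still answers, and refuses to transfer one whose holder is unreachable, which is the rule the article gives.

```powershell
# Added example, not code from the original article: it applies the article's rule
# (transfer while the holder works, seize only when it is dead) with the RSAT
# ActiveDirectory module, which is assumed to be installed and loaded.
Import-Module ActiveDirectory
function Get-FsmoHolders {
    # Return the five operations master roles and their holders (FQDNs) as seen
    # by one DC; pass -Server to ask a specific DC rather than the nearest one.
    param([string]$Server)
    $extra = if ($Server) { @{ Server = $Server } } else { @{} }
    $forest = Get-ADForest @extra
    $domain = Get-ADDomain @extra
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [Parameter(Mandatory)][string]$TargetDC,   # FQDN of the DC that should take the role
        [switch]$Seize                             # only when the current holder is dead
    )
    $holder = (Get-FsmoHolders)[$Role]
    if ($holder -ieq $TargetDC) { throw "$TargetDC already holds $Role" }
    $alive = Test-Connection -ComputerName $holder -Count 1 -Quiet
    # A seized role whose old holder later comes back online can corrupt the
    # directory, so refuse to seize while the holder still answers, and refuse
    # to transfer when it does not (a transfer needs the holder online).
    if ($Seize -and $alive) { throw "$holder still responds; transfer $Role instead of seizing it" }
    if (-not $Seize -and -not $alive) { throw "$holder is unreachable; seize $Role only if it is gone for good" }
    # -Force turns the transfer into a seizure (the cmdlet's counterpart of NTDSUTIL's SEIZE).
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
    # Verify on the target DC itself; other DCs will agree once replication completes.
    $after = (Get-FsmoHolders -Server $TargetDC)[$Role]
    if ($after -ine $TargetDC) { throw "$Role is still reported on $after" }
    "$Role moved from $holder to $TargetDC"
}
# Example calls (constructed names): a normal transfer, then a seizure after a failure.
# Move-FsmoRole -Role PDCEmulator -TargetDC dc2.example.local
# Move-FsmoRole -Role RIDMaster   -TargetDC dc2.example.local -Seize
```

Run it from an account that holds the rights the article describes for the role in question; a seizure still leaves the old holder needing to be rebuilt rather than reconnected.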

Conclusion
In order for the Active Directory to function correctly, specific maintenance tasks must be routinely performed at the domain level and at the forest level. Unfortunately, the server to which Windows assigns these tasks may not always be the best choice. In such situations, or when the server needs to be taken offline for maintenance, it may be necessary to delegate these tasks to a different server within the organization. If a server that’s performing an operations master role dies and has no hope of ever being resurrected, it’s extremely important that you seize the role and assign it to another server. Once you know the procedures involved for transferring and seizing roles, you can make adjustments as needed.