Deploying and Managing Active Directory DS Domain Controllers
Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. At the core of Windows AD DS is the domain controller. The domain controller provides login services, group policies, domain naming services (DNS), and other identity management services for users and computers in a domain along with other enterprise management services.
In this course, we start by reviewing the Windows AD DS environment including forests and domains. Then we review considerations for deploying domain controllers in a virtualized environment, on-premises, and in Azure. Next, we look at use cases for deploying read-only domain controllers at locations where physical security cannot be guaranteed. Lastly, we examine flexible single master operations roles and how to locate and move them to support troubleshooting efforts.
- Deploy and manage domain controllers on-premises
- Deploy and manage domain controllers in Azure
- Deploy read-only domain controllers (RODCs)
- View, manage, and troubleshoot flexible single master operations (FSMO) roles
- System administrators with responsibilities for managing hybrid identities
- Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
- Anyone preparing for the Azure AZ-800 Administering Windows Server Hybrid Core Infrastructure exam
- A basic understanding of deploying and managing Microsoft Windows servers
- Windows Server installation media and an environment to run Windows Server (trial available at https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022)
In this demo, we view and move FSMO Roles in a forest. The lab environment has two writable domain controllers in the same domain. We deployed Read-Only domain controller in the previous lab because that domain controllers read only, it won't work for this demo. Let's get started in the second domain controller added to the domain. Here we are logged into the second domain controller added to the domain. This domain controller is new and should not have any FSMO roles assigned to it. Let's verify that by viewing the FSMO roles next.
We can find the RID, PDC emulator and infrastructure FSMO role holders from Active Directory users and computers. These roles are scoped to the domain, open AD users in computers. Be sure to set the view to advanced features. This will show all the options available in the management console. Right click on the domain and go to operation masters. Here chose the RID Master, Windows DC1. The PDC Master. Here again, Operations Master is Windows DC1 and Infrastructure Master.
Notice we have the option to transfer the role. If for example, while removing this domain controller from the domain, we can use this to transfer the roles to the new domain controller. This has to be initiated by the domain controller, we're transferring the roles to. We're on Windows DC2, let's transfer the RID Master role from Windows DC1. We'll go back to RID Master, change, and click 'Yes', and 'OK'. Now our RID Master is on Windows DC2. We can close this and close Active Directory users in computers.
Next, we'll review the schema FSMO role holder. To do this from the graphical interface, we first have to register the schema management dll. Search for run, that brings up the run box. Next, run the command on the screen to register the schema management dll. Click 'OK' to run and that run successfully, click 'OK'. Next, run mmc.exe to open the management console. Go to file then add remove snap-ins, add Active Directory schema, 'OK'. Right click on Active Directory schema and go to Operations Master. Here chose the current schema Master and we have the option to change it if needed.
Close that and let's find the domain naming FSMO role holder next. We don't need to save the console. Open Active Directory domains and trusts. Right click on Active Directory domains and trusts and go to Operation Master. It shows the current domain name in Operation Master and the option to transfer the role. Notice that both options are showing Windows DC1 but we're on Windows DC2. What if we want to change it to Windows DC2. Let's close this, right click, change Active Directory domain controller and we'll select Windows DC2. Now right click again, go to Operations Master, and now we have the option to change Operations Master to Windows DC2. Let's change and yes, click 'OK'.
Now it's updated to Windows DC2. Close this and we can close Active Directory domains and trusts. That's a lot of clicking, let's look at another option. We can get the FSMO roles with the DCdiag tool as well. Open the command prompt cmd. We'll make this a little bigger and from here we'll type the command on the screen. Hit 'Enter' to run the command. That returns a lot of information, scroll back towards the top to doing primary tests. Under starting test, notes of role holders. It shows the role and the computer that holds the role. We have schema owner, Windows DC1. Domain owner, Windows DC2. PDC owner is Windows DC1. RID owner is Windows DC2 and Infrastructure Update owner is Windows DC1. That is how to view and transfer FSMO roles in a forest and a domain.
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.