You can transfer the three domain-wide FSMO roles (PDC Emulator, RID Master, and Infrastructure Master) with the GUI or via the command line. To transfer the roles via the GUI, follow the steps in this article.
Learn how to transfer the Schema Master FSMO role and the Domain Naming master FSMO role.
By default, the Active Directory Schema MMC snap-in is not registered on domain controllers or machines with the Remote Server Administration Tools (RSAT) installed. To use the snap-in for the first time on a new machine, follow the steps in this article to learn how to register the snap-in.
Sometimes domain controllers encounter catastrophic failures that take them off the network permanently – perhaps a hardware failure or an extended network outage that exceeds the tombstone lifetime. In these cases, the traditional process of demoting the domain controller won’t work and you’ll be forced to manually clean up Active Directory instead. This manual process is known as metadata cleanup. Metadata cleanup removes all of the references to the domain controller from Active Directory so that things like replication continue to work without error. Depending on what version of Windows you’re working with, this can be as simple as deleting the domain controller’s computer account with AD Users and Computers, or it might require a trip to the command line to put ntdsutil to work.
Windows Server 2008 and Newer (Active Directory Users and Computers)
The Windows Server 2008 version of Active Directory Users and Computers (ADUC) introduced a convenient one-click approach to performing metadata cleanup. To t…
Active Directory provides a time synchronization hierarchy that ensures that time-dependent protocols such as Kerberos will work correctly. The PDC emulator in the forest root domain must be configured to synchronize with an authoritative external source – either a hardware clock, government time source, or another NTP server. As a matter of best practice, consider configuring a domain controller that has been identified as an alternate PDC emulator role holder to also synchronize with an external source. This way, if you transfer the PDCe FSMO role, you won’t need to reconfigure the time service on the new domain controller. This post teaches you how to properly configure the forest root domain PDC emulator for time synchronization.
The process to convert a member server to a domain controller (DC) – known as promotion – requires a number of inputs to complete the wizard. As Active Directory has evolved, additional steps and inputs have been added to the wizard, but the process itself has undergone very little change. If you are coming to Windows Server 2012 or newer from a previous version of Active Directory, the most noticeable change is that the dcpromo tool dating to Windows 2000 is gone. In fact, if you try to run dcpromo on a Windows Server 2012 or newer server, you’ll receive an error. This article walks you through the process and inputs necessary to promote a domain controller.
If you have a domain controller that is no longer on the network, hasn’t replicated during the forest’s tombstone lifetime, or has been cleaned up in Active Directory via metadata cleanup, you’ll need to do a forced demotion in order to get the server back to a normal state. The procedure to do this varies depending on whether the server in question is running Windows Server 2012 or newer, or if it’s running a prior version of Windows Server. In this post, we'll look at the process for both the legacy and modern approaches to this problem.
The final step to publish AD FS on the Internet is to install and configure the Web Application Proxy (WAP). Installing and configuring WAP is a simple process that requires an SSL certificate and a few details about the AD FS environment. Once WAP is installed, it can be used for much more than simply publishing AD FS. WAP can be used to publish claims-aware applications as well as enable claims-based authentication to applications that use Windows Integrated Authentication.
Active Directory Federation Services (AD FS) is a critical component of your identity infrastructure as you begin to examine and move services to the cloud. AD FS securely extends your existing Active Directory beyond the boundaries of the firewall in a standardized and interoperable manner that is accepted across the industry. In this article, we will explore the steps to install the first AD FS server on Windows Server 2012 R2 as well as the prerequisite tasks that you will need to complete prior to installing AD FS.
Learn how to quickly promote a domain controller to global catalog status within your forest. Next, you'll learn how to keep an eye on the initial global catalog replication process to see when the promotion is complete.
When you join a machine to the domain, by default it will be placed in the Computers container under the root of the domain. This can be undesirable, particularly if you want to apply distinct Group Policy to machines when they are initially joined to the domain. Fortunately, Active Directory lets you change the default location for new Computer accounts. This article walks you through the quick and easy steps necessary to change the default location for new computer objects.