This article describes how to use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.
Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:
Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.
Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).
This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.
To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.
This article describes a condition that occurs when a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 starts from an Active Directory database that has been incorrectly restored or copied into place. This condition is known as an update sequence number rollback, or USN rollback.
When a USN rollback occurs, modifications to objects and attributes that occur on one domain controller do not replicate to other domain controllers in the forest. Because replication partners believe that they have an up-to-date copy of the Active Directory database, monitoring and troubleshooting tools such as Repadmin.exe do not report any replication errors.
After hotfix 875495 or Windows Server 2003 Service Pack 1 is installed, a Microsoft Windows Server 2003 domain controller logs Directory Services event 2095 when it encounters a USN rollback. The text of the event message directs administrators to this article to learn about recovery options.
workgroup = MYGROUP
server string = Samba Server Version %v
# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
security = user
map to guest = Bad User
passdb backend = tdbsam
load printers = yes