By Tushar Kumar, Alibaba Cloud Community Blog author
Assume the following scenario. Your current domain controller is running on a Windows 2012 server at your local on-premises data center, and you want to migrate your domain controller with flexible single master operation (FSMO) roles to Windows Server 2016 Active Directory. In this blog, we walk you through the steps to do exactly that. The same steps can be applied when migrating Windows 2012, 2008, and 2008 R2 servers.
Using a domain controller with FSMO has its advantages. Flexible single master operation (FSMO) is a multi-master model that assigns clear roles and responsibilities to every domain controller while at the same time also giving you the flexibility to transfer roles if needed.
Flexible single master operation (FSMO) can be divided broadly into five roles, which are:
Another advantage of FSMO is that it mitigates the following issue: Migrating Root and Child domain controllers directly with an OS-level snapshot may cause errors in the domain controller, so it's always better to go for AD Sync and FSMO roles transfer.
Before you can proceed to migrate your domain controller, you will need the following:
Before proceeding with any of the steps below, first you should check if you can ping your on-premises network with your Windows Server 2016 ECS instance.
If everything's fine, then add your ECS instance into the same domain in the active directory (AD). This is how you do it:
Control Panel > System and Security > System > Under Computer name, domain, and workgroup settings, Change Settings > Change Domain
Next, run the following command on your ECS instance to retrieve the current domain functional level:
Get-ADDomain | fl Name, DomainMode
After running this command, you'll see the on-premises DC mentioned as output.
Next, to migrate, follow these steps:
Now we need to install the active directory role on the Alibaba Cloud ECS instance. This is how you do it:
Open Server Manager > Click on Add roles and features > On the wizard click Next > Select Role-based or feature-based installation and click Next > Click Next > Under Roles, check Active Directory Domain Services.
Next, on the Features tab, click Next; on the AD DS description page, click Next; and on the confirmation page, click Next. After that, wait for the installation to complete. Once it is done, this window will appear.
Click on Promote this server to a domain controller. You will be prompted with the Active Directory Domain Services Configuration window.
Select the deployment operation: Add a domain controller to an existing domain. Then, provide your AD domain (for example, alibabapoc.com) and click Next.
On the next screen, provide a DSRM password, keep the rest as it is, and click Next. Then, on the DNS Options page, click Next. On the next window, select the replication source by choosing your on-premises DC.
Continue to click Next until you reach the Pre-requisites tab, and then click Install. Once the installation is completed, the server will automatically restart.
All your users are now available in Active Directory on the new cloud ECS instance. Check the FSMO roles by running the following command:
netdom query fsmo
From the above output, you can see the FSMO roles are still owned by the on-premises DC. To change this, run the command below:
Get-CimInstance Win32_OperatingSystem | fl CSName
Note the CSName value in the output; your own CSName is the name you will use in the transfer command.
Now your Alibaba Cloud ECS instance is ready. Let's transfer the FSMO roles. For the root domain controller, there are five FSMO roles to transfer. The schema master and domain naming master roles are assigned only once in the forest, so you will not have those when moving a child domain controller.
Now, run the following command on your on-premises data center. In the command, replace YOUR_DC_CSNAME with the cloud instance's CSName.
Move-ADDirectoryServerOperationMasterRole -Identity YOUR_DC_CSNAME -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Then, type A [Yes to all] when asked for permission, and check that the roles have been transferred by running the following command:
netdom query fsmo
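The demotion step that follows uses -DemoteOperationMasterRole, which lets demotion continue even if the server still holds an operations master role, so it is worth confirming the transfer and replication health first. The PowerShell below is an added example, not part of the original post; it assumes the ActiveDirectory module is installed and that it runs on the new ECS domain controller, and Get-FsmoHolders and Test-FsmoOwnership are hypothetical helper names.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes the ActiveDirectory module (RSAT) and that it runs on the new DC.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoOwnership {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Holders,
        [Parameter(Mandatory)] [string] $ExpectedDc
    )
    # Holders are FQDNs; compare the host part only (-ne is case-insensitive).
    # Emits the names of roles NOT held by $ExpectedDc; no output means all moved.
    foreach ($role in $Holders.Keys) {
        if (($Holders[$role] -split '\.')[0] -ne $ExpectedDc) { $role }
    }
}

$newDc    = $env:COMPUTERNAME
$notMoved = @(Test-FsmoOwnership -Holders (Get-FsmoHolders) -ExpectedDc $newDc)

# A non-zero LastReplicationResult means the last inbound sync from that partner failed.
$replFailed = @(Get-ADReplicationPartnerMetadata -Target $newDc |
    Where-Object { $_.LastReplicationResult -ne 0 })

if ($notMoved.Count -gt 0) {
    Write-Warning "Roles not yet on ${newDc}: $($notMoved -join ', ')"
}
foreach ($p in $replFailed) {
    Write-Warning "Replication from $($p.Partner) failed with code $($p.LastReplicationResult)"
}
if ($notMoved.Count -eq 0 -and $replFailed.Count -eq 0) {
    Write-Output "All five FSMO roles are on $newDc and replication is clean."
}
```

When run against a child domain, SchemaMaster and DomainNamingMaster will be reported as not moved, since those two roles stay with the forest root.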
Now your roles are transferred. Let's prepare your on-premises machine for decommissioning:
Log on to your on-premises data center.
Run the following command in PowerShell (Administrator):
Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition
This command will ask you for local administrator credentials. After completion, the server will restart, after which you can decommission the server.
Now log on to the ECS instance on Alibaba Cloud:
Update the domain functional level by running this command in PowerShell (Administrator):
Set-ADDomainMode -identity YOUR_DOMAIN -DomainMode YOUR_WINDOWS_VERSION
For this command, replace YOUR_DOMAIN with your domain name and YOUR_WINDOWS_VERSION with the server version running after migration. The values are as follows:
In my case, my cloud DC is running on Server 2016 and the domain is alibabapoc.com, so my command looks like this:
Set-ADDomainMode -identity alibabapoc.com -DomainMode Windows2016Domain
Now update the forest functional level. Run the following command in PowerShell (Administrator):
Set-ADForestMode -Identity YOUR_DOMAIN -ForestMode Your_windows_version
Change the command to fit your situation. Again, for the example above, the cloud DC is running on Server 2016 and the domain is alibabapoc.com, so the command is:
Set-ADForestMode -Identity alibabapoc.com -ForestMode Windows2016Forest
Your DC is now up and running on Alibaba Cloud.
You can repeat the same steps to migrate your child domain controller; the only difference is that two FSMO roles (schema master and domain naming master) will not be there.