Replica DCs on Azure – Transferring FSMO roles to the IaaS DCs

June 16, 2016 at 7:27 am in Azure, Cloud, DC, FSMO, hybrid cloud, IaaS, PowerShell, Replica DC, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica domain controllers (DCs) on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

After we successfully installed both IaaS virtual machines (VMs) as DCs and verified everything was running smoothly (time synchronization included) there is still one AD related action we can perform, namely transferring the Flexible Single Master Operation (FSMO) roles between the on premise DC and the ones running on Azure.

Like you probably all know, some of these FSMO roles (5 in total) are rarely used, such as the Schema and Domain naming Master roles, while others are highly used, such as the PDC emulator and Relative ID (RID) Master role. One thing to keep in mind is that each FSMO role only exists once in the domain and forest. When the entire domain is running on Microsoft Azure it’s completely logical that all FSMO roles are ran on a single Azure IaaS DC or split over different Azure IaaS DCs. However, in most production environments a hybrid (combination of on premise and Microsoft Azure resources) cloud scenario is used. In this case you should see Azure as any other secondary site and the placement of the FSMO roles should be treated in that way. Therefore, always assess all pros and cons before moving certain or all FSMO roles to a DC running as an Azure IaaS VM. In either case, I will show you how you can transfer all or some of the FSMO roles to one of the DCs running on Azure. In my examples all these transfers are done by use of the GUI, but you can also use the command-line tool Ntdsutil.

To transfer the FSMO role(s), a user must be a member of the following group(s):

image

Transfer the Schema Master role (GUI)

1) Logon to one of the Azure IaaS DCs (AZGR-DC-01), open the Schmmgmt.dll library by opening Run and typing:

image

2) Press OK if the installation is succeeded

image

3) Also from the Run command open an MMC Console by typing mmc

image

4) On the Console menu, press Add/Remove Snap-in, select Active Directory Schema, click Add> and press OK

image

5) Right-click the Active Directory Schema icon and press Operation Master…

image

6) Click Change

image

7) Click Yes

image

8) Click OK

image

image

Transfer the Domain Naming Master role (GUI)

1) Logon to one of the Azure IaaS DCs (AZGR-DC-02), open Administrative Tools and click on Active Directory Domains and Trusts

image

2) Right-click the Active Directory Domains and Trusts icon and press Operation Masters…

image

3) Press the Change button

image

4) Press Yes to confirm the change

image

5) Press OK

image

image

Transfer the RID Master, PDC Emulator and Infrastructure Master role (GUI)

  • The RID master role and the PDC emulator role should be owned by the same DC as a best practice

1) Logon to one of the DCs running on Azure (AZGR-DC-01 or AZGR-DC-02) trough RDP, open Run and type dsa.msc and press OK

image

2) When the Active Directory Users and Computers window is opened right click the domain and click Operations Masters…

image

3) In the Operations Masters window, each tab will show you who the current Operations master is for a specific FSMO (RID, PDC and Infrastructure). For example, the RID Operations master is shown in the screenshot below

image

4) To transfer the role just press Change…

image

5) Select Yes

image

6) Press OK

image

7) Like you can see the role is transferred to AZGR-DC-02

image

8) If you want to transfer another role for example to AZGR-DC-01, select Active Directory Users and Computers and select Change Domain Controller…

image

9) Select AZGR-DC-01 out of the list and press OK. This will switch the DC

image

image

10) Now repeat steps 2 till 6 to switch the Infrastructure role to AZGR-DC-01

image

Check the location of all FSMO roles (PowerShell)

1) Logon to one of the DCs running on Azure (AZGR-DC-01 or AZGR-DC-02) trough RDP and open PowerShell as an Administrator

2) Run following command (save as .ps1 or run directly)

image

That ends the this part of this series. Please continue through the rest of the series to complete the setup (if all are available). Till next time!

Wim Matthyssen (@wmatthyssen)

Share on LinkedInTweet about this on TwitterShare on Google+Share on Facebook