
Sunday, May 19, 2013

Creating Read Only Domain Controller

The read-only domain controller (RODC) is one of the best features in Server 2008. In previous versions of Windows this feature was not available: if a user had to authenticate over a wide area network, there was no alternative. The main purpose of this feature is to secure the domain controller in a branch office. Most of the time you will find that branch offices lack physical security as well as the availability of highly experienced IT professionals. To secure your branch office you can now place a read-only domain controller there, and in this post you will learn how to create one. To perform this task you must already have a server working as a domain controller, and you must remember that the first domain controller in the forest cannot be read-only. So let's learn how to install a read-only domain controller. I will upload the images as well, so that you have a better understanding of creating a read-only domain controller.
1: Start > dcpromo

Don't select the second option, because that is for creating a child domain. Select the first option and click Next. On the next window you need to enter the administrator credentials (user name and password) and click OK.

You will see that it examines the DNS configuration and presents you with options. Look at the image.

In the next window you will see the option to select a read-only domain controller, as shown in the image below.
Select Read-only domain controller (RODC) and click Next.


Make sure that you select the first option, the one I have highlighted there, and click Next. You can also set the name of a user who can administer the read-only domain controller; see the image.
Click Next and you will see the window showing the location where the database will be stored; leave the default location.
In the next window it will prompt you to enter a password; that password is actually for restore mode on the domain controller (Directory Services Restore Mode).
Just click Next and move on to the next window.
You can export the settings as well if you want to; otherwise just click Next.
You are almost done; all you need to do now is wait until it completes the process.
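The same deployment done from PowerShell, as an added example that is not from the original post: on Windows Server 2012 and later the ADDSDeployment module replaced dcpromo, and its parameters map onto the wizard pages above (RODC option, delegated administrator, default database location, restore mode password). The domain, site and group names are placeholders.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 or later
# with the AD DS role installed; all names below are placeholders for your own domain.
Import-Module ADDSDeployment

$DomainName = 'corp.example.com'   # placeholder: the existing domain this RODC joins
$Cred       = Get-Credential -Message 'Domain administrator credential (the wizard asks for this too)'
$DsrmPass   = Read-Host -AsSecureString 'Directory Services Restore Mode password'

$rodc = @{
    DomainName                          = $DomainName
    Credential                          = $Cred
    ReadOnlyReplica                     = $true            # the "Read-only domain controller (RODC)" option
    SiteName                            = 'BranchOffice'   # placeholder: the branch office site
    InstallDns                          = $true
    # The user or group allowed to administer this RODC locally, without Domain Admins rights.
    DelegatedAdministratorAccountName   = 'CORP\BranchOffice-RODC-Admins'   # placeholder
    # Password Replication Policy: only these accounts' secrets may be cached on the branch server...
    AllowPasswordReplicationAccountName = @('CORP\BranchOffice-Users')      # placeholder
    # ...and privileged accounts never are, so a stolen branch server does not expose them.
    DenyPasswordReplicationAccountName  = @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'CORP\Schema Admins')
    DatabasePath                        = 'C:\Windows\NTDS'    # the default locations the wizard shows
    LogPath                             = 'C:\Windows\NTDS'
    SysvolPath                          = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword       = $DsrmPass           # the "restore mode" password from the wizard
}

# Check the prerequisites first (same parameters, nothing is changed), then promote.
Test-ADDSDomainControllerInstallation @rodc
Install-ADDSDomainController @rodc
```

The server reboots when the promotion completes, which is the wait at the end of the wizard.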





Transferring FSMO Roles

In this post let's learn how to transfer FSMO roles. It is very easy to transfer FSMO roles. When you say that you are going to transfer the FSMO roles, it means all five roles are going to move between domain controllers; a transfer can be initiated either by an administrator or by demoting a domain controller. An FSMO role transfer is never initiated by the operating system itself. So let's learn how to transfer FSMO roles from one domain controller to another. I will upload the screenshots as well, don't worry. For example, if you want to transfer the Schema Master role you must first run the command "regsvr32 schmmgmt.dll"; otherwise you will not be able to transfer the Schema Master role between domain controllers. There are two ways to transfer FSMO roles: either by using the GUI or by using the Ntdsutil.exe command-line tool. In the GUI you can use the Active Directory Schema snap-in, Active Directory Domains and Trusts, or the Active Directory Users and Computers snap-in, depending on which role you want to transfer. I will show you how to transfer the schema role, so first of all you need to run the command regsvr32 schmmgmt.dll on the server you want to transfer the role from. After you run regsvr32 schmmgmt.dll you should get a message on the screen.
As you see in the image, you will get the same message on the screen if you run the right command. Then click Start > Administrative Tools > Active Directory Domains and Trusts, right-click and select the option Change Domain Controller, as shown in the screenshot.
Then you need to right-click Active Directory Domains and Trusts and select the option Operations Master, as shown in the image below.
After that you will see the Operations Master window; click Change and you should get a window asking whether you are sure you want to transfer the operations master role to a different computer.
You need to click Yes.
As you click Yes you will get a message that the role has been transferred successfully. In the same way you can transfer the other roles as well.
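The same transfer done from PowerShell, as an added example that is not from the original post: it uses the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), shows which snap-in each role belongs to, and verifies the role holders before and after. DC02 is a placeholder for the target domain controller.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and an account in Schema Admins, Enterprise Admins and Domain Admins, the groups
# the forest-wide and domain-wide roles respectively require.
Import-Module ActiveDirectory

$Target = 'DC02'   # placeholder: the domain controller that should receive the role(s)

function Get-FsmoHolders {
    # Forest-wide roles are reported by Get-ADForest, domain-wide roles by Get-ADDomain
    # (the same information "netdom query fsmo" prints).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # GUI: Active Directory Schema snap-in
        DomainNamingMaster   = $forest.DomainNamingMaster    # GUI: Active Directory Domains and Trusts
        PDCEmulator          = $domain.PDCEmulator           # GUI: Active Directory Users and Computers
        RIDMaster            = $domain.RIDMaster             # GUI: Active Directory Users and Computers
        InfrastructureMaster = $domain.InfrastructureMaster  # GUI: Active Directory Users and Computers
    }
}

'Role holders before the transfer:'
Get-FsmoHolders | Format-List

# Transfer one role (the Schema Master, as in the walkthrough above). A transfer
# contacts the current holder, so it must be online; do not add -Force here,
# because -Force seizes the role without the current holder's cooperation.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole SchemaMaster -Confirm:$false

# Or move all five at once (the ntdsutil equivalent is one "transfer ..." command per role):
# Move-ADDirectoryServerOperationMasterRole -Identity $Target -Confirm:$false `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

'Role holders after the transfer:'
Get-FsmoHolders | Format-List
```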



FSMO Roles

In this post let's talk about the FSMO roles. As we all know, Active Directory is a multi-master replication model. That means clients can register their records in any available Active Directory domain controller, and they can access resources within the Active Directory NTDS.dit database. Before you learn how to transfer FSMO roles you must have a better understanding of why we use FSMO roles; the answer is to avoid conflicts in Active Directory. In the old days there was only single-master replication. The primary DNS used to have the read and write copy of the DNS data, which means a client had to locate its DNS server and register its resources in order to locate all other resources in the Active Directory domain infrastructure. The main drawback of single-master replication was the single point of failure: if the primary DNS was not reachable, clients could not register their records with another domain controller. The primary zone is the forward lookup zone in AD, and it is highly recommended to have a reverse lookup zone in networks of all sizes because it contains the host name to IP mapping information.
So the main purpose of FSMO roles is to avoid conflicts in AD; if there are any changes or updates in AD, the FSMO roles will take care of them accordingly. We have five FSMO roles:
1: Schema Master
2: Domain Naming Master
3: Infrastructure Master
4: RID (Relative ID) Master
5: PDC Emulator Master

1: Schema Master: This is a forest-wide role, responsible for any update, modification or other change to the schema. Once the update is complete it replicates these updates to the other domain controllers in the forest. There can be only one Schema Master in the whole forest.

2: Domain Naming Master: This is also a forest-wide role. It is responsible for any addition or removal of a domain in the forest. When you create a new domain in an existing forest, the new domain represents a separate naming context, and a new cross-ref object must be created in the Partitions container. As we know, only the Domain Naming Master is allowed to make changes in the Partitions container in the forest. By default the first domain controller in the forest holds this role; however, you can transfer it to another domain controller using Active Directory Domains and Trusts.

3: Infrastructure Master: This role is responsible for updating the SID and distinguished name of objects in cross-domain object references. As it is a domain-wide role, there can be only one domain controller acting as the Infrastructure Master in each domain.

4: RID (Relative ID) Master: Every object in an Active Directory domain has a security identifier (SID), which is a combination of the domain ID and a sequential number called the relative ID (RID), supplied by the RID Master. It is a domain-wide role. In domains that are at the default Windows Server 2000 mixed domain functional level, only the PDC Emulator creates security principals. That is the reason the RID Master and PDC Emulator roles are held by one domain controller, so that it can ensure that every SID is unique and sequential.

5: PDC Emulator: The PDC Emulator has a very unique role. You might have seen in offices that when you enter the user name and password the administrator gave you, you are logged on, but in some cases you get an error message saying invalid user name and password. Have you ever thought about how you get that error message? When you enter the wrong user name and password, the domain controller checks the password and, for confirmation, sends the user's credentials to the PDC Emulator, because the PDC Emulator holds the latest information about the objects' credentials. If it finds that the user has entered the wrong user name and password, the user gets the error message on screen: invalid user name and password. When an administrator changes or resets a password, that information is updated at the same time on the PDC Emulator.
Apart from this the PDC Emulator performs other tasks as well. I believe you now have a better knowledge of the FSMO roles; next you will learn how to transfer them.
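To see what the "domain ID plus relative ID" structure described under the RID Master looks like on a real SID, here is an added example (not from the original post) that decomposes account SIDs with the .NET SecurityIdentifier class; it runs offline, and the SIDs are constructed sample values, not from any real domain.

```powershell
# Added example (not from the original post). Works offline; needs no AD module.
function Split-Sid {
    # Returns the domain SID and the RID for an account SID of the form
    # S-1-5-21-<three domain sub-authorities>-<RID>.
    param([Parameter(Mandatory)][string]$Sid)
    $s   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rid = [int]($s.Value -split '-')[-1]            # the last sub-authority is the RID
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $s.AccountDomainSid.Value         # S-1-5-21-x-y-z, shared by every object in the domain
        Rid       = $rid
        # RIDs below 1000 are well known (500 = Administrator, 502 = krbtgt, 512 = Domain Admins);
        # the RID Master hands out pools of RIDs from 1000 upward for objects created later.
        WellKnown = ($rid -lt 1000)
    }
}

# Constructed sample SIDs for one domain: the built-in Administrator and an ordinary user.
$sampleSids = @(
    'S-1-5-21-1004336348-1177238915-682003330-500',
    'S-1-5-21-1004336348-1177238915-682003330-1105'
)
$parsed = $sampleSids | ForEach-Object { Split-Sid $_ }
$parsed | Format-Table -AutoSize

# Two SIDs with the same domain SID belong to the same domain; only the RID differs,
# which is why a duplicate RID would make two different objects look identical.
if (($parsed.DomainSid | Select-Object -Unique).Count -eq 1) {
    'Same domain {0}; RIDs {1}' -f $parsed[0].DomainSid, ($parsed.Rid -join ', ')
}
```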