Friday, March 30, 2012

Lync and Exchange UM Integration


This article covers the Unified Messaging (UM) integration configuration between Lync Server 2010 Release Candidate and Exchange Server 2010 SP1.  Although the process is basically the same as it was in Exchange 2007 and OCS 2007 R2 there are a few important changes.  Also note these instructions were tested various times with both RC and RTM installations of Lync Server.
The lab environment used as examples was built using the same processes discussed in these three previous articles for Lync Server.  A single consolidated Exchange 2010 SP1 server was also added with all roles (CAS, Hub, Mailbox, UM).

Overview

The following steps completed in this order in a greenfield deployment should yield a working UM environment in little time.
  1. Deploy Exchange Server 2010 SP1 in the same forest as a consolidated server with Unified Messaging role included.
  2. Replace the self-signed certificate with one from an internal Windows Enterprise Certificate Authority and reassign all Exchange roles to it.
  3. Create a new SIP Dial Plan in Exchange.
  4. Configure UM Dial Plan, Policy, and Auto Attendant settings.
  5. Enable Unified Messaging on at least one mailbox.
  6. Run the exchucutil.ps1 PowerShell script on the Exchange server.
  7. Configure Lync Server Dial Plan or verify existing configuration is sufficient.
  8. Run the ocsumutil.exe tool on the Lync server.

Configuration

These steps begin right where article 3 left off so if you are following along make sure to configure the Enterprise Voice setting in Lync Server as detailed in that article.

1.  Deploy Exchange Server

The deployment of Exchange Server 2010 SP1 is outside the scope of this article but there are many official and unofficial walkthroughs available online to help anyone unfamiliar with the Exchange Server deployment process.  The best place to start would be the official Microsoft documentation.  The host used in this lab is a separate, dedicated virtual guest running Windows Server 2008 R2 with 2GB of RAM assigned to it.  No previous instance of Exchange had been installed so the deployment included creating a new Exchange Organization.
Prior to deploying the Exchange Server make sure to install all of the prerequisite software for the UM role as documented in this checklist.  Pay special attention to the Microsoft Speech Platform, UC Managed API 2.0, and UM Language Pack installations.

2. Generate New Certificate

This step is a common Exchange deployment task and official instructions can be found here.  Note that the statement “you must use a public certificate if you are using Unified Messaging with Office Communications Server” is not entirely correct.  This really should state that a ‘trusted certificate’ is required, as a private certificate issued by an internal Enterprise Windows CA can be used and will work fine if both the Lync and Exchange servers are members of the same domain.  Also verify that the UM service is assigned to the new certificate once it is installed and the UM service was restarted.
When collocating the UM role on a consolidated Exchange Server the easiest configuration is to use a single SAN certificate for all Exchange services with the server’s FQDN set as the Subject Name (e.g. lab1exch.csmvp.net) with any other required names (e.g. mail.csmvp.net, autodiscover.csmvp.net) added to the Subject Alternative Names field.

3. Create Exchange UM Dial Plan

In this deployment the VoIP Security option Secured was used so that both SIP signaling traffic and RTP media traffic will be transmitted between Lync and Exchange using encrypted TLS communications.  Opting to use the SIP Secured setting would only protect the SIP traffic using TLS while all RTP traffic would be transmitted over TCP.
Additionally a value of 4 was selected for the number of digits in extension numbers as the dial plan previously configured in the Lync server is based on the pattern 312-555-75xx, where the last four digits are treated as the user’s extension.  Since normalization patterns were created to translate 75xx patterns into RFC 3966 patterns (+131255575xx) then we want the Exchange UM dial plan to automatically select the last 4 digits of the user’s Telephone Number field as their extension when they are later enabled for UM.
  • Using the Exchange Management Console navigate to the UM Dial Plans tab under Organization Configuration > Unified Messaging.  Create a new UM Dial Plan with any Name desired (e.g. DefaultUM), and any valid PIN length (e.g. 4). The URI Type must be set to SIP URI and the VOIP Security was set to Secured.  As this lab is using a North American dialing plan the Country/Region Code was set to 1.
    An improvement in the Exchange Server 2010 process is seen next as the wizard will ask which UM server to associate the new dial plan with.  Previously with Exchange Server 2007 this step had to be performed manually afterwards.
  • Select the consolidated Exchange server running the UM role and then complete the wizard.
During the wizard completion the following error may appear as the default UM service startup mode is set to TCP and is not compatible with the VoIP Security option selected.  This will also prevent the Unified Messaging service from starting on the Exchange server.
The VoIPSecurity type of dial plan(s) ‘DefaultUM’ does not match the UMStartupMode of Unified Messaging server ‘LAB1EXCH’. Please ensure that if the UMStartupMode of the Unified Messaging server is TCP, the dial plan has a VoIPSecurity type of Unsecured. If the UMStartupMode of the Unified Messaging server is TLS, the dial plan should have a VoIPSecurity type of either SIPSecured or Secured.
  • To resolve this issue complete the wizard and then use the Exchange Management Console to navigate to the UM Settings tab on the UM server properties located under Server Configuration > Unified Messaging.  Change the Startup Mode to TLS.  (Dual could also have been selected but in this lab all communications will be using TLS so there is no reason for the UM service to listen over TCP as well.  This approach is also more secure in production deployments.)
  • To apply this change the Microsoft Exchange Unified Messaging service must be restarted, although it should not even be running at this point so then it just needs to be started.
Alternatively the Exchange Management Shell can be used with the following PowerShell cmdlets to perform all of the steps shown above in this section.
New-UMDialPlan -Name 'DefaultUM' -NumberOfDigitsInExtension '4' -URIType 'SipName' -VoIPSecurity 'Secured' -CountryOrRegionCode '1'
Set-UMServer -Identity 'LAB1EXCH' -DialPlans 'DefaultUM' -UMStartupMode 'TLS'
Start-Service MSExchangeUM
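
The mismatch behind that wizard error can be checked ahead of time. The PowerShell below is an added example, not part of the original article or of Exchange itself: Test-UMSecurityAlignment is a hypothetical helper, and the sample objects are constructed from the lab's LAB1EXCH and DefaultUM names so the block runs without an Exchange server.

```powershell
# Added example (not from the article). Applies the rule quoted in the wizard error:
#   TCP -> Unsecured only;  TLS -> SIPSecured or Secured;  Dual -> any of the three.
function Test-UMSecurityAlignment {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Server,    # Name, UMStartupMode, DialPlans
        [Parameter(Mandatory = $true)] [object[]] $DialPlan   # Name, VoIPSecurity
    )

    $allowed = @{
        'TCP'  = @('Unsecured')
        'TLS'  = @('SIPSecured', 'Secured')
        'Dual' = @('Unsecured', 'SIPSecured', 'Secured')
    }

    # Index the dial plans by name so each server's associations can be resolved.
    $planByName = @{}
    foreach ($p in $DialPlan) { $planByName["$($p.Name)"] = $p }

    foreach ($s in $Server) {
        $mode = "$($s.UMStartupMode)"
        foreach ($dp in $s.DialPlans) {
            # Live UM server objects hold object references; the sample holds plain strings.
            $name = if ($dp.Name) { "$($dp.Name)" } else { "$dp" }
            $plan = $planByName[$name]
            $sec  = if ($plan) { "$($plan.VoIPSecurity)" } else { $null }

            $compatible = $false
            $notes = @()
            if (-not $plan) {
                $notes += 'Dial plan not found in the supplied list'
            } elseif (-not $allowed.ContainsKey($mode)) {
                $notes += "Unknown startup mode '$mode'"
            } elseif ($allowed[$mode] -contains $sec) {
                $compatible = $true
                if ($mode -eq 'Dual')      { $notes += 'UM service also listens over TCP' }
                if ($sec -eq 'SIPSecured') { $notes += 'Only SIP signaling is protected by TLS' }
                if ($sec -eq 'Unsecured')  { $notes += 'Neither signaling nor media is protected' }
            } else {
                $notes += "UMStartupMode $mode cannot serve a $sec dial plan; the UM service will not start"
            }

            New-Object PSObject -Property @{
                Server = "$($s.Name)"; StartupMode = $mode; DialPlan = $name
                VoIPSecurity = $sec; Compatible = $compatible; Note = ($notes -join '; ')
            } | Select-Object Server, StartupMode, DialPlan, VoIPSecurity, Compatible, Note
        }
    }
}

# Constructed sample data using the lab's names: the first server object is the state
# that triggers the wizard error, the second is the state after Set-UMServer.
$plans  = @(New-Object PSObject -Property @{ Name = 'DefaultUM'; VoIPSecurity = 'Secured' })
$before = New-Object PSObject -Property @{ Name = 'LAB1EXCH'; UMStartupMode = 'TCP'; DialPlans = @('DefaultUM') }
$after  = New-Object PSObject -Property @{ Name = 'LAB1EXCH'; UMStartupMode = 'TLS'; DialPlans = @('DefaultUM') }
Test-UMSecurityAlignment -Server $before, $after -DialPlan $plans | Format-Table -AutoSize

# Against a live organization, from the Exchange Management Shell:
#   Test-UMSecurityAlignment -Server (Get-UMServer) -DialPlan (Get-UMDialPlan)
```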

4. Configure UM Settings

This first step is optional but I typically prefer to tweak a couple settings before enabling users for UM, specifically the minimum PIN length as the default of 6 is annoyingly long for demo purposes, plus enabling common patterns allows me to set easy-to-remember PINs like ‘1234’ or ‘1111’.
  • From the PIN policies tab on the default UM Mailbox Policy set the Minimum PIN Length to 4 and enable Allow common patterns in PIN.
Next is the Exchange Subscriber Access and Auto Attendant configuration.  As this lab is using 312-555-75xx in the Lync Dial Plan I selected 7556 and 7557 for the SA and AA telephone numbers.
  • Enter the desired telephone number on the Subscriber Access tab of the newly created UM Dial Plan (e.g. +13125557556).
    • Create a new UM Auto Attendant with any Name (e.g. AutoAttendant) (do not include any spaces) and enter the desired phone number in the Pilot Identifier List (e.g. +13125557557).  Select the new UM Dial Plan as the associated dial plan and select both settings to enable and speech-enable the auto attendant.
  • Alternatively the PowerShell cmdlet shown below can be used to create the new UM Auto Attendant with the settings described above.
New-UMAutoAttendant -Name 'AutoAttendant' -UMDialPlan 'DefaultUM' -Status 'Enabled' -SpeechEnabled $true -PilotIdentifierList '+13125557557'

5. Enable Mailboxes for UM

Select at least one mailbox using the Exchange Management Console and enable Unified Messaging on it.  This account should already be enabled for Lync Server and Enterprise Voice.
  • Run the Enable Unified Messaging wizard on the mailbox and select the default policy.  Retain the automatic settings but verify that the extension and SIP address shown match the desired settings for that user.
Once again, the Exchange Management Shell can be used to perform the same step, as shown by the following cmdlet.
Enable-UMMailbox -Identity 'kristina' -PinExpired $false -UMMailboxPolicy 'DefaultUM Default Policy' -Extensions '7502' -SIPResourceIdentifier 'Kristina@csmvp.net'
  • Verify that the EUM and SIP addresses are properly configured on the mailbox after the wizard completes.

6. Run Exchange UC Configuration Script

This script is basically unchanged in SP1 and performs the same actions: creating the UM IP Gateway and IP Hunt Group as well as granting permissions to Lync server to read specific UM-related objects in Active Directory.
Make sure to allow for any outstanding AD replication to complete before running this script so that the newly created UM dial plan and any other changes are read by the script in their updated state.  If run too soon, sometimes the Dial Plans listed in the last line of the script output will display as “not found” even though the configuration would typically be functional at that point.  If that happens it is safe to re-run the script multiple times as it will identify any successful previous changes and thus report that no new changes were applied in those cases.
  • Using the Exchange Management Shell execute the exchucutil.ps1 script located in the Exchange Server’s Scripts directory, as shown in the path below.
[PS] C:\Program Files\Microsoft\Exchange Server\v14\Scripts>.\ExchUCUtil.ps1
Using Global Catalog: GC://DC=csmvp,DC=net
Configuring permissions for csmvp.net\RTCUniversalServerAdmins …
CSMVP Net: The appropriate permissions haven’t been granted for the Office Communications Servers and Administrators to be able to read the UM dial plan and auto attendants container objects in Active Directory. The correct permissions are being added to the container objects.
UM DialPlan Container: The appropriate permissions haven’t been granted for the Office Communications Servers and Administrators to be able to read the UM dial plan and auto attendants container objects in Active Directory. The correct permissions are being added to the container objects.
UM AutoAttendant Container: The appropriate permissions haven’t been granted for the Office Communications Servers and Administrators to be able to read the UM dial plan and auto attendants container objects in Active Directory. The correct permissions are being added to the container objects.

Configuring permissions for csmvp.net\RTCComponentUniversalServices …
CSMVP Net: The appropriate permissions haven’t been granted for the Office Communications Servers and Administrators to be able to read the UM dial plan and auto attendants container objects in Active Directory. The correct permissions are being added to the container objects.
UM DialPlan Container: The appropriate permissions haven’t been granted for the Office Communications Servers and Administrators to be able to read the UM dial plan and auto attendants container objects in Active Directory. The correct permissions are being added to the container objects.
UM AutoAttendant Container: The appropriate permissions haven’t been granted for the Office Communications Servers and Administrators to be able to read the UM dial plan and auto attendants container objects in Active Directory. The correct permissions are being added to the container objects.

Configuring UM IP Gateway objects…
Pool: lab1ls.csmvp.net
A UMIPGateway doesn’t exist in Active Directory for the Office Communications Server Pool. A new UM IP gateway is being created for the Pool.
IsBranchRegistrar: False
MessageWaitingIndicatorAllowed: True
OutcallsAllowed: True
WARNING: The command completed successfully but no settings of '1:1' have been modified.
Dial plans: DefaultUM

Permissions for group csmvp.net\RTCUniversalServerAdmins
ObjectName                     AccessRights                   Configured
----------                     ------------                   ----------
CSMVP Net                      ListChildren                   True
UM DialPlan Container          ListChildren, ReadProperty     True
UM AutoAttendant Container     ListChildren, ReadProperty     True

Permissions for group csmvp.net\RTCComponentUniversalServices
ObjectName                     AccessRights                   Configured
----------                     ------------                   ----------
CSMVP Net                      ListChildren                   True
UM DialPlan Container          ListChildren, ReadProperty     True
UM AutoAttendant Container     ListChildren, ReadProperty     True

PoolFqdn                       UMIPGateway                    DialPlans
--------                       -----------                    ---------
lab1ls.csmvp.net               1:1                            {DefaultUM}

7. Configure Lync Dial Plans

As mentioned earlier the Lync Server voice configuration is already complete.  To validate which settings are required in Lync follow just the Enabling Enterprise Voice section of this previous article (the Deploying a Media Gateway section is not required for UM connectivity.)
  • To validate the configuration will support the extension dialing configured for the SA and AA UM objects use the Lync Server Control Panel to create a New Voice Test Routing Case.  Enter the SA extension (e.g. 7556) and the Expected translation (e.g. +13125557556) and make sure the test passes. 

8. Run Lync UM Configuration Tool

This utility is used to create the AD contact objects for Lync Server to resolve and locate the Exchange Subscriber Access and Auto Attendant services.
In the past the UM Dial Plan name always had to be identical to the FQDN used as the name of the OCS Location Profile.  But now with SP1 on Exchange Server 2010 that is no longer required, as indicated by the informational text on the bottom of the next screenshot.
  • Execute the OcsUmUtil.exe program located in the Lync Server’s Support directory, as shown in the path below.
C:\Program Files\Common Files\Microsoft Lync Server 2010\Support\OcsUmUtil.exe
  • Click Load Data and the Active Directory forest name should populate the Exchange UM Dial Plan Forest field.
  • Click Add to create the Subscriber Access contact first.  Select the desired Organizational Unit and Name.  The defaults can be used for the remainder of the settings.
  • Click Add again to create another contact and select Auto-Attendant as the Contact Type. Select the desired Organizational Unit and Name.  The defaults can be used for the remainder of the settings as well.
  • Close the Exchange UM integration Utility and force an address book update in a Lync client to verify the new Exchange contacts.  Depending on the AD forest configuration replication may need to complete before attempting the address book update process.

 http://blog.schertz.name/2010/11/lync-and-exchange-um-integration/

"The Delegates settings were not saved correctly" error when you try to add a delegate in Outlook 2010

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  How to back up and restore the registry in Windows
Outlook can be configured to enable you to add delegates without requiring you to grant the "send on behalf of" permission. To do this, follow these steps:
  1. Exit Outlook 2010.
  2. Start Registry Editor. To do this, use one of the following procedures, as appropriate for your situation.

    Windows Vista
    1. Click Start, type regedit in the Start Search box, and then press ENTER.
    2. If you are prompted for an administrator password or for confirmation, type the password or click Continue.

    Windows XP
    1. Click Start, and then click Run.
    2. If you are prompted for an administrator password or for confirmation, type the password or click Continue.
  3. Locate and then click the following registry subkey:

        HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Preferences
    If you use policies, click the following subkey:

        HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Outlook\Preferences
  4. After you select the subkey that is specified in step 3, click New on the Edit menu, and then click DWORD Value.
  5. Type IgnoreSOBError, and then press Enter.
  6. Right-click IgnoreSOBError, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. On the File menu, click Exit to exit Registry Editor.
After you add the registry value, you can add a delegate without having write permissions to your own user object on the global catalog server. When you do this, a message that resembles the following message is logged in the Windows Application event log to help track the event:
Source: Outlook
Category: None
Event ID: 27
Type: Error
User: N/A
Computer: computer_name

Description:
SOB error ignored
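
Because this value suppresses an error about a permission that was not granted, it is useful to know which workstations carry it and when it took effect. The PowerShell below is an added example, not part of the Microsoft article: the function names are hypothetical, and it reads only the two registry subkeys and the event (Source Outlook, Event ID 27) named above, for the user running it.

```powershell
# Added example (not from the article). Reports whether IgnoreSOBError is set as a
# user preference or through policy for the current user.
function Get-IgnoreSobErrorState {
    $keys = @{
        'User preference' = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Preferences'
        'Policy'          = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Preferences'
    }
    foreach ($scope in $keys.Keys) {
        $value = $null
        # A missing key or a missing value both leave $prop empty.
        $prop = Get-ItemProperty -Path $keys[$scope] -Name 'IgnoreSOBError' -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.IgnoreSOBError }
        New-Object PSObject -Property @{
            Scope = $scope; Key = $keys[$scope]; Value = $value; Enabled = ($value -eq 1)
        } | Select-Object Scope, Enabled, Value, Key
    }
}

# Lists the Application log entries that Outlook writes each time the error is ignored.
function Get-SobIgnoredEvent {
    param([int] $MaxEvents = 50)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Outlook'; Id = 27 } `
                     -MaxEvents $MaxEvents -ErrorAction Stop |
            Where-Object { $_.Message -match 'SOB error ignored' } |
            Select-Object TimeCreated, MachineName, Id, Message
    } catch {
        # Get-WinEvent raises an error when nothing matches or the provider is not
        # registered on this machine; both cases are reported as "no events".
        @()
    }
}

Get-IgnoreSobErrorState | Format-Table -AutoSize
Get-SobIgnoredEvent     | Format-Table -AutoSize
```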

Tuesday, March 27, 2012

There was a problem sending the command to the program

Consider the following scenario:

You double-click a Microsoft Excel workbook in Microsoft Windows Explorer

or

You double-click a short-cut to an Excel file located on your desktop or any other location

The Microsoft Excel application starts, but the Excel file does not open and you receive an error message.
The error message may be different depending on the version of Windows you are using.

In Windows 7, you may see this error message:
There was a problem sending the command to the program.

In Windows Vista, you may see this error message:
Windows cannot find 'FilePath\FileName', Make sure you typed the name correctly, and then try again.

In Windows XP, you may see this error message:
Cannot find the file 'path' (or one of its components). Make sure the path and filename are correct and that all required libraries are available.



CAUSE

This problem may occur if the Ignore other applications that use Dynamic Data Exchange (DDE) setting in Excel is selected.

RESOLUTION

To have us fix this problem for you in Excel 2010, Excel 2007 and Excel 2003, go to the "Fix it for me" section. If you would rather fix it yourself or you have a version of Excel prior to 2003, go to the "Let me fix it myself" section.



Fix it for me

To fix this problem automatically on Excel 2010, Excel 2007 or Excel 2003, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.
Fix this problem
Microsoft Fix it 50392

Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Let me fix it myself

To resolve this problem yourself, follow the steps for your version of Microsoft Excel:


Microsoft Excel 2010
  1. Click the File tab, and then click Options.
  2. Click Advanced, and then click to clear the Ignore other applications that use Dynamic Data Exchange (DDE) check box in the General area.
  3. Click OK.
Microsoft Office Excel 2007
  1. Click the Microsoft Office Button, and then click Excel Options.
  2. Click Advanced, and then click to clear the Ignore other applications that use Dynamic Data Exchange (DDE) check box in the General area.
  3. Click OK.
Microsoft Office Excel 2003 or earlier versions of Excel
  1. Click Options, on the Tools menu.
  2. Click the General tab.
  3. Click to clear the Ignore other applications that use Dynamic Data Exchange (DDE) check box, and then click OK.
After you do this, you should be able to open workbooks by double-clicking them in Windows Explorer.

MORE INFORMATION

When you double-click an Excel workbook in Windows Explorer, a dynamic data exchange (DDE) message is sent to Excel, instructing it to open the workbook that you double-clicked.

If the Ignore other applications that use Dynamic Data Exchange (DDE) setting is selected, Excel ignores DDE messages sent to it by other programs. As a result, the DDE message sent to Excel by Windows Explorer is ignored, and Excel does not open the workbook that you double-clicked.

http://support.microsoft.com/kb/211494

Monday, March 12, 2012

Lync Server 2010 Setup or Remove Lync Components fails on Windows Server 2008 R2 SP1 Error: Prerequisite installation failed: Wmf2008R2

The Lync Server 2010 Setup or Remove Component installation fails on the prerequisite check for the Media-Format-Package and returns the following information back to the Setup Lync Server components page:

Name of prerequisite: Wmf2008R2   MM/DD/YYYY HH:MM:SS AM
Type of prerequisite: exe   MM/DD/YYYY HH:MM:SS AM    
Method used to check prerequisite state: WmfNeeded2008R2()   MM/DD/YYYY HH:MM:SS AM   
Result of state check: True   MM/DD/YYYY HH:MM:SS AM  
Executing external command: C:\Windows\system32\dism.exe /online /norestart /add-package /packagepath:C:\Windows\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum /ignorecheck   MM/DD/YYYY HH:MM:SS AM
Installation result: -2146762496   MM/DD/YYYY HH:MM:SS AM     
Error: Prerequisite installation failed: Wmf2008R2
Details
Type: PrereqInstallFailed
Stack Trace
at Microsoft.Rtc.Internal.Tools.Bootstrapper.BootstrapperTask.AddMsiPrereq(String prereqName)
at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog[T](Action`1 action, T arg)

CAUSE

The Lync Server 2010 Setup or Remove Component installation prerequisite check cannot locate the Server 2008 R2 SP1 version of Microsoft Windows Media Format.

RESOLUTION

To resolve this problem, install Windows Desktop Experience. To do this, follow these steps:
  1. Click Start, click Administrative Tools, and then double-click Server Manager
  2. In Server Manager, click Add Features under Features Summary
  3. In the Add Features Wizard dialog box, make sure that the Desktop Experience option is selected
  4. Click Next, and then click Install
  5. After the installation process is complete, click Close, and then close Server Manager
Note After you install Windows Desktop Experience, you must restart the computer

 http://support.microsoft.com/kb/2522454

Creating Central Management Store Failure - When publishing lync 2010 server

Running script: C:\Windows\system32\cscript.exe //Nologo "C:\Program Files\Common Files\Microsoft Lync Server 2010\DbSetup\xdssetup.wsf" /dbexists /sqlserver:lyncfe1.domain.com\rtc /publisheracct:DOMAIN\RTCUniversalServerAdmins /replicatoracct:DOMAIN\RTCUniversalConfigReplicator /consumeracct:DOMAIN\RTCUniversalReadOnlyAdmins /role:master /verbose
---------------
Installed SQL Server 2005 Backward Compatibility version is 8.05.2312
Connecting to SQL Server on lyncfe1.domain.com\rtc
Error connecting (
name: Error
description:
number: -2147203052
message:
)
Attempting to start SQL Server and connect...
Error starting SQL Server on lyncfe1.domain.com\rtc
Error (
name: Error
description: Permission denied
number: -2146828218
message: Permission denied
)
Ensure that lyncfe1.domain.com\rtc is a valid SQL instance.
---------------
Exit code: ERROR_START_SQLSERVICE (-1)
When running /dbexists, non-zero exit codes are not necessarily errors
---------------

Resolution:

It is because there is no SPN for the Front End pool FQDN. Rather than adding an SPN I just deleted my front end server from the topology builder and added a new one using the FQDN of the actual lync server and it worked fine.

Error Code 0x80070021

THE ERROR:

HTTP Error 500.19 - Internal Server Error with Error Code: 0x80070021
The requested page cannot be accessed because the related configuration data for the page is invalid.

ERROR DETAILS:

Module: RequestFilteringModule
Notification: BeginRequest
Handler: StaticFile
Error Code: 0x80070021 Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Config File: \\?\C:\RnDInternet\web.config
152:
153:
154:


KB Article for this error:


STEPS TO RESOLVE - HOW TO CORRECT:

Most of the time following steps correct this issue:
  • Go to C:\Windows\System32\inetsrv\config folder and open applicationHost.config file. Search for
    Change


    TO

  • Alternatively you can use appcmd.exe command to unlock this section.

    Use following command to unlock this section globally:

    %windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/requestFiltering

    Use following command to unlock this section for a particular site/app:

    %windir%\system32\inetsrv\appcmd.exe unlock config "SiteName/app/url" -section:system.webServer/security/requestFiltering
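
The global unlock lets every site's web.config define requestFiltering, while the per-site form delegates it to one path only, so it helps to see which lock actually applies to a site before changing anything. The PowerShell below is an added example, not part of the original post: Get-SectionLockState is a hypothetical helper, the XML is a constructed applicationHost.config fragment with placeholder site names, and it assumes the most specific matching location block wins.

```powershell
# Added example (not from the post). Resolves whether a site's web.config may define a
# section, reading only applicationHost.config. Assumption: among matching <location>
# blocks the most specific path wins, and path "" applies to every site.
function Get-SectionLockState {
    param(
        [Parameter(Mandatory = $true)] [xml]    $Config,
        [Parameter(Mandatory = $true)] [string] $SectionPath,
        [Parameter(Mandatory = $true)] [string] $SitePath
    )

    # 1. Default from the <section> declaration under nested <sectionGroup> elements.
    $parts = $SectionPath.Split('/')
    $xpath = '/configuration/configSections'
    for ($i = 0; $i -lt $parts.Length - 1; $i++) {
        $xpath += "/sectionGroup[@name='$($parts[$i])']"
    }
    $xpath += "/section[@name='$($parts[$parts.Length - 1])']"
    $decl = $Config.SelectSingleNode($xpath)
    if ($null -eq $decl) { throw "Section '$SectionPath' is not declared in configSections." }

    $mode = $decl.GetAttribute('overrideModeDefault')
    if (-not $mode) { $mode = 'Allow' }     # an absent attribute means Allow
    $source = 'overrideModeDefault on the section declaration'

    # 2. <location> blocks that contain the section and set overrideMode or the
    #    legacy allowOverride attribute, as listed in the error text.
    $bestLength = -1
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        if ($null -eq $loc.SelectSingleNode($SectionPath)) { continue }
        $locMode = $loc.GetAttribute('overrideMode')
        if (-not $locMode) {
            $legacy = $loc.GetAttribute('allowOverride')
            if ($legacy -eq 'false') { $locMode = 'Deny' } elseif ($legacy -eq 'true') { $locMode = 'Allow' }
        }
        if (-not $locMode -or $locMode -eq 'Inherit') { continue }

        $path = $loc.GetAttribute('path')
        $applies = ($path -eq '') -or ($SitePath -eq $path) -or
                   $SitePath.StartsWith("$path/", [System.StringComparison]::OrdinalIgnoreCase)
        if ($applies -and $path.Length -gt $bestLength) {
            $bestLength = $path.Length
            $mode       = $locMode
            $source     = "location path='$path'"
        }
    }

    New-Object PSObject -Property @{
        Section = $SectionPath; SitePath = $SitePath; EffectiveMode = $mode
        DecidedBy = $source; WebConfigMayDefine = ($mode -eq 'Allow')
    } | Select-Object Section, SitePath, EffectiveMode, WebConfigMayDefine, DecidedBy
}

# Constructed fragment: the section is locked by default and unlocked for one site only.
[xml]$sample = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <section name="requestFiltering" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="ExampleSite" overrideMode="Allow">
    <system.webServer><security><requestFiltering /></security></system.webServer>
  </location>
</configuration>
'@

$section = 'system.webServer/security/requestFiltering'
'ExampleSite/app', 'OtherSite' | ForEach-Object {
    Get-SectionLockState -Config $sample -SectionPath $section -SitePath $_
} | Format-Table -AutoSize

# Live file: [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
```

With the sample, ExampleSite/app resolves to Allow through its location block and OtherSite stays at Deny, which is the state that produces error 0x80070021 when its web.config contains the section.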

But in my case I already had the required changes in the applicationHost.config file. Also I notice the error code is different than the normal error code. To resolve the issue I had to uninstall the IIS feature and add it back. Just by doing this everything works.
To uninstall & install the IIS feature, go to Control Panel –> Programs and Features and then click “Turn Windows features on or off”.
It will open a new dialog box, in which you select & expand “Internet Information Services” –> “World Wide Web services” –> “Application Development Features” and uncheck everything. Click OK to start the uninstall process.
After the uninstall is done, follow the same process to open the Windows Features dialog box and select the features you want. I normally install the following features.
I hope this article will help others facing a similar issue. Please feel free to share more tips and suggestions.

 http://blog.laksha.net/2009/08/http-error-50019-internal-server-error.html

Saturday, March 10, 2012

Transferring FSMO roles



The five FSMO roles are:
  1. Schema Master
  2. Domain Naming Master
  3. Infrastructure Master
  4. Relative ID (RID) Master
  5. PDC Emulator
The FSMO roles are going to be transferred, using the following three MMC snap-ins :
  • Active Directory Schema snap-in  : Will be used to transfer the Schema Master role
  • Active Directory Domains and Trusts snap-in : Will be used to transfer the Domain Naming Master role
  • Active Directory Users and Computers snap-in : Will be used to transfer the RID Master, PDC Emulator, and Infrastructure Master roles
Let's start transferring the FSMO roles.
  • Using Active Directory Schema snap-in to transfer the Schema Master role
    You have to register schmmgmt.dll in order to be able to use the Active Directory Schema snap-in
  1. Click Start > Run
  2. Type regsvr32 schmmgmt.dll

  3. Click OK

    A popup message will confirm that schmmgmt.dll was successfully registered. Click OK
  4. Click Start > Run, type mmc, then click OK

  5. Click File > then click Add/Remove Snap-in...

  6. From the left side, under Available Snap-ins, click on Active Directory Schema, then click Add > and then click OK
  7. Right click Active Directory Schema, then click Change Active Directory Domain Controller... 

  8. From the listed Domain Controllers, click on the domain controller that you want to be the schema master role holder and then click on OK



    You will receive a message box stating that the schema snap-in is not connected to a schema operations master. That is for sure, as we have not yet set this Windows Server 2008 domain controller as a Schema Master role holder. This will be done in the next step. Click OK

  9. In the console tree, right click Active Directory Schema [DomainController.DomainName], and then click Operations Master...

  10. On the Change Schema Master page, the current schema master role holder will be displayed (ex. ELMAJ-DC.ELMAJDAL.NET) and the targeted schema holder as well (ex. ELMAJ-DC2K8.ELMAJDAL.NET). Once you click Change, the schema master holder will become ELMAJ-DC2K8.ELMAJDAL.NET. Click Change




    Click Yes to confirm the role transfer



    The role will be transferred and a confirmation message will be displayed. Click OK 


    Then click Close, as you can see in the below snapshot, the current schema master is ELMAJ-DC2K8.ELMAJDAL.NET


  • Using Active Directory Domains and Trusts snap-in to transfer the Domain Naming Master Role

  1. Click Start > Administrative Tools > then click Active Directory Domains and Trusts

  2. Right click Active Directory Domains and Trusts, then click Change Active Directory Domain Controller...

  3. From the listed Domain Controllers, click on the domain controller that you want to be the Domain Naming master role holder and then click on OK

  4. Right click Active Directory Domains and Trusts, then click Operations Master...

  5. On the Operations Master page, we are going to change the Domain Naming role holder from ELMAJ-DC.ELMAJDAL.NET to ELMAJ-DC2K8.ELMAJDAL.NET, Click Change



    Click YES to confirm the transfer of the Domain Naming role



    The role will be transferred and a confirmation message will be displayed. Click OK , then click Close



Till now, we have successfully transferred two FSMO roles, the Schema Master role and the Domain Naming role. The last three roles can be transferred using a single Snap-in.

  • Using Active Directory Users and Computers snap-in to transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
  1. Click Start > Administrative Tools > then click Active Directory Users and Computers

  2. Right click Active Directory Users and Computers, then click All Tasks > Operations Master...

  3. You will have three Tabs, representing three FSMO roles (RID, PDC, Infrastructure). Click the Change button under each of these three tabs to transfer the roles. 



    Click Yes to confirm the role transfer



    The role will be transferred and a confirmation message will be displayed. Click OK 

    As for the Infrastructure role, once you click on the Change button you will receive the below message



    By default, when you install your first Domain Controller, it holds the five roles and is also a Global Catalog. If your environment is a multi-domain/forest, then you should think about structuring your FSMO roles and transferring the Infrastructure role to a non-Global Catalog domain controller. Otherwise, if you have a small number of domain controllers (ex. two domain controllers), you should not worry about this. Click Yes

  4. The Tabs should now look like this:


That's it, by now, you have successfully transferred the five FSMO roles to the Windows Server 2008 Domain Controller.
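
The three snap-ins each show only their own roles, so a single check of all five holders confirms that nothing was left on the old domain controller. The PowerShell below is an added example, not part of the original article: Compare-FsmoHolder is a hypothetical helper that parses the text printed by netdom query fsmo, and the sample lines are constructed from the article's server names with one role deliberately left on ELMAJ-DC.

```powershell
# Added example (not from the article). Parses `netdom query fsmo` output and reports
# which of the five roles are not yet on the intended domain controller.
function Compare-FsmoHolder {
    param(
        [Parameter(Mandatory = $true)] [string[]] $NetdomOutput,
        [Parameter(Mandatory = $true)] [string]   $ExpectedHolder,
        [string[]] $GlobalCatalog = @(),      # FQDNs of DCs that host a global catalog
        [switch]   $MultiDomainForest
    )

    # netdom labels mapped to the role names used in the article.
    $roles = @{
        'Schema master'         = 'Schema Master'
        'Domain naming master'  = 'Domain Naming Master'
        'PDC'                   = 'PDC Emulator'
        'RID pool manager'      = 'RID Master'
        'Infrastructure master' = 'Infrastructure Master'
    }
    $pattern = '^\s*(Schema master|Domain naming master|PDC|RID pool manager|Infrastructure master)\s+(\S+)\s*$'

    $found = @{}
    foreach ($line in $NetdomOutput) {
        if ($line -match $pattern) { $found[$roles[$Matches[1]]] = $Matches[2] }
    }

    foreach ($role in 'Schema Master', 'Domain Naming Master', 'RID Master', 'PDC Emulator', 'Infrastructure Master') {
        $holder = $found[$role]
        $notes  = @()
        if (-not $holder) {
            $notes += 'Role not present in the netdom output'
        } elseif ($holder -ne $ExpectedHolder) {
            $notes += 'Still held by another domain controller'
        }
        # The article's caveat: in a multi-domain forest the Infrastructure role belongs
        # on a DC that is not a global catalog (unless every DC in the domain is one).
        if ($role -eq 'Infrastructure Master' -and $holder -and $MultiDomainForest -and
            ($GlobalCatalog -contains $holder)) {
            $notes += 'Holder is a global catalog in a multi-domain forest'
        }
        New-Object PSObject -Property @{
            Role = $role; Holder = $holder; OnExpected = ($holder -eq $ExpectedHolder)
            Note = ($notes -join '; ')
        } | Select-Object Role, Holder, OnExpected, Note
    }
}

# Constructed sample output: the RID role has not been transferred yet.
$sample = @(
    'Schema master               ELMAJ-DC2K8.ELMAJDAL.NET'
    'Domain naming master        ELMAJ-DC2K8.ELMAJDAL.NET'
    'PDC                         ELMAJ-DC2K8.ELMAJDAL.NET'
    'RID pool manager            ELMAJ-DC.ELMAJDAL.NET'
    'Infrastructure master       ELMAJ-DC2K8.ELMAJDAL.NET'
    'The command completed successfully.'
)
Compare-FsmoHolder -NetdomOutput $sample -ExpectedHolder 'ELMAJ-DC2K8.ELMAJDAL.NET' |
    Format-Table -AutoSize

# On a domain controller: Compare-FsmoHolder -NetdomOutput (netdom query fsmo) -ExpectedHolder '<new DC FQDN>'
```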


Summary

There are five FSMO roles in a forest, to transfer any of these roles you have to use the appropriate Active Directory snap-in. In my next article, I will be showing you the complete steps required to successfully migrate/upgrade your domain controller to a new hardware server.


http://www.elmajdal.net/win2k8/Transferring_FSMO_Roles_in_Windows_Server_2008.aspx