SysAdmin Talk

When you configure the first Domain Controller for your organization using the Active Directory Installation Wizard (or dcpromo for short), it is configured with all five FSMO roles by default. Here I will cover how you can view and transfer the specific FSMO roles of various Domain Controllers in your domain. As this is a short how-to article, I won’t go into the specific details of when you would need to transfer roles, but in short you may want to take a certain domain controller down for maintenance one day and may find it necessary to transfer some, or all of these roles.

To start with you will obviously require more than one Domain Controller in your Windows domain. In my case I have a “Primary” and “Secondary” domain controller called “NOOBS-DC1″ and “NOOBS-DC2″.

By now you’ve probably heard about Role Based Access Control (RBAC) in Exchange 2010, which introduces a completely different permission model than was used previously in Exchange 2007. Instead of assigning permissions using access control lists, RBAC uses management roles to delegate what you can do and where you can do it. Exchange provides several built-in roles used for typical management tasks, but in this post we’ll look at a real world example where a custom management role will be required.

In an Active Directory domain running at the Windows Server 2003 or higher functional level  the lastLogonTimestamp attribute can be used to find out if a user or computer has logged on to the domain recently.  This can be useful information for finding inactive user and computer accounts so that they can be removed from AD.