Friday 14 March 2014

FSMO roles


Topics Covered
Introduction to FSMO roles
Explanation to all FSMO roles
Method to view FSMO roles
Transferring FSMO roles
Seizing FSMO roles
Placement of FSMO roles
Symptom of FSMO failure

Operations Master Roles
Operations master roles, also called FSMO (Flexible Single Master Operation) roles, are assigned to individual domain controllers for the few directory operations that must not be performed on more than one DC at a time. Active Directory is otherwise multi-master: any DC accepts a write and replicates it to the others. A small set of changes (schema updates, adding or removing domains, handing out RID pools, and so on) would conflict if two DCs made them at once, so each of these is owned by exactly one role holder.
There are 5 operations master roles divided into 2 categories:

Forest Level              Domain Level
Schema Master             Relative ID (RID) Master
Domain Naming Master      PDC Emulator
                          Infrastructure Master

Note : To view all 5 roles with a single command, run "netdom query fsmo". The PowerShell cmdlets Get-ADForest (SchemaMaster, DomainNamingMaster) and Get-ADDomain (PDCEmulator, RIDMaster, InfrastructureMaster) report the same holders.
Forest Level Roles
1) Schema Master
2) Domain Naming Master
These roles must be unique in the forest. This means that throughout the entire forest there can
be only one schema master and one Domain naming master.
Schema Master
The schema master is the domain controller that handles all Active Directory schema changes in a forest. It is the only DC that accepts write operations to the directory schema; it then replicates the updates to every other domain controller in the forest. There can be only one schema master in an entire forest. Only members of the Schema Admins group can modify the schema or transfer this role (Enterprise Admins membership alone is not enough). Because a schema change is irreversible and forest-wide, keep Schema Admins empty and add an account only for the duration of the change. The Active Directory Schema snap-in is not listed in MMC until you register it with "regsvr32 schmmgmt.dll". By default the first domain controller in the forest holds the schema master role. It can be transferred or seized to another domain controller in the forest.
Failure of Schema Master
If the schema master is down or offline, network users do not notice. It only matters when you want to modify or update the schema, or when an application such as Exchange Server or ISA Server needs to extend the schema during setup.
Transfer of Schema Master role
Transferring an operations master role means moving roles from one domain controller to
another. When transferring the role both the source and destination DC's must be online.
Method - I
1) Open the Active Directory Schema snap-in and connect it to the destination DC (right-click Active Directory Schema, Change Active Directory Domain Controller); the Change button is greyed out if the snap-in is still pointed at the current holder.
2) Right-click Active Directory Schema and select Operations Master.
3) Click Change.
Method - II
ntdsutil.exe is a command-line tool used to transfer or seize operations master roles.
Steps to transfer the role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController> (the destination DC)
5) Type: quit
6) Type: transfer schema master
7) After the transfer succeeds, type: quit (twice, to leave the roles menu and then ntdsutil)
Seizing of Operations Master Roles
Seizing a role is the other way of moving it from one DC to another. The difference between transfer and seize is that seizing is used when the current holder is down or offline and will not come back. Seizing means forcing a DC to become schema master although the original schema master cannot be contacted.
Note : After you seize the schema master, domain naming master or RID master, the original holder must never be brought back onto the network: it still believes it owns the role, and two holders corrupt the directory (two RID masters, for example, hand out overlapping RID pools, which yields duplicate SIDs). Remove its remaining metadata (ntdsutil "metadata cleanup", or delete its NTDS Settings object in Active Directory Sites and Services) and rebuild the server from scratch.
Steps for Seizing the Schema Master Role
1) Open Command Prompt and Type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize schema master

Vision Infosystems (VIS)
How to identify schema master
Method - I
Active Directory schema snap-in
Method - II
Open Command Prompt and type : dsquery server -hasfsmo schema
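The transfer, seize and identify steps above can also be done from PowerShell. The following is an added example, not part of the original course material: it assumes the RSAT ActiveDirectory module is installed, that DC02 is a hypothetical destination domain controller, and that the account running it is a member of Schema Admins (schema master) and Enterprise Admins (domain naming master). The same cmdlet handles the three domain-level roles (PDCEmulator, RIDMaster, InfrastructureMaster).

```powershell
# Added example, not from the original course. Assumes RSAT ActiveDirectory
# module; "DC02" is a hypothetical DC name.
Import-Module ActiveDirectory

$target = 'DC02'   # destination domain controller (hypothetical)

# Who holds the forest-level roles now? Equivalent to "dsquery server -hasfsmo schema".
$before = Get-ADForest
"Before: schema master = $($before.SchemaMaster), naming master = $($before.DomainNamingMaster)"

# TRANSFER: both the current holder and $target must be online. This is the
# same operation as ntdsutil "roles -> transfer schema master".
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# SEIZE: only when the current holder is permanently gone. -Force tries a
# normal transfer first and falls back to a seizure if the holder does not
# answer. After a seizure of schema/naming/RID master, the old holder must be
# rebuilt and its metadata cleaned up, never simply powered back on.
# Move-ADDirectoryServerOperationMasterRole -Identity $target `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# VERIFY from the directory itself rather than trusting the cmdlet's return.
$after = Get-ADForest
if ($after.SchemaMaster -notlike "$target.*" -or $after.DomainNamingMaster -notlike "$target.*") {
    throw "Role move did not take effect: schema=$($after.SchemaMaster) naming=$($after.DomainNamingMaster)"
}
"After:  schema master = $($after.SchemaMaster), naming master = $($after.DomainNamingMaster)"
```

The verification step matters after a seizure: the other DCs only learn about the new holder through replication, so run the check against a second DC (Get-ADForest -Server <otherDC>) before considering the move complete.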
Domain Naming Master
The domain naming master is the domain controller that controls the addition or removal of domains (and of application directory partitions) in the forest. There can be only one domain naming master in the entire Active Directory forest. Only members of the Enterprise Admins group have the rights to add or remove domains and to transfer this role. By default the first domain controller in the forest is assigned the domain naming master role. It can be transferred or seized to another domain controller in the forest.
Note : At the Windows 2000 forest functional level the domain naming master must also be a global catalog server; at the Windows Server 2003 forest functional level or higher this is no longer required.
Failure of Domain Naming Master
If the DNM is down or offline, network users do not notice. It only matters when you try to add or remove a domain in the forest.
Transfer of Domain Naming Master role
Transferring an operations master role means moving roles from one domain controller to
another. When transferring the role both the source and destination DC's must be online.
Method - I
Active Directory Domains and Trusts snap-in (connect it to the destination DC, then right-click the root node, Operations Master, Change)
Method - II
ntdsutil.exe is a command-line tool used to transfer or seize operations master roles.
Steps to transfer the role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: transfer domain naming master
7) After the transfer succeeds, type: quit

Seizing of Operations Master Roles
Seizing a role is the other way of moving it from one DC to another. The difference between transfer and seize is that seizing is used when the current holder is down or offline. Seizing means forcing a DC to become DNM although the original DNM cannot be contacted.
Note : When you seize this role, the original DC must not be brought back online; clean up its metadata and rebuild it.
Steps for Seizing of DNM Roles
1) Open Command Prompt and Type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize domain naming master
Domain-Level
1) Relative ID master
2) Primary domain controller (PDC) emulator
3) Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have
only one relative ID master, PDC emulator, and infrastructure master.
RID master
The RID master is the DC that allocates blocks (pools) of relative identifiers (RIDs) to every DC in a domain. When an object such as a user, group or computer is created, the DC that creates it builds the object's SID from the domain SID plus the next RID from its own pool. The domain SID is the same for every object in the domain, while the RID is unique to each object created in the domain; because each DC draws from a pool that only the RID master hands out, two DCs can never create two objects with the same SID. There must be exactly one RID master per domain, so with 3 domains you have 3 RID masters, one for each domain.
Failure of RID Master
If the RID master is down or offline, network users do not notice, unless they are creating objects and the DC they are using exhausts its RID pool and cannot request a new one. A DC asks for a fresh pool when it has used roughly half of its current one, so a short outage is normally absorbed.
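How close a domain is to that failure mode can be read directly from the directory. The following is an added example, not from the original course: it assumes the RSAT ActiveDirectory module and read access to the System container. It decodes the packed 64-bit RID pool attributes (high 32 bits and low 32 bits) held by the RID master and by each DC's RID Set object.

```powershell
# Added example, not from the original course. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# rIDAvailablePool on "CN=RID Manager$" is a 64-bit value:
#   high 32 bits = the highest RID the domain may ever issue (default 0x3FFFFFFF)
#   low 32 bits  = the start of the next pool the RID master will hand out
$mgr  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$dn" -Properties rIDAvailablePool
$pool = [uint64]$mgr.rIDAvailablePool
$ceiling = [uint32]($pool -shr 32)
$next    = [uint32]($pool -band 0xFFFFFFFF)

[pscustomobject]@{
    Domain        = $domain.DNSRoot
    RidMaster     = $domain.RIDMaster
    NextPoolStart = $next
    Ceiling       = $ceiling
    Remaining     = $ceiling - $next
    PercentUsed   = [math]::Round(100 * $next / $ceiling, 3)
} | Format-List

# Each DC keeps its own pool (500 RIDs by default) in a "RID Set" object linked
# from its NTDS Settings. rIDAllocationPool packs the pool bounds the same way;
# rIDNextRID tracks how far into that pool the DC has got.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties rIDSetReferences
    if (-not $ntds.rIDSetReferences) { continue }   # DC has never requested a pool
    $set   = Get-ADObject -Identity ([string]$ntds.rIDSetReferences) -Properties rIDAllocationPool, rIDNextRID
    $alloc = [uint64]$set.rIDAllocationPool
    $lo    = [uint32]($alloc -band 0xFFFFFFFF)
    $hi    = [uint32]($alloc -shr 32)
    [pscustomobject]@{
        DC         = $dc.HostName
        PoolStart  = $lo
        PoolEnd    = $hi
        Position   = [int]$set.rIDNextRID
        LeftInPool = $hi - [int]$set.rIDNextRID
    }
} | Format-Table -AutoSize
```

"dcdiag /test:RidManager /v" run on any DC reports the same "Available RID Pool" figures and also confirms that the DC can reach the RID master. A domain whose PercentUsed is climbing unexpectedly is worth investigating: bulk object creation burns RIDs even when the objects are deleted again, and the ceiling cannot be raised without enabling the larger (31-bit) RID space.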
Transfer of RID Master role
Transferring an operations master role means moving roles from one domain controller to
another. When transferring the role both the source and destination DC's must be online.
Method - I
Active Directory Users and Computers snap-in

Method - II
ntdsutil.exe is command line tools use to transfer or seize operation master roles
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: transfer RID master
7) After the transfer succeeds, type: quit
Seizing of Operations Master Roles
Seizing a role is the other way of moving it from one DC to another. The difference between transfer and seize is that seizing is used when the current holder is down or offline. Seizing means forcing a DC to become RID master although the original RID master cannot be contacted.
Note : When you seize the RID master, the original DC must never be brought back online: two RID masters hand out overlapping pools and the domain ends up with duplicate SIDs. Clean up its metadata and rebuild it.
Steps for Seizing of RID master Roles
1) Open Command Prompt and Type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize RID master
How to identify RID Master
Method - I
Active Directory Users and Computer snap-in
Method - II
Open Command Prompt and type : dsquery server -hasfsmo RID
PDC Emulator
The PDC emulator master acts as a Windows NT primary domain controller for any remaining Windows NT backup domain controllers (BDCs) and for clients running software older than Windows 2000 that still change passwords the NT way. It processes those password changes and replicates them to the BDCs. Every DC in the domain also forwards each password change it receives to the PDC emulator with priority, and a DC that rejects a logon because of a bad password retries the request at the PDC emulator before returning the error, so a freshly changed password works everywhere immediately. Bad-password counts for account lockout are consolidated there, and the Group Policy editor connects to it by default. There can be only one PDC emulator in each domain of the forest: with 4 domains there are 4 PDC emulators, one per domain.
The PDC emulator is also the top of the time hierarchy for its domain. Domain members sync from the DC that authenticates them, the other DCs sync from their domain's PDC emulator, each domain's PDC emulator syncs from the PDC emulator of the forest root domain, and only the forest root PDC emulator should take its clock from an external source. Accurate time is a security control, not a convenience: Kerberos rejects tickets whose timestamps differ from the DC's clock by more than the allowed skew (5 minutes by default). The course shows the legacy command for pointing the PDC emulator at an external server:
net time \\ServerName /setsntp:TimeSource
"net time /setsntp" is deprecated; on Windows Server 2003 and later use w32tm.exe to configure and verify the Windows Time service.
The Windows Time service uses NTP (SNTP on Windows 2000) to synchronize with the external time server.
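The w32tm.exe configuration that replaces the net time command above, as an added example that is not part of the original course. It assumes it is run on the forest root PDC emulator, that the RSAT ActiveDirectory module is present for the final check, and that the NTP server names are placeholders to be replaced with your organisation's time sources.

```powershell
# Added example, not from the original course. Run on the forest root PDC emulator.
# Peer names are placeholders; ",0x8" asks w32tm to use client mode for that peer.
Import-Module ActiveDirectory

$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

# Point this DC at external sources and mark it as a reliable time source so
# the other DCs (which keep the default NT5DS domain-hierarchy setting) accept it.
w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm.exe /resync /rediscover

# Verify: the source must be one of the peers. "Local CMOS Clock" or
# "Free-running System Clock" means the PDC emulator is not synchronised at all.
w32tm.exe /query /source
w32tm.exe /query /status

# Check every DC in the domain against the PDC emulator. Offsets approaching
# the Kerberos tolerance (5 minutes by default) will start failing logons.
$dnsRoot = (Get-ADDomain).DNSRoot
w32tm.exe /monitor /domain:$dnsRoot
```

Run the /query and /monitor lines again after moving the PDC emulator role: the new holder inherits the role but not the manual peer list, so it must be configured the same way and the old holder switched back to the domain hierarchy ("w32tm /config /syncfromflags:domhier /update").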
Every domain controller in the domain supports both authentication protocols:
• Kerberos V5 protocol
• NTLM protocol
The PDC emulator is not special in which protocols it speaks. What is special is that it is the final authority on the current password: a DC that fails an NTLM or Kerberos logon because of a wrong password forwards the attempt to the PDC emulator before rejecting it, and the PDC emulator is where bad-password counts and lockouts are consolidated.
Failure of PDC emulator
If the PDC emulator is down or offline, network users notice quickly: password changes fail or are slow to take effect, account lockout does not behave consistently, time synchronisation drifts and Group Policy editing is affected. Therefore, when the PDC emulator is not available, you may need to seize the role immediately. Unlike the forest-level roles and the RID master, the original PDC emulator can be brought back online after a seizure; it will recognise the new holder through replication.
Transfer of PDC Master role
Transferring an operations master role means moving roles from one domain controller to
another. When transferring the role both the source and destination DC's must be online.
Method - I
Active Directory Users and Computers snap-in
Method - II
ntdsutil.exe is command line tools use to transfer or seize operation master roles
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: transfer PDC
7) After the transfer succeeds, type: quit

Seizing of Operations Master Roles
Seizing a role is the other way of moving it from one DC to another. The difference between transfer and seize is that seizing is used when the current holder is down or offline. Seizing means forcing a DC to become PDC emulator although the original PDC emulator cannot be contacted.
Note : The PDC emulator is one of the two roles (with the infrastructure master) whose original holder may return to the network after a seizure. Do not transfer the role back to it unless you intend to.
Steps for Seizing of PDC emulator Roles
1) Open Command Prompt and Type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize PDC
How to identify PDC emulator
Method - I
Active Directory Users and Computer snap-in
Method - II
Open Command Prompt and type : dsquery server -hasfsmo PDC
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains (for example a group in this domain that contains a user from another domain). The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data is always up to date. If the infrastructure master finds a cross-domain reference that is out of date, it requests the current data from a global catalog and replicates the corrected reference to the other domain controllers in the domain. There can be only one domain controller acting as the infrastructure master in each domain: with 3 domains, each domain has its own infrastructure master.
Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to a domain controller that is also a global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function: the global catalog already holds a partial replica of every object in the forest, so the infrastructure master never finds a reference that is out of date and never replicates any changes to the other domain controllers in the domain. In the case where all of the domain controllers in a domain also host the global catalog, all of them already have current data and it does not matter which one holds the infrastructure master role. The same is true once the Active Directory Recycle Bin is enabled (Windows Server 2008 R2 or later forest functional level): every DC then maintains cross-domain references itself, and the placement of this role no longer matters.
The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multi-master replication.
There is no compromise to security during the time between the member rename and the group update: membership is tracked by SID, which does not change on rename or move, so access decisions are unaffected. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
Failure of Infrastructure Master
If the infrastructure master is down or offline, network users do not notice. Administrators do not notice either, unless they have recently moved or renamed a large number of accounts in other domains and the stale references are slow to update.
Transfer of Infrastructure Master role
Transferring an operations master role means moving roles from one domain controller to
another. When transferring the role both the source and destination DC's must be online.
Method - I
Active Directory Users and Computers snap-in
Method - II
ntdsutil.exe is command line tools use to transfer or seize operation master roles
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: transfer infrastructure master
7) After the transfer succeeds, type: quit
Seizing of Operations Master Roles
Seizing a role is the other way of moving it from one DC to another. The difference between transfer and seize is that seizing is used when the current holder is down or offline. Seizing means forcing a DC to become infrastructure master although the original infrastructure master cannot be contacted.
Note : Like the PDC emulator, the infrastructure master may be seized and the original holder later returned to the network without harm; the schema master, domain naming master and RID master may not.
Steps for Seizing the Infrastructure Master Role
1) Open Command Prompt and Type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize infrastructure master
How to identify Infrastructure Master
Method - I
Active Directory Users and Computer snap-in
Method - II
Open Command Prompt and type : dsquery server -hasfsmo infr
FSMO Roles Placement
Proper placement of FSMO Roles boils down to three simple rules:
• First Rule : In your active directory forest root domain, place your Schema Master and
Domain Naming Master on the same domain controller to simplify administration of
these roles, and also make sure that this domain controller contains a copy of the Global
Catalog.
• Second Rule : In each domain, place the PDC Emulator and RID Master roles on the
same domain controller and make sure the hardware for this machine can handle the load
of these roles and any other duties it has to perform.
• Third Rule : In each domain, make sure that the Infrastructure Master role is not held by
a domain controller that also hosts the Global Catalog, but do make sure that the
Infrastructure Master is a direct replication partner of a domain controller hosting the
Global Catalog that resides in the same site as the Infrastructure Master.
To summarize these three rules then and make them easy to remember:
• Forest root domain - Schema Master and Domain Naming Master on the same machine,
which should also host the Global Catalog.
• Every domain - PDC Emulator and RID Master on the same machine, which should have beefy hardware to handle the load.
• Every domain - Never place the Infrastructure Master on a machine that hosts the Global Catalog, unless your forest has only one domain or unless every domain controller in your forest hosts the Global Catalog.
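The three placement rules, and the "view all roles" task from the introduction, can be checked for a whole forest with one script. The following is an added example, not from the original course material: it assumes the RSAT ActiveDirectory module, read rights in every domain of the forest, and Windows 8 / Server 2012 or later for Test-NetConnection.

```powershell
# Added example, not from the original course. Assumes RSAT ActiveDirectory
# module and Test-NetConnection (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory

$forest  = Get-ADForest
$gcHosts = @($forest.GlobalCatalogs)          # FQDNs of every global catalog

# Rule 3 is moot once the Recycle Bin is on; check the feature's enabled scopes.
$recycleBinOn = @((Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin*"').EnabledScopes).Count -gt 0

# Forest-level roles (same information as "netdom query fsmo" on the root domain).
"Schema master:        $($forest.SchemaMaster)"
"Domain naming master: $($forest.DomainNamingMaster)"
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Write-Warning 'Rule 1: schema master and domain naming master are on different DCs'
}
if ($gcHosts -notcontains $forest.DomainNamingMaster) {
    Write-Warning 'Rule 1: domain naming master is not a global catalog'
}

foreach ($name in $forest.Domains) {
    $d   = Get-ADDomain -Identity $name
    $dcs = @(Get-ADDomainController -Filter * -Server $name)
    "`n[$name] PDC=$($d.PDCEmulator) RID=$($d.RIDMaster) IM=$($d.InfrastructureMaster)"

    if ($d.PDCEmulator -ne $d.RIDMaster) {
        Write-Warning "Rule 2 ($name): PDC emulator and RID master are on different DCs"
    }

    # Rule 3 only bites when some DCs are not GCs and the Recycle Bin is off.
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if (($gcHosts -contains $d.InfrastructureMaster) -and -not $allGc -and -not $recycleBinOn) {
        Write-Warning "Rule 3 ($name): infrastructure master is a GC while other DCs are not"
    }

    # A role holder that does not answer LDAP is the first thing to check when
    # the symptoms in the table below appear.
    $holders = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster) | Sort-Object -Unique
    foreach ($holder in $holders) {
        if (-not (Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet)) {
            Write-Warning "$holder holds a role in $name but does not answer on LDAP/389"
        }
    }
}
```

For the DC-side view of the same question (does every DC agree on who holds the roles, and can it reach them), run "dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck"; a DC that lists a different holder than the script has a replication problem, not a placement problem.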
Symptoms of FSMO failure
If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below lists some of the symptoms that occur when a role holder is missing or not working properly.

Symptom                                          | Possible role involved | Reason
-------------------------------------------------|------------------------|------------------------------------------------------------------
Users can't log on.                              | PDC Emulator           | If system clocks become unsynchronized, Kerberos may fail.
Can't change passwords.                          | PDC Emulator           | Password changes need this role holder.
Account lockout not working.                     | PDC Emulator           | Account lockout enforcement needs this role holder.
Can't raise the functional level for a domain.   | PDC Emulator           | This role holder must be available when raising the domain functional level.
Can't create new users or groups.                | RID Master             | RID pool has been depleted and no new pool can be obtained.
Problems with universal group memberships.       | Infrastructure Master  | Cross-domain object references need this role holder.
Can't add or remove a domain.                    | Domain Naming Master   | Changes to the namespace need this role holder.
Can't promote or demote a DC.                    | Domain Naming Master   | Creating a new domain, or removing the last DC of one, changes the namespace and needs this role holder.
Can't modify the schema.                         | Schema Master          | Changes to the schema need this role holder.
Can't raise the functional level for the forest. | Schema Master          | This role holder must be available when raising the forest functional level.
