Active Directory FSMO Roles

Active Directory Flexible Single Master of Operation (FSMO) roles are functions held by specific domain controllers. They cover the operations for which the normal multi-master update model of Active Directory is not adequate. For example, the Primary Domain Controller (PDC) Emulator role acts as the authoritative time source for the domain.

When replacing domain controllers (either due to hardware upgrade, or as a transitional upgrade to a newer version of AD), it is important to transfer the FSMO roles to a new domain controller. Note: FSMO roles can be seized if required (i.e. a domain controller stops functioning or if the roles are not transferred before the decommissioning of a domain controller).

One of the issues with transferring the FSMO roles is that there is no single MMC snap-in to perform the function, and if you are running Server Core there is no GUI at all. This document explains how to transfer the roles from the command line.

Summary of FSMO Roles

FSMO Role        Number of DCs holding this role   MMC snap-in used to move role      Security group membership required to transfer role
Schema           One per forest                    Schema snap-in                     Schema Admins
Domain Naming    One per forest                    AD Domains and Trusts snap-in      Enterprise Admins
RID              One per domain                    AD Users and Computers snap-in     Domain Admins
PDC Emulator     One per domain                    AD Users and Computers snap-in     Domain Admins
Infrastructure   One per domain                    AD Users and Computers snap-in     Domain Admins

Identifying which Domain Controllers holds the FSMO roles

If you have a single domain within a single forest, it is quite common for a single domain controller to hold all the FSMO roles. The easiest way to identify FSMO holders is the following command:

C:\>NETDOM QUERY FSMO
Schema master          DC01.humber.local
Domain naming master   DC01.humber.local
PDC                    DC01.humber.local
RID pool manager       DC01.humber.local
Infrastructure master  DC01.humber.local
The command completed successfully.

The information can also be found from the Ntdsutil utility (Note: This is a very powerful tool and entering incorrect commands can damage or break Active Directory!).

Transferring FSMO Roles

Microsoft recommends logging on to the Domain Controller that will have the FSMO roles assigned.

  1. Ensure the account you are using is a member of the appropriate security group(s) to transfer the FSMO roles.
  2. Log on to the Domain Controller that will have the FSMO role(s) assigned to it, and launch a command prompt.
  3. Type ntdsutil and press ENTER.
  4. Type roles, and then press ENTER.
  5. Type connections, and then press ENTER.
  6. Type connect to server servername, and then press ENTER (servername is the name of the domain controller you want to assign the FSMO role to and should be the server where you are logged on).
  7. At the server connections prompt, type q, and then press ENTER.
  8. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER.
  9. To transfer all the roles, type the following commands:
    Transfer infrastructure master
    Transfer naming master
    Transfer PDC
    Transfer RID master
    Transfer schema master
    Note that the syntax for the PDC emulator role is different as there is no “master” after it.
  10. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
  11. Remove the account you are using from any unnecessary security groups.

Seizing FSMO Roles

To seize FSMO roles, perform the same steps as above, but replace the word “transfer” with the word “seize” in steps 8 and 9. If you have to seize roles, you should understand the consequences of reconnecting the domain controller that originally held the roles to your domain. Further reading is recommended. See: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller (http://support.microsoft.com/kb/255504).
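The identification, transfer and seize steps above can also be driven from the ActiveDirectory PowerShell module rather than the interactive ntdsutil session. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that DC02 (a placeholder name) is the domain controller you are logged on to, and that your account holds the group memberships listed in the table. The holders are read before and after the move so the result can be verified the same way NETDOM QUERY FSMO would show it.

```powershell
# Added example (not from the original post): move all five FSMO roles to one
# domain controller with the ActiveDirectory module and verify the outcome.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same five holders that "netdom query fsmo" reports: two forest-wide
    # roles come from the forest object, three domain roles from the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        # -Seize maps to -Force on the cmdlet: used only when the current
        # holder is unreachable, with the caveats described in the section above.
        [switch] $Seize
    )
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
             'RIDMaster', 'InfrastructureMaster'

    Write-Host 'Holders before:'
    Get-FsmoHolders | Format-Table -AutoSize | Out-String | Write-Host

    # Transfer needs Schema Admins (schema), Enterprise Admins (domain naming)
    # and Domain Admins (PDC, RID, infrastructure), as in the summary table.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $roles -Force:$Seize -Confirm:$false

    $after = Get-FsmoHolders
    Write-Host 'Holders after:'
    $after | Format-Table -AutoSize | Out-String | Write-Host

    # Verify every role now reports the target DC's FQDN; fail loudly if not.
    $targetFqdn = (Get-ADDomainController -Identity $TargetDC).HostName
    $notMoved = $after.GetEnumerator() | Where-Object { $_.Value -ne $targetFqdn }
    if ($notMoved) {
        throw "Roles still not on ${targetFqdn}: $($notMoved.Key -join ', ')"
    }
}

# DC02 is a placeholder for the DC you are logged on to; add -Seize only when
# the current holder is permanently gone (step 11 still applies afterwards).
Move-AllFsmoRoles -TargetDC 'DC02'
```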

Infrastructure Master FSMO Role

Older Microsoft documentation recommends not having the Infrastructure Master role on a domain controller that is also a Global Catalog. A domain controller that holds the Global Catalog has more work to perform; however, as computers are a lot more powerful than they were when Active Directory was originally created, this is no longer an issue. Newer documentation lists some important exceptions to this rule.

The Infrastructure Master role updates references from objects in its domain to objects in other domains. This means that if you only have a single domain in a forest, there is no work for it to do, so it can sit on a Domain Controller that is a Global Catalog.

Additionally if every Domain Controller is a Global Catalog in a multi domain forest, then again, the Infrastructure Master has no work to do.

If you’ve installed Active Directory Recycle Bin, then tombstone objects are now deleted objects (with all information retained), and every Domain Controller is responsible for updating this information. With this configuration, the Infrastructure Master role, again, no longer performs any work.
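The three exceptions above (single-domain forest, every DC is a Global Catalog, Recycle Bin enabled) can be checked in one place. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and a logged-on account that can read forest, domain and optional-feature objects. It reports whether the Infrastructure Master sits on a Global Catalog and whether that placement is actually a concern for this domain.

```powershell
# Added example (not from the original post): decide whether Infrastructure
# Master placement matters here, applying the three exceptions in the text.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $imHost = $domain.InfrastructureMaster
    $imIsGC = (Get-ADDomainController -Identity $imHost).IsGlobalCatalog

    # Exception 1: a single-domain forest has no cross-domain references
    # for the Infrastructure Master to update.
    $singleDomain = (@($forest.Domains).Count -eq 1)

    # Exception 2: if every DC in this domain is a Global Catalog, each one
    # already has the cross-domain object data locally.
    $dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $allGC = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)

    # Exception 3: with the Recycle Bin enabled every DC maintains the
    # reference data itself. EnabledScopes is empty when the feature is off.
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBin = (@($rb.EnabledScopes).Count -gt 0)

    $imIdle = $singleDomain -or $allGC -or $recycleBin
    [pscustomobject]@{
        InfrastructureMaster = $imHost
        HolderIsGlobalCatalog = $imIsGC
        SingleDomainForest    = $singleDomain
        AllDCsAreGC           = $allGC
        RecycleBinEnabled     = $recycleBin
        # Only a concern when the role still does real work AND sits on a GC.
        PlacementConcern      = ($imIsGC -and -not $imIdle)
    }
}

Test-InfrastructureMasterPlacement | Format-List
```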

See: