Feb 21 2012
 

FSMO (Flexible Single Master Operation) roles are tasks that specific domain controllers perform in an Active Directory environment; they cover the operations that must not be done by two servers at once. Each role is held by exactly one domain controller at a time (per domain or per forest, depending on the role). Below are the ways to check who currently holds the roles and how to transfer them from one server to another, taken from various KB articles and condensed here for future reference, along with a short explanation of what the roles are.

FSMO description
View role holders
– command line
– GUI
– script
Change roles
– command line
– GUI

The roles


There are five of them, three domain-wide roles and two forest-wide:

Domain roles

  • PDC Emulator: Receives preferential replication of password changes, so its account information is the most up-to-date. If a logon fails with a bad password on another domain controller, that DC forwards the attempt to the PDC emulator before rejecting it, and account lockouts are processed here. It is also the root of the time hierarchy: domain members sync their clocks with their DC, DCs with their domain's PDC emulator, and each domain's PDC emulator with the forest root's, so that one should sync with an external time source. Also acts as the PDC for legacy NT 4 BDCs and down-level clients.
  • Relative IDentifier Master: Hands out pools of RIDs to the other domain controllers in the domain. Every security principal (user, group, computer) gets a SID made of the domain SID plus a RID taken from the creating DC's pool, which is what keeps SIDs unique domain-wide. If a DC exhausts its pool and the RID master is unavailable, that DC can no longer create security principals.
  • Infrastructure Master: Keeps cross-domain object references up to date (for example a user from another domain who is a member of a group in this domain) when the referenced object is renamed or moved. It only has work to do in multi-domain forests, so it usually doesn't see much use. Also see Global Catalog below.

Forest roles

  • Schema Master: What it says. The schema determines the object classes permitted in the forest and the attributes those objects can have; only this DC accepts schema changes.
  • Domain Naming Master: Controls adding and removing domains (and application directory partitions) in the forest.

There's one more role that's not part of the five above but interacts with some of them. It is not a single-holder role: any number of domain controllers can have it.

  • Global Catalog: Stores a full replica of all objects in its own domain and a partial, read-only replica (a subset of attributes) of every object in the other domains of the forest. It serves forest-wide searches, UPN logons and universal group membership lookups at logon.

So, in case of problems logging in with a new password, clocks out of sync, password changes or account lockouts, check the PDC emulator. Can't create new users, groups or computer accounts: check the RID master. Stale cross-domain references (a renamed or moved user from another domain still showing the old name in a group here): the infrastructure master. Adding or removing domains in a forest, including promoting the first DC of a new domain: the domain naming master. Schema problems: obvious.

Splitting roles between servers

Assuming multiple servers, obviously; an AD domain should have at least two domain controllers anyway, to provide some redundancy.
Keep the PDC emulator and RID master on the same server. As a rule of thumb this server shouldn't be a Global Catalog, unless all domain controllers hold that role.
The Infrastructure Master should run on a server that isn't a Global Catalog, unless there is a single domain in the forest or every domain controller in the domain is a Global Catalog; in either of those cases there are no stale cross-domain references for it to fix, so the placement stops mattering. Otherwise the two roles must be kept on separate computers, because an Infrastructure Master that is also a GC never updates anything. Note that there is only one Infrastructure Master per domain, but any number of Global Catalogs.
Schema Master and Domain Naming Master should be on the same machine, which should also be a Global Catalog.
So, given a simple single-domain network with two domain controllers, put the PDC emulator, RID master and Infrastructure Master on the better hardware, and make the other one Schema Master, Domain Naming Master and Global Catalog. Or make both of them GCs; in a single domain the Infrastructure Master placement doesn't matter.

Checking who holds the roles

Command line

1. netdom – included in 2k8; on 2k3 it is part of the Windows Support Tools (separate install)

2. ntdsutil

PDC and BDC are server names here: PDC is the primary domain controller, BDC the backup, and domain.local is the name of the domain. Basically you connect to a certain server and ask it what it knows about the roles.

3. dcdiag
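As an added example (not part of the original post): the three command-line checks in one PowerShell session, followed by the ActiveDirectory module cmdlets that expose the same data on Windows Server 2008 R2 and later. PDC is the placeholder server name from this page; the commands assume a domain-joined machine with the AD DS tools (Support Tools on 2003, RSAT on 2008) installed.

```powershell
# Added example; not from the original post. Lists FSMO role holders three ways.
# Assumptions: a DC named PDC exists and the AD DS command-line tools are installed.

# 1. netdom: all five roles, as known by the DC the tool connects to.
netdom query fsmo

# 2. ntdsutil: connect to a specific DC and ask what it believes the holders are.
#    Each quoted argument is one line you would otherwise type at the ntdsutil prompts.
ntdsutil "roles" "connections" "connect to server PDC" "quit" `
         "select operation target" "list roles for connected server" `
         "quit" "quit" "quit"

# 3. dcdiag: knowsofroleholders prints which holders each DC knows about (/v for
#    the names). Add /e to run it against every DC in the forest, which is how you
#    spot two DCs disagreeing about a role after a bad seize.
dcdiag /e /test:knowsofroleholders /v
#    fsmocheck verifies the local DC can reach a PDC emulator, a GC, a KDC and a
#    time server, i.e. the PDC-related symptoms listed in the roles section.
dcdiag /test:fsmocheck

# Windows Server 2008 R2 and later: the ActiveDirectory module exposes the same data.
Import-Module ActiveDirectory
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

netdom and dcdiag answer from whichever DC they connect to, so on a multi-DC domain the /e run is the one that tells you whether all DCs agree.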

GUI

1. to 3. – see transferring section

4. replmon.exe – all roles; does the same thing as ntdsutil above, asks a domain controller what it knows about them. Part of the Windows Support Tools (2000/2003); not shipped with 2008.
Start -> Run -> replmon.exe -> Add Monitored Server (CTRL+A) -> Search directory -> Next -> Select server -> Finish -> Right click server -> Properties -> Switch to FSMO Roles tab

Script

Taken verbatim from KB235617
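As an added example, and not the KB235617 script itself: the same query done in PowerShell with the [ADSI] type accelerator (System.DirectoryServices), which, like the VBScript, reads the fSMORoleOwner attribute straight from the directory and needs no ActiveDirectory module. It also reads the RID pool counters on the RID Manager$ object, the check behind the "pools get depleted" failure mode in the roles section. Everything it touches is a well-known directory object; the only assumption is that it runs as a domain user on a domain-joined machine.

```powershell
# Added example; not the KB235617 script. Reads fSMORoleOwner over LDAP via [ADSI].
# Assumes a domain-joined machine and a domain user account.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

# Each role owner is recorded on one well-known object, as the DN of the holder's
# "NTDS Settings" object (the DC's entry under CN=Sites,CN=Configuration).
$roleObjects = [ordered]@{
    'PDC Emulator'          = "LDAP://$domainNC"
    'RID Master'            = "LDAP://CN=RID Manager$,CN=System,$domainNC"
    'Infrastructure Master' = "LDAP://CN=Infrastructure,$domainNC"
    'Schema Master'         = "LDAP://$schemaNC"
    'Domain Naming Master'  = "LDAP://CN=Partitions,$configNC"
}

foreach ($role in $roleObjects.Keys) {
    $ownerDN = ([ADSI]$roleObjects[$role]).fSMORoleOwner.Value
    if ($ownerDN -match '0ADEL:') {
        # The recorded holder's NTDS Settings object is a deleted object: the DC
        # that held the role was removed or metadata-cleaned without the role being
        # transferred or seized. Seize it onto a live DC.
        '{0,-22} ORPHANED ({1})' -f $role, $ownerDN
        continue
    }
    # The parent of "CN=NTDS Settings,CN=<server>,CN=Servers,..." is the server
    # object; its dNSHostName is the DC's FQDN.
    $serverDN = $ownerDN -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]"LDAP://$serverDN"
    '{0,-22} {1}' -f $role, $server.dNSHostName.Value
}

# RID pool check. rIDAvailablePool is a 64-bit value: the high 32 bits are the
# highest RID the domain can ever issue, the low 32 bits the next RID to hand out.
# [ADSI] returns it as an IADsLargeInteger COM object, hence the InvokeMember calls.
$ridMgr = [ADSI]"LDAP://CN=RID Manager$,CN=System,$domainNC"
$pool   = $ridMgr.rIDAvailablePool.Value
$high   = $pool.GetType().InvokeMember('HighPart', 'GetProperty', $null, $pool, $null)
$low    = $pool.GetType().InvokeMember('LowPart',  'GetProperty', $null, $pool, $null)
$nextRid = [int64]([uint32]($low -band 0xFFFFFFFF))   # LowPart comes back as a signed Int32
$maxRid  = [int64]$high
'RIDs issued so far: {0}, remaining in domain: {1}' -f $nextRid, ($maxRid - $nextRid)
```

The ORPHANED branch is the condition the GUI tools show as an "ERROR" or a blank current holder: a role whose owner object no longer exists can only be fixed by seizing.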

Transferring roles

Important note: there are two ways to assign roles to a new controller. One is transferring, the other is seizing. Transferring is done when the original holder is still online and can hand the role over cleanly. Seizing should be done only when the original holder has crashed and will never again be brought back onto the network. If it is brought back, the original server doesn't know that its role changed and will try to resume operation as usual, so two DCs claim the same role and conflicts will occur; the RID master is the nasty case, since two of them can hand out overlapping RID pools. After a seize, remove the dead DC from the directory with ntdsutil's metadata cleanup (on 2008 and later, deleting its computer object in Active Directory Users and Computers does the same) so nothing still points at it. If the server is about to fail but can still be accessed, use dcpromo to demote it from domain controller status instead; demotion transfers its roles to another DC.

Command line

With ntdsutil, the PDC and RID master roles are transferred from 'BACKUP' to 'PRIMARY' on domain 'domname.local' by connecting to the server that will receive the roles (PRIMARY) under roles -> connections, then issuing one transfer command per role; ntdsutil finds the current holder from the directory itself. A forced transfer is done the same way, only instead of "transfer " it's "seize ".
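The transfer described above, as an added example that is not part of the original post, followed by the equivalent ActiveDirectory cmdlet available on Windows Server 2008 R2 and later. BACKUP and PRIMARY are the placeholder names from this page; run it as a Domain Admin (Schema Admins and Enterprise Admins are additionally needed for the schema and domain naming roles).

```powershell
# Added example; not from the original post. Moves the PDC emulator and RID master
# roles from BACKUP to PRIMARY. ntdsutil is pointed at the DC that will RECEIVE the
# roles; each "transfer ..." pops a Yes/No confirmation dialog.
ntdsutil "roles" "connections" "connect to server PRIMARY" "quit" `
         "transfer PDC" "transfer RID master" "quit" "quit"

# Seize: same sequence with "seize" in place of "transfer". ntdsutil tries a normal
# transfer first and only forces the change when the current holder is unreachable.
# Use this only if BACKUP is dead and will never be reconnected, then metadata-clean it.
# ntdsutil "roles" "connections" "connect to server PRIMARY" "quit" `
#          "seize PDC" "seize RID master" "quit" "quit"

# Same operation with the ActiveDirectory module (Windows Server 2008 R2 and later).
# The cmdlet asks for confirmation; -Force turns the transfer into a seizure when the
# holder cannot be contacted.
Import-Module ActiveDirectory
Move-ADDirectoryServerOperationMasterRole -Identity PRIMARY `
    -OperationMasterRole PDCEmulator, RIDMaster
# Move-ADDirectoryServerOperationMasterRole -Identity PRIMARY `
#     -OperationMasterRole PDCEmulator, RIDMaster -Force

# Afterwards every DC should report PRIMARY for both roles.
netdom query fsmo
dcdiag /e /test:knowsofroleholders /v
```

The other ntdsutil role names are "infrastructure master", "schema master" and "naming master" ("domain naming master" on 2003); the cmdlet's are InfrastructureMaster, SchemaMaster and DomainNamingMaster.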

GUI

1. Active Directory Users and Computers – only domain roles (PDC/RID/Infrastructure)
Control Panel -> Administrative Tools -> Active Directory Users and Computers -> All Tasks -> Operations Master…

2. Active Directory Domains and Trusts – only Domain Naming Master
Control Panel -> Administrative Tools -> Active Directory Domains and Trusts -> Operations Master…

3. Active Directory Schema – Schema master
First, register the schema snap-in DLL, schmmgmt.dll, with regsvr32 from an elevated prompt (the snap-in is not registered by default):

then check the snap-in in mmc:
mmc.exe -> File -> Add/Remove Snap-In -> Add -> Active Directory Schema -> Add -> Close -> OK -> Active Directory Schema -> Right click -> Operations Master
