
Vision Infosystems (VIS)

Chapter
FSMO roles

Topics Covered
Introduction to FSMO roles
Explanation of all FSMO roles
Method to view FSMO roles
Transferring FSMO roles
Seizing FSMO roles


Operations Master Roles


Operations master roles, also called FSMO (Flexible Single Master Operation) roles, are assigned to domain controllers for the few directory operations that must not be performed on more than one DC at the same time. Active Directory is multi-master: any DC can accept a write, and replication carries it to the others. A handful of changes (extending the schema, adding or removing a domain, handing out security identifiers, resolving references to objects in other domains) would conflict if two DCs made them concurrently, so each of these is owned by exactly one DC, the operations master for that role. There are 5 operations master roles, divided into 2 categories:

Forest level
1) Schema Master
2) Domain Naming Master

Domain level
1) Relative ID (RID) Master
2) PDC Emulator
3) Infrastructure Master

Forest Level Roles


1) Schema Master
2) Domain Naming Master

These roles must be unique in the forest. This means that throughout the entire forest, no matter how many domains it contains, there can be only one schema master and only one domain naming master.

Schema Master
The schema master is the domain controller that handles all Active Directory schema related activities in a forest. It is the only DC that accepts write operations to the directory schema (adding classes and attributes, or altering existing ones); the changes then replicate to every other domain controller in the forest, since all DCs hold a copy of the schema partition. There can be only one schema master in an entire forest. Only members of the Schema Admins group can modify the schema. By default that group contains only the Administrator account of the forest root domain, and good practice is to keep it empty, adding an account only for the duration of a planned schema change, because a schema change is forest-wide and cannot be rolled back. By default the first domain controller installed in the forest holds the schema master role. The role can be transferred or seized to another domain controller in the forest.

Failure of Schema Master
If the schema master is down or offline, network users do not notice. It matters only when the schema must be modified or updated, for example when an application such as ISA Server or Exchange Server extends the Active Directory schema during installation.

Transfer of Schema Master role
Transferring an operations master role means moving the role from one domain controller to another. When transferring a role both the source and destination DCs must be online, and the account used must be a member of Schema Admins.

Method - I
1) Open the Active Directory Schema snap-in (it is not listed in MMC until its DLL, schmmgmt.dll, has been registered with regsvr32).
2) Right-click Active Directory Schema, choose Change Active Directory Domain Controller and connect to the DC that will receive the role.
3) Right-click Active Directory Schema again, select Operations Master and click Change.

Method - II
ntdsutil.exe is a command line tool used to transfer or seize operations master roles.
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>    (the DC that will receive the role)
5) Type: quit
6) Type: transfer schema master
7) After the transfer is successful, type: quit (twice, to leave ntdsutil)

Seizing of Operations Master Roles
Seizing a role is also a method of moving a role from one DC to another. The difference between transfer and seize is that seizing is used when the source DC is down or offline: it forces another DC to become schema master when the original schema master is unavailable, without the cooperation of the original holder. ntdsutil first attempts a normal transfer and only seizes when the current holder cannot be contacted.

Note : Seize a role only when the original holder will not return (hardware loss, failed restore). A DC whose schema master, domain naming master or RID master role has been seized must never be brought back online and reconnected to the forest: reinstall it and remove its stale metadata from the directory first. Otherwise two DCs would claim the same role, and conflicting schema changes or duplicate RID pools could result.

Steps for Seizing of Schema Master Role
1) Open Command Prompt and type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize schema master
7) Confirm the prompt, then type: quit (twice)

How to identify the schema master
Method - I
Active Directory Schema snap-in (right-click Active Directory Schema, Operations Master)
Method - II
Open Command Prompt and type: dsquery server -hasfsmo schema

Domain Naming Master


The domain naming master is the domain controller that controls the addition or removal of domains in the forest (and of application directory partitions and cross-references to external directories). There can be only one domain naming master in the entire Active Directory forest. Only members of the Enterprise Admins group can add or remove a domain, and the operation must be able to reach the domain naming master. By default the first domain controller installed in the forest holds the domain naming master role (together with the schema master). The role can be transferred or seized to another domain controller in the forest.

Note : At the Windows 2000 forest functional level the domain naming master must also be a global catalog server, so the DNM role and the GC have to be on the same DC. At the Windows Server 2003 forest functional level and later this is not required.

Failure of Domain Naming Master
If the domain naming master is down or offline, network users do not notice. It matters only when you try to add a domain to, or remove a domain from, the Active Directory forest; the promotion fails until the role is available again.

Transfer of Domain Naming Master role
Transferring an operations master role means moving the role from one domain controller to another. When transferring a role both the source and destination DCs must be online, and the account used must be a member of Enterprise Admins.

Method - I
Active Directory Domains and Trusts snap-in: right-click Active Directory Domains and Trusts, choose Change Active Directory Domain Controller and connect to the DC that will receive the role, then right-click again, select Operations Master and click Change.

Method - II
ntdsutil.exe is a command line tool used to transfer or seize operations master roles.
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>    (the DC that will receive the role)
5) Type: quit
6) Type: transfer domain naming master    (on Windows Server 2008 and later the command is: transfer naming master)
7) After the transfer is successful, type: quit (twice, to leave ntdsutil)

Seizing of Operations Master Roles
Seizing a role is also a method of moving a role from one DC to another. The difference between transfer and seize is that seizing is used when the source DC is down or offline: it forces another DC to become domain naming master when the original DNM is unavailable.

Note : After the domain naming master role has been seized, the original DC must not be brought back online and reconnected to the forest. Reinstall it and remove its stale metadata from the directory first.

Steps for Seizing of Domain Naming Master Role
1) Open Command Prompt and type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize domain naming master    (on Windows Server 2008 and later: seize naming master)
7) Confirm the prompt, then type: quit (twice)

How to identify the domain naming master
Method - I
Active Directory Domains and Trusts snap-in (right-click Active Directory Domains and Trusts, Operations Master)

Domain-Level
1) Relative ID (RID) Master
2) Primary Domain Controller (PDC) Emulator
3) Infrastructure Master

These roles must be unique in each domain. This means that each domain in the forest has exactly one RID master, one PDC emulator and one infrastructure master; a forest with three domains therefore has three of each.

RID master
The RID master is the DC that allocates pools of relative identifiers (RIDs) to every domain controller in its domain. When a security principal is created in the domain (a user, group or computer), the DC that creates it builds the object's SID from two parts: the domain SID, which is the same for every object in the domain, and a RID taken from that DC's own pool, which is unique to that object. Because any DC can create objects, each DC needs a block of RIDs that no other DC will ever use; the RID master hands out those blocks (500 RIDs at a time by default) and records what has been issued, and a DC asks for a new block when its current one is nearly used up. A RID is never reused: access control lists refer to objects by SID, so a duplicated RID would give a new account the permissions of an old one. There must be exactly one RID master per domain, so a forest with 3 domains has 3 RID masters, one for each domain.

Failure of RID Master
If the RID master is down or offline, network users do not notice, unless they are creating objects and the DC they are creating them on has run out of its pool of relative IDs. Object creation then fails on that DC until the RID master is back or the role has been seized.

Transfer of RID Master role
Transferring an operations master role means moving the role from one domain controller to another. When transferring a role both the source and destination DCs must be online, and the account used must be a member of Domain Admins in that domain.

Method - I
Active Directory Users and Computers snap-in: connect the snap-in to the DC that will receive the role (Change Domain Controller), then right-click the domain, choose Operations Masters, select the RID tab and click Change.

Method - II
ntdsutil.exe is a command line tool used to transfer or seize operations master roles.
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>    (the DC that will receive the role)
5) Type: quit
6) Type: transfer RID master
7) After the transfer is successful, type: quit (twice, to leave ntdsutil)

Seizing of Operations Master Roles
Seizing a role is also a method of moving a role from one DC to another. The difference between transfer and seize is that seizing is used when the source DC is down or offline: it forces another DC to become RID master when the original RID master is unavailable.

Note : After the RID master role has been seized, the original DC must not be brought back online and reconnected to the domain. If it came back, both DCs would issue RID blocks and duplicate SIDs could be created. Reinstall it and remove its stale metadata from the directory.

Steps for Seizing of RID Master Role
1) Open Command Prompt and type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize RID master
7) Confirm the prompt, then type: quit (twice)

How to identify the RID master
Method - I
Active Directory Users and Computers snap-in (right-click the domain, Operations Masters, RID tab)
Method - II
Open Command Prompt and type: dsquery server -hasfsmo rid
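The following PowerShell script is an added example and not part of the original chapter. It shows how to judge a RID master outage before object creation starts failing: it decodes how many RIDs the domain has issued in total and how much of its current block each DC has left. It assumes the ActiveDirectory module (RSAT) is installed and the account can read the domain; the attributes it reads (rIDAvailablePool on the RID Manager$ object, rIDAllocationPool and rIDNextRID on each DC's RID Set object) are the ones Active Directory itself uses to track RID issuance.

```powershell
# Added example: RID issuance check for the current domain.
# Requires the ActiveDirectory module; read access to the domain is enough.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName
$mask   = [int64]4294967295      # low 32 bits (0xFFFFFFFF parses as -1 in PowerShell, so spell it out)

# Domain-wide pool. rIDAvailablePool is one 64-bit value: the high 32 bits hold the
# highest RID the domain may ever hand out, the low 32 bits hold the next RID the
# RID master will give to a DC. Everything below "next" has already been issued.
$ridManager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$dn" -Properties rIDAvailablePool
$pool = [int64]$ridManager.rIDAvailablePool
$max  = $pool -shr 32
$next = $pool -band $mask
"RID master  : {0}" -f $domain.RIDMaster
"RIDs issued : {0:N0} of {1:N0} ({2:P1} of the domain's lifetime supply)" -f $next, $max, ($next / $max)

# Per-DC pool. Each writable DC keeps its current block in the RID Set object under
# its own computer object: rIDAllocationPool low 32 bits = first RID of the block,
# high 32 bits = last RID of the block, rIDNextRID = the next one it will use.
# RODCs never receive a pool, so they are skipped.
Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($_.ComputerObjectDN)" -Properties rIDAllocationPool, rIDNextRID
    $alloc  = [int64]$ridSet.rIDAllocationPool
    $start  = $alloc -band $mask
    $end    = $alloc -shr 32
    $nextId = [int64]$ridSet.rIDNextRID
    [pscustomobject]@{
        DC         = $_.HostName
        PoolStart  = $start
        PoolEnd    = $end
        NextRID    = $nextId
        Remaining  = $end - $nextId + 1
        # A DC asks the RID master for a new block when about half of the current
        # one is gone, so "Remaining" below a few dozen while the RID master is
        # down means creations on this DC are about to fail.
    }
} | Format-Table -AutoSize
```

The same information is available in text form from dcdiag /test:ridmanager /v on any DC. The lifetime supply figure matters too: a domain that has burned through most of its 2^30 RIDs (for instance through scripts that create and delete accounts in bulk) cannot be fixed by seizing the role.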

PDC Emulator
The PDC emulator provides the services of a Windows NT primary domain controller for anything in the domain that still expects one. If the domain contains Windows NT backup domain controllers (BDCs), or clients without the Active Directory client software (computers older than Windows 2000 and Windows XP Professional), the PDC emulator acts as the Windows NT PDC for them: it processes their password changes and replicates the updates to the BDCs. There can be only one PDC emulator in each domain in the forest, so a forest with 4 domains has 4 PDC emulators, one per domain.

The PDC emulator also has duties that have nothing to do with Windows NT and remain important in a pure Active Directory domain:

1) A password change made on any other DC is replicated to the PDC emulator immediately, ahead of normal replication to the remaining DCs.
2) When a logon fails on a DC because of a bad password, that DC checks with the PDC emulator before rejecting the logon, so a password that was just changed on another DC still works. Account lockouts are processed on the PDC emulator for the same reason, which is why it is the DC to consult when investigating lockouts.
3) It is the time source for the domain. The other DCs synchronize their clocks with it (directly or through the domain hierarchy), and domain members synchronize with their DC. The PDC emulator of a child domain synchronizes with a DC in the parent domain, and the PDC emulator of the forest root domain, being the top of the hierarchy, should synchronize with an external time source. Kerberos rejects tickets when the clocks of client and DC differ by more than 5 minutes by default, so a wrong time on the PDC emulator breaks authentication for the whole domain.
4) The Group Policy editor connects to the PDC emulator by default when a GPO is edited, so that two administrators do not edit the same policy on different DCs.
5) It is the domain master browser for NetBIOS browsing.

You can synchronize the time on the PDC emulator with an external server by executing the net time command. On Windows Server 2003 and later this is only kept for compatibility, and the time service is configured with w32tm instead:

net time \\ServerName /setsntp:TimeSource

The PDC emulator uses SNTP (Simple Network Time Protocol) to synchronize its clock with the external time server.

Failure of PDC emulator
If the PDC emulator is down or offline, network users notice: password changes take longer to take effect, accounts may not lock out or unlock as expected, time begins to drift, and any remaining Windows NT BDCs or pre-Windows 2000 clients cannot change passwords. Therefore, when the PDC emulator is not available, you may need to seize the role immediately. The PDC emulator and the infrastructure master are the two roles whose original holder may be brought back online after a seize; when it returns, transfer the role back (or leave it on the new holder) rather than letting both DCs believe they hold it.

Transfer of PDC Emulator role
Transferring an operations master role means moving the role from one domain controller to another. When transferring a role both the source and destination DCs must be online, and the account used must be a member of Domain Admins in that domain.

Method - I
Active Directory Users and Computers snap-in: connect the snap-in to the DC that will receive the role (Change Domain Controller), then right-click the domain, choose Operations Masters, select the PDC tab and click Change.

Method - II
ntdsutil.exe is a command line tool used to transfer or seize operations master roles.
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>    (the DC that will receive the role)
5) Type: quit
6) Type: transfer PDC
7) After the transfer is successful, type: quit (twice, to leave ntdsutil)

Seizing of Operations Master Roles
Seizing a role is also a method of moving a role from one DC to another. The difference between transfer and seize is that seizing is used when the source DC is down or offline: it forces another DC to become PDC emulator when the original PDC emulator is unavailable.

Note : Unlike the schema master, domain naming master and RID master, the PDC emulator role may be seized while the original holder is only temporarily down, and the original DC may safely be brought back online afterwards. Once it is back, transfer the role so that exactly one DC holds it.

Steps for Seizing of PDC Emulator Role
1) Open Command Prompt and type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize PDC
7) Confirm the prompt, then type: quit (twice)

How to identify the PDC emulator
Method - I
Active Directory Users and Computers snap-in (right-click the domain, Operations Masters, PDC tab)
Method - II
Open Command Prompt and type: dsquery server -hasfsmo pdc
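The net time /setsntp command shown above is the Windows 2000 way of doing it. The following PowerShell script is an added example, not part of the original chapter, and does the same job with w32tm, the tool the time service has used since Windows Server 2003: it finds the forest-root PDC emulator, makes it the reliable time source fed from external NTP servers, points every other DC at the domain hierarchy, and then verifies what each DC is actually using. It assumes the ActiveDirectory module, administrative rights on the DCs, and outbound NTP; the pool.ntp.org peer names are placeholders to be replaced with the organisation's approved time sources.

```powershell
# Added example: configure and verify the domain time hierarchy with w32tm.
# Requires the ActiveDirectory module and admin rights on every DC it touches.
Import-Module ActiveDirectory

$forest = Get-ADForest
$pdc    = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
"Forest-root PDC emulator: $pdc"

# 1. The forest-root PDC emulator is the top of the hierarchy, so it alone takes
#    time from outside. Placeholder peers; 0x8 = poll the peer as an NTP client.
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
w32tm /config /computer:$pdc /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
w32tm /resync /computer:$pdc /nowait

# 2. Every other DC in this domain follows the domain hierarchy (which ends at the
#    PDC emulator), never an external peer. A DC that still points at its own
#    external server is a common source of Kerberos clock-skew failures.
Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc } | ForEach-Object {
    w32tm /config /computer:$($_.HostName) /syncfromflags:domhier /update
    w32tm /resync /computer:$($_.HostName) /nowait
}

# 3. Verify. The PDC emulator must report one of the external peers as its source;
#    every other DC must report a domain controller.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $source = (w32tm /query /computer:$dc /source) -join ' '
    "{0,-35} source: {1}" -f $dc, $source
}

# 4. Offsets of all DCs relative to the PDC emulator. Kerberos tolerates 5 minutes
#    of skew by default; anything approaching that is an incident, not a warning.
w32tm /monitor
```

In a multi-domain forest the PDC emulator of each child domain is left on /syncfromflags:domhier as well: it takes time from a DC in the parent domain, which is how the hierarchy reaches the root. Whoever controls the root PDC emulator's clock controls Kerberos ticket validity for the forest, so the external peers should be authenticated or internal NTP appliances rather than arbitrary Internet hosts.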

Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. A DC that is not a global catalog holds only its own domain partition, so when an object in its domain refers to an object in another domain (for example a group whose member attribute names a user from another domain), the DC keeps a placeholder record for the foreign object, holding its distinguished name, GUID and SID. The infrastructure master periodically compares these placeholders with the data held by a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data is always current. If the infrastructure master finds a placeholder that is out of date, because the foreign object was renamed or moved, it requests the updated data from a global catalog and then replicates the update to the other domain controllers in the domain. There can be only one domain controller acting as the infrastructure master in each domain, so a forest with 3 domains has 3 infrastructure masters, one per domain.

Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to a domain controller that is hosting the global catalog. If the infrastructure master and the global catalog are on the same domain controller, the infrastructure master will not function: a global catalog keeps a copy of the foreign objects themselves rather than placeholders, so the infrastructure master will never find data that is out of date, and it will never replicate any changes to the other domain controllers in the domain. In the case where all of the domain controllers in a domain also host the global catalog, all of them already have current data and it does not matter which domain controller holds the infrastructure master role.

The infrastructure master is therefore what keeps group-to-member references correct across domains whenever members are renamed or moved. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so that it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication.
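The placement rule above (infrastructure master not on a global catalog, unless every DC in the domain is a global catalog) is easy to break silently, because promoting a DC to global catalog does not move the role. The following PowerShell script is an added example, not part of the original chapter, that checks the rule for every domain in the forest and reports whether it actually matters. It assumes the ActiveDirectory module and read access to each domain; the Recycle Bin check at the end reflects that on Windows Server 2008 R2 and later, once the Active Directory Recycle Bin is enabled, every DC updates cross-domain references itself and the placement of the role no longer matters.

```powershell
# Added example: infrastructure master / global catalog placement audit, forest-wide.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Once the Recycle Bin is enabled the infrastructure master has no placement
# constraint: every DC maintains its own cross-domain references.
$recycleBin = (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes.Count -gt 0

$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    $verdict =
        if ($recycleBin)            { 'OK: Recycle Bin enabled, placement irrelevant' }
        elseif (-not $im.IsGlobalCatalog) { 'OK: infrastructure master is not a GC' }
        elseif ($nonGc.Count -eq 0) { 'OK: infrastructure master is a GC, but so is every DC in the domain' }
        else                        { "WARN: infrastructure master is a GC while $($nonGc.Count) DC(s) are not; cross-domain references on those DCs will go stale" }

    [pscustomobject]@{
        Domain               = $domainName
        InfrastructureMaster = $im.HostName
        IMIsGlobalCatalog    = $im.IsGlobalCatalog
        DCs                  = $dcs.Count
        NonGCDCs             = $nonGc.Count
        Verdict              = $verdict
    }
}

$report | Format-Table -AutoSize

# Suggested fix for a WARN: a writable, non-GC DC in the same domain to move the role to.
$report | Where-Object Verdict -like 'WARN*' | ForEach-Object {
    $candidate = Get-ADDomainController -Filter * -Server $_.Domain |
                 Where-Object { -not $_.IsGlobalCatalog -and -not $_.IsReadOnly } |
                 Select-Object -First 1
    if ($candidate) { "$($_.Domain): consider moving the infrastructure master to $($candidate.HostName)" }
    else            { "$($_.Domain): no writable non-GC DC available; make every DC a GC instead" }
}
```

In a single-domain forest the rule has no practical effect: there are no foreign objects to reference, so the infrastructure master can sit on a global catalog without harm.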


There is no compromise to security during the time between the member rename and the group update: group memberships are stored by SID and GUID, not by name, so access decisions are unaffected. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

Failure of Infrastructure Master
If the infrastructure master is down or offline, network users do not notice, unless a large number of accounts in other domains have recently been moved or renamed, in which case group memberships in this domain display stale names until the role is available again.

Transfer of Infrastructure Master role
Transferring an operations master role means moving the role from one domain controller to another. When transferring a role both the source and destination DCs must be online, and the account used must be a member of Domain Admins in that domain.

Method - I
Active Directory Users and Computers snap-in: connect the snap-in to the DC that will receive the role (Change Domain Controller), then right-click the domain, choose Operations Masters, select the Infrastructure tab and click Change.

Method - II
ntdsutil.exe is a command line tool used to transfer or seize operations master roles.
Steps to transfer role
1) Open Command Prompt. Type: ntdsutil.exe
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>    (the DC that will receive the role)
5) Type: quit
6) Type: transfer infrastructure master
7) After the transfer is successful, type: quit (twice, to leave ntdsutil)

Seizing of Operations Master Roles
Seizing a role is also a method of moving a role from one DC to another. The difference between transfer and seize is that seizing is used when the source DC is down or offline: it forces another DC to become infrastructure master when the original infrastructure master is unavailable.

Note : Like the PDC emulator, and unlike the schema master, domain naming master and RID master, the infrastructure master role may be seized while the original holder is only temporarily down, and the original DC may safely be brought back online afterwards; transfer the role once it is back so that exactly one DC holds it. When choosing the DC to seize to, apply the placement rule: not a global catalog server unless every DC in the domain is one.

Steps for Seizing of Infrastructure Master Role
1) Open Command Prompt and type: ntdsutil
2) Type: roles
3) Type: connections
4) Type: connect to server <DomainController>
5) Type: quit
6) Type: seize infrastructure master
7) Confirm the prompt, then type: quit (twice)
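The ntdsutil transfer and seize procedures are the same for all five roles (schema master, domain naming master, RID master, PDC emulator and infrastructure master), differing only in the final command. The following PowerShell function is an added example, not part of the original chapter, that performs the same operation with Move-ADDirectoryServerOperationMasterRole and encodes the decision the chapter makes the administrator take by hand: it transfers when the current holder answers over LDAP, seizes only when it does not, warns for the three roles whose old holder must then be rebuilt, and verifies the result from the new holder's own point of view. It assumes the ActiveDirectory module and an account with the rights the role needs (Schema Admins, Enterprise Admins or Domain Admins respectively); the target DC name in the usage line is a placeholder.

```powershell
# Added example: transfer-or-seize an operations master role with a reachability guard.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $Target,          # DC that should receive the role
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string] $Role
    )

    # Current holder: forest-level roles are recorded on the forest, domain-level on the target's domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity (Get-ADDomainController -Identity $Target).Domain
    if ($Role -eq 'SchemaMaster')            { $holder = $forest.SchemaMaster }
    elseif ($Role -eq 'DomainNamingMaster')  { $holder = $forest.DomainNamingMaster }
    else                                     { $holder = $domain.$Role }

    if ($holder -eq $Target) { "$Target already holds $Role"; return }

    # Reachability over LDAP, not a ping: a DC that answers ICMP but whose directory
    # service is dead still cannot hand the role over, and a transfer would hang.
    $reachable = $false
    try { [void](Get-ADRootDSE -Server $holder -ErrorAction Stop); $reachable = $true } catch {}

    if ($reachable) {
        "Transferring $Role from $holder to $Target"
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
    }
    else {
        if ($Role -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
            Write-Warning ("Seizing {0}: {1} must NOT be reconnected to the forest; reinstall it and " +
                           "remove its metadata (ntdsutil metadata cleanup) before it ever comes back." -f $Role, $holder)
        }
        else {
            Write-Warning "Seizing $Role: $holder may return later; transfer the role back or leave it here, but do not let both run."
        }
        "Seizing $Role on $Target (holder $holder is unreachable)"
        # -Force seizes; the cmdlet still attempts a clean transfer first and only forces if that fails.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    }

    # Verify by asking the target itself, not a cached forest/domain object.
    $after = Get-ADDomainController -Identity $Target -Server $Target
    if ($after.OperationMasterRoles -contains $Role) { "OK: $Target now holds $Role" }
    else { Write-Error "$Target does not report $Role after the operation" }
}

# Usage (placeholder DC name):
Move-FsmoRole -Target 'DC02.corp.example' -Role 'PDCEmulator'
```

Seizing from a script is deliberately no easier than seizing from ntdsutil: the part that matters is the warning, because a seized schema, domain naming or RID master that later reconnects brings back the conflict the seize was meant to end.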


How to identify the infrastructure master
Method - I
Active Directory Users and Computers snap-in (right-click the domain, Operations Masters, Infrastructure tab)
Method - II
Open Command Prompt and type: dsquery server -hasfsmo infr
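The "How to identify" sections for the schema master, RID master, PDC emulator and infrastructure master each give one dsquery command (for the domain naming master the matching command is dsquery server -hasfsmo name, and netdom query fsmo lists all five for a domain). The following PowerShell script is an added example, not part of the original chapter, that does the forest-wide version of that check: it lists the holder of every role in every domain, then asks each DC directly which roles it believes it holds and reconciles the two. A role with no live claimant is the outage case the chapter describes; a role with two claimants is the stale-seize case its notes warn about. It assumes the ActiveDirectory module and read access to every domain in the forest.

```powershell
# Added example: forest-wide operations master inventory and consistency check.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. What the directory says. Forest roles live on the forest object, domain roles on each domain.
$expected = @{}
$expected['Forest/SchemaMaster']       = $forest.SchemaMaster
$expected['Forest/DomainNamingMaster'] = $forest.DomainNamingMaster
foreach ($d in $forest.Domains) {
    $domain = Get-ADDomain -Identity $d
    foreach ($r in 'RIDMaster','PDCEmulator','InfrastructureMaster') { $expected["$d/$r"] = $domain.$r }
}
"Operations masters as recorded in the directory:"
$expected.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# 2. What each DC says about itself. -Server forces the query to that DC, so this
#    reflects its own replica (fSMORoleOwner attributes), not a neighbour's view.
$claims = foreach ($d in $forest.Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $d)) {
        try {
            $self = Get-ADDomainController -Identity $dc.HostName -Server $dc.HostName -ErrorAction Stop
            foreach ($r in $self.OperationMasterRoles) {
                $scope = if ($r -in 'SchemaMaster','DomainNamingMaster') { 'Forest' } else { $d }
                [pscustomobject]@{ Key = "$scope/$r"; DC = $self.HostName }
            }
        }
        catch { Write-Warning "$($dc.HostName) did not answer: $($_.Exception.Message)" }
    }
}

# 3. Reconcile: exactly one DC must claim each role, and it must be the recorded holder.
"Reconciliation:"
foreach ($key in ($expected.Keys | Sort-Object)) {
    $owners = @($claims | Where-Object Key -eq $key | Select-Object -ExpandProperty DC)
    switch ($owners.Count) {
        0       { Write-Warning "$key : recorded holder $($expected[$key]) is offline or no DC claims the role (seize needed?)" }
        1       {
                    if ($owners[0] -eq $expected[$key]) { "$key : OK ($($owners[0]))" }
                    else { Write-Warning "$key : directory records $($expected[$key]) but $($owners[0]) claims it (replication lag or stale data)" }
                }
        default { Write-Warning "$key : claimed by $($owners -join ', ') (a seized holder was reconnected?)" }
    }
}
```

Run this after any transfer or seize and after restoring a DC from backup: the case that bites is the last branch, two DCs each convinced they own the RID master or the schema master, which no single dsquery or netdom call will show because each tool reports the view of whichever DC it happens to ask.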
