
Understanding FSMO Roles in Active Directory

What are the FSMO Roles in Active Directory?


By Daniel Petri - January 8, 2009


Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.


PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The Windows Time service is organized as a hierarchy that establishes which computer is authoritative for which and does not permit loops, so that all computers converge on the same common time.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

  • Account lockout is processed on the PDC emulator.

  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.

  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

How to view and transfer FSMO roles in Windows Server 2003


This article was previously published under Q324801.



This article describes how to transfer Flexible Single Master Operations (FSMO) roles (also known as operations master roles) by using the Active Directory snap-in tools in Microsoft Management Console (MMC) in Windows Server 2003.

FSMO Roles

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

  • Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

  • Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

  • Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

  • Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

  • PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

  • Active Directory Schema snap-in

  • Active Directory Domains and Trusts snap-in

  • Active Directory Users and Computers snap-in

If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.

Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

1. Click Start, and then click Run.

2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.

3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

1. Click Start, click Run, type mmc in the Open box, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. Click Add.

4. Click Active Directory Schema, click Add, click Close, and then click OK.

5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.

6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.

7. In the console tree, right-click Active Directory Schema, and then click Operations Master.

8. Click Change.

9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

   NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

3. Do one of the following:

   o In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

   -or-

   o In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

5. Click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

   NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

3. Do one of the following:

   o In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

   -or-

   o In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.

5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

Flexible Single Master Operation Transfer and Seizure Process


This article was previously published under Q223787.



This article describes how Flexible Single Master Operations (FSMO) roles are transferred from one domain controller to another and how this role can be forcefully appointed in the event that the domain controller that previously held the role is no longer available.

For more information about FSMO roles in general, please see the following article in the Microsoft Knowledge Base:

  • 197132 (http://support.microsoft.com/kb/197132/EN-US/) Windows 2000 Active Directory FSMO Roles

For additional information about the correct placement of FSMO roles, please see the following article in the Microsoft Knowledge Base:

  • 223346 (http://support.microsoft.com/kb/223346/EN-US/) FSMO Placement and Optimization on Windows 2000 Domains


Transferring the Flexible Single Master Operation Role

The transfer of an FSMO role is the suggested form of moving an FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller, but is not initiated automatically by the operating system. This includes a server in a shut-down state. FSMO roles are not automatically relocated during the shutdown process--this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example.

In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change.

Operational attributes are attributes that translate into an action on the server. This type of attribute is not defined in the schema, but is instead maintained by the server and intercepted when a client attempts to read or write to it. When the attribute is read, generally the result is a calculated result from the server. When the attribute is written, a pre-defined action occurs on the domain controller.

The following operational attributes are used to transfer FSMO roles and are located on the RootDSE (or Root DSA Specific Entry--the root of the Active Directory tree for a given domain controller where specific information about the domain controller is kept). In the operation of writing to the appropriate operational attribute on the domain controller to receive the FSMO role, the old domain controller is demoted and the new domain controller is promoted automatically. No manual intervention is required. The operational attributes that represent the FSMO roles are:

  • becomeRidMaster

  • becomeSchemaMaster

  • becomeDomainMaster

  • becomePDC

  • becomeInfrastructureMaster

If the administrator specifies the server to receive the FSMO role using a tool such as Ntdsutil, the exchange of the FSMO role is defined between the current owner and the domain controller specified by the administrator.

When a domain controller is demoted, the operational attribute "GiveAwayAllFsmoRoles" is written, which triggers the domain controller to locate other domain controllers to offload any roles it currently owns. Windows 2000 determines which roles the domain controller being demoted currently owns and locates a suitable domain controller by following these rules:

1. Locate a server in the same site.

2. Locate a server to which there is RPC connectivity.

3. Use a server over an asynchronous transport (such as SMTP).

In all transfers, if the role is a domain-specific role, the role can be moved only to another domain controller in the same domain. Otherwise, any domain controller in the enterprise is a candidate.

Seizing the Flexible Single Master Operation Role

Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment.

When the administrator seizes an FSMO role from an existing computer, the "fsmoRoleOwner" attribute is modified on the object that represents the root of the data directly bypassing synchronization of the data and graceful transfer of the role. The "fsmoRoleOwner" attribute of each of the following objects is written with the Distinguished Name (DN) of the NTDS Settings object (the data in the Active Directory that defines a computer as a domain controller) of the domain controller that is taking ownership of that role. As replication of this change starts to spread, other domain controllers learn of the FSMO role change.

Primary Domain Controller (PDC) FSMO: LDAP://DC=MICROSOFT,DC=COM

RID Master FSMO: LDAP://CN=Rid Manager$,CN=System,DC=MICROSOFT,DC=COM

Schema Master FSMO: LDAP://CN=Schema,CN=Configuration,DC=Microsoft,DC=Com

Infrastructure Master FSMO: LDAP://CN=Infrastructure,DC=Microsoft,DC=Com

Domain Naming Master FSMO: LDAP://CN=Partitions,CN=Configuration,DC=Microsoft,DC=Com

For example, if Server1 is the PDC in the Microsoft.com domain and is retired and the administrator is unable to demote the computer properly, Server2 needs to be assigned the FSMO role of the PDC. After the seizure of the role takes place, the value CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com is present on the following object:

LDAP://DC=MICROSOFT,DC=COM

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller


This article was previously published under Q255504.



This article describes how to use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.


Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

  • Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.

  • Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.

  • RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.

  • PDC emulator - The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.

  • Infrastructure master - The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

  • An administrator reassigns the role by using a GUI administrative tool.

  • An administrator reassigns the role by using the ntdsutil /roles command.

  • An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.

  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.

  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

  • The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.

  • A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.

  • The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain and that last inbound-replicated, or recently inbound-replicated, a writable copy of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.

The partition for each FSMO role is in the following list:

FSMO role              Partition
Schema                 CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master   CN=configuration,DC=<forest root domain>
PDC                    DC=<domain>
RID                    DC=<domain>
Infrastructure         DC=<domain>

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
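The seizure risk just described can be checked for rather than assumed. The following PowerShell is an added example, not code from the article or from Microsoft's KB; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT) and asks every domain controller in the current domain which object each believes owns each role, by reading the fSMORoleOwner attribute on the objects that live in the partitions listed in the table above.

```powershell
# Added example, not from the article or Microsoft's KB: ask every DC in the
# current domain which NTDS Settings object it believes owns each FSMO role and
# flag roles on which the DCs disagree. Disagreement after a seizure means a
# former holder has not yet inbound-replicated the change and may still act as
# owner (the overlapping RID pool risk described above).
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

$cfgDn = (Get-ADRootDSE).configurationNamingContext
$domDn = (Get-ADDomain).DistinguishedName

# Object carrying fSMORoleOwner for each role (configuration or domain partition).
$roleObjects = @{
    'Schema'         = "CN=Schema,$cfgDn"
    'DomainNaming'   = "CN=Partitions,$cfgDn"
    'PDC'            = $domDn
    'RID'            = "CN=RID Manager`$,CN=System,$domDn"
    'Infrastructure' = "CN=Infrastructure,$domDn"
}

function Get-FsmoOwnerView {
    # One record per (queried DC, role): the owner DN as that DC currently sees it.
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        foreach ($role in $roleObjects.Keys) {
            try {
                $obj = Get-ADObject -Server $dc -Identity $roleObjects[$role] `
                                    -Properties fSMORoleOwner -ErrorAction Stop
                $owner = $obj.fSMORoleOwner
            } catch { $owner = "UNREACHABLE: $($_.Exception.Message)" }
            New-Object PSObject -Property @{ QueriedDC = $dc; Role = $role; Owner = $owner }
        }
    }
}

function Test-FsmoOwnerConsistency {
    # Summarise per role; Consistent is $false when any two DCs name different owners.
    param([object[]]$Views)
    $Views | Group-Object Role | ForEach-Object {
        $owners = @($_.Group | ForEach-Object { $_.Owner } | Sort-Object -Unique)
        New-Object PSObject -Property @{ Role = $_.Name
            Consistent = ($owners.Count -eq 1); Owners = ($owners -join ' | ') }
    }
}

$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
Test-FsmoOwnerConsistency -Views (Get-FsmoOwnerView -DomainControllers $dcs) |
    Format-Table Role, Consistent, Owners -AutoSize
```

A role that shows two owners, or an UNREACHABLE entry for the DC whose roles were seized, is the situation the paragraph above warns about and should be resolved with metadata cleanup before that DC is allowed back on the network.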

Transfer FSMO roles

  • To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

    • 1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.

    • 2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

    • 3. Type roles, and then press ENTER. Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.

    • 4. Type connections, and then press ENTER.

    • 5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.

    • 6. At the server connections prompt, type q, and then press ENTER.

    • 7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.

    • 8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

  • To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

    • 1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.

    • 2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

    • 3. Type roles, and then press ENTER.

    • 4. Type connections, and then press ENTER.

    • 5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.

    • 6. At the server connections prompt, type q, and then press ENTER.

    • 7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.

    • 8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Notes

  o Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns an FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers

  o If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in Active Directory after an unsuccessful domain controller demotion

  o Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.

  o Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.

  o Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:

  • 1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  • 2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.

  • 3. Open the Servers folder, and then click the domain controller.

  • 4. In the domain controller's folder, double-click NTDS Settings.

  • 5. On the Action menu, click Properties.

  • 6. On the General tab, view the Global Catalog check box to see if it is selected.
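The check box in step 6 can also be read programmatically, together with the role placement it matters for. The following PowerShell is an added example, not from the article or the KB; it uses the System.DirectoryServices.ActiveDirectory classes (present on Windows Server 2003 and later) to list the current role holders, flag an Infrastructure master that is also a global catalog, and list same-site transfer candidates for a holder, which is the candidate choice the article recommends.

```powershell
# Added example, not from the article or Microsoft's KB. Lists FSMO holders with
# their site and GC status, warns when the Infrastructure master is a GC, and
# lists same-site DCs as transfer candidates. Uses the .NET ActiveDirectory
# classes available on Windows Server 2003+; run as a user logged on to the forest.
Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

function Get-FsmoHolders {
    # Forest-wide roles are exposed on the Forest object, domain-wide roles on
    # the Domain object; each owner is a DomainController instance.
    @(
        @{ Role = 'Schema master';         DC = $forest.SchemaRoleOwner },
        @{ Role = 'Domain naming master';  DC = $forest.NamingRoleOwner },
        @{ Role = 'PDC emulator';          DC = $domain.PdcRoleOwner },
        @{ Role = 'RID master';            DC = $domain.RidRoleOwner },
        @{ Role = 'Infrastructure master'; DC = $domain.InfrastructureRoleOwner }
    ) | ForEach-Object {
        New-Object PSObject -Property @{
            Role            = $_.Role
            Holder          = $_.DC.Name
            Site            = $_.DC.SiteName
            IsGlobalCatalog = $_.DC.IsGlobalCatalog()   # same fact as the check box
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Infrastructure master on a GC stops updating cross-domain references;
    # it is only harmless when every DC in the domain is also a GC.
    $im    = $domain.InfrastructureRoleOwner
    $nonGc = @($domain.FindAllDomainControllers() | Where-Object { -not $_.IsGlobalCatalog() })
    if ($im.IsGlobalCatalog() -and $nonGc.Count -gt 0) {
        "WARNING: Infrastructure master $($im.Name) is a GC while $($nonGc.Count) DC(s) are not."
    } else { "OK: Infrastructure master placement on $($im.Name)." }
}

function Get-TransferCandidates {
    # DCs in the same domain and same site as the holder: the preferred
    # transfer targets because they inbound-replicate from it most often.
    param([System.DirectoryServices.ActiveDirectory.DomainController]$Holder)
    $domain.FindAllDomainControllers() |
        Where-Object { $_.Name -ne $Holder.Name -and $_.SiteName -eq $Holder.SiteName } |
        Select-Object Name, SiteName
}

Get-FsmoHolders | Format-Table Role, Holder, Site, IsGlobalCatalog -AutoSize
Test-InfrastructureMasterPlacement
Get-TransferCandidates -Holder $domain.PdcRoleOwner
```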

For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:

  • 197132 (http://support.microsoft.com/kb/197132/ ) Windows 2000 Active Directory FSMO roles

  • 223787 (http://support.microsoft.com/kb/223787/ ) Flexible Single Master Operation transfer and seizure process

Steps to reproduce the problem

Run DCPROMO on a Windows Server 2008 computer to join a domain where the RID master is offline. You will receive a warning that you must have an active RID master. Then, you will see a reference to KB article 255504.


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.