Finding who holds these roles, how to transfer the FSMO roles, and how to (if necessary) seize the FSMO roles.
Although Active Directory® uses a multi-master architecture, there are some operations that would cause problems if two computers attempted the same change to the Active Directory database simultaneously. Such changes are performed by designated Active Directory masters. During the promotion of the first DC in the Forest, Active Directory assigns that DC five master roles: two are masters at the Forest level and three hold roles at the Domain level (for example, if you were to have 7 domains in your Forest, you would have 23 FSMO Roles present: a PDC Emulator, RID Master, and Infrastructure Master for each domain, plus one Domain Naming Master and one Schema Master for the entire Forest).
Below is a brief description of the FSMO (pronounced "fiz-moe") Roles, followed by the procedures to view and change the holders of these roles.
FSMO Roles
PDC Emulator (Domain Level Role) – Acts as a Windows NT Primary Domain Controller for NT compatibility. The role holder passes domain information (such as account creations, password changes, etc.) to NT BDCs. This process ends when the domain is converted to native mode.
RID Master (Domain Level Role) – Security-enabled objects (users, computers, etc.) require a Security IDentifier (SID) for authentication; DCs assign these SIDs from a pool of numbers. When a DC is introduced into the domain, the RID Master grants it 512 values for its pool. When the DC’s RID pool is depleted to 100 values, the DC contacts the RID Master for another set of 512. The RID Master uses this method to ensure that no two security-enabled objects in the domain possess the same SID.
Infrastructure Master (Domain Level Role) – Master Role responsible for maintaining references to objects included in cross-domain operations (such as operations including a user from one domain belonging to a group in another domain). In a single domain situation, the Infrastructure Master performs no operations.
Domain Naming Master (Forest Level Role) – Makes forest-wide domain name space changes to the directory. Adds and removes domains and cross-references to domains.
Schema Master (Forest Level Role) – Responsible for all changes made to the Active Directory Schema. When a change is required, the DC holding the Schema Master Role makes the necessary changes to its directory and, afterward, replicates the schema changes to all other DCs in the forest.
A Global Catalog Server as the Infrastructure Master Role Holder?
Keep in mind that in a single domain forest, it makes no difference if the Infrastructure Master role is held by a Global Catalog server (because in a single domain forest, the Infrastructure Master has nothing to do). However, if a forest has more than one domain, you will want the Infrastructure Master role held by a non-GC server.
A GC server receives regular updates, and therefore contains no ‘stale data’. The Infrastructure Master receives updates to its stale data from a GC server. The Infrastructure Master then replicates its update data to other non-GC servers. If the Infrastructure Master role is held by a GC server then, due to the nature of the server, its data never becomes stale, and updates to cross-domain object references on non-GC servers do not occur.
It is acceptable for a GC server to hold the Infrastructure Master role if all servers in that domain are Global Catalog servers because no server will have out-of-date object references.
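The following PowerShell script is an added example (not part of the original article) that turns the two points above into a check: it lists every FSMO role holder in the forest, confirms the expected count of 3 roles per domain plus 2, and, in a multi-domain forest, warns when the Infrastructure Master is a Global Catalog while some DC in that domain is not. It assumes the ActiveDirectory module (RSAT) and an account that can read the forest.

```powershell
# Added example: audit FSMO role holders and the Infrastructure Master / GC rule.
# Assumes the ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains)

# Collect the two forest-level holders, then the three per-domain holders.
$holders = @()
$holders += [pscustomobject]@{ Scope='Forest'; Domain=$forest.Name; Role='SchemaMaster';       Holder=$forest.SchemaMaster }
$holders += [pscustomobject]@{ Scope='Forest'; Domain=$forest.Name; Role='DomainNamingMaster'; Holder=$forest.DomainNamingMaster }

foreach ($d in $domains) {
    $dom = Get-ADDomain -Identity $d
    $holders += [pscustomobject]@{ Scope='Domain'; Domain=$d; Role='PDCEmulator';          Holder=$dom.PDCEmulator }
    $holders += [pscustomobject]@{ Scope='Domain'; Domain=$d; Role='RIDMaster';            Holder=$dom.RIDMaster }
    $holders += [pscustomobject]@{ Scope='Domain'; Domain=$d; Role='InfrastructureMaster'; Holder=$dom.InfrastructureMaster }
}

$holders | Sort-Object Scope, Domain, Role | Format-Table -AutoSize

# The article's arithmetic: 3 domain roles per domain + 2 forest roles
# (7 domains -> 23 roles). A mismatch usually means a domain could not be read.
$expected = 3 * $domains.Count + 2
if ($holders.Count -ne $expected) {
    Write-Warning "Found $($holders.Count) role holders, expected $expected."
}

# Infrastructure Master vs. Global Catalog: only matters with more than one domain,
# and is harmless when every DC in the domain is a GC.
if ($domains.Count -gt 1) {
    foreach ($d in $domains) {
        $dcs   = Get-ADDomainController -Filter * -Server $d
        $im    = ($holders | Where-Object { $_.Domain -eq $d -and $_.Role -eq 'InfrastructureMaster' }).Holder
        $imDc  = $dcs | Where-Object { $_.HostName -eq $im }
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($imDc.IsGlobalCatalog -and -not $allGc) {
            Write-Warning "$d : Infrastructure Master $im is a GC but not every DC in the domain is; cross-domain object references on non-GC DCs will not be updated."
        }
    }
}
```

Run it from a domain-joined admin host; the warning in the last block is the condition the paragraph above describes, and the fix is either to move the Infrastructure Master to a non-GC DC or to make every DC in that domain a GC.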
RID Master, PDC Emulator, and Infrastructure Master (Domain Level Roles)
Viewing the Role Holders
Open the Active Directory Users and Computers MMC Snap-In by logging on to a Domain Controller and Clicking Start > Programs > Administrative Tools > Active Directory Users and Computers or by Clicking Start > Run and typing “dsa.msc”.
Right Click on the Top Level Domain Object (the name of the domain the DC is a controller for) and Click “Operations Masters…”
Click on the RID, PDC, and Infrastructure tabs to view the role holders.
Transferring the Roles to another DC
If you are not at the domain controller you wish to transfer these roles to, you must first connect to it.
Right Click on “Active Directory Users and Computers” and Click “Connect to Domain Controller…”
Highlight the name on the DC that you would like to connect to, and Click the OK button
Right Click on the Top Level Domain Object (the name of the domain the DC is a controller for) and Click “Operations Masters…”
On each tab (RID, PDC, and Infrastructure Master) you will see the name of the current role holder, along with the name of the server that you are currently connected to. If you would like to change the role holder to the displayed name (the server that you are connected to), Click the Change button.
You will receive a pop-up asking “Are you sure you want to transfer the operations master role?” Click Yes. You will receive another pop-up stating that “The operations master role was successfully transferred”. Click OK, and the name of the new role holder will be displayed in the “Operations master” field.
Schema Master (Enterprise Level Role)
Viewing the Role Holder
Add the Active Directory Schema Snap-In
Register the schmmgmt.dll file by Clicking Start > Run and typing “regsvr32 schmmgmt.dll” (if this is not done, the Active Directory Schema Snap-In may not be available as a choice when you add the snap-in below).
Click Start > Run and type “mmc”.
Click “Console” at the top left, and click “Add / Remove Snap-In…”
Click "Add".
Highlight “Active Directory Schema” and Click “Add”. Click Close. Click OK.
Right Click the “Active Directory Schema” Snap-In displayed in the Console, and click “Operations Master…” The current Schema Master will be displayed.
You may view the Schema Master again by repeating the above steps; however, you will need to register schmmgmt.dll (the regsvr32 step above) only once per server on which you need to view the Active Directory Schema Snap-in.
Transferring the Role to another DC
Set the focus of the snap-in to the domain controller that you would like to transfer the Schema Master role to.
Right Click on “Active Directory Schema” (visible in the MMC console after performing the steps above) and Click “Change Domain Controller…”
Select “Specify Name” and type the Fully Qualified Domain Name (ex. server.example.com) of the Domain Controller that you would like to connect to. Click OK.
Right Click “Active Directory Schema” and Click “Operations Masters…”
Click the Change button.
You will receive a pop-up asking “Are you sure you want to transfer the operations master role?” Click Yes. You will receive another pop-up stating that “The operations master role was successfully transferred”. Click OK, and the name of the new role holder will be displayed in the “Operations master” field.
Domain Naming Master (Enterprise Level Role)
Viewing the Role Holder
Open the “Active Directory Domains and Trusts” MMC Snap-In by Clicking Start > Programs > Administrative Tools > Active Directory Domains and Trusts or by Clicking Start > Run and typing “domain.msc”.
In the left panel, Right Click on “Active Directory Domains and Trusts” and Click “Operations Master…” The current Domain Naming Master will be displayed.
Transferring the Role to another DC
If you are not at the domain controller you wish to transfer this role to, you must first connect to it.
Right Click on “Active Directory Domains and Trusts” and Click “Connect to Domain Controller…”
Highlight the name on the DC that you would like to connect to, and Click the OK button
Right Click “Active Directory Domains and Trusts” and Click “Operations Masters…”
Click the Change button.
You will receive a pop-up asking “Are you sure you want to transfer the operations master role?” Click Yes. You will receive another pop-up stating that “The operations master role was successfully transferred”. Click OK, and the name of the new role holder will be displayed in the “Operations master” field.
Seizing the FSMO Roles using NTDSUtil.exe
While transferring roles is a much safer maneuver, some situations (such as a Domain Controller abruptly “passing on”) warrant the seizure of the FSMO roles. Seizing the roles should be reserved as a last resort.
Start the NTDSUtil executable by Clicking Start > Run and typing “ntdsutil”.
To view the help for any NTDSUtil mode we enter below, simply type a question mark (?) and press Enter at that mode’s prompt.
Type “roles”, and press Enter to enter the FSMO Maintenance area.
Type “connections” and press Enter to enter the Server Connections area.
Connect to the server that you would like the roles moved to (necessary even if this is the server you are currently at) by typing the following command: “connect to server <servername>” (ex. if your server is named “testdc”, type “connect to server testdc”). You will receive confirmation of the connection.
Now that you have connected to the server that will seize the roles, type “q” to exit the Server Connections area.
Type “?” then Enter to view a list of commands you may issue.
To seize a role, type “seize <name of role that you would like to seize>” and press Enter (ex. if you would like to seize the Schema Master role, type “seize schema master”). You will receive a confirmation pop-up asking “Are you sure you want server “<name of your server>” to seize the <name of role to be seized> role with the value below?”, followed by the Distinguished Name of the role holder’s NTDS Settings object, beginning:
“CN=NTDS Settings,<rest of Distinguished Name>” etc.
Click Yes.
A safe transfer of the role is attempted before the more forceful seizure; only if the transfer fails is the role seized. Following the seizure, NTDSUtil outputs the Distinguished Name of each role holder, which is useful for confirmation purposes.
Continue issuing the “seize” command until all roles are held by the new server. If you need help with a command, type “?” to view a list of commands you may issue.
To exit NTDSUtil: type “q” to exit the FSMO Maintenance mode, then type “q” again to exit NTDSUtil.exe.
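As an added example (not the article’s own procedure), the same transfer performed through the MMC snap-ins above, and the seizure performed through NTDSUtil in this section, can be done with the ActiveDirectory module’s Move-ADDirectoryServerOperationMasterRole cmdlet, which keeps the same transfer-first, seize-only-on-failure order when -Force is given. The script assumes the ActiveDirectory module (RSAT) and Domain Admin rights (Schema Admins and Enterprise Admins for the two forest-level roles); “DC2.example.com” and “example.com” are placeholder names.

```powershell
# Added example: transfer FSMO roles with PowerShell, verify, and show the
# seize-as-last-resort form. Placeholder names; adjust to your environment.
Import-Module ActiveDirectory

$target = 'DC2.example.com'   # placeholder: the DC that should hold the roles
$domain = 'example.com'       # placeholder: the domain whose roles are moved

# Snapshot of all five holders, used before and after the move.
function Get-FsmoHolders {
    param([string]$Domain)
    $f = Get-ADForest
    $d = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"; Get-FsmoHolders -Domain $domain | Format-List

# Graceful transfer of the three domain-level roles; the current holder must be
# online. This is the PowerShell equivalent of the "Change" button in the snap-ins.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Forest-level roles are moved the same way (uncomment when needed):
# Move-ADDirectoryServerOperationMasterRole -Identity $target `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Last resort only, when the current holder is permanently gone: -Force attempts
# a normal transfer first and seizes the role only if that transfer fails, the
# same order NTDSUtil's "seize" command follows.
# Move-ADDirectoryServerOperationMasterRole -Identity $target `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force -Confirm:$false

"After:"; Get-FsmoHolders -Domain $domain | Format-List

# Confirm from the target DC's own copy of the directory, not just the host you ran from.
Get-ADDomain -Identity $domain -Server $target |
    Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

After a seizure, verify the new holders the same way (or with “netdom query fsmo”) and keep the old holder off the network; a seized role must not be allowed to reappear on the former DC, so remove its metadata rather than bringing it back online.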
Fusion 13 has taken painstaking effort to ensure the validity of its data;
however, the information contained in this document is provided without warranty.
The data presented is offered simply as a suggestion.
Fusion 13 can in no way be held responsible for how these suggestions are implemented in any environment.