
FSMO (Flexible Single Master Operations)

There are times when you may need to change the Domain Controller
which holds one of the 5 FSMO roles. Either you could be facing a
disaster recovery, where you have lost the first Windows 2003 Domain
Controller, or you are organized and want to get the most out of your
Active Directory Forest. Although you rarely need to deal with
Microsoft's FSMO, there is the feeling that knowledge of these
Operation Masters gives you power over your Windows 2003 Servers.

Topics for FSMO

• Background of Operations Masters
• 5 FSMO Roles
• Checking which DC holds which FSMO role
• The 'Knack' of Changing Operations Master
• Advice and Troubleshooting FSMO

Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple
master model. The benefit is you can add a computer, or change a
user's password, on any domain controller. For example, if you have
three domain controllers, you can physically create a new computer
account in the NTDS.dit database on any of the three. Within five
minutes (15 seconds in Windows 2003), the new computer object will
be replicated to the other two domain controllers in the same site;
replication to other sites follows the site link schedule.

Technically, the Microsoft multiple master model uses a change
notification mechanism. Occasionally problems arise if two
administrators perform conflicting operations before the next
replication cycle. For example, you created an OU called Accounts
last week; today, at the same instant that you create new users in
that OU, another administrator on another DC deletes the OU. Active
Directory does its best to obey both administrators: it deletes the OU
and creates the users, but because it cannot create the users in an
OU that no longer exists, the users are added to the orphaned objects
in the 'LostAndFound' container. You can troubleshoot what has
happened by locating the 'LostAndFound' container in Active Directory
Users and Computers: from the View menu, click Advanced Features.

It was worth investigating how Active Directory handles orphaned
objects, because the point of FSMO is that a few operations are so
critical that only one domain controller may carry out that process.
Imagine what would happen if two administrators tried to make
different changes to the same schema object: chaos. That is why
administrators can only change the schema on one Domain Controller.
Emulating a PDC is the most famous example of such a Single Master
Operation; creating a new child domain would be another example.

The Five FSMO Roles

There are just five operations where the usual multiple master model
breaks down, and the Active Directory task must only be carried out
on one Domain Controller. FSMO roles:

1. PDC Emulator - Most famous for backwards compatibility
with NT 4.0 BDCs. However, the PDC emulator has other jobs that
matter even in a Windows 2003 native domain: it is the authoritative
time source for the domain (the W32Time hierarchy ends at the forest
root's PDC emulator), password changes and account lockouts are
replicated to it urgently so that it can re-check a logon that failed
with a bad password on another DC, and the Group Policy editor
connects to it by default when you create or edit group policies. I
admit that it is confusing that these jobs have little to do with
PDCs and BDCs.
2. RID Master - Each security principal (user, group or computer)
must have a unique SID, which is the domain SID followed by a
relative identifier (RID). The RID master makes sure each domain
controller issues unique RIDs when you create such objects, by
handing every DC its own pool of RIDs (500 at a time by default).
For example, DC one is given RIDs 1000-1499 and DC two is given
RIDs 1500-1999. This is separate from the objectGUID, which every
object generates for itself and which needs no master.
3. Infrastructure Master - Responsible for keeping references to
objects in other domains up to date. When a group in your domain
contains a user from another domain, your domain stores only a
reference to that user; if the user is renamed or moved in its home
domain, the Infrastructure master notices the change by comparing
the reference with the Global Catalog and updates it. Group
membership across domains is the most important example. If the
Infrastructure master could not do this, memberships that reach into
other domains would show stale names and SIDs, and you could no
longer trust what Active Directory Users and Computers tells you
about who is in a group.
4. Domain Naming Master - Ensures that each domain added to the
forest has a unique name; it is the only DC that can add or remove
a domain (and, in Windows 2003, an application directory partition).
How often do child domains get added to the forest? Not very often,
I suggest, so the fact that this is a FSMO does not impact on normal
domain activity. My point is it's worth the price to confine adding
and removing domains to one machine, and save the tiny risk of
getting duplicate names or orphaned domains.
5. Schema Master - Operations that involve expanding user
properties, e.g. Exchange 2003 forestprep, which adds mailbox
properties to users. Rather like the Domain Naming Master, changing
the schema is a rare event. However, if you have a team of Schema
Administrators all experimenting with object properties, you would
not want there to be a mistake which crippled your forest. So it's a
case of Microsoft knows best: the Schema Master should be a Single
Master Operation and thus a FSMO role.

(There is also an important Global Catalog role; however, it is not a
FSMO role, as you can have more than one Global Catalog. See more
on Global Catalog Server.)

How many FSMO Domain controllers in your Forest?

Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst
two (4. 5.) are unique to the entire forest. Thus, if you have three
domains there will be 3 PDC emulators, but only 1 Schema Master.

Checking which DC holds which FSMO role

RID, PDC, Infrastructure (1. 2. and 3.)

You can discover which server holds the Operation Master by opening
Active Directory Users and Computers, Right click your Domain and
select Properties, Operations Masters.
Domain Naming Master (4.)

To see the Domain Naming Master (4.), navigate to the little used,
Active Directory Domains and Trusts, Right click your Domain and
select Properties, Operations Masters.

Schema Master (5.)

The Schema Master (5.) is the most difficult FSMO to find. The reason
is that the Schema snap-in is hidden by default; perhaps this is
Microsoft's way of saying: don't mess with the object definitions.
However, you can reveal the Schema and its FSMO settings thus:

1) Register the Schema snap-in with this command: Start, Run,
regsvr32 schmmgmt.dll

2) Run MMC, File menu, Add/Remove Snap-in, click the Add button
and select Active Directory Schema.

3) Select Active Directory Schema, right click, Operations Master.
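Clicking through three snap-ins works, but it is slow and it cannot tell you whether the recorded holder still exists. The script below is an added example, not from the original page: it reads the fSMORoleOwner attribute of the five directory objects that record each role holder (the domain head, CN=RID Manager$, CN=Infrastructure, CN=Partitions and the schema container), resolves the holder's DNS name, and flags a holder whose NTDS Settings object has been deleted, which is the signature of a role that nobody currently holds and that must be seized. It uses only ADSI, so it needs no Support Tools; the DN in the comment uses the page's cp.com domain as an assumed example.

```powershell
# Added example (not from the original page): list the five FSMO role holders
# by reading fSMORoleOwner over LDAP and flag orphaned roles.

function Get-FsmoRoleHolder {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$rootDse.defaultNamingContext          # DC=cp,DC=com (assumed)
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext

    # Object whose fSMORoleOwner attribute names the holder of each role.
    # The first three are per domain, the last two are forest-wide.
    $roleObjects = @(
        @('PDC Emulator',          "LDAP://$domainNC"),
        @('RID Master',            "LDAP://CN=RID Manager`$,CN=System,$domainNC"),
        @('Infrastructure Master', "LDAP://CN=Infrastructure,$domainNC"),
        @('Domain Naming Master',  "LDAP://CN=Partitions,$configNC"),
        @('Schema Master',         "LDAP://$schemaNC")
    )

    foreach ($pair in $roleObjects) {
        $role = $pair[0]
        $ntdsDn = [string]([ADSI]$pair[1]).fSMORoleOwner
        # fSMORoleOwner is the DN of the holder's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cp,DC=com

        # If the holder's NTDS Settings object has been deleted (dead DC,
        # metadata cleanup), the DN still points at it in mangled form with
        # "\0ADEL:<guid>" inside. That is the fingerprint of a role nobody
        # holds: the role is orphaned until someone seizes it.
        $orphaned = $ntdsDn -match '\\0ADEL:'

        $holder = $null
        if (-not $orphaned) {
            # Parent of NTDS Settings is the server object; its dNSHostName
            # is the DC's FQDN.
            $server = ([ADSI]"LDAP://$ntdsDn").Parent
            $holder = [string]$server.dNSHostName
        }

        New-Object PSObject -Property @{
            Role     = $role
            Holder   = $holder
            OwnerDN  = $ntdsDn
            Orphaned = $orphaned
        }
    }
}

Get-FsmoRoleHolder | Select-Object Role, Holder, Orphaned, OwnerDN | Format-Table -AutoSize
```

Run it against two or three different DCs (set the focus with Connect-to or by prefixing the LDAP paths with a server name) and compare with netdom query fsmo: if the DCs disagree about who holds a role, the problem is replication rather than the role itself.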

Footnote

I have to confess a hidden agenda with FSMO. If I want to instantly


know how well someone knows Active Directory, I introduce FSMO into
the conversation and watch their reaction. Professionals will know
what FSMO means and its significance, amateurs just frown.

FSMO - Advice

This page will advise you what to do if you lose the Domain Controller
holding one of the FSMO roles. I will also cover the implications of
having more than one FSMO master for the same role. If you have
lost your FSMO master then I have a troubleshooting section, and a
separate page on transferring FSMO roles. Incidentally, the modern
tendency is to use the term Operation Masters, whereas in Windows
2000, FSMO was the term of choice.

PDC Emulator

Of the 5 roles, this is the one you will miss soonest. Not only will
NT 4.0 BDCs complain, but there will also be no time synchronization
and no single DC to which password changes are urgently forwarded.
Another problem is that you probably will not be able to change or
troubleshoot group policies, because by default the Group Policy
editor connects to the PDC emulator.

Implications for Duplicates

If the old PDC emulator returns after you have seized the role, it is
not as serious as duplicates of some of the other roles: on
replication the returning DC learns that it no longer holds the role.
Because the role is missed immediately, seize the PDC role quickly on
another machine rather than waiting.

RID Master

One Domain Controller is responsible for giving all the rest of the
Domain Controllers a pool of unique numbers (RIDs) so that no two new
security principals end up with the same SID.

If you lose the RID master, the chances are good that the existing
Domain Controllers will have enough unused RIDs to last a week or so:
each DC holds a pool of 500 RIDs by default and only asks the RID
master for another pool when about half of its current pool is used.
So do not be in a hurry to seize.
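"A week or so" depends entirely on how many accounts each DC creates; the safer answer is to read the pools. The following is an added example, not from the original page: it lists every DC's RID Set object (CN=RID Set under the DC's computer account) and works out how many RIDs the DC can still hand out before it needs the RID master again, counting a standby pool if the DC has already fetched one. DirectorySearcher returns the packed 64-bit pool attributes as Int64; the 500-RID default pool size and the DC names in the output are whatever your domain has, nothing here is assumed beyond a domain-joined machine.

```powershell
# Added example (not from the original page): RIDs remaining on each DC, i.e.
# how long the domain can keep creating principals without its RID master.

function Split-RidPool([int64]$Packed) {
    # rIDAllocationPool and rIDPreviousAllocationPool pack two 32-bit RIDs:
    # low half = first RID of the pool, high half = last RID of the pool.
    $start = $Packed -band 0xFFFFFFFF
    $end   = [int64][math]::Floor($Packed / 4294967296)
    New-Object PSObject -Property @{ Start = $start; End = $end }
}

function Get-RidPoolStatus {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$rootDse.defaultNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainNC"
    # One rIDSet per DC: CN=RID Set,CN=<DC>,OU=Domain Controllers,<domain>
    $searcher.Filter = '(objectClass=rIDSet)'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName',
        'rIDAllocationPool', 'rIDPreviousAllocationPool', 'rIDNextRID'))

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        $dc = (($dn -split ',')[1] -replace '^CN=', '')

        # rIDAllocationPool is the pool most recently granted by the RID
        # master; rIDPreviousAllocationPool is the pool being consumed now.
        $latest = Split-RidPool $result.Properties['ridallocationpool'][0]
        if ($result.Properties['ridpreviousallocationpool'].Count -gt 0) {
            $current = Split-RidPool $result.Properties['ridpreviousallocationpool'][0]
        } else {
            $current = $latest    # fresh DC that has not started on its pool
        }

        # rIDNextRID records the RID most recently handed out; a DC that has
        # never created a principal has no value yet.
        if ($result.Properties['ridnextrid'].Count -gt 0) {
            $next = [int64]$result.Properties['ridnextrid'][0]
        } else {
            $next = $current.Start - 1
        }

        # RIDs left in the pool being consumed, plus a whole standby pool if
        # the DC has already fetched the next one (it asks once the current
        # pool is about half used).
        $remaining = $current.End - $next
        $standby = ''
        if ($latest.Start -ne $current.Start) {
            $remaining += ($latest.End - $latest.Start + 1)
            $standby = "$($latest.Start)-$($latest.End)"
        }

        New-Object PSObject -Property @{
            DC          = $dc
            CurrentPool = "$($current.Start)-$($current.End)"
            StandbyPool = $standby
            Remaining   = $remaining
        }
    }
}

Get-RidPoolStatus | Select-Object DC, CurrentPool, StandbyPool, Remaining | Format-Table -AutoSize
```

A DC whose Remaining figure is small and which shows no StandbyPool is the one that will start failing to create users first; that, not the calendar, is your deadline for repairing or seizing the RID master.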

Implications for Duplicates

You must not allow two RID masters, as two DCs handing out overlapping
pools could produce two objects with the same SID, which would be
disastrous. So if the original is found, it must be reformatted and
reinstalled before re-joining the forest.

Infrastructure Master

The consequence of a missing Infrastructure master is that group
memberships which reference users in other domains may show stale or
incomplete information. If you only have one domain, there will be no
impact, as the Infrastructure Master is only responsible for updating
references to objects in other domains in the forest.

Implications for Duplicates

No damage occurs if the old Infrastructure master returns; just check
the Operations Masters and decide which machine should hold the role.

Forest Wide Roles

Schema Master

If you lose the Schema Master, then long term it is serious because
you cannot install Exchange 2003 or extend the schema. However,
short term no-one will notice a missing Schema Master, so try and
repair the old one rather than seize the role.

Implications for Duplicates

You must not allow two Schema Masters, so if the original is found or
repaired, it must be completely rebuilt rather than allowed into the
forest.

Domain Naming Master

This is a forest wide role that is responsible for adding and removing
child domains and new trees. Unless you are going to run DCPROMO to
add or remove a domain, you will not miss this FSMO role, so wait
rather than seize the role.

Implications for Duplicates

You must not allow the original Domain Naming Master to return,
rebuild before you let the machine back in the forest.

Troubleshooting FSMO

Symptoms of FSMO Problems

I find that the first sign of a problem with a FSMO is that Active
Directory Users and Computers is slow to initialize. Moreover, if you
try even to view Group Policies, you get an error such as:
Inaccessible GPO - Access Denied, or
Failed to open the Group Policy Object. You may not have appropriate
rights.

The cause of these symptoms is that the FSMO master holding the
PDC emulator is unavailable (the Group Policy editor tries to connect
to it first). Fingers crossed it's a temporary problem; however, if
the problem persists, then you need to investigate which Domain
Controller holds, or held, the PDC emulator role.

Troubleshooting Toolkit

DCDiag - Not only does DCDiag have a routine to check the FSMOs
(dcdiag /test:KnowsOfRoleHolders, and /test:FsmoCheck in the Windows
2003 version), but it also provides information on Active Directory
replication. As ever with troubleshooting, you want to get to the
root cause, not merely treat one of the symptoms.

NetDOM - It's a close call whether to run NetDOM before or after
DCDiag; the answer partly depends on whether NetDom is already
installed or you need to get it from the Windows Server 2003
Support Tools.

From the command line type netdom query fsmo. You should see a
list of the 5 roles with the corresponding Domain Controller.

DNS - Excuse what may seem like a digression, but it never ceases to
amaze me how often faulty DNS configuration is the source of an
Active Directory problem. Therefore, head for the DNS snap-in and
check that all settings are as expected. Remember the Monitoring
tab. Make sure that each domain controller has registered its SRV
records and that each DNS server can resolve the other DNS servers.

DCPROMO - Rather drastic, but sometimes just running this program
to demote a Domain Controller creates error messages, which are
handy additional sources of information. If there are no error
messages, you may just choose to cancel. However, if you go ahead
and run DCPROMO to demote a domain controller, watch out for a
check box that says 'This server is the last domain controller in the
domain'. If that box is UNchecked, the wizard will automatically move
any FSMO roles to another domain controller.

NTDSUTIL - Powerful command line tool; note the Transfer and Seize verbs.


How to Transfer FSMO Roles

Remember that in the acronym FSMO, the word Flexible means that
you can move the role to a more suitable domain controller. There are
two scenarios for transferring the FSMO roles. The first is a planned
transfer where the original FSMO Operations Master is up and
running. Alternatively, if the original FSMO master has been stolen,
corrupted or is otherwise unavailable, then you need NTDSUTIL to
seize the role.

Topics for Transferring the FSMO Master.

• Planning the FSMO Transfer
• Where to Find the 5 FSMO Operation Masters
• Pull those Operations Masters
• At Last - We get to Press the Change Button
• NTDSUTIL
• Summary - FSMO transfer

Planning the FSMO Transfer

As a matter of planning strategy, decide if this move is a short term
fix, or part of a long term transfer of the role. Another
consideration is whether you want all the roles on the same Domain
Controller. The answer is probably not; for example, best practice
suggests that the Infrastructure master should not be on a Global
Catalog.

If the Global Catalog and the Infrastructure Master are on the same
server, the Infrastructure Master never updates cross-domain
references. It finds stale references by comparing its own copy with
the Global Catalog, and a server that is itself a Global Catalog
already holds the up-to-date copy, so it sees nothing to fix and the
other DCs in the domain never receive the updates. This is only a
problem in a multi-domain forest, and not if every DC in the domain
is a Global Catalog.

Your planning should also take into account the fact that each domain
has its own RID, PDC and Infrastructure Master, while there is only
one Schema and one Domain Naming Master for the entire Active
Directory Forest.

Finally, a minor consideration: have you the correct rights?
Transferring the three domain roles needs a Domain Administrator,
the Domain Naming Master needs an Enterprise Administrator, and the
Schema Master needs a member of Schema Admins.

Where to Find the 5 FSMO Masters

Three of the FSMO Operations Masters are found under the domain in
Active Directory Users and Computers. The FSMO roles found here are:
RID, PDC and Infrastructure masters. Right click on the domain name
(cp.com in the diagram) then select Operations Masters.

The Domain Naming Master is tucked away under Active Directory
Domains and Trusts. The hardest FSMO master to find is the Schema
Master, the reason being you first have to register the schema
snap-in with the command: Start, Run, regsvr32 schmmgmt.dll.

Now that you have located the 5 Operation Masters, the technique to
transfer ownership is the same in each case.

Pull those Operations Masters

The key concept is Pull. Make sure that you are connected to the
destination server. This is really such a simple point, but once you
have grasped it, the knack of transferring FSMO roles will be easy.
Sorry to harp on, but unless you make the new FSMO domain controller
the focus of the MMC snap-in (right click the snap-in and connect to,
or change, the domain controller), trust me, you will be frustrated.

At Last - We get to Press the Change Button

Now that you have the 'focus' on the new Operations Master, your
transfer will proceed smoothly. After double checking that the server
names are the correct way around, just click on the Change button.

Now it's on to the next Operations Master; remember that there are 5
roles. Although a multi-domain forest has more than one RID, PDC and
Infrastructure master (one set per domain), usually you only need to
take one server out of commission at a time. However, if you are
taking the opportunity to restructure your FSMO roles, then you may
have to make more than 5 changes.

NTDSutil

NT directory service utility (NTDSutil) reminds me of UNIX or
mainframes. What you get with NTDSutil is a command line program with
powerful verbs that can dramatically affect the operating system.
Rather like ESEutil, you should take every opportunity to practice
with NTDSutil, so that when you have to use it in anger you will know
what you are doing. Even so, back up first, because there are no
safety checks and the wrong command can wreak havoc.

When you are seizing a FSMO role with NTDSutil, the command you want
is Seize PDC (or Seize RID master, etc.). Note that a seize first
attempts an ordinary transfer and only overwrites the role if the
current holder cannot be contacted; where the holder is still running,
use the Transfer verbs instead. However, as soon as you execute
NTDSutil you realize how many different jobs this utility has.

Make use of help at every NTDSutil prompt

Sample NTDSutil command session

ntdsutil
roles - help
connections - help
connect to server yourserver (change yourserver but include the words
'to server')
quit (back to the fsmo maintenance prompt)
seize pdc (or other FSMO role)

C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: help
? - Show this help information
Connections - Connect to a specific domain controller
Help - Show this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and
naming contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master

fsmo maintenance: connections
server connections: help

? - Show this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Show this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd.
Use "NULL" for null password,
* to enter password from the console.

server connections: connect to server william
Binding to william ...
Connected to william using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize pdc
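Typing the menus by hand is fine for practice, but when you have to do this in anger it helps to have the exact sequence scripted and logged. The function below is an added example, not from the original page: it drives NTDSutil non-interactively from PowerShell by passing each menu command as a separate argument (the same roles / connections / connect to server / quit / verb sequence as the session above), defaults to the reversible transfer, and only uses seize when you ask for it. The verbs are the Windows 2003 ones shown in the help listing above; DC2 in the usage lines is an assumed server name.

```powershell
# Added example (not from the original page): transfer or seize a FSMO role
# with NTDSutil from a script, keeping a log of who did what and when.

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDC,   # the DESTINATION: pull, never push
        [Parameter(Mandatory=$true)]
        [ValidateSet('pdc', 'rid master', 'infrastructure master',
                     'domain naming master', 'schema master')]
        [string]$Role,
        [switch]$Seize
    )

    # Transfer is the graceful path and needs the current holder online.
    # Seize is for a holder that is gone for good: NTDSutil still tries a
    # transfer first and only overwrites the role when the holder cannot be
    # reached. After seizing RID, Schema or Domain Naming, the old holder must
    # be rebuilt before it is ever allowed back on the network.
    $verb = if ($Seize) { 'seize' } else { 'transfer' }

    # One argument per NTDSutil menu command, exactly as typed interactively.
    $steps = @(
        'roles',
        'connections',
        "connect to server $TargetDC",
        'quit',                 # back to the fsmo maintenance prompt
        "$verb $Role",
        'quit',
        'quit'
    )

    $log = Join-Path $env:TEMP ('fsmo-{0}-{1}.log' -f ($Role -replace ' ', '_'),
                                                   (Get-Date -Format 'yyyyMMdd-HHmmss'))
    "$(Get-Date -Format s) $env:USERDOMAIN\$env:USERNAME : $verb $Role -> $TargetDC" |
        Out-File -FilePath $log

    # PowerShell quotes any element containing spaces when it launches the exe,
    # so "connect to server DC2" arrives as a single argument.
    $output = & ntdsutil.exe $steps 2>&1
    $output | Out-File -FilePath $log -Append
    $output
    "Log written to $log"
}

# Planned move while the current holder is up (run as Domain Admin; Enterprise
# Admin for domain naming master, Schema Admin for schema master):
#   Move-FsmoRole -TargetDC DC2 -Role 'pdc'
# Holder is lost and will be rebuilt before it returns:
#   Move-FsmoRole -TargetDC DC2 -Role 'rid master' -Seize
```

Run netdom query fsmo on two different DCs afterwards; the change has not really happened until both report the new holder.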
