In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to
the schema. Once the Schema update is complete, it is replicated from the
schema master to all other DCs in the directory. To update the schema of a
forest, you must have access to the schema master. There can be only one
schema master in the whole forest.
Domain Naming Master:
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole
forest.
Infrastructure Master:
Note: The Infrastructure Master (IM) role should be held by a domain controller
that is not a Global Catalog server (GC). If the Infrastructure Master runs on a
Global Catalog server, it stops updating object information, because a GC holds a
partial replica of every object in the forest and therefore never contains
references to objects it does not hold. As a result, cross-domain object
references in that domain will not be updated, and a warning to that effect will
be logged in that DC's event log. If all the domain controllers in a domain also
host the global catalog, all the domain controllers already have the current
data, and it does not matter which domain controller holds the infrastructure
master role.
RID Master:
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain),
and a relative ID (RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates. When a DC's allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domain's
RID master. The domain RID master responds to the request by retrieving RIDs
from the domain's unallocated RID pool and assigns them to the pool of the
requesting DC. At any one time, there can be only one domain controller acting
as the RID master in the domain.
PDC Emulator:
The PDC emulator of a domain is the authoritative time source for the domain. The
PDC emulator at the root of the forest becomes authoritative for the enterprise,
and should be configured to gather the time from an external source. All PDC
FSMO role holders follow the hierarchy of domains in the selection of their
in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:
This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or
earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs
the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC
emulator master in each domain in the forest.
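The following script is an added example and is not part of the original article. It inventories the five FSMO role holders across a forest using the ActiveDirectory PowerShell module (the RSAT module, which postdates Windows Server 2003 and is assumed to be installed), and then applies the Infrastructure Master check described above: it warns when the IM sits on a Global Catalog server in a domain where not every DC is a GC. It only reads the directory and changes nothing; the function names are my own.

```powershell
# Added example (not from the original article): inventory the five FSMO role
# holders and flag an Infrastructure Master that sits on a Global Catalog server
# in a domain where not every DC is a GC. Assumes the ActiveDirectory module
# (RSAT) and an account allowed to read the forest; nothing is modified.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest
    # Forest-wide roles: exactly one holder of each in the whole forest.
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # Per-domain roles: one holder of each in every domain of the forest,
    # so a three-domain forest has three PDC emulators, three RID masters, etc.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }
}

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory)][string]$DomainName)
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        # The case the article warns about: the IM is a GC while other DCs in the
        # domain are not, so cross-domain references in this domain stop being updated.
        Write-Warning ("{0}: Infrastructure Master {1} is a GC but {2} DC(s) are not; " +
                       "cross-domain object references will not be updated.") -f $DomainName, $im.HostName, $nonGc.Count
        return $false
    }
    # Either the IM is not a GC, or every DC is a GC (then placement does not matter).
    return $true
}

Get-FsmoInventory | Format-Table -AutoSize
foreach ($d in (Get-ADForest).Domains) {
    $null = Test-InfrastructureMasterPlacement -DomainName $d
}
```

Run it from a domain-joined admin workstation; the inventory table is the same information the Operations Masters dialogs show per snap-in, collected in one place, and the placement check is worth scheduling after any role move or GC promotion.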
In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the
Active Directory installation process. However, there are scenarios where an
administrator would want to move one or more of the FSMO roles from the
default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement. In this article I will only deal with
Windows Server 2003 Active Directory, but you should bear in mind that most
considerations are also true when planning Windows 2000 AD FSMO roles.
Configure a standby operations master - For each server that holds one or
more operations master roles, make another DC in the same domain available as
a standby operations master. Making a DC a standby operations master
involves the following actions:
1. In Active Directory Sites and Services snap-in, in the console tree in the
left pane, expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations
master role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the
standby operations master, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for
the connection object or accept the default name and click OK.
To create a connection object on the standby operations master perform the
same procedure as above, and point the connection to the current FSMO role
holder.
Highly available server - FSMO functions require that the FSMO role holder is
highly available at all times. A highly available DC is one that uses computer
hardware that enables it to remain operational even during a hardware failure.
For example, having a RAID1 or RAID5 configuration enables the server to keep
running even if one hard disk fails.
Although most FSMO losses can be dealt with within a matter of hours (or even
days in some cases), some FSMO roles, such as the PDC Emulator role, should
never be offline for more than a few minutes at a time.
What will happen if you keep a FSMO role offline for a long period of time? This
table has the info:
One exception is the performance of the PDC Emulator, mainly when used in
Windows 2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
The RID master, the PDC master, and the infrastructure master are per-domain roles.
Each domain has its own RID master, PDC master, and infrastructure master.
Therefore, if a forest has three domains, there are three RID masters, three PDC
masters, and three infrastructure masters.
NOTE: For the Active Directory Schema snap-in to be available, you may have to
register the Schmmgmt.dll file. To do this, click Start, click Run, type regsvr32
schmmgmt.dll in the Open box, and then click OK. A message is displayed that
states the registration was successful.
Moving the FSMO roles while both the original FSMO role holder and the future
FSMO role holder are online and operational is called Transferring, and is
described in the Transferring FSMO Roles article.
However, when the original FSMO role holder has gone offline or become
non-operational for a long period of time, the administrator might consider moving
the FSMO role from the original, non-operational holder to a different DC. The
process of moving the FSMO role from a non-operational role holder to a
different DC is called Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server
online again. Since none of the FSMO roles are immediately critical (well, almost
none: the loss of the PDC Emulator FSMO role can become a problem unless
you fix it in a reasonable amount of time), it is not a problem for them to be
unavailable for hours or even days.
If a DC becomes unreliable, try to get it back online, and transfer the FSMO
roles to a reliable computer. Administrators should use extreme caution in
seizing FSMO roles. This operation, in most cases, should be performed only if
the original FSMO role owner will not be brought back into the environment.
Only seize a FSMO role if absolutely necessary, when the original role holder is
not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete
loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
box, and then click OK.
Note: To see a list of available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For
example, to seize the RID Master role, you would type seize rid master:
Options are:
7. You will receive a warning window asking if you want to perform the
seize. Click on Yes.
Note: All five roles need to be in the forest. If the first domain controller is out
of the forest then seize all roles. Determine which roles are to be on which
remaining domain controllers so that all five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until
you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain
controller as the Global Catalog server. If the Infrastructure Master runs on a GC
server it will stop updating object information because it does not contain any
references to objects that it does not hold. This is because a GC server holds a
partial replica of every object in the forest.
How can I transfer some or all of the FSMO Roles from one DC to another?
Moving the FSMO roles while both the original FSMO role holder and the future
FSMO role holder are online and operational is called Transferring, and is
described in this article.
The transfer of an FSMO role is the preferred way of moving a FSMO role
between domain controllers and can be initiated by the administrator or by
demoting a domain controller. However, the transfer process is not initiated
automatically by the operating system, for example when a server is shut
down. FSMO roles are not automatically relocated during the shutdown process;
this must be considered when shutting down a domain controller that has an
FSMO role for maintenance, for example.
However, when the original FSMO role holder has gone offline or become
non-operational for a long period of time, the administrator might consider moving
the FSMO role from the original, non-operational holder to a different DC. The
process of moving the FSMO role from a non-operational role holder to a
different DC is called Seizing, and is described in the Seizing FSMO Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by
using an MMC snap-in tool. Depending on the FSMO role that you want to
transfer, you can use one of the following three MMC snap-in tools:
To transfer the FSMO role the administrator must be a member of the following
group:
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure
Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the
Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the icon next to Active Directory Users and Computers and
press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target,
and press OK.
4. Right-click the Active Directory Users and Computers icon again and
press Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the
Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
1. Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the icon next to Active Directory Domains and Trusts and press
Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press
OK.
4. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete
loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
box, and then click OK.
Note: To see a list of available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type transfer <role>, where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid
master:
Options are:
7. You will receive a warning window asking if you want to perform the
transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit
Ntdsutil.exe.
9. Restart the server and make sure you update your backup.
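The following is an added example, not part of the original article and not a Microsoft-supplied script. It performs the transfer described in this section, and the seize described earlier, with the ActiveDirectory PowerShell module instead of Ntdsutil: Move-ADDirectoryServerOperationMasterRole is a real cmdlet (available from the Windows Server 2008 R2 RSAT module onward, so this assumes a newer toolset than the Windows Server 2003 GUI steps above); without -Force it is a transfer, with -Force it is a seize. The function name, the -Seize switch, the Infrastructure Master guard, and the server names are my own.

```powershell
# Added example (not from the original article): move one or more FSMO roles to
# a target DC. Without -Seize this is a transfer (both DCs online, the normal
# case); -Seize adds the cmdlet's -Force switch, which is the seize described
# earlier and belongs only to the case where the old holder will not return.
# Assumes the ActiveDirectory module (RSAT) and the rights the article lists.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    $target = Get-ADDomainController -Identity $TargetDC

    # Same guard as the article's note: do not put the Infrastructure Master on a
    # GC unless every DC in that domain is also a GC.
    if ($Role -contains 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
        $nonGc = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $target.Domain)
        if ($nonGc.Count -gt 0) {
            throw "$TargetDC is a Global Catalog and $($nonGc.Count) DC(s) in $($target.Domain) are not; choose another IM holder."
        }
    }

    $params = @{ Identity = $target; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $params.Force = $true }   # Force = seize; only when the old holder is gone for good
    Move-ADDirectoryServerOperationMasterRole @params

    # Verify against the directory on the target itself rather than trusting the
    # cmdlet's silence; replication to other DCs follows afterwards.
    $domain = Get-ADDomain -Identity $target.Domain -Server $target.HostName
    $forest = Get-ADForest -Server $target.HostName
    foreach ($r in $Role) {
        $holder = switch ($r) {
            'PDCEmulator'          { $domain.PDCEmulator }
            'RIDMaster'            { $domain.RIDMaster }
            'InfrastructureMaster' { $domain.InfrastructureMaster }
            'SchemaMaster'         { $forest.SchemaMaster }
            'DomainNamingMaster'   { $forest.DomainNamingMaster }
        }
        [pscustomobject]@{ Role = $r; Holder = $holder; Ok = ($holder -eq $target.HostName) }
    }
}

# Transfer while both DCs are online (placeholder server names):
Move-FsmoRole -TargetDC 'dc02.example.com' -Role PDCEmulator, RIDMaster

# Seize, only when the previous holder will never be brought back:
# Move-FsmoRole -TargetDC 'dc02.example.com' -Role InfrastructureMaster -Seize
```

As with the Ntdsutil procedure, a seized role must never be followed by reconnecting the old holder to the network while it still believes it owns the role, and the article's final step still applies after either path: refresh your backup so it records the new role placement.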