Understanding Flexible Single Master Operation Roles (FSMO)
Active Directory has five special roles that are vital for the smooth running of AD as a multi-master system. Some AD functions require an authoritative master to which all domain controllers can refer. These roles are installed automatically and there is normally very little reason to move them; however, if you decommission a DC and DCPROMO fails to run correctly, or a DC suffers a catastrophic failure, you will need to know about these roles in order to recover or transfer them to another DC. Windows administrators know that one of the most important aspects involved with managing Active Directory.
These are the five FSMO Roles:
1. Schema Master Role
2. Domain Naming Master
3. RID Master
4. PDC Master
5. Infrastructure Master
Remember that the domain naming master must be on a DC hosting the global catalog. The infrastructure master, on the other hand, must not be on a DC hosting the global catalog (the only exception is when all DCs are global catalog servers, which should not be the case in an enterprise network). There are numerous ways you may decide to place your FSMO roles.
One example placement is shown below; see the Microsoft article on FSMO placement best practices for details.
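The placement rules above are easy to check rather than remember. The script below is an added example, not part of the original post: it reads the current role holders with the RSAT ActiveDirectory module, compares the domain naming master and infrastructure master against the two rules stated above, and pings each role holder so an unreachable holder (the situation the seize procedure later in the post covers) is flagged early. It assumes the ActiveDirectory module is installed and the account can read forest and domain objects; it changes nothing.

```powershell
# Added example (not from the original post): audit FSMO placement against the rules
# stated in the text. Read-only; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Every DC in the forest with its Global Catalog flag. Get-ADDomainController -Filter *
# covers one domain at a time, so loop over the forest's domains.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, IsGlobalCatalog
}
$gcNames = ($dcs | Where-Object IsGlobalCatalog).HostName

# Current role holders: forest-wide roles from Get-ADForest, domain roles from Get-ADDomain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'Infrastructure Master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

$findings = @()

# Rule 1 from the post: the Domain Naming Master should sit on a Global Catalog.
if ($gcNames -notcontains $forest.DomainNamingMaster) {
    $findings += "Domain Naming Master $($forest.DomainNamingMaster) is not a Global Catalog"
}

# Rule 2 from the post: the Infrastructure Master must not be a GC unless every DC
# in the domain is a GC.
$domainDcs = $dcs | Where-Object Domain -eq $domain.DNSRoot
$allGc = ($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if (($gcNames -contains $domain.InfrastructureMaster) -and -not $allGc) {
    $findings += "Infrastructure Master $($domain.InfrastructureMaster) is a GC while some DCs are not"
}

# Reachability: a holder that does not answer is the case where seizing, not transferring,
# becomes necessary.
foreach ($r in $roles.GetEnumerator()) {
    if (-not (Test-Connection -ComputerName $r.Value -Count 1 -Quiet)) {
        $findings += "$($r.Key) holder $($r.Value) is unreachable"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'FSMO placement OK' }
```

Run it from any domain-joined machine with RSAT before and after a role move; a warning about an unreachable holder is the cue to confirm the failure by other means before deciding between a transfer and a seizure.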
To make these changes, the logged-on user must be a member of the groups below.

FSMO Role | Administrator must be a member of
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins
When a move of FSMO roles is planned, for example when decommissioning a server that holds one or more of them, it is called transferring the role. The other reason to move a role is because you have to: when a server that holds one or more FSMO roles has suffered a catastrophic hardware failure or is unresponsive, the move is unplanned and is called seizing the role.
Transferring a role can be done either through the graphical user interface (GUI) or through the command line interface (CLI, using ntdsutil.exe), while seizing a role can only be carried out via the command line.
Moving FSMO roles using GUI
A) Transferring Schema Master
To transfer the schema master you first need to install the Schema Master snap-in, which is done with the commands below:
1. Open cmd, type ‘regsvr32 schmmgmt.dll’ and press Enter. You will get a success message.
2. Start -> Run -> type ‘mmc’ and click OK.
3. In the window that appears, File -> Add or Remove Snap-in.
4. Select Active Directory Schema -> Add -> OK.
5. Right-click the Active Directory Schema snap-in and select ‘Change Active Directory Domain Controller’.
6. It lists the domain controllers (note: I have only two domain controllers in my network). Select the domain controller to which you want to transfer the schema master role and click ‘OK’. I need to move to my second server, ‘server-2.serverlsbs.com’.
7. If the domain controller you selected is not the schema operations master, a message appears saying the Active Directory Schema snap-in is not connected to the schema operations master. Click ‘OK’.
8. Right-click Active Directory Schema again and select ‘Operations Master’. The ‘Change Schema Master’ window appears; click the ‘Change’ button.
9. You are prompted to confirm the transfer; click ‘Yes’.
10. Once the role is transferred you get a success message; click ‘OK’.
The above steps complete the schema master transfer. Close the Change Schema Master dialog box and close the management console; whether or not you save the console settings does not matter.
B) Transfer the Domain Naming Master Role with Active Directory Domains and Trusts
1. Click ‘Start’ -> ‘Administrative Tools’ -> ‘Active Directory Domains and Trusts’.
2. Right-click ‘Active Directory Domains and Trusts’ -> ‘Change Active Directory Domain Controller’.
3. It lists the domain controllers (note: I have only two domain controllers in my network). Select the domain controller to which you want to transfer the role and click ‘OK’. I need to move to my second server, ‘server-2.serverlsbs.com’.
4. Right-click ‘Active Directory Domains and Trusts’ again -> ‘Operations Master’. In the window that appears, click the ‘Change’ button.
5. A confirmation window appears; click ‘Yes’.
6. If the operation succeeded, you get a success message.
The above steps complete the Domain Naming Master transfer.
C) Transfer the PDC Emulator, Infrastructure Master, and RID Master Roles with Active Directory Users and Computers
1) Start -> Administrative Tools -> Active Directory Users and Computers.
2) Right-click ‘Active Directory Users and Computers’ and select ‘Change Domain Controller’.
3) Select the domain controller to which you want to transfer the roles and click ‘OK’.
4) Right-click your domain name and select ‘Operations Master’. It shows the current holders of the PDC Emulator, Infrastructure Master, and RID Master roles; change each one on its own tab.
5) As soon as you try to change the Infrastructure Master role you get a warning: “The Infrastructure master role should not be transferred to a GC server”. Do NOT move the Infrastructure Master role to a GC unless all the DCs hold the GC. If all DCs are GCs, click ‘Yes’ and proceed. While changing the roles you are prompted; click ‘Yes’, and click ‘OK’ on the success message.
Transferring FSMO roles using the command line interface
As described above, you can move FSMO roles in two ways:
a) Transfer FSMO roles
b) Seize FSMO roles
Let us first consider transferring FSMO roles.
1. Log on to the server as a user who is a member of the Enterprise Administrators group to transfer the Schema Master or Domain Naming Master roles, or a member of the Domain Administrators group of the domain where the PDC Emulator, RID Master and Infrastructure Master roles are being transferred.
2. To find out which server holds which role, run the following at the command prompt:
‘netdom query fsmo’
This lists the role holders as below:
Here you can see my first server ‘server-1’ holds the ‘Schema master’ and ‘Infrastructure master’ roles, and server-2 holds ‘PDC’, ‘RID pool master’ and ‘Domain naming master’. So I am transferring all the roles from the second server to the first server.
1. Click ‘Start’, click ‘Run’, type ‘ntdsutil’ and press ENTER.
2. Type ‘roles’ and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil utility, type ‘?’ and then press ENTER.
3. Type ‘connections’ and then press ENTER.
4. Type ‘connect to server <servername>’ and then press ENTER, where <servername> is the name of the domain controller you want to assign the FSMO role to.
5. At the ‘server connections’ prompt, type ‘q’ and then press ENTER.
6. Type ‘transfer <role>’, where <role> is the role that you want to transfer. For a list of roles that you can transfer, type ‘?’ at the fsmo maintenance prompt and then press ENTER.
Since I want to transfer the ‘PDC’, ‘RID pool master’ and ‘Domain naming master’ roles to the first server, ‘server-1’, the commands are:
For the domain naming master: type ‘transfer naming master’ and press ENTER. You are prompted whether to transfer the role; click ‘Yes’.
For the PDC: type ‘transfer PDC’ and press ENTER. Click ‘Yes’ in the confirmation window.
For the RID master: type ‘transfer RID master’ and press ENTER, then click ‘Yes’.
Type ‘q’ twice to exit the ntdsutil utility.
To confirm the roles are transferred, type ‘netdom query fsmo’ at the command prompt, which lists the holders as below:
This is a successful transfer of FSMO roles.
Moving FSMO roles by seizing them
Follow these steps only when you are forced to move a role because a server that holds one or more FSMO roles has suffered a catastrophic hardware failure or is unresponsive; this is an unplanned move.
1. Click Start, click Run, type ntdsutil and press ENTER.
2. Type ‘roles’ and then press ENTER.
3. Type ‘connections’ and then press ENTER.
4. Type ‘connect to server <servername>’ and then press ENTER, where <servername> is the name of the domain controller that you want to assign the FSMO role to.
5. At the server connections prompt, type q and then press ENTER.
6. Type ‘seize <role>’, where <role> is the role that you want to seize. For a list of roles that you can seize, type ‘?’ at the fsmo maintenance prompt and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type ‘seize rid master’. The one exception is the PDC emulator role, whose syntax is ‘seize pdc’, not ‘seize pdc emulator’.
7. At the fsmo maintenance prompt, type q and then press ENTER to return to the ntdsutil prompt. Type q and then press ENTER to quit the Ntdsutil utility.
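The ntdsutil transfer and seize walkthroughs above are interactive. The script below is an added example, not part of the original post, showing the same two operations with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet (its -Force switch seizes when the current holder cannot be contacted, like ntdsutil's ‘seize’). It refuses to transfer to an unreachable target, applies the infrastructure master / GC rule from earlier in the post, refuses to seize a role whose holder still answers, and verifies with the post's own ‘netdom query fsmo’. The function name Move-FsmoRoles and the -Target / -Roles / -Seize parameters are this example's own; it assumes the RSAT ActiveDirectory module and the group membership from the table above.

```powershell
# Added example (not from the original post): transfer or seize FSMO roles with the
# ActiveDirectory module instead of an interactive ntdsutil session.
Import-Module ActiveDirectory

function Move-FsmoRoles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DC that should receive the roles (hypothetical parameter of this example)
        [Parameter(Mandatory)] [string] $Target,
        # Role names exactly as the cmdlet accepts them:
        # SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster
        [Parameter(Mandatory)] [string[]] $Roles,
        # Seize only when the current holder is permanently lost (the post's "catastrophic failure")
        [switch] $Seize
    )

    # A transfer needs the target online; refuse early rather than fail half-way.
    $dc = Get-ADDomainController -Identity $Target
    if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
        throw "Target DC $($dc.HostName) is unreachable"
    }

    # Placement rule from the post: no Infrastructure Master on a GC unless every DC is a GC.
    if ($Roles -contains 'InfrastructureMaster' -and $dc.IsGlobalCatalog) {
        $nonGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $dc.Domain
        if ($nonGc) {
            throw "Refusing to put the Infrastructure Master on GC $($dc.HostName): not all DCs are GCs"
        }
    }

    # Seizure is unplanned recovery: insist that the current holder really is down,
    # otherwise a normal transfer is the right operation.
    if ($Seize) {
        $domain = Get-ADDomain -Server $dc.HostName
        $forest = Get-ADForest -Server $dc.HostName
        foreach ($role in $Roles) {
            $holder = switch ($role) {
                'SchemaMaster'       { $forest.SchemaMaster }
                'DomainNamingMaster' { $forest.DomainNamingMaster }
                default              { $domain.$role }   # RIDMaster, PDCEmulator, InfrastructureMaster
            }
            if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
                throw "$role holder $holder still answers; transfer instead of seizing"
            }
        }
    }

    $verb = if ($Seize) { 'Seize' } else { 'Transfer' }
    if ($PSCmdlet.ShouldProcess($dc.HostName, "$verb $($Roles -join ', ')")) {
        # -Force makes the cmdlet seize when the holder cannot be contacted.
        Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Roles `
            -Force:$Seize -Confirm:$false
    }

    # Verify the same way the post does.
    netdom query fsmo
}

# Planned move of the three domain roles, mirroring the post's ntdsutil transfer
# (add -WhatIf to see what would happen without changing anything):
# Move-FsmoRoles -Target 'server-1' -Roles PDCEmulator, RIDMaster, DomainNamingMaster
# Unplanned recovery after the holder is lost for good:
# Move-FsmoRoles -Target 'server-1' -Roles RIDMaster -Seize
```

Once a role has been seized, the old holder must not be brought back onto the network; it should be cleaned out of the directory (metadata cleanup) rather than reconnected, since two DCs would otherwise each believe they own the role.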
Hope the above steps will help you.
Thanks, brother!