Recipe 15.18. Finding the FSMO Role Holders

Problem

You want to find the domain controllers that are acting as one of the FSMO role holders.

Solution

Using a graphical user interface

For the Schema Master:
For the Domain Naming Master:
For the PDC Emulator, RID Master, and Infrastructure Master:

Using a command-line interface

In the following command, you can leave out the /Domain:<DomainDNSName> option to query the domain in which you are currently logged on:

    > netdom query fsmo /Domain:<DomainDNSName>

You can also use the dsquery server command to list the FSMO role owners, as shown here, where <Role> can be schema, name, infr, pdc, or rid:

    > dsquery server -hasfsmo <Role>

Using VBScript

    ' This code prints the FSMO role owners for the specified domain.
    ' ------ SCRIPT CONFIGURATION ------
    strDomain = "<DomainDNSName>"  ' e.g., emea.rallencorp.com
    ' ------ END CONFIGURATION ---------

    set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
    strDomainDN = objRootDSE.Get("defaultNamingContext")
    strSchemaDN = objRootDSE.Get("schemaNamingContext")
    strConfigDN = objRootDSE.Get("configurationNamingContext")

    ' PDC Emulator
    set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
    Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

    ' RID Master
    set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
    Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

    ' Schema Master
    set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
    Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

    ' Infrastructure Master
    set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
    Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

    ' Domain Naming Master
    set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
    Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner

Discussion

Several Active Directory operations, such as updating the schema, are sensitive and therefore need to be performed on a single domain controller. Active Directory cannot guarantee the proper execution of these functions in a situation where they may be invoked from more than one DC. The FSMO mechanism is used to limit these functions to a single DC. There are five designated FSMO roles that correspond to these sensitive functions.

A FSMO role can apply either to an entire forest or to a specific domain. Each role is stored in the fSMORoleOwner attribute on various objects in Active Directory depending on the role. Table 15-3 lists FSMO roles:

Using VBScript

If you want to get the DNS name for each FSMO, you'll need to get the parent object of the nTDSDSA object and use the dNSHostName attribute. The code for getting the Schema Master could be changed to the following to retrieve the DNS name of the DC:

    ' strSchemaDN is the schemaNamingContext value read from the RootDSE
    ' in the Solution script.
    set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
    ' fSMORoleOwner holds the DN of the role holder's nTDSDSA object.
    set objSchemaFsmoNTDS = GetObject("LDAP://" & objSchemaFsmo.fsmoroleowner)
    ' The parent of the nTDSDSA object is the DC's server object.
    set objSchemaFsmoServer = GetObject(objSchemaFsmoNTDS.Parent)
    Wscript.Echo "Schema Master: " & objSchemaFsmoServer.Get("dNSHostName")

See Also

MS KB 197132 (Windows 2000 Active Directory FSMO Roles), MS KB 223346 (FSMO Placement and Optimization on Windows 2000 Domain Controllers), MS KB 234790 (HOW TO: Find Servers That Hold Flexible Single Master Operations Roles), and MS KB 324801 (HOW TO: View and Transfer FSMO Roles in Windows Server 2003)
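
The Discussion's DNS-name lookup is shown only for the Schema Master; the following added example (not code from the original recipe) applies the same fSMORoleOwner, parent object, dNSHostName chain to all five roles and reports any owner reference that cannot be resolved instead of aborting. The function name GetRoleOwnerDnsName and the array layout are illustrative choices; the object DNs are the ones used in the Solution script.

```vbscript
' Added example: resolve all five FSMO role owners to DNS host names.
Option Explicit
Dim strDomain, objRootDSE, strDomainDN, strSchemaDN, strConfigDN
Dim arrRoles, arrRole

' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., emea.rallencorp.com
' ------ END CONFIGURATION ---------

Set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' Role name paired with the DN of the object that stores its fSMORoleOwner.
arrRoles = Array( _
    Array("PDC Emulator", strDomainDN), _
    Array("RID Master", "cn=RID Manager$,cn=system," & strDomainDN), _
    Array("Infrastructure Master", "cn=Infrastructure," & strDomainDN), _
    Array("Schema Master", strSchemaDN), _
    Array("Domain Naming Master", "cn=Partitions," & strConfigDN))

For Each arrRole In arrRoles
    WScript.Echo arrRole(0) & ": " & GetRoleOwnerDnsName(arrRole(1))
Next

' Hypothetical helper: returns the role holder's dNSHostName, or a marker
' string when the role object or its owner reference cannot be read.
Function GetRoleOwnerDnsName(strRoleObjectDN)
    Dim objRole, objNTDS, objServer, strOwnerDN
    On Error Resume Next

    Set objRole = GetObject("LDAP://" & strDomain & "/" & strRoleObjectDN)
    strOwnerDN = objRole.Get("fSMORoleOwner")
    If Err.Number <> 0 Then
        GetRoleOwnerDnsName = "<fSMORoleOwner not readable: 0x" & Hex(Err.Number) & ">"
        Exit Function
    End If

    ' Owner DN -> nTDSDSA object -> parent server object -> dNSHostName
    Set objNTDS = GetObject("LDAP://" & strDomain & "/" & strOwnerDN)
    Set objServer = GetObject(objNTDS.Parent)
    GetRoleOwnerDnsName = objServer.Get("dNSHostName")
    If Err.Number <> 0 Then
        ' Any failure in the chain: show the raw owner DN for follow-up.
        GetRoleOwnerDnsName = "<unresolved owner: " & strOwnerDN & ">"
    End If
End Function
```

Run it with cscript so each role prints on its own console line; an "unresolved owner" result shows the stored DN so the reference can be investigated.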