Managing FSMO Roles in the Forest

Because the location of the Flexible Single Master Operation (FSMO) role masters is very important for the proper functioning of a multi-domain forest, an administrator must know which domain controllers hold a specific role at any moment of the network's lifetime. Therefore, he or she must have the facilities to find the role masters easily and to transfer a role from one DC to another. Moreover, it is necessary to have a way to forcibly take a role away from a defunct DC. This is referred to as seizing a role.

Finding FSMO Role Owners

To find the owners of FSMO roles (operation masters), an administrator can use the "standard" administrative tools (see the previous chapter):

  • The Active Directory Users and Computers snap-in displays the RID, PDC, and Infrastructure masters.

  • The Active Directory Domains and Trusts snap-in displays the Domain Naming master.

  • The Active Directory Schema snap-in displays the Schema master.

This approach is, however, time-consuming, and it makes sense to use some command-line tools or scripts. Some such tools are described below; for more information, see Chapter 17, "Scripting Administrative Tasks" (the "How to Find an FSMO Master?" section and Listing 17.20).

Windows .NET — DsQuery Utility

A brand-new command-line utility, DsQuery.exe, will help you to find a specific role master, for example:

    C:\>dsquery server -hasfsmo rid
    "CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom"

You can also specify other roles: pdc, infr, name, schema.

Windows Domain Manager (NetDom.exe) (ST)

NetDom.exe (see Chapter 12, "Manipulating Active Directory Objects") can display all operation masters known to a specified DC. Use the following command syntax:

    C:\>netdom QUERY /Domain:net.dom FSMO 

DumpFSMOs.cmd (RK)

This command file is, in fact, a chain of instructions to the NTDSutil tool. (These instructions can also be entered manually.) The main command in that file is the following:

    ntdsutil roles Connections "Connect to server %1" Quit
      "select Operation Target" "List roles for connected server"
      Quit Quit Quit

The only mandatory parameter is the name of the DC from which the information is retrieved. A sample screen session is shown below (the utility's prompt appears at the start of each command line, followed by the command entered):

    C:\>dumpfsmos.cmd netdc1
    ntdsutil: roles
    fsmo maintenance: Connections
    server connections: Connect to server netdc1
    Binding to netdc1 ...
    Connected to netdc1 using credentials of locally logged on user.
    server connections: Quit
    fsmo maintenance: select Operation Target
    select operation target: List roles for connected server
    Server "netdc1" knows about 5 roles
    Schema - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    Domain - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    PDC - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    RID - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    Infrastructure - CN=NTDS Settings,CN=NETDC3,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    select operation target: Quit
    fsmo maintenance: Quit
    ntdsutil: Quit
    Disconnecting from netdc1...

Active Directory Replication Monitor (ReplMon.exe) (ST)

All operation masters can be displayed with ReplMon.exe. Start the tool and add servers to the Monitored Servers list (tree). (In this case, it is enough to add one server only.) Select a DC from the tree pane, open the Properties window, and click the FSMO Roles tab. Fig. 8.3 shows a sample view of this tab.

Fig. 8.3: Viewing all operation masters (the owners of FSMO roles) for a domain

From this window, you can test any operation master by clicking Query. ReplMon answers with the following message: "Active Directory Replication Monitor was able/unable to resolve, connect, and bind to the server hosting this FSMO role."

Note 

In addition, ReplMon can display all Global Catalog servers in the enterprise (select the Show Global Catalog Servers in Enterprise command in a monitored server's context menu).

Transferring and Seizing FSMO Roles

Usually, the administrative snap-ins are used to transfer an FSMO role from one DC to another. To seize a role, you must use NTDSutil.exe.

Note 

For additional information on FSMO roles, you might be interested in Microsoft Knowledge Base articles Q223787 and Q223346.

RID, PDC, and Infrastructure Operation Masters

You might want, for some reason (e.g., before shutting down a DC for maintenance), to transfer an FSMO role from the role's master to another DC in the domain. In the Active Directory Users and Computers snap-in window, you must first connect to the DC that is the potential (new) operation master, point to the root node in the tree pane, and select the Operation Masters command on either the context or Action menu. Click the appropriate tab: RID, PDC, or Infrastructure. You will see the current owner of the FSMO role and the name of the potential master. Click the Change button, and the role is transferred to the new operation master.

Be careful when transferring the Infrastructure role. If there are two or more DCs in the domain, make sure that a message similar to the following one has not appeared in the Directory Service log on the new operation master:

    Event Type:     Error
    Event Source:   NTDS General
    Event Category: Directory Access
    Event ID:       1419
    Date:           5/31/2002
    Time:           6:07:14 PM
    User:           NT AUTHORITY\ANONYMOUS LOGON
    Computer:       NETDC1
    Description:
    The local domain controller is both a global catalog and the
    infrastructure operations master. These two roles are not compatible.
    If another domain controller exists in the domain, it should be made the
    infrastructure operations master. The following domain controller is a
    good candidate for this role.
    Domain controller:
    CN=NTDS Settings,CN=NETDC3,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    If all domain controllers in this domain are global catalogs, then there
    are no infrastructure update tasks to complete, and this message might
    be ignored.
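Added example (not from the book, and not one of the tools described above) covering both the "Finding FSMO Role Owners" section and the Infrastructure master caveat: it reads the five role owners with the .NET System.DirectoryServices.ActiveDirectory classes, which need neither RSAT nor the ActiveDirectory module, and then checks for the Infrastructure master/Global Catalog conflict that Event ID 1419 reports, including the "all DCs are GCs" case in which the event may be ignored. It assumes a domain-joined Windows host and a user who can read the directory.

```powershell
# Added example, not the book's code. Uses the .NET System.DirectoryServices.ActiveDirectory
# classes, so it needs no AD PowerShell module and no RSAT; run it on a domain-joined host
# as a user who can read the directory (any domain user suffices for reading).
Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoOwners {
    # Forest-wide roles come from the Forest object, domain roles from the Domain object;
    # both resolve the fSMORoleOwner attribute of the respective container to a DC name.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    [pscustomobject]@{
        Schema         = $forest.SchemaRoleOwner.Name
        DomainNaming   = $forest.NamingRoleOwner.Name
        PDC            = $domain.PdcRoleOwner.Name
        RID            = $domain.RidRoleOwner.Name
        Infrastructure = $domain.InfrastructureRoleOwner.Name
    }
}

function Test-InfrastructureMasterPlacement {
    # Reproduces the condition behind Event ID 1419: the Infrastructure master must not be
    # a Global Catalog unless every DC in the domain is a GC (then the role has no work to do).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $infra  = $domain.InfrastructureRoleOwner
    $dcs    = @($domain.DomainControllers)
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog() })

    if (-not $infra.IsGlobalCatalog()) {
        return "OK: Infrastructure master $($infra.Name) is not a Global Catalog."
    }
    if ($nonGc.Count -eq 0) {
        return "OK: $($infra.Name) is a GC, but so is every DC in $($domain.Name); Event 1419 can be ignored."
    }
    # Same recommendation the event makes: a non-GC DC in this domain should take the role.
    "WARNING: Infrastructure master $($infra.Name) is a Global Catalog while " +
    "$($nonGc.Count) DC(s) are not. Candidate owner(s): $($nonGc.Name -join ', ')"
}

Get-FsmoOwners | Format-List
Test-InfrastructureMasterPlacement
```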

Domain Naming Operation Master

The Active Directory Domains and Trusts snap-in allows you to transfer the Domain naming master FSMO role to any DC in the domain tree. This procedure is simple: connect to the DC that will be the new role's owner, point to the root node in the tree pane, and select the Operations Master command from the context menu. Make sure that the names of the current master and future master are correct, click Change, and confirm the operation. Remember that only one server in the forest (enterprise) can perform the Domain naming master role, and in addition, that server must be a Global Catalog server.

Schema Operation Master

The Active Directory Schema snap-in allows transfer of the Schema Master FSMO role to any DC in the forest. You should first connect to the potential master of the role, point to the root node in the tree pane, and select the Operations Master command from the context menu. After checking the DC name, click Change. Remember that only one server in the forest can perform the Schema Master role.

Attention 

To modify the schema in Windows 2000, you must first enable this operation (see Chapter 7, "Domain Manipulation Tools"). When you have transferred the Schema Master role to a DC, the check box The Schema may be modified on this Domain Controller remains selected on the old Schema Master, which may not be what you intend.

Using NTDSutil

NTDSutil can be used for transferring any FSMO role. It is the only tool that allows an administrator to forcibly assign a role to a DC (it is assumed that the old owner of this role has been destroyed and cannot be repaired). Using NTDSutil will be discussed in detail in Chapter 10, "Diagnosing and Maintaining Domain Controllers."
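The transfer and seize operations described in this section, scripted as an added example (this code is not from the book and is not NTDSutil's own): it uses the .NET System.DirectoryServices.ActiveDirectory DomainController API, refuses -Seize while the current owner still answers (seizing is only for a defunct DC), and verifies the result on the target DC afterwards. It assumes a domain-joined host with the rights the role needs (Domain Admins for RID, PDC and Infrastructure; Enterprise Admins for Domain Naming; Schema Admins for Schema); 'netdc3.net.dom' is a placeholder host name.

```powershell
# Added example, not the book's code; a seized DC must never be brought back online with its old role.
Add-Type -AssemblyName System.DirectoryServices

function Get-DcByName([string]$Name) {
    # A DirectoryServer context binds to that specific DC; GetDomainController throws
    # ActiveDirectoryServerDownException when the DC cannot be contacted.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $Name)
    [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$Role,
        [switch]$Seize
    )
    # Read the current owner from the directory (fSMORoleOwner), not from a cached list.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    $current = switch ($Role.ToString()) {
        'SchemaRole'         { $forest.SchemaRoleOwner }
        'NamingRole'         { $forest.NamingRoleOwner }
        'PdcRole'            { $domain.PdcRoleOwner }
        'RidRole'            { $domain.RidRoleOwner }
        'InfrastructureRole' { $domain.InfrastructureRoleOwner }
    }
    $target = Get-DcByName $TargetDc
    if ($target.Name -eq $current.Name) { return "$($Role) is already held by $($target.Name)." }

    # Seizing is only legitimate when the old owner is gone for good; a live owner must be transferred.
    $ownerAlive = $true
    try { $null = Get-DcByName $current.Name } catch { $ownerAlive = $false }

    if ($Seize) {
        if ($ownerAlive) { throw "Refusing to seize $($Role): owner $($current.Name) still answers; transfer it instead." }
        $target.SeizeRoleOwnership($Role)      # forced: rewrites fSMORoleOwner without the old owner's cooperation
    } else {
        if (-not $ownerAlive) { throw "Cannot transfer $($Role): owner $($current.Name) is unreachable; seize only once it is confirmed dead." }
        $target.TransferRoleOwnership($Role)   # graceful: the old owner hands the role over and stops acting as master
    }
    # Verify on the target DC itself instead of trusting the call's return.
    if (-not ((Get-DcByName $TargetDc).Roles -contains $Role)) {
        throw "$($Role) not reported by $TargetDc after the operation; check replication and the Directory Service log."
    }
    "$($Role) moved from $($current.Name) to $($target.Name)."
}

# Usage (placeholder host name): Move-FsmoRole -TargetDc 'netdc3.net.dom' -Role InfrastructureRole
```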

Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
Year: 2002
Pages: 154