Because the location of the Flexible Single Master Operation (FSMO) role owners is critical to the proper functioning of a multi-domain forest, an administrator must know, at any moment in the network's lifetime, which domain controller holds each role. Therefore, he or she must have the facilities to find the role masters easily and to transfer a role from one DC to another. Moreover, it is necessary to have a way to forcibly take a role away from a defunct DC; this is referred to as seizing the role.
To find the owners of FSMO roles (operation masters), an administrator can use the "standard" administrative tools (see the previous chapter):
The Active Directory Users and Computers snap-in displays the RID, PDC, and Infrastructure masters.
The Active Directory Domains and Trusts snap-in displays the Domain Naming master.
The Active Directory Schema snap-in displays the Schema master.
This approach is, however, time-consuming, and it makes sense to use command-line tools or scripts instead. Some such tools are described below; for more information, see Chapter 17, "Scripting Administrative Tasks" (the "How to Find an FSMO Master?" section and Listing 17.20).
A brand-new command-line utility, DsQuery.exe, will help you to find a specific role master, for example:
C:\>dsquery server -hasfsmo rid
"CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom"
You can also specify other roles: pdc, infr, name, schema.
NetDom.exe (see Chapter 12, "Manipulating Active Directory Objects") can display all operation masters known to a specified DC. Use the following command syntax:
C:\>netdom QUERY /Domain:net.dom FSMO
The dumpfsmos.cmd command file used below is, in fact, a chain of instructions to the NTDSutil tool. (These instructions can also be entered manually.) The main command in that file is the following:
ntdsutil roles Connections "Connect to server %1" Quit "select Operation Target" "List roles for connected server" Quit Quit Quit
The only mandatory parameter is the name of the DC from which the information is retrieved. A sample screen output is shown below (each line that ends with a colon is the utility's prompt, followed by the command issued at it):

C:\>dumpfsmos.cmd netdc1

ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server netdc1
Binding to netdc1 ...
Connected to netdc1 using credentials of locally logged on user.
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Server "netdc1" knows about 5 roles
Schema - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
Domain - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
PDC - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
RID - CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
Infrastructure - CN=NTDS Settings,CN=NETDC3,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
select operation target: Quit
fsmo maintenance: Quit
ntdsutil: Quit
Disconnecting from netdc1...
All operation masters can be displayed with ReplMon.exe. Start the tool and add servers to the Monitored Servers list (tree). (In this case, it is enough to add one server only.) Select a DC from the tree pane, open the Properties window, and click the FSMO Roles tab. Fig. 8.3 shows a sample view of this tab.
Fig. 8.3: Viewing all operation masters (the owners of FSMO roles) for a domain
From this window, you can test any operation master by clicking Query. ReplMon answers with the following message: "Active Directory Replication Monitor was able/unable to resolve, connect, and bind to the server hosting this FSMO role."
In addition, ReplMon can display all Global Catalog servers in the enterprise (select the Show Global Catalog Servers in Enterprise command in a monitored server's context menu).
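The same inventory that dsquery, netdom, dumpfsmos.cmd and ReplMon produce can be scripted. The following PowerShell is an added example, not code from the book or from any of the tools above: it reads the forest-wide and domain-wide role owners through the .NET System.DirectoryServices.ActiveDirectory classes (so it needs no RSAT module) and then probes each owner by binding to its RootDSE, which is the same "resolve, connect, and bind" check that ReplMon's Query button performs. It assumes the machine running it is joined to the forest being inspected and that the caller can read the directory.

```powershell
# Added example (not from the book): list every FSMO role owner in the
# forest and verify that each owner answers an LDAP bind.
# Assumptions: the script runs on a forest member and the caller has
# read access to the directory.

Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleOwners {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Forest-wide roles: exactly one holder per forest.
    [pscustomobject]@{ Scope = $forest.Name; Role = 'Schema';       Owner = $forest.SchemaRoleOwner.Name }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNaming'; Owner = $forest.NamingRoleOwner.Name }

    # Domain-wide roles: one holder per domain, so walk every domain.
    foreach ($domain in $forest.Domains) {
        foreach ($pair in @(
            @{ Role = 'PDC';            Owner = $domain.PdcRoleOwner },
            @{ Role = 'RID';            Owner = $domain.RidRoleOwner },
            @{ Role = 'Infrastructure'; Owner = $domain.InfrastructureRoleOwner })) {
            [pscustomobject]@{ Scope = $domain.Name; Role = $pair.Role; Owner = $pair.Owner.Name }
        }
    }
}

# Equivalent of ReplMon's "Query": bind to the owner's RootDSE and make sure
# the DC that answered is the one we expected (guards against a stale DNS
# record pointing at some other host).
function Test-FsmoRoleOwner {
    param([Parameter(Mandatory)][string]$Owner)
    try {
        $rootDse  = [adsi]"LDAP://$Owner/RootDSE"
        $answered = [string]$rootDse.dnsHostName.Value
        [pscustomobject]@{ Owner = $Owner; Reachable = ($answered -ieq $Owner) }
    } catch {
        [pscustomobject]@{ Owner = $Owner; Reachable = $false }
    }
}

Get-FsmoRoleOwners | ForEach-Object {
    $probe = Test-FsmoRoleOwner -Owner $_.Owner
    $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue $probe.Reachable -PassThru
} | Format-Table Scope, Role, Owner, Reachable -AutoSize
```

A role whose owner shows Reachable = False is the one to investigate before any transfer is attempted: a normal transfer (snap-ins, or NTDSutil's transfer commands) must contact the current owner, and only a seizure can proceed without it.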
Usually, the administrative snap-ins are used to transfer an FSMO role from one DC to another. To seize a role, you must use NTDSutil.exe.
For additional information on FSMO roles, you might be interested in Microsoft Knowledge Base articles Q223787 and Q223346.
You might want, for some reason (e.g., before shutting down a DC for maintenance), to transfer an FSMO role from its current master to another DC in the domain. In the Active Directory Users and Computers snap-in window, you must first connect to the DC that is to become the new operation master, point to the root node in the tree pane, and select the Operations Masters command on either the context or Action menu. Click the appropriate tab: RID, PDC, or Infrastructure. You will see the current owner of the FSMO role and the name of the prospective master. Click the Change button, and the role is transferred to the new operation master. (A transfer contacts the current owner, so it must be online; if it is not, the role can only be seized.)
Be careful when transferring the Infrastructure role: it should not be hosted on a Global Catalog server unless every DC in the domain is a Global Catalog. If there are two or more DCs in the domain and not all of them are GCs, make sure that a message similar to the following one has not appeared in the Directory Service log on the new operation master:

Event Type: Error
Event Source: NTDS General
Event Category: Directory Access
Event ID: 1419
Date: 5/31/2002
Time: 6:07:14 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: NETDC1
Description:
The local domain controller is both a global catalog and the infrastructure operations master. These two roles are not compatible. If another domain controller exists in the domain, it should be made the infrastructure operations master. The following domain controller is a good candidate for this role.
Domain controller: CN=NTDS Settings,CN=NETDC3,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
If all domain controllers in this domain are global catalogs, then there are no infrastructure update tasks to complete, and this message might be ignored.
The Active Directory Domains and Trusts snap-in allows you to transfer the Domain Naming master FSMO role to any DC in the forest. The procedure is simple: connect to the DC that will be the new role owner, point to the root node in the tree pane, and select the Operations Master command from the context menu. Make sure that the names of the current master and the future master are correct, click Change, and confirm the operation. Remember that only one server in the forest (enterprise) can perform the Domain Naming master role; in Windows 2000, that server must also be a Global Catalog server (the restriction is lifted at the Windows Server 2003 forest functional level).
The Active Directory Schema snap-in allows transfer of the Schema Master FSMO role to any DC in the forest. You should first connect to the potential master of the role, point to the root node in the tree pane, and select the Operations Master command from the context menu. After checking the DC name, click Change. Remember that only one server in the forest can perform the Schema Master role.
To modify the schema in Windows 2000, you must first enable this operation on the schema master (see Chapter 7, "Domain Manipulation Tools"). Note that when you transfer the Schema Master role to another DC, the flag The Schema may be modified on this Domain Controller remains set on the old schema master and is not set on the new one. This may not be what you intend, so check the flag on both DCs after the transfer.
NTDSutil can be used for transferring any FSMO role. It is also the only tool that allows an administrator to forcibly assign (seize) a role to a DC. Seizure assumes that the old owner of the role has been destroyed and cannot be repaired; a DC whose role has been seized must never be brought back onto the network as a DC, because it still believes it holds the role (for the RID master in particular, this can lead to duplicate RIDs). Reinstall it, or at least demote it while disconnected, before reusing it. Using NTDSutil will be discussed in detail in Chapter 10, "Diagnosing and Maintaining Domain Controllers."
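The transfer and seizure procedures above (snap-ins for a transfer, NTDSutil for a seizure) have a scripted equivalent in the ActiveDirectory PowerShell module, where Move-ADDirectoryServerOperationMasterRole performs a transfer and the same cmdlet with -Force performs a seizure. The following is an added example, not code from the book: it wraps the cmdlet in a helper that first applies the Infrastructure-master check behind event 1419 (the target may be a GC only if every DC in its domain is a GC). It assumes RSAT's ActiveDirectory module is installed, that the caller holds the rights each role requires (Domain Admins for PDC/RID/Infrastructure, Enterprise Admins for Domain Naming, Schema Admins for Schema), and uses the DC names NETDC1 and NETDC3 from the book's own output; those names are placeholders for your environment.

```powershell
# Added example (not from the book): transfer or seize an FSMO role with
# the ActiveDirectory module, with the Infrastructure/GC compatibility
# check performed before the move. Assumes RSAT's ActiveDirectory module
# and the appropriate group membership; NETDC1/NETDC3 are placeholder DC names.

Import-Module ActiveDirectory

function Test-InfrastructureMasterCandidate {
    # $true when $Target can hold the Infrastructure role without event 1419:
    # either it is not a Global Catalog, or every DC in its domain is a GC
    # (then the role has no work to do and the warning is moot).
    param([Parameter(Mandatory)][string]$Target)
    $dc          = Get-ADDomainController -Identity $Target
    $allDcs      = Get-ADDomainController -Filter * -Server $dc.Domain
    $everyDcIsGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
    return (-not $dc.IsGlobalCatalog) -or $everyDcIsGc
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                     'SchemaMaster', 'DomainNamingMaster')]
        [string]$Role,
        # Seize only when the current owner is gone for good; the old owner
        # is not contacted and must not return to the network as a DC.
        [switch]$Seize
    )
    if ($Role -eq 'InfrastructureMaster' -and
        -not (Test-InfrastructureMasterCandidate -Target $Target)) {
        throw "$Target is a Global Catalog in a domain that also has non-GC DCs; choose another DC."
    }
    $params = @{
        Identity            = $Target
        OperationMasterRole = $Role
        Confirm             = $false
    }
    if ($Seize) { $params.Force = $true }   # -Force turns the transfer into a seizure
    Move-ADDirectoryServerOperationMasterRole @params
}

# Normal transfer: the current owner is contacted and hands the role over.
Move-FsmoRole -Target 'NETDC3' -Role 'InfrastructureMaster'

# Seizure, only after the old owner (NETDC1 in the book's example) is
# confirmed destroyed. Uncomment to run:
# Move-FsmoRole -Target 'NETDC3' -Role 'RIDMaster' -Seize
```

The cmdlet tries a normal transfer first even with -Force and falls back to a seizure only if the current owner cannot be reached, which is the same order of operations NTDSutil's seize command follows; the point of the wrapper is that the GC check runs before either path.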