Search This Blog

Why it is recommended to never turn a DC back on after the role has been seized from it?

With the PDC Emulator and Infrastructure roles, this doesn't apply; they're able to recover just fine from a seizure. With the rest (RID, Schema, and Naming), it's not that you can't transfer back. It's that the recommendation is to never turn a DC back on after the role has been seized from it. The risk is that the two DCs both think they own the role; divergent schema changes, overlapping RIDs, and overlapping domains in the forest are the potential results.

How difficult it is to create these scenarios is another matter entirely (knowledge of the seizure will replicate to the old role holder and it will cease thinking it's the master - broken replication/connectivity is needed to create any risk); the recommendation to not bring the old DC back online is made due to an abundance of caution on Microsoft's part.

If you have to seize a RID, Naming, or Schema master's role, the safe course is to do metadata cleanup and reinstall the OS.

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing.

To seize the FSMO roles by using Ntdsutil, follow these steps:

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server, where is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize, where is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance:Seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE) data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
[Depending on the error code this may indicate a connection, ldap, or role transfer error.]
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=netDomain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server (unless every domain controller is Global Catalog server). If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

  • Schema: Schema Admins
  • Domain Naming: Enterprise Admins
  • RID: Domain Admins
  • PDC Emulator: Domain Admins
  • Infrastructure: Domain Admins

How can I determine who are the current FSMO Roles holders in my domain/forest?

How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. Here a list of few available methods.

Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role

Number of DCs holding this role

Original DC holding the FSMO role

Schema

One per forest

The first DC in the first domain in the forest (i.e. the Forest Root Domain)

Domain Naming

One per forest

RID

One per domain

The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)

PDC Emulator

One per domain

Infrastructure

One per domain

Method #2: Use the GUI

The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

FSMO Role

Which snap-in should I use?

Schema

Schema snap-in

Domain Naming

AD Domains and Trusts snap-in

RID

AD Users and Computers snap-in

PDC Emulator

Infrastructure

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click close.

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done click close.

Finding the Schema Master via GUI

To find out who currently holds the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press Operation Masters.
8. Press the Close button.

Method #3 : Use the Ntdsutil command

The FSMO role holders can be easily found by use of the Ntdsutil command.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server , where is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.

At the select operation target: prompt, type List roles for connected server, and then press ENTER again.

select operation target: List roles for connected server

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net


select operation target:

8. Type q 3 times to exit the Ntdsutil prompt.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command.

  1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
  2. In the Command Prompt window, type netdom query /domain:<domain> fsmo
  3. Close the CMD window.

Which FSMO role is responsible for changing group policy?

PDC Emulator.

Which FSMO role is responsible for adding removing domain controller in Domain?

Domain Naming Master

What is the impact of Losing FSMO Role?

PDC Emulator (Domain Role)

Any Domain Controller performing an Operations Master (FSMO) function will not be the end of your environment; but each does have a potential for impact given a sufficient window of absence. In usual circumstances, however, the most crippling role to lose is the PDC Emulator.

In a mixed-mode environment, when the PDC Emulator goes down, you lose the bridgehead server for Windows NT 4.0 networks involved in trust relationships with that Active Directory domain. You also lose any down-level updating of the SAM for your Windows NT 4.0 Backup Domain Controllers, therefore Active Directory account changes such as password changes, login name changes etc. are never communicated.

Regardless of the mode or functional-level of the domain, you stand the risk of losing time-synch within the domain. The more complex and distributed the domain/forest, the greater the potential of Kerberos failures as the clocks fall apart from one-another on the Domain Controllers or clients which were directly dependent upon the defunct PDC Emulator.

Any Domain sitting above Mixed Mode would still also be susceptible to password changes not being communicated across the domain in a timely fashion.

RID Master (Domain Role)

If the Domain Controller performing as the RID Master goes down or becomes inaccessible, Windows 2000 and above domain controllers will have no place to acquire new RID pool assignments. As this function is only called upon sporadically , unless you are adding security principals in bulk, this outage may not become apparent for some time.

A more noticeable occurrence may be the failure of the movetree.exe command to function properly as it relies upon the RID Master present in the domain that the object is coming from to actually perform the move.

Infrastructure Master (Domain Role)

In the event that the Infrastructure Master Role holder is lost, the ramifications will vary based upon whether the forest is in itself a single domain, or if it contains multiple domains. If everything within your Active Directory forest is contained within a single domain, the Infrastructure Master really doesn’t have anything to do as there are no cross-domain references to be maintained.

In a forest with multiple domains, the Infrastructure Master Role holder plays a more vital role by maintaining cross-domain references (i.e. users from Domain A are members of a group in Domain B). Now the kicker here, any server in Domain B that is a Global Catalog Server will be automatically maintained due to the intercommunications of the GC processes forest-wide. This would make for an intermittent issue as some servers would have stale phantom references and others would be up-to-date.

Domain Naming Master (Forest Role)

If the Domain Naming Master role holder is lost, domains won’t be able to be added or removed from the Active Directory forest. DCPROMO is also affected, meaning that servers can neither be promoted nor demoted.

Though the loss of this role holder impacts some more common operations performed within an Active Directory forest and its contained domains, it is still doesn’t create highly visible issues within your environment.

Schema Master (Forest Role)

All Domain Controllers contain a copy of the Active Directory Schema. This Schema is essentially a template or listing of the various Active Directory object types and available attributes present within a given forest. This template is used to refresh the Active Directory database where the actual objects are stored.

The loss of the Schema Master Role holder in an Active Directory puts the forest into a state of stasis so no extensions (addition of object types and/or attributes) to the Schema can be made. This would impair activities such upgrading an Active Directory domain from Windows Server 2000 to Windows Server 2003, installing Microsoft Exchange, and/or adding new attributes to an object. All things considered, as this sort of activity does not happen on a daily basis, a forest could survive the loss of this role holder and continue with minimal inconvenience in most cases.

Brief all the FSMO Roles

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

To prevent conflicting updates the Active Directory performs updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to process updates. In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of them in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

• Account lockout is processed on the PDC emulator.

• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

RID Master FSMO Role

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

The RID master gives every DC a pool of 500 RIDs at a time. When a new domain account or group is created, the DC assigns the new account a SID and a RID that's taken from its local allocated RID pool. When a DC's RID pool begins to run low (Pre–Windows 2000 SP4 20%, Post–Windows 2000 SP4 50%), it automatically asks the RID master for another block of RIDs. Therefore, a post–Windows 2000 SP4 DC with a default pool size of 500 requests a new pool when 250 RIDs have been consumed. To check the RID allocation with Dcdiag, type the following at a command prompt:

dcdiag.exe /test:ridmanager /v

Infrastructure FSMO Role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server, it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

When the Recycle Bin optional feature is enabled, every DC is responsible to update its cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.

Domain Naming Master FSMO Role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

Schema Master FSMO Role

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

What is domain controller?

A domain controller is a server that has Active Directory Domain Services installed. By default, a domain controller stores one domain directory partition consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest. A domain controller can also store one or more application directory partitions. There are also specialized domain controller roles that perform specific functions in an AD DS environment. These specialized roles include global catalog servers and operations masters.

What are domain, trees, and forest?

A domain is defined as a logical group of network objects (computers, users, devices) that share the same active directory database, security policies, and trust relationships with other domains. In this way, each domain is an administrative boundary for objects. A single domain can span multiple physical locations or sites and can contain millions of objects.

Domain trees are collections of domains that are grouped together in hierarchical structures. When you add a domain to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain.

A child domain might in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name such as Corp.nwtraders.msft. In this manner, a tree has a contiguous namespace.

A forest is a complete instance of Active Directory. Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance. A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. The first domain in the forest is called the forest root domain. The name of that domain refers to the forest, such as Nwtraders.msft. By default, information in Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information that is contained in that instance of Active Directory.

What is Active Directory Domain Services?

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS).