Managing FSMO roles using standard MMC snap-ins is not a very convenient process, since you have to use different snap-ins to access different roles, and some of them are not so easy to get to. In addition, MMC snap-ins do not allow role capture operations in the event of a failure of the domain controller on which they were located. It is much more convenient to use the utility for these purposes. ntdsutil about what and will be discussed in this article.
Before proceeding to the practical part, let's remember what they are and consider what exactly will happen to ActiveDirectory if they fail. There are five FSMO roles in total, two for the forest and three for the domain.
Forest-level roles exist in a single instance and, despite their importance, are the least critical to the functioning of AD. What happens if each of them is unavailable:
- Schema Master- it is impossible to change the scheme. but this procedure held every few years when introducing controllers on a newer OS to the network or installing some other server products, such as Exchange. In practice, the absence of the owner of the scheme can be overlooked for years.
- Domain naming master- it is impossible to add or remove a domain. Similarly with the master of the scheme, his absence can go unnoticed for quite a long time.
Domain-level roles exist one per domain and are more critical to the functioning of AD.
- Infrastructure host- if there are several domains on controllers that are not global directories membership in domain local groups may be violated. If all domain controllers are global catalogs (today this is the configuration recommended by Microsoft), then the existence of the infrastructure master can be safely forgotten, just like with a single domain in the forest.
- RID host- after a while it will be impossible to create a new object in AD, the time depends on the remaining number of free SIDs, which are issued in batches of 500 blanks. If your AD has a small number of objects and you don't create new ones every day, then the absence of the RID master will go unnoticed for a long time.
- PDC emulator- the most critical role. If it is unavailable, it will immediately become impossible entrance to a pre-Windows 2000 client domain (if they still exist), time synchronization will stop and some policies will not take effect if the password is entered incorrectly. In practice, the absence of a PDC emulator will be noticed the first time out of sync by more than 5 minutes, and this may happen sooner than you might think.
At the same time, as you can see, there is not a single FSMO role whose failure would lead to a significant loss of AD functionality, even if all FSMO roles fail, the infrastructure can work normally for several days, weeks or even months.
Therefore, if you are going to decommission a controller containing some or all of the roles for a while (for example, for maintenance), then there is no need to transfer them, your AD will live fine without them.
The transfer of roles is appropriate if you plan to withdraw given server out of service for a long time or transfer it to another department (for example, to another site), or planned operations may lead to its failure (for example, an upgrade of hardware).
In the event of a controller failure, do not rush to seize roles, you will always have time to do this, otherwise, when restoring and connecting to the network a server that previously contained FSMO roles, you will get a lot of unpleasant moments associated with USN Rollback and restoration of the normal functioning of the domain. If all the same, the roles were captured, and then you restored the old controller, then best solution will reinstall the system on it and re-enter the domain.
Also another non-obvious point if you have multiple domains and not all controllers are global catalogs do not host the infrastructure master on a controller with a global catalog. It is tantamount to his absence.
You can find out which controllers have FSMO roles with the command:
netdom query fsmo
To manage FSMO roles, run the utility ntdsutil on any domain controller:
Ntdsutil
Then let's move on to managing roles:
The next step is to connect to the domain controller to which we are going to transfer the roles, for this we will go to the server connection submenu:
Connections
and connect to the desired server:
Connect to server SERVERNAME
where SERVER NAME- the name of the domain controller we need. Then exit the submenu:
At the same time, it should be remembered that we can run the utility on any of the domain controllers and join any other DC to transfer or capture roles. In our example, we are physically located on the server SRV-DC01 connected to the server WIN2K8R2-SP1 and try to give him some kind of role.
The command is used to transfer roles. transfer whose argument is the name of the transferred role, for each of the roles the following names are used:
- naming master- domain naming master
- infrastructure master- Infrastructure manager
- PDC- PDC emulator
- RID master- RID master
- schema master- schema owner
Attention! On systems prior to Windows Server 2008 R2, for domain naming master name was used domain naming master.
For example, to transfer a role domain naming master let's execute the command:
Transfer naming master
A dialog box will appear that will ask us to confirm the action, we advise you to always carefully study its contents.
Having received an affirmative answer, the utility will transfer the selected role to another server.
Now imagine that the server WIN2K8R2-SP1 Irrevocably out of action and we need to take over the role naming master back. The command to capture roles is seize, which has a similar syntax.
To capture the role, run again ntdsutil and, having connected to the controller for which we will capture, we will execute the command:
Seize naming master
After we confirm the capture ntdsutil will try to transfer the role and only if it is impossible will take over.
This is done in order to avoid a situation where the role is captured from a healthy controller and two owners of the same role appear on the network.
Remember, that after the capture, include in the network the controller from which the role was captured it is forbidden!
As you can see, using the utility ntdsutil is not at all difficult and even more convenient than managing roles using MMC snap-ins. In addition, the possibilities ntdsutil are not limited to role management, but we will talk about this in the following materials.
There are several situations when you have to remember the roles FSMO- this is disaster recovery after a failure, migration, as well as job search (usually interviewers are very fond of asking questions like “What are the roles in AD for a domain controller, why are they needed?"). And although these situations are extremely rare, for common understanding work AD it is very useful to understand the purpose of roles FSMO.
FSMO, or Flexible single-master operations(single-executor operations) are operations performed by domain controllers Active Directory(AD), which require the server to be unique for each operation. Depending on the type of operation, uniqueness FSMO implied within a single domain or forest of domains. different types FSMO can run on one or more domain controllers. Performance FSMO the server is called role servers, and the servers themselves are the masters of operations.
Most transactions in AD can be done on any domain controller. Replication service AD will copy the changes to the rest of the domain controllers, ensuring the identity of the base AD on all controllers of one domain. The elimination of conflicts occurs as follows - the one who made the changes last is right.
However, there are several actions (for example, changing the schema AD) for which conflicts are not allowed. Therefore, there are servers with roles FSMO. Their task — avoid such conflicts. Thus the meaning of roles FSMO in the next one, each role can only run on one server at a time. And if necessary, it can be transferred at any time to another domain controller.
There are five roles in the forest in total FSMO. To begin with, I will give a brief description of them. :
- schema master ( Schema Master ) - responsible for making changes to the schema Active Directory. There can be only one for the entire forest of domains.
- Domain naming master ( Domain Naming Master) - is responsible for the uniqueness of names for the created domains and application partitions in the forest. There can be only one for the entire forest of domains.
- Infrastructure host ( Infrastructure Master) - stores data about users from other domains that are members of the local groups of their domain. There may be one for each domain in the forest.
- Master RID (RID Master) - is responsible for allocating unique relative identifiers ( RID) required when creating domain accounts. There may be one for each domain in the forest.
- emulator PDC (PDC Emulator) - responsible for compatibility with the domain NT4 and clients to Windows 2000. There may be one for each domain in the forest.
Now let's go through each role in more detail and find out how important they are for functioning. Active Directory.
Schema Master
Schema Master- is responsible for making changes to the schema, where the descriptions of all classes and attributes are located Active Directory. The schema is modified extremely rarely, for example, when changing the domain level, installing Exchange and sometimes other applications. This role can be located on any domain controller within the forest. When not available Schema Master change schema AD will be impossible.
Domain Naming Master
Domain Naming Master responsible for operations related to domain names AD, however, the list of his duties is somewhat longer :
- Adding and removing domains within a forest. Adding and deleting domains is allowed only to the controller with the role Domain Naming Master. It makes sure that the domain being added is unique within the forest NETBIOS-name. If Naming Master unavailable, you can't add or remove a domain in the forest.
- Creating and deleting partitions. Beginning with Windows 2003 it became possible to create separate sections - Application Directory Partitions, which are used to store AD arbitrary data. For example, storing data for DNS-servers in sections ForestDnsZones And DomainDnsZones. Partition management when unavailable Domain Naming Master impossible.
- Creating and deleting cross-references. Cross-references are used to search the directory when the server to which the client is connected does not contain the desired copy of the directory, and it is possible to refer to domains outside the forest, provided they are available. Cross-references are stored ( crossRef) in a container Partitions section Configuration, only Domain Naming Master has the right to change the contents of this container. When not available Domain Naming Master it will not be possible to create a new cross-reference, or delete an unnecessary one.
- Domain rename approval. To rename a domain, use the utility random.exe. She writes a script with instructions to be executed during the renaming process. This script is placed in a container Partitions section Configuration. Since only the controller with the role Domain Naming Master, then it is he who is responsible for checking instructions and writing attributes.
This role can be located on any domain controller within the forest.
Infrastructure Master
If the server is not a global catalog ( GC), then its database does not contain data about users from other domains. However, we can add users from other domains to domain local groups. A group in the base AD must physically have links to all users. This problem was solved by creating a fictitious object - a phantom ( phantom). Phantom objects are a special type of internal database objects and cannot be viewed through ADSI or LDAP. It is the work with phantoms that the infrastructure master is engaged in.
Another feature of this role is correct operation in a multi-domain environment, the domain controller that acts as the infrastructure master should not be a global catalog server. If the role holder Infrastructure Master is also a server GC, dummy objects are not created or updated on this domain controller. This is because the global catalog already contains partial replicas all objects in Active Directory, and he does not need phantoms .
RID Master
Each account in the domain (user, computer, group) must have a unique security identifier ( SID), which uniquely identifies this account and serves to differentiate access rights. Looks SID in the following way:
S-1-5-Y1-Y2-Y3-Y4, where
- S-1 — SID revision 1. Only this revision is currently in use.
- 5 — Indicates who issued the SID. 5 means NT Authority. However, so-called "well-known identifiers" SID (well-known SID) may have 0, 1, and some other values in this part.
- Y1-Y2-Y3— ID of the domain to which the account belongs. Same for all objects security principal within the same domain.
- Y4— Relative identifier ( Relative ID, RID) associated with a particular account. Substituted from the pool of relative domain identifiers at the time of account creation.
Role domain controller RID Master is responsible for extracting a sequence of unique RID to each domain controller in its domain, as well as for the correct movement of objects from one domain to another. Domain controllers have a common pool of relative identities ( RID Pool), RID from which each controller is allocated in portions of 500 pieces. When their number comes to an end (becomes less than 100), the controller requests a new portion. If necessary, the number of issued RID and the request threshold can be changed.
Another area of responsibility RID Master— moving objects between domains. Exactly RID Master makes sure that you cannot move the same object to two different domains at the same time. Otherwise, a situation is possible when two domains contain two objects with the same GUID which is fraught with the most unexpected consequences.
If RID Master will not be available, then after the end of free RID it will become impossible to create a new account, and it will also not be possible to migrate objects from the current domain to another.
PDC Emulator
Initially, the main task Primary Domain Controller (PDC) Emulator was to ensure compatibility with previous versions Windows. In a mixed environment where clients meet Windows NT4.0/ 95/98 and domain controllers NT4, PDC Emulator performs (only for them) the following functions:
- Processing the “change password” operation for users and computers;
- Replicate updates to bdc (Backup Domain Controller);
- Network Explorer (search network resources).
Starting at the domain level Windows 2000 and older work he added. Role domain controller PDC Emulator performs the following functions:
- Responsible for changing passwords and monitors user lockouts for password errors. A password changed by any other domain controller is first replicated to PDC Emulator. If authentication on any other domain controller was not successful, the request is repeated on PDC Emulator. If the account is successfully authenticated immediately after an unsuccessful attempt, PDC Emulator it is notified and resets the counter failed attempts to zero. It is important to note that in case of unavailability PDC Emulator information about changing the password will still spread throughout the domain, it will just happen a little slower.
- Group Policy Editor connects to the server by default PDC Emulator, and policy changes occur on it. If PDC Emulator is not available, you will have to tell the editor which domain controller to connect to.
- By default it is PDC Emulator is a time server for clients in the domain. PDC Emulator root domain in the forest is the default time server for PDC Emulator in child domains.
- Namespace Changes Distributed File System (DFS) are made on a domain controller with the role PDC Emulator. Root servers DFS periodically request updated metadata from it, keeping them in their memory. inaccessibility PDC Emulator may result in incorrect operation. DFS.
- IN Active Directory there are so-called "Built-in Security System Participants" ( Well Known Security Principals). Accounts are examples. Everyone, Authenticated Users, System, Self And Creator Owner. All of them are managed by a domain controller with the role PDC Emulator. More precisely, with changes in AD PDC Emulator checks and updates the contents of the container " CN=WellKnown Security Principals, CN=Configuration, DC=
>”. - In every forest domain Active Directory there is an owner of administrative security descriptors − AdminSDHolder. It stores information about security settings for so-called protected groups ( protected groups). With a certain frequency, this mechanism requests a list of all members of these groups and exposes them to rights in accordance with its access control list. In this way AdminSDHolder protects administrative groups from changes. Performed AdminSDHolder on a domain controller with a role PDC Emulator.
That's probably all. I hope I was able to clarify the situation a little with the roles FSMO. And next time we will look at options for transferring roles to another domain controller, as well as forcing the assignment (seizure) of a role in case of unavailability of the domain controller that performs it.
Microsoft Windows Active Directory is the central repository for all enterprise objects and their corresponding attributes. This database is hierarchical, capable of supporting multiple hosts and holding millions of objects. Multi-leader support allows you to change the database from any domain controller within the enterprise, regardless of its network connectivity status.
Multi-master support model in Windows 2000
A multi-master database (such as Active Directory) accepts changes from any domain controller within the enterprise, potentially leading to conflicts when data is replicated to other computers. One of the methods for dealing with conflicting updates in Windows 2000 is the "Last Write Precedence" algorithm, which accepts the data value from the most recently modified domain controller and discards the values on other domain controllers. However, some conflicts are so complex that they cannot be resolved in this way. They are easier to prevent than to eliminate after the fact.
Some types of changes in Windows 2000 are handled in ways that prevent Active Directory update conflicts.
Single host support model in Windows 2000
To prevent conflicting updates from occurring, Active Directory updates specific objects using a single-leader model. Under this model, only one domain controller in the entire directory is authorized to make updates. This process similar to the role that was assigned to the primary domain controller (PDC) in the early Windows versions(for example, in Microsoft Windows NT 3.51 and 4.0) that the PDC is responsible for handling all updates in a particular domain.
Windows 2000 Active Directory extends the single-master model used in earlier versions of Windows to include support for multiple roles and the ability to transfer roles to other controllers within the enterprise. Because the Active Directory role is not strictly tied to a single domain controller, it is called the FSMO (Flexible Single Master Operation) role. There are five FSMO roles in Windows 2000:
- schema master
- domain naming master
- RID host
- PDC emulator
- infrastructure daemon
The role of the FSMO Schema Master
The schema master domain controller is responsible for updating the directory schema (i.e. schema naming context or LDAP://cn=schema,cn=configuration,dc=
FSMO Role "Domain Naming Master"
The domain controller acting as the domain naming master is responsible for changing the domain namespace of the directory within the forest (i.e., the partitions\configuration naming context or LDAP://CN=Partitions, CN=configuration, DC=
FSMO Role "RID Master"
The domain controller acting as the RID master is responsible for handling RID pool requests from other controllers within a particular domain, and for deleting objects from a domain and placing them in another domain.
When a domain controller creates a primary security principal object (such as a user or group), it assigns a security identifier (SID) to it. This identifier consists of a domain SID (same for all security identifiers created in the same domain) and a relative identifier (RID) (unique for each security principal created in the same domain).
Each Windows 2000 domain controller in a domain has a pool of relative identifiers (RIDs) that it can assign to newly created security principals. When the number of RIDs in a domain controller's pool falls below a threshold, it queries the RID master for new identities. The RID master retrieves the IDs from the unallocated domain pool and assigns them to the requesting domain controller's pool. There is only one RID master per directory domain.
Role of FSMO "PDC Emulator"
The PDC emulator is required for time synchronization across the enterprise. Windows 2000 includes the W32Time (Windows Time) time service used by the Kerberos authentication protocol. All computers under Windows control 2000 within the same enterprise use the total time. To ensure correct time synchronization, the Windows Time service must use a hierarchical relationship structure that controls permissions and prevents "loops" in control.
The domain PDC emulator acts as the master domain emulator. The PDC emulator at the forest root becomes the master emulator within the enterprise. It should be configured to receive the time value from an internal source. PDC emulator FSMO role holders follow the domain hierarchy when choosing a time source.
In a Windows 2000 domain, the PDC Emulator role holder retains the following features: Password changes made by other domain controllers are first replicated to the PDC Emulator.
Password changes made by other domain controllers are first replicated to the PDC emulator.
Before the user receives the appropriate error message, authentication failures on a specific domain controller caused by an incorrect password are reported to the PDC emulator.
Account lockouts are handled on the PDC emulator.
The PDC emulator performs all the functions of the PDC server emulator for Microsoft Windows NT 4.0, previous versions emulators on Windows based NT 4.0 or earlier clients.
You do not need to use this part of the PDC Emulator role if all workstations, servers, and domain controllers running Windows NT 4.0 or earlier are upgraded to the Windows 2000 level. The PDC Emulator performs all the same functions as in a Windows 2000 environment.
The following describes the changes that occur during the upgrade process: Windows 2000 clients (workstations, servers) and earlier clients that have the Distributed Services Client Package installed do not give preference to the domain controller when performing directory writes (such as password changes) , which declared itself a PDC, but use any domain controller for this.
After you upgrade to Windows 2000, Backup Controllers (BDCs) in domains lower level the PDC emulator stops receiving replication requests from the lower layer.
Windows 2000 clients (workstations, servers) and earlier clients that have the Distributed Services Client Package installed use Active Directory to find network resources. They do not require the Windows NT Browser service.
Role of FSMO "Infrastructure"
A reference to an object in one domain in an object in another domain is determined by the GUID, SID (for security principals), and distinguished name (DN) of the object. The domain controller acting as the infrastructure master is responsible for updating security identifiers and object distinguished names in cross-domain object references.
Note.
The infrastructure master (IM) role should not be filled by a domain controller that is a global catalog server. Otherwise, the infrastructure master will not update object information because it does not contain references to objects that it does not store. The reason for this behavior is that the global catalog server maintains partial replicas of all objects in the forest. As a result, cross-domain object links in this domain will not be updated, and a warning will appear in the event log of this domain controller.
If controllers in a separate domain also store the global catalog, all domain controllers will have up-to-date information, no matter which domain controller holds the Infrastructure Master role.
No related posts...
Transferring FSMO. The purpose of our event is to transfer FSMO from one domain controller to another. Just in case, I'll look at several ways to migrate roles, including the case when the current FSMO master is not available.
First, some theory:
FSMO (Flexible single-master operations - “operations with one executor”) - types performed by controllers Active domain Directory operations that require the mandatory uniqueness of the server performing them.
That is, all domain controllers are equal, but one (or several) is more equal than others, insofar as they perform these same operations with one executor. Depending on the type of operation, FSMO uniqueness is implied within either a domain forest or a domain.
In total, the small-soft corporation has given us 5 roles:
- Schema master - one server with this role for the entire forest. The role is needed to extend the schema Forests Active Directory, this operation is usually performed by adprep /forestprep
- The owner of domain names (Domain naming master) - one for the entire forest. A server with this role must ensure unique names for all domains and application partitions that are created in the AD forest.
- Relative identifiers owner (PDC emulator) - one server per domain. Performs several functions: is the main browser in Windows networks, keeps track of user locks when the password is entered incorrectly, is the main NTP server in the domain, designed to support clients with operating systems previous to Windows 2000.
- Primary Domain Controller Emulator (Infrastructure Master) - one server per domain. A server with this role is required for the successful completion of the adprep /domainprep command. Responsible for updating security identifiers (GUIDs, SIDs) and object distinguished names in cross-domain object references.
- Domain Infrastructure Owner (RID Master) - one server per domain. The server distributes RIDs (500 each) to other domain controllers to create unique SIDs.
To manage the Schema master role, you must be in the "Schema admins" group.
To manage the Domain naming master role, you must be a member of the Enterprise admins group.
To manage the PDC emulator, Infrastructure Master and RID Master roles, you must have domain administrator rights "Domain Admins"
The need to transfer roles can arise for various reasons, as well as in large networks these roles can be performed by different servers, although in our case all roles are performed by one server. It is important that each role is performed in your domain, if any role is not assigned to any server, then many unpleasant surprises can await you, both immediately and after a long time, depending on the AD structure.
When a domain is created, by default, all roles are assigned to the first domain controller in the forest. Role reassignment is rarely required. Microsoft recommends using FSMO role transfer in the following cases:
- Planned downgrading of the role of a domain controller that is the owner of FSMO roles, for example, in order to decommission the server (this is just my case);
- Temporarily shutting down a domain controller, for example, to perform preventive work. This is especially important when disabling the PDC emulator. Temporarily disabling other operations masters has less impact on AD.
Seizure of FSMO roles will have to be done in the following cases:
- If the current holder of the FSMO role has experienced failures that prevent the successful performance of the functions inherent in this role and prevent the transfer of the role;
- On the domain controller that was the owner of the FSMO role, the operating system is reinstalled or does not boot;
- A domain controller that held the FSMO role was forcibly demoted using the dcpromo /forceremoval command.
So the first thing we need is to find out which server is the master of FSMO. The easiest way to do this is with the netdom utility. By typing in the console:
> netdom query fsmo
We will get a list of all five roles with the FQDN of the hosts. The same utility can be used after the transfer of roles to verify the success of the operation.
Now you can proceed directly to the transfer of FSMO:
The first method is the simplest and the most pleasant to me - transferring FSMO roles using the ntdsutil utility:
ntdsutil.exe is a command-line utility for maintaining the Active Directory. It provides many AD management features, including transferring and seizing FSMO roles.
To transfer roles, go to any domain controller (This does not have to be the current or future FSMO master) located in the forest in which you want to transfer roles. We recommend that you log on to a domain controller that is assigned FSMO roles. Launch the console and enter:
>ntdsutil
After that, the utility starts in interactive mode and can accept commands. Our first command indicates that we want to work with FSMO
>roles
In response, the prompt will change to fsmo maintenance: Then, to call the connection "menu", enter
>connections
And the prompt changes to server connections: Now you can specify which server we want to connect to (<Имя_сервера>is the name of the domain controller to which you want to transfer the FSMO role.)
>connect to server<Имя_сервера>
to exit the connection menu, enter
>q
and press Enter. Now, having received the fsmo maintenance: prompt again, we can proceed with the transfer of roles. This is what the transfer command is for:
>transfer<имя_роли>
As<имя_роли>you need to specify the role you want to transfer:
- naming master - transferring the role of the owner of domain names;
- infrastructure master - transfer of the infrastructure master role;
- RID master - transfer of the RID master role;
- schema master - transferring the schema master role;
- PDC - transfer the role of the PDC emulator.
In versions of Windows prior to Windows Server 2008R2, the domain naming master is called the domain naming master. As is customary in Windows systems, case does not matter.
After entering each transfer command, a dialog box appears asking for confirmation (you could also ask for confirmation in the console, otherwise it’s “non-console” as it turns out), press “OK” each time, unless of course you typed all the previous commands by accident. :)
To exit Ntdsutil, type the q command and press Enter.
Forcing fsmo roles with Ntdsutil
But what do we do if the role owner is unavailable, damaged and there is no hope of returning it to service in the near future? And here ntdsutil.exe will help us again:
Forced assignment (capture) of roles is performed only in case of a complete failure of the server, with the impossibility of its recovery. If possible, it is best to bring the failed FSMO master back online. The capture procedure itself is similar to that described above. We go to the domain controller to which we want to transfer roles and do the same as was written in the previous paragraph by typing:
>ntdsutil
>roles
>connections
>connect to server<имя_сервера>
>q
The only difference is that instead of the transfer command, the command is used to force the seizure of the role. seize
>seize<имя_роли>
Where<имя_роли>as before
- naming master - domain name master (before Windows Server 2008R2 - domain naming master);
- infrastructure master - infrastructure master;
- rid master - RID master;
- schema master - schema master;
- pdc is a PDC emulator.
Remember to try to transfer the role using the transfer command before seizing the role, and only if it fails, use seize.
If possible, do not assign the Infrastructure Master role to a domain controller that is a global catalog server, because then it will not update object information. The reason for this behavior is that the global catalog server maintains partial replicas of all objects in the forest.
Under no circumstances should a domain controller that previously performed FSMO roles be brought back into service if the roles it occupied were seized by the seize command. when it appears on the network, a conflict will arise, which can cause big trouble. It must be removed from Active Directory. On Windows Server 2008 and older, this can be done by simply deleting the server object in the Active Directory Users and Computers snap-in, and on Windows Server 2003 using the Ntdsutil program using the ntdsutil -metadata cleanup command.
The second option - Voluntary transfer of FSMO roles using Active Directory management snap-ins, is strange and inconvenient, but this is just my subjective opinion, the method itself works great.
You can transfer domain-level roles (RID Master, PDC Emulator, and Infrastructure Master) using the Active Directory Users and Computers snap-in. To do this, go to the domain controller to which we want to transfer roles, launch the snap-in and click right key click on the desired domain, select the item "Masters of Operations".
In the window that opens, select the role we need and click the "Change" button. Then we confirm the transfer of the role and look at the result. The name of the host of operations should change to the name of the current server.
To migrate the Domain Naming Master role, you will need the Domains and Trust Active Directory snap-in. We launch the snap-in, if necessary, connect to the desired domain controller, right-click in the root of the snap-in and select the "Operations Master" menu item.
A window opens in which you need to click the "Change" button, and then confirm the changes in the same way as in the previous case.
To transfer the Schema Master role, you will have to do some more complex manipulations. First, you must register the Active Directory Schema Management Library on the system. This can be done with the command
> regsvr32 schmmgmt.dll
Then open the MMC console and add the Active Directory Schema snap-in to it.
Now you can go to the snap-in and change the owner of the Schema Master role, as in the previous examples, by right-clicking on the schema and selecting the "Operations master ..." item.
Hooray! All roles have been transferred. And again, never leave your domain without assigned FSMO role masters. Never! :)
- Back
Comments
New articles:
-
Network discovery does not turn on in Windows 7/8/2008/2012
The essence of the problem is that the user in the Windows 7 system does not turn on network discovery in the network settings. More precisely, it turns on, but if you close it and ...
-
Error: This application failed to start because it could not find or load the Qt platform plugin "windows".
So, after installing by directly copying the application written in C ++ using the Qt library, we get the following error: This application failed to start...
hb860 November 25, 2011 at 02:02 pm
Everything You Wanted to Know About Operations Masters but Were Afraid to Ask
- System administration
Most system administrators in their corporate environment to provide a system for identifying and accessing their users to resources, enterprises use domain Active services Directory, which can be safely called the heart of the entire enterprise infrastructure. As many of you know, the structure of Domain Services in organizations can include either single or multiple forests (a set of domains that include a network configuration description and a single directory instance), depending on factors such as scope constraints. trusting relationship, complete separation of network data, obtaining administrative isolation. In turn, each large forest should be divided into domains to simplify administration and data replication. In each domain to manage domain services and perform tasks such as authentication, service startup "Kerberos Key Distribution Center" and access control are used by domain controllers. And for management network traffic websites are being developed between offices.
All information about forests, domains, and sites, of course, must be consistent even when designing AD DS, according to such corporate requirements as: business requirements, functional requirements, legal, security requirements, as well as design restrictions on documentation. Often, all these points are carefully planned by the IT department of the company itself or by the enterprise infrastructure project team before the deployment of domain services and written into a special service level agreement that determines the expected level of performance and quality of the service provided.
Information obtained after design or, more often, after the deployment of AD DS should be carefully documented. Such documentation should include information about the logical and physical structure of Domain Services itself, administrative models, name resolution infrastructure, any planned changes to the organization's environment, and additional infrastructure components such as the introduction of mail servers. Microsoft Exchange, System Center servers, and more. In most cases, the organization's IT staff ignores the documentation process, and when IT staff changes, it can take some time for new administrators to fully orient themselves with the organization's current infrastructure.
You also need to understand that in the directory service, almost all domain controllers are equal (in this context, we do not take into account read-only domain controllers, RODCs), that is, all domain controllers have the right to write to the database and can replicate this data to others controllers. This topology handles most of the trivial Active Directory operations just fine and is called multi-peer replication(Multimaster). But, nevertheless, there are some operations that must be performed on an authorized server designated directly for such operations. In other words, domain controllers that perform certain operations or roles in their domain are called operations masters (or masters). Knowing and understanding the purpose of all roles of operations masters is necessary, because in the case of disaster recovery, upgrades or migrations, it is the domain controllers that act as masters of operations that can play one of the most important roles. Accordingly, it is about the masters of operations that will be discussed in this article.
From this article you will learn:
- About what would happen if there were no masters of operations;
- About forest level operations master roles;
- About the roles of domain-level operations masters;
- How you can determine which controller has the FSMO role;
- About captures and transfer of roles of masters of operations;
- About the correct placement of operations masters on domain controllers.
- Planning and Documenting Domain Controllers with Operations Master Roles. This is a separate topic that includes understanding the nuances of AD DS planning and is outside the scope of this article;
- Global catalog servers. Many system administrators equate global catalog servers with operations master roles. Actually, this is a false assertion. The global catalog is a distributed data repository that stores information about each object and allows users and applications to find objects in any domain in the current forest by looking up attributes included in the global catalog that are identified in the schema as a private set of attributes. The global catalog itself resides on domain controllers designated as global catalog servers and is in turn replicated through Multimaster replication. Although the global catalog contains full list all objects in the forest, and global catalog servers can respond to all requests without having to refer to other domain controllers, the global catalog is not a role of operations masters. For global catalog servers, you can read the following article: "Global Catalog Servers" ;
- Interaction of Operations Wizards with Read-Only Domain Controllers. Read Only Domain Controllers are a special, relatively new type domain controllers, which it is advisable to deploy in the branches of the organization that are not provided with an adequate level of security and qualified IT personnel. As with scheduling operations wizards and global catalog servers, read-only domain controllers are a separate, large topic that does not make any sense to cover in this article. The first thing to note, though, is that RODCs cannot act as a domain controller with an operations master role;
- Troubleshooting and Errors with Operations Wizards. An interesting and rather voluminous topic, which will not be considered, due to the fact that the current article deals with the general concepts of the roles of operations masters.
What would happen if there were no masters of operations
Before imagining the situation with Active Directory domain controllers, where there would be no distinction between domain controllers that perform specific operations and other domain controllers, let's consider the advantages of domain controllers equipped with the roles of masters of operation.First of all, as already mentioned in the introductory section of this article, operations masters Domain controllers are called domain controllers that perform a special role in Active Directory designed to ensure integrity and avoid conflicts. It is for this purpose that a special role is assigned to such domain controllers, and since such roles do not have a hard connection to a single domain controller, such roles are called Operations Masters (Flexible Single Master Operation, FSMO, which is pronounced fizz-mo). In fact, other domain controllers can perform these roles, but each role should be assigned to only one domain controller, and in one domain, actions that should be performed on the domain controllers of the operations masters cannot be performed at the same time.
I think it will be useful to know what protocols the operations wizards use. Operation Wizards use three protocols:
- Lightweight Directory Access Protocol (LDAP);
- SMTP.
Now, imagine for a moment what would happen if there were no operations wizards in Active Directory Domain Services, that is, if all domain controllers could perform the same actions at the same time.
Let's say we have an organization with one forest and five domains. In each of the domains, system administrators decided to simultaneously install mail Microsoft server Exchange, and, in one domain, the administrator installs the 2007 version of this mail server, in the second - 2000, and in the third Microsoft Exchange Server 2010 SP1. All changes in the domain schema and, accordingly, the entire forest are written to the domain controller to which the administrators were connected, and after some time, all changes made to the Active Directory schema are replicated to each domain controller in the organization's forest.
If someone wants to rename their domain using the Rendom.exe system utility as another domain is already named, and there is no corresponding FSMO role in the enterprise, when accessing which the administrator would see a warning message, saying, “What are you doing- then? Such a domain already exists, do you want to break everything in the world? and the domain will be renamed, after replication it would simply be impossible to avoid fatal problems.
Let's take another example... Again, there are no masters of operations in nature. On client machines, time can go astray, users can change their own time, as it were, by chance, but all clients in the domain by default must synchronize time with the nearest domain controllers. In this case, if there is no specific domain controller, the so-called master time source, then the time for each user in the entire domain may differ, which may be critical for some business applications.
Actually, there are endless examples of corporate apocalypse due to the lack of masters of operations. There is only one essence, the masters of operations simply must be, must be available and must perform only those operations that are intended for them.
In total, Active Directory Domain Services includes five different roles of operations masters. Namely, two roles are used at the forest level: domain name master And circuit master, moreover, in each forest there can be no more than one domain controller, with the assignments of each role. Each domain has only three operations master roles: relative RID master, infrastructure master, as well as PDC Primary Domain Controller Emulator. That is, when the very first domain controller in the forest is installed, it is simultaneously assigned all five operations master roles, and when a new Active Directory domain is created in an existing forest, the new domain controller is assigned three domain-level roles. The FSMO in the forest and the number of potential holders of these roles can be calculated using the formula "(number of domains * 3) + 2".
For example, if you have an Active Directory forest with four domains where one of the primary domains has a child and grandchild domain, then that forest will contain 14 FSMO roles. That is: one schema master, one domain naming master, four PDC emulators (one role for two primary, child, and grandchild domains), four RID masters for each domain, and four infrastructure masters for each domain.
At this point, I think it's time to look at each forest-level and domain-level operations master role.
Roles of Forest-Level Operations Wizards
As I wrote above, there are two operations master roles for the Active Directory forest level, namely:- Schema Master;
- Domain Name Wizard
Schema Master Role
Before I say a few words about the role of the master of the scheme, I think it makes sense, in a nutshell, to tell what is generally "Active Directory Schema".- Do you see the gopher?
- Not.
- And I don't see it. And he is!
K.F. "DMB"
For many novice administrators, the Active Directory schema can be associated with the famous movie expression written above. It seems to be, as there is such a thing as a circuit, but what it is for, what it is, and in general, what it is, no one knows and is in no hurry to find out about it.
According to the terminology, the schema contains the definitions of each attribute and class that are created and stored in the Active Directory forest. I think it will hardly be news to anyone that Active Directory Domain Services also store in right time extract necessary information many enterprise applications. This is done so that, if necessary, applications do not access various components of the enterprise infrastructure, but use Active Directory Domain Services, information about which will be replicated to all domain controllers. Note that there is only one schema per Active Directory forest that can replicate to every domain controller in the forest. Therefore, if an organization needs to deploy multiple applications that could create conflicts in the Active Directory schema, it makes sense to deploy and maintain two separate forests.
The schema itself consists of the classSchema and attributeSchema objects that are requested when defining the required object in Domain Services. The classes themselves are some kind of definitions located in the schema, which, in turn, define groups of attributes. It must be remembered that each class can use many attributes. And finally, for every attribute located in AD DS, the schema specifies the data type as the syntax for the attribute itself. And, of course, the value of each attribute included in an instance of the class must conform to the syntax requirements of the current attribute.
Since a detailed discussion of the Active Directory schema is beyond the scope of this article, I think the above definition is more than enough. More details about the Active Directory schema will be discussed in one of the following articles. Now let's look at what the role of the schema master is.
The domain controller, which is the schema master, is responsible for all changes that are made to the schema of the Active Directory forest. It must be remembered that the domain controller responsible for this role must be the only one in the entire forest, and all other domain controllers will contain only read-only forest schema replicas. That is, when making any manual changes to the Active Directory schema, or when installing applications that change the schema, the administrator needs to make the changes on the domain controller that manages the role. To make changes, the administrator must connect to the schema master and must be a member of the security group Schema Admins. After the schema is updated, it replicates from the schema master to all other domain controllers. If you try to modify the schema on a non-schema master domain controller, the action usually fails and you need to forward the changes to the schema master domain controller after you make the schema changes. Accordingly, this role is critical, because if you try to modify the Active Directory schema with the schema master disabled, you will always run into errors. In turn, the Schema Master role can reside on any designated domain controller in the forest.
By default, the schema master role is assigned to the first domain controller that is installed in the forest, and it is recommended that this role be placed along with the domain naming master role, which will be discussed below, on the same domain controller. Despite the recommendations, you can move this role to any domain controller at any time using the "Active Directory Schema" or via command line utility Ntdsutil. You can also learn about transferring roles to other domain controllers in this article. Identified by the schema master by the value of the attribute fSMORoleOwner the root object of the schema section.
The Role of the Domain Name Master
The next role to be covered is called the domain naming master. This Operations Master role, and therefore the only domain controller in the forest that can hold this role, is primarily used to add and remove domains and all directory partitions in the forest hierarchy. A domain controller that has the domain naming master role is designed to perform the following four operations:
- Adding and removing domains. When performing such an operation as adding or removing a child domain using the Active Directory Setup Wizard or a command line utility, the Setup Wizard refers to the Domain Naming Wizard and requests the right to add or, accordingly, delete the latter. The Domain Naming Wizard is also responsible for ensuring that domains in a forest have unique NETBIOS names within the entire forest. Naturally, for obvious reasons, if the Domain Naming Wizard is not available, you will not be able to add or remove domains in the forest;
- Adding and Removing Cross References. As you already know, when you create the first domain controller in the forest, schema, configuration, and domain directory partitions are created in the forest. At this time, for each directory partition in the Partitions container of the configuration partition (CN=partitions,CN=configuration,DC=forestRootDomain), a cross-reference object (crossRef class) is created. The cross-reference object defines the name and location of the servers that store each directory partition in the forest. When creating each subsequent domain or application directory partition, the creation of a cross-reference object in the Partitions container is initiated.
- Adding and Removing Application Directory Partitions. Application directory partitions are special partitions that you can create on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain controllers to provide dynamic LDAP application data storage. If your forest works on Windows level Server 2000, then in such a forest, all non-domain data is limited to configuration and schema data, which is replicated to all domain controllers in the forest. In a Windows Server 2003/2008 and 2008R2 forest, application directory partitions store domain controller-specific application data that can be replayed on any domain controller in the forest.
- Confirmation of domain rename instructions. The last action performed by the Domain Name Wizard is to validate the domain rename instructions. It is customary to rename domains using a special command line utility. So, when using the Rendom.exe utility, which is designed to rename domains, in order to rename a domain, the utility must have access to the domain naming wizard. In addition to the above capabilities, the domain naming wizard is also responsible for validating domain rename instructions. When this tool is run, on a domain controller with the Domain Naming Wizard role, an XML script is written to the msDS-UpdateScript attribute of the Partitions (CN=partitions,CN=configuration,DC=forestRootDomain) container object of the Configuration directory partition that contains instructions for renaming domains. It's worth remembering that the Partitions container can only be upgraded on a domain controller that holds the Domain Name Master role. In addition to the value of the msDS-UpdateScript attribute, the Rendom.exe utility writes the new DNS name of each renamed domain to the msDS-DnsRootAlias attribute of the cross-reference object (crossRef class) corresponding to that domain. Again, because the cross-reference object is stored in the Partitrions container, this object can only be updated on a domain controller with the domain naming master role. Changed msDS-UpdateScript and msDS-DnsRootAlias attribute data is replicated to all domain controllers in the forest.
As with the previous action wizard, if you try to perform any of the above operations when the action wizard is not available, your steps will fail. But since all these actions are performed almost once over a long period of time, you can find out that the domain naming master is in an unusable state in a critical important point, so periodically check the availability of the forest operations wizards.
Roles of Domain-Level Operations Wizards
Unlike the forest level, each Active Directory domain has the following three operations master roles:- Relative RID Wizard
- PDC Primary Domain Controller Emulator
- Infrastructure Master
Master RID
The first wizard for the domain level described in this article is the Relative Identifier (RID) wizard. The RID Wizard is used to manage the RID pool to generate security identifiers (SIDs) for security principals such as users, groups, and computers, and to move objects from one domain to another. The SID of a security principal must be unique across the entire domain, so each security principal is assigned a unique SID that contains the domain ID and a relative RID that is unique for each security principal. All SIDs have four various element. For example, according to the Microsoft documentation, the elements of the identifier S1-5-Y1-Y2-Y3-Y4 are provided in the following table:
Table 1. Structure of the identifier element
Because any domain controller can create security principals, a mechanism is needed to ensure that the SIDs generated by a domain controller are unique, and so the RID master ensures that two domain controllers do not assign the same RID. The RID Wizard assigns a block of relative RIDs, called the RID pool, to each domain controller. In other words, the RID Operations Wizard is responsible for maintaining a pool of relative identities to use the domain controllers in the domain and providing groups of relative identities for each domain controller. When a new domain controller is added to a domain, the RID wizard assigns a pool of 500 relative RID requests to that domain controller. Each time a new security principal is created on a domain controller to assign an identity to a new object, the domain controller assigns a relative identity from its pool. When the number of relative RIDs in that RID pool on any DC drops below 100, in other words, approaches zero, the RID master requests another RID block. After the query is completed, the RID master assigns another pool of 500 relative RIDs to the domain controller.
To be even more precise, the RID master does not keep a count of pool numbers, but serves highest value the last selected range. When a new request is received, the value of the new pool is incremented by one and 499 new values. The two values are then sent to the requested DC to use the new relative RIDs. If a domain controller's local RID pool is empty or the RID master is unavailable for some time, the account creation process on some domain controllers may fail and event ID 16645 will be logged in that domain controller's event log. This error code indicates that the maximum identifier account out of allocated per domain controller and the domain controller was unable to obtain a new pool of identities from the RID master. Similarly, when a new object is added to the domain, event ID 16650 will be raised indicating that the object cannot be created because the directory service was unable to allocate a relative identifier. The mechanism for requesting a new block of RIDs is designed to prevent such aborts because the request is made before all available RIDs in the pool are exhausted. To enable the account creation process again, you must either bring the domain controller that manages the RID master role online or move the role to another domain controller.
Also, when migrating Active Directory objects between domains, the presence of a RID master is required, that is, an object will be able to migrate only if the RID master is available in the domain. Having an active current operations wizard prevents two objects with identical identifiers from being created in different Active Directory domains. When migrating objects from one domain to another, Microsoft recommends using the Acrive Directory Migration Tool. By default, the first domain controller installed in the forest gets the RID master role. You can move this role at any time using a snap-in or utility Ntdsutil.exe. The RID master is identified by an attribute value fSMORoleOwner in the rIDManager class object in the Domain section.
PDC emulator
Domain controller with assigned operations master PDC emulator(primary domain controller) functions as a primary domain controller to ensure backward compatibility with operating systems below Windows 2000. In the days of member servers and client Windows computers NT 4.0, only master PDCs could make changes to the directory. Legacy tools, clients, and utilities that support Windows NT 4.0 are not designed to allow all Active Directory domain controllers to write to the directory, and so these applications require a connection to the PDC. A domain controller with the PDC emulator role registers itself as a PDC master domain controller, specifically so that various low-level applications can localize the writing domain controller. Despite the fact that nowadays servers and client computers almost impossible to meet with operating systems below Windows 2000, the PDC emulator still remains the most important role of operations masters. In addition to being backward compatible with applications running under Windows NT 4.0, the PDC emulator performs the following important functions:
- Participation in domain password update replication. When a user's password is changed or reset, the domain controller making the change replicates the change to the PDC emulator via urgent replication. This replication ensures that domain controllers quickly learn the changed password. In the event that a user tries to log on immediately after changing the password, the domain controller responding to this request may not yet know New password. Before denying a logon attempt, this domain controller sends an authentication request to the PDC emulator, which verifies that the new password is correct and instructs the domain controller to accept the logon request. This means that every time a user enters an incorrect password, authentication is sent to the PDC emulator for a final decision;
- Manage Group Policy Updates in a Domain. As you know, Group Policies are used to control most of the settings in the configuration of computers and users in your organization. In the event that a GPO is modified on two domain controllers at approximately the same time, then later conflicts between the two versions may occur that are not resolved when GPOs are replicated. To avoid such conflicts, the PDC emulator operates as follows: when a GPO is opened, the Group Policy Management Editor snap-in binds to the domain controller acting as the PDC, and all changes to the default GPOs are made to the PDC emulator;
- Acting as a Domain Central Browser. Clients use Active Directory to discover network resources. When opening a window "Net" the operating system displays a list of workgroups and domains. After the user opens the specified working group or domain he will be able to see the list of computers. These lists are generated by a browser service, and on each network segment, the master browser creates a browse list with the workgroups, domains, and servers of that segment. The central browser then aggregates the lists of all the leading browsers so that the client machines can view the entire browsing list. I think that of all the functions of the PDC emulator, you may have questions related directly to the central browser of the domain, therefore, this topic will be discussed in detail in a separate article;
- Securing a master domain time source. Since Active Directory, Kerberos, DFS-R, and the FRS file replication service use time stamps, time synchronization is required on all domain systems. The PDC emulator in the forest root domain serves as the lead time source for the entire forest. The rest of the domain controllers synchronize time with the PDC emulator, and the client computers synchronize with their domain controllers. The hierarchical synchronization service, which is implemented in the Win32Time service, is responsible for time consistency.
Infrastructure Master
In multi-domain organizations, objects in one domain often refer to objects in others. Infrastructure Master is like a device that keeps track of group members from domains. The Infrastructure Master is responsible for updating group-to-user links between domains, thereby ensuring that object name changes are reflected in the membership information for groups localized in the domain. The Infrastructure Wizard maintains an up-to-date list of such links and then replicates this information to all controllers in the domain. You should be aware that when a member of another domain is added to a group in the target domain, the distinguished name of the new member is added to the member attribute, and if the domain controller of a member of such a group is unavailable, then a phantom object is created in Domain Services, which actually represents a member of such a group. Such an object can only contain the member's SID, the distinguished name (DN), and the object's GUID. If the Infrastructure Wizard is not available, group-to-user links between domains will not be updated. Periodically, the Infrastructure Wizard scans domain accounts and checks group memberships. If the user account is moved to new domain, the infrastructure wizard identifies the new user account domain and updates the groups accordingly.
Note that the infrastructure master role should not be performed by a domain controller that is a global catalog server. Otherwise, the Infrastructure Wizard will not update object information because it does not contain object references that it does not store. This is because the global catalog server maintains partial replicas of all objects in the forest. As a result, cross-domain object links in this domain will not be updated, and a warning will appear in the event log of this domain controller. By default, the first domain controller installed in the forest gets the infrastructure master role. You can move this role at any time using the snap Active Directory Users and Computers or utility tools Ntdsutil.exe. The infrastructure master is identified by the value of the attribute fSMORoleOwner in the Infrastructure container under the Domain section.
How can I determine which domain controller has the FSMO role
In principle, we have already dealt with the theoretical part, and now it would be nice to do practice. Although your organization may have only one domain, there may be a large number of domain controllers installed, and it may not always be possible for administrators to know which domain controllers are assigned the roles of operations masters. For example, if you are restructuring your domain, you will need to know which domain controller is assigned which role. Each role can be defined using a graphical interface or command line tools. Let's consider both methods.Defining Operations Master Role Holders Using the GUI
The first thing to remember is that Active Directory Domain Services uses various administrative snap-ins to identify operations wizards. The hardest part is identifying the schema master. Let's start with him. To find out which domain controller has the schema master role, follow these steps:
You need to perform significantly less steps to identify the rest of the action wizards. To find which domain controller has Domain Name Operations Wizard rights, you need to:
And to identify the remaining three domain-level roles, you need to perform the least action. In other words, all remaining operations master roles can be found in one dialog box. To do this, open the tool Active Directory Users and Computers, right click on your domain and from context menu select a team "Masters of Operations". In the dialog box that appears, on the appropriate tabs, you can view the names of the domain controllers that are assigned the current roles. Dialog window "Masters of Operations" can be seen in the following illustration:
Rice. 4. Operations masters for the domain level
Determining Operations Master Role Owners Using the Command Line
As with most of the features provided by Windows operating systems, you can define all the holders of the operations master roles using a special command line utility. Active Directory Domain Services uses a command-line utility to control certain changes Ntdsutil. To view all domain controllers equipped with operations master roles using this utility, follow these steps:
Also, to view FSMO roles, you can use the utility dcdiag with the team /test:Knowsofroleholders /v . You can see part of the output of this command below:
Rice. 6. Determination of FSMO roles using the Dcdiag utility
Capturing and Transferring Operations Master Roles
In Active Directory, there are such concepts as transferring and seizing (also known as revoking) the roles of operations masters. First of all, you should find out what it is and what is the difference between these concepts.As noted above, all five operations master roles are initially installed on the first domain controller in the forest. It is common to deploy several additional domain controllers within the same domain to improve performance and fault tolerance in an organization. And, accordingly, in order to avoid conflicts in the future, it is recommended to immediately distribute the roles of masters of operations to different domain controllers. Also, if you need to disable or decommission a domain controller acting as a master of operations, you should transfer all FSMO roles from it to other domain controllers.
In turn, role capture is necessary in the event that a domain controller endowed with specific roles of masters of operations has failed, and you did not manage to transfer the roles from this DC in time. The risks you might be exposed to if domain controllers holding the operations master roles fail were discussed a little earlier in this article. In this case, you have no option to transfer the FSMO role using the preferred role transfer method. Therefore, one only has to capture the operation token by revoking the role. But it is worth remembering that role capture is the most radical method and should only be run when the Operations Master role holder has failed. When the Operations Master role capture process is performed, the fsmoRoleOwner attribute of the object, which is the data root, is changed on the existing computer without performing any data synchronization. Other domain controllers naturally become aware of the new FSMO role holder as the changes are replicated.
Consider the process of transferring and capturing the roles of masters of operations.
To transfer an FSMO role, do the following:
The process of capturing the roles of operations masters is a little more complicated than transferring, since it requires using the utility Ntdsutil, which was discussed in the previous section. To seize a role from a failed domain controller, follow these steps:
- open command line and in it go to the utility ntdsutil;
- Navigate to NTDS role management using the command roles;
- You need to establish a connection to a domain controller that will act as the owner of the operations master in the future. To do this, run the command connections;
- In line server connections enter connect to server and specify the required domain controller;
- Navigate back to fsmo management using the command quit;
- Now in line fsmo management specify command seize and click on Enter;
- In this last step, you need to select the FSMO role that will be captured from the idle domain controller.
But in the event that the role of the schema master, domain naming or relative RID identifiers was captured, then you will need to perform the following steps:
- Physically disconnect such a domain controller from the network;
- Demote a domain controller to a member server using the command Dcpromo /forceremoval;
- Clear metadata for the current domain controller. You can clean metadata using the utility Ntdsutil with the team Metadata Cleanup;
- After removing the metadata, you need to bring the server online, join the domain, and then promote the server to a domain controller;
- In the last step, simply transfer the role to this domain controller.
Placing Operations Wizards on Domain Controllers
In this section, I'll talk a bit about best practices for placing all operations master roles on domain controllers. As such, there are not many such recommendations, so I will try to simplify this section as soon as possible.
First of all, if you have one forest, one domain, and one domain controller, then all five operations master roles will be placed on this domain controller, but it is recommended to transfer roles to other domain controllers for load balancing purposes.
The main recommendations for placing FSMO roles are as follows:
- Place the RID master and PDC emulator roles on the same domain controller. These operations master roles are co-located for load balancing considerations. Since these roles are direct replication partners, by placing these roles on separate domain controllers, you will have to establish a fast connection for the respective two systems and create explicit objects for them in Active Directory. In addition, if you have servers in your organization that play the role of backup masters of operations, on such servers these roles must also be direct partners;
- Host schema and domain naming master roles on the same domain controller. Generally, it is recommended that the schema master and domain naming master roles be hosted on the same domain controller that serves as the global catalog server. The domain naming wizard role must also be a global catalog server because when adding a new domain, the wizard must ensure that there is no object in the forest with the same name as the newly added domain. However, if a domain controller with the Domain Naming Wizard role is not a global catalog server, operations such as creating grandchild domains may fail. Because these roles are the least used, you should ensure that the domain controller that manages them is as secure as possible;
- The Infrastructure Master role must be hosted on a domain controller that is not serving as a global catalog server. Typically, the Infrastructure Wizard should be deployed on a domain controller that is not serving as a global catalog server, but has an object direct connection to one of the global catalogs in the forest. Because the global catalog server stores partial replicas of all objects in the forest, the infrastructure master hosted on the global catalog server will not perform updates because it does not contain references to objects that it does not store.
