Configuring FSMO Roles

If you’ve designed and built your own domain or forest you’ll know which servers host the various Operations Master roles. If you’ve inherited the administration of an existing structure, find out where these roles are straight away, before they go wrong.


Changing FSMO Roles

The Single Master Operations fall into three groups according to the snap-in used to change them, and questions about these groupings are a favourite way of testing your familiarity with the subject, in an exam for instance. The RID Master, Infrastructure Master and PDC Emulator are assigned from “Active Directory Users and Computers”. The Domain Naming Master is configured within “Active Directory Domains and Trusts”. The Schema Master is determined from within the “Active Directory Schema” snap-in (which does not appear in MMC until you register it with regsvr32 schmmgmt.dll). The permissions follow the same split: Domain Admins can move the three domain-level roles, Enterprise Admins the Domain Naming Master, and Schema Admins the Schema Master.
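The three groupings exist because each role is recorded as an fSMORoleOwner attribute on a different object in the directory. The following PowerShell script, an added example rather than part of the original lesson, reads those five objects to list the role holders and pings each one, which is the "find out where these things are" check from the introduction. It assumes it runs on a domain-joined Windows machine as a user who can read the directory; the function name Get-FsmoRoleHolders is this example's own, and the es-net.co.uk names are only those used in the lesson.

```powershell
# Added example: locate the five FSMO role holders by reading the fSMORoleOwner
# attribute of the objects that store them. Assumes a domain-joined machine and
# read access to the directory; Get-FsmoRoleHolders is a name chosen here.

function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = [string]$rootDse.defaultNamingContext        # e.g. DC=es-net,DC=co,DC=uk
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # One object per role, which is why three snap-ins are needed to change them:
    # domain NC objects (Users and Computers), the Partitions container
    # (Domains and Trusts) and the schema NC (Schema snap-in).
    $roleObjects = [ordered]@{
        'PDC Emulator'          = $domainNc
        'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure Master' = "CN=Infrastructure,$domainNc"
        'Domain Naming Master'  = "CN=Partitions,$configNc"
        'Schema Master'         = $schemaNc
    }

    foreach ($role in $roleObjects.Keys) {
        $holder  = [ADSI]"LDAP://$($roleObjects[$role])"
        $ownerDn = [string]$holder.fSMORoleOwner   # DN of the owner's NTDS Settings object

        # A deleted NTDS Settings object carries "\0ADEL:" in its DN: the role
        # points at a domain controller that no longer exists and must be seized.
        if ($ownerDn -match '0ADEL:') {
            [pscustomobject]@{ Role = $role; Holder = $ownerDn; Status = 'Orphaned - seize required' }
            continue
        }

        # Strip "CN=NTDS Settings," to reach the server object, which carries dNSHostName.
        $serverDn  = $ownerDn -replace '^CN=NTDS Settings,', ''
        $server    = [ADSI]"LDAP://$serverDn"
        $fqdn      = [string]$server.dNSHostName
        $reachable = Test-Connection -ComputerName $fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue
        $status    = if ($reachable) { 'Online' } else { 'Unreachable - consider transfer or seize' }

        [pscustomobject]@{ Role = $role; Holder = $fqdn; Status = $status }
    }
}

Get-FsmoRoleHolders | Format-Table -AutoSize
```

A ping is only a coarse liveness check; the point of reading fSMORoleOwner directly is that you see exactly what the directory believes, including an owner that has already been deleted. On a Windows Server 2003 domain controller the quick alternatives are netdom query fsmo (from the Support Tools) and dcdiag /test:fsmocheck.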

Transferring the RID Master, PDC Emulator or Infrastructure Master is accomplished through the Active Directory Users and Computers snap-in:

Click Start, then Administrative Tools, then Active Directory Users and Computers. To change an Operations Master you must first connect to the server that is to take the role: right-click the snap-in root, click Connect to Domain Controller and choose the target. This sets the focus for every transfer made with this snap-in. Right-click the domain and select Operations Masters. Note that this dialog has a tab for each of the three domain-level Operations Masters. Clicking Change transfers the selected role to the domain controller the snap-in is currently connected to. In the following examples everything is transferred to admin2.es-net.co.uk. The RID role currently resides with admin1.es-net.co.uk. Click “Change…”. Very sensibly there is a check that you have not clicked here by accident; click “Yes”, then OK. The role now resides with admin2.es-net.co.uk. The PDC and Infrastructure Master roles can be transferred in the same way, but to transfer the Domain Naming Master the Active Directory Domains and Trusts snap-in must be opened:

Right-click Active Directory Domains and Trusts (the snap-in root), connect to the target domain controller as before, then right-click the root again and click Operations Master. The role currently resides with admin1.es-net.co.uk. Click Change, then Yes, then OK. The role now resides with admin2.es-net.co.uk. Finally, the Schema Master is controlled through the Active Directory Schema snap-in.

Right-click Active Directory Schema. To change the Schema Master you must first connect to the server that is to take the role: click Change Domain Controller, click Specify Name, type the DNS name of the server that is to take over the role and click OK. The transfer can now be completed in the same way as the others.

Right-click Active Directory Schema and click Operations Master. The role currently resides with admin1.es-net.co.uk. Click Change, then Yes, then OK. The role now resides with admin2.es-net.co.uk. All five roles are now held by the admin2.es-net.co.uk domain controller.

Seizing FSMO Roles

The previous methods assume that both the existing controller and the new controller are available at the same time. If the original controller has failed for whatever reason, the role must be seized, i.e. forcibly assigned to a new controller without the cooperation of the old one.

Do you REALLY need to seize the role? How long is the other domain controller likely to be offline? Is it ever going to be brought back online?

Apart from the PDC Emulator and the Infrastructure Master, the failure of a single operations master produces no immediate effect on the network (a RID Master outage, for example, only bites once domain controllers exhaust their RID pools, and the Infrastructure Master only matters in a multi-domain forest where not every domain controller is a global catalog). Therefore, if the server can be recovered within a few days, or even a week, you should NOT seize the role from it. If it will take longer than this, you must seize the role. You should, however, realise that once a role has been seized the original server must NEVER be put online again. It must be rebuilt with a complete reinstall of Windows Server 2003.

To summarise:

If the PDC Emulator or Infrastructure Master goes offline, your users may notice the effects almost immediately. You should try to recover these servers from backups as a first priority; however, if this is unfeasible (possibly due to lack of backups, or a hardware failure where replacement parts are not available), you should seize the role to a replacement server.

If any other operations master goes offline and you can recover the system within a few days, there is no need to seize the role to a replacement server. If you CANNOT recover the server within a reasonable time, you should seize the role. However, you MUST then ensure that the original server never connects to the network again.

If the administrator suspects that a crucial operations master has failed, the first step is to attempt an ordinary transfer of the role to a different server:

Right-click the domain in Active Directory Users and Computers and click Operations Masters. The current Operations Master is offline. To take over the role, click Change, then Yes.

The administrator’s fears are confirmed: the role could not be transferred because the domain controller currently holding it is unavailable.

The error dialog states that this role must be transferred with NTDSUTIL (more about that later). Click OK to close it. Now click the PDC tab, click Change and click Yes. Because the server currently holding this role is unavailable, a second prompt asks whether you would like to attempt to forcefully seize the role. Click Yes, then OK. The role has been seized by the new server.

The Infrastructure Master can be seized by the same route. To seize any other role, however, you must use NTDSUTIL.

Only the PDC Emulator and the Infrastructure Master can be seized from the same dialog used to transfer them. Seizing the RID Master, Domain Naming Master or Schema Master is a far heavier-weight measure, so a different utility altogether, “NTDSUTIL”, is used. Seize these roles only when the server holding them has gone offline and WILL NOT be coming back.

Click Start, then Run. Type NTDSUTIL and click OK. Type “roles” and press Return. Type “connections” and press Return. Type “connect to server”, followed by the name of the server that is to receive the role, and press Return. Type “quit” and press Return to leave the connections menu. Type “seize RID master” and press Return, then click Yes in the confirmation dialog.

NTDSUTIL first attempts to transfer the role “safely” (exactly as if you had clicked the ‘Change’ button within ‘Active Directory Users and Computers’) and only falls back to seizing it when that fails. Type “quit” and press Return, then type “quit” again and press Return to leave NTDSUTIL. The Active Directory Users and Computers snap-in now shows admin1.es-net.co.uk as the RID master.
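The NTDSUTIL menu walk above, and the transfers done through the snap-ins earlier in the lesson, can both be scripted. The following PowerShell function is an added example, not part of the original lesson: it passes the same menu commands to NTDSUTIL as arguments, uses “transfer” while the current holder is still up and “seize” only when asked to, and supports -WhatIf so the command sequence can be reviewed before anything runs. The function name Move-FsmoRole and its parameters are this example's own; the role spellings are those of the Windows Server 2003 NTDSUTIL roles menu, and the server names are the lesson's.

```powershell
# Added example: drive NTDSUTIL from PowerShell to transfer a role, or seize it
# when the current holder is gone for good. Move-FsmoRole and its parameters are
# names chosen here; the role strings are NTDSUTIL's own 'roles' menu spellings.

$FsmoRoleNames = @{
    PDC            = 'PDC'
    RID            = 'RID master'
    Infrastructure = 'infrastructure master'
    DomainNaming   = 'domain naming master'
    Schema         = 'schema master'
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('PDC','RID','Infrastructure','DomainNaming','Schema')]
        [string]$Role,
        [Parameter(Mandatory=$true)]
        [string]$TargetServer,   # DC that is to take the role, e.g. admin2.es-net.co.uk
        [switch]$Seize           # only when the current holder will never return
    )
    $verb = if ($Seize) { 'seize' } else { 'transfer' }

    # Same menu walk as typed interactively: roles -> connections -> connect to
    # server -> quit (back to roles) -> transfer/seize <role> -> quit -> quit.
    $ntdsutilCommands = @(
        'roles',
        'connections',
        "connect to server $TargetServer",
        'quit',
        "$verb $($FsmoRoleNames[$Role])",
        'quit',
        'quit'
    )

    # The three heavyweight roles: once seized, the old holder must be rebuilt
    # before it ever touches the network again.
    if ($Seize -and (@('RID','DomainNaming','Schema') -contains $Role)) {
        Write-Warning "Seizing the $Role master: the previous holder must never rejoin the forest."
    }

    if ($PSCmdlet.ShouldProcess($TargetServer, "$verb $($FsmoRoleNames[$Role])")) {
        # NTDSUTIL accepts its menu commands as command-line arguments. It still
        # shows the GUI confirmation prompt, and a seize first tries a clean transfer.
        & ntdsutil.exe @ntdsutilCommands
    }
    return $ntdsutilCommands     # returned so the caller can log exactly what was run
}

# Transfer the RID master to admin2 while admin1 is still up (dry run)...
Move-FsmoRole -Role RID -TargetServer admin2.es-net.co.uk -WhatIf
# ...or, after admin2 has died for good, seize it back onto admin1 (dry run).
Move-FsmoRole -Role RID -TargetServer admin1.es-net.co.uk -Seize -WhatIf
```

Drop -WhatIf to perform the change. After seizing from a domain controller that will never return, also remove its remaining objects with the NTDSUTIL “metadata cleanup” menu, otherwise the dead server lingers in the directory and replication keeps trying to reach it.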