Optimizing Microsoft Active Directory FSMO roles

Posted on by

There are five Active Directory Flexible Single-Master (FSMO) roles in the domain and forest. The Active Directory Installation Wizard defines five FSMO roles: schema master, domain master, RID master, PDC emulator, and infrastructure. The schema master and domain naming master are per-forest roles (eg. www.A.com). The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.

A forest with one domain (eg www.A.com) has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3)+2). A forest with three domains (A.com, with child and grandchild domains of B.A.com and C.B.A.com) has eleven FSMO roles:

Schema master – forest-wide A.COM
Domain naming master – forest-wide A.COM
PDC emulators (A.com, B.A.com, and C.B.A.com)
RID masters (A.com, B.A.com, and C.B.A.com)
Infrastructure masters for each respective domain. (A.com, B.A.com, and C.B.A.com)

FSMO scenario:

  • In a Single domain with only one domain controller: holds all five FSMO roles.
  • If a domain has more than one domain controller, use Active Directory Sites and Services Manager to select direct replication partners with persistent. You may select specific roles to specific domain controller and distribute it.
  • The standby server may be in the same site as the primary FSMO server for faster replication convergence consistency over a large group of computers, or in a remote site in the event of a site-specific disaster at the primary location.
  • Where the standby domain controller is in a remote site, ensure that the connection is configured for continuous replication over a persistent link. (support tools> replmon.exe to check replication)

    • FSMO placement:

  • Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines. If the load on the primary FSMO load justifies a move, place the RID and primary domain controller emulator roles on separate domain controllers in the same domain and active directory site that are direct replication partners of each other. Example, I have four domain controllers and two of them holds FSMO roles. rest are stand by in case of failure I can move them.
  • Infrastructure master must not be a Global Catalog (GC). Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Two exceptions to the “do not place the infrastructure master on a global catalog server” rule are:
  • Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
  • Multidomain forest where every domain controller in a domain holds the global catalog:  If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
  • the schema master and domain naming master roles should be placed on the same domain controller. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case. In a forest at the Forest Functional Level Windows Server 2003, you do not have to place the domain naming master on a global catalog.

    • You may use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

    Transfer FMSO Roles: It is recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

    • Log on to a Admin PC or domain controller that is located in the forest where FSMO roles are being transferred as a Enterprise Admin and Schema Admin rights. Microsoft recommend that you log on to the domain controller that you are assigning FSMO roles to. However, its not necessary if you know what you are doing.

  • Click Start, click Run, type ntdsutil.exe in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign/transfer the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, Syntax Example,

    • transfer rid master

    Transfer PDC

    Transfer Schema Master

    transfer domain naming master

    transfer infrastructure master

    At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    Seize FSMO roles: Seizing FSMO roles is a critical decision. Perform Seizure operation if you fail to demot a domain controller gracefully that holds FSMO roles or if one of domain controller (holds FSMo roles) is completely failed to communicate with another domain controller in a forest. In this case you have no option but to seize FSMO roles.

  • Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, Syntax are:

    • seize rid master

    seize PDC

    seize Schema Master

    seize naming master

    seize infrastructure master

  • At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

    • Global Catalog: Double check, schema master and naming master is a GC. To check whether a domain controller is also a global catalog server:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  • Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  • Open the Servers folder, and then click the domain controller.
  • In the domain controller’s folder, double-click NTDS Settings.
  • On the Action menu, click Properties.
  • On the General tab, view the Global Catalog check box to see if it is selected.

    • Metadata Clean up: Perform this operation if you fail to demot a DC from a forest otherwise not.

    1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
    2. At the command prompt, type ntdsutil, and then press ENTER.
    3. Type metadata cleanup, and then press ENTER.
    4. Type connections and press ENTER.
    5. Type connect to server servername, and then press ENTER.
    6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
    7. Type select operation target and press ENTER.
    8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
    9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
    10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
    11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
    12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
    13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server’s computer account you want to remove.
    14. Type quit and press ENTER. The Metadata Cleanup menu appears.
    15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already be removed from Active Directory
    16. Type quit, and then press ENTER
    17. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also, delete the cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and then click Delete. Important If this is a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.
    18. If the deleted computer is the last domain controller in a child domain, and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    • Click Start, click Run, type adsiedit.msc, and then click OK
    • Expand the Domain NC container.
    • Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
    • Expand CN=System.
    • Right-click the Trust Domain object, and then click Delete.

       19.  Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:

    • Start Active Directory Sites and Services.
    • Expand Sites. Expand the server’s site. The default site is Default-First-Site-Name.
    • Expand Server.  Right-click the domain controller, and then click Delete.

    Verifying Flexible Single Master Operations (FSMO)

    %Program File%>Windows Resource Kits>Tools>Replmon

    netdom command syntax 

     netdom query fsmo /domain:yourdomain.com.au

     dsquery command syntax

     dsquery server -hasfsmo schema

    dsquery server -hasfsmo name

    dsquery server -hasfsmo infr

    dsquery server -hasfsmo rid

    dsquery server -hasfsmo pdc

     DCDiag Command Syntax

     dcdiag /test:knowsofroleholders /v

     dumpfsmos.cmd Command  Syntax

     dumpfsmos.cmd yourdomain.com.au

    Further Study:

    Microsoft Active Directory

    Keywords: Microsoft Active Directory, FSMO roles.

    1 thought on “Optimizing Microsoft Active Directory FSMO roles

    Leave a comment

    This site uses Akismet to reduce spam. Learn how your comment data is processed.