There are five Active Directory Flexible Single Master Operations (FSMO) roles across a domain and its forest. The Active Directory Installation Wizard defines the five FSMO roles: schema master, domain naming master, RID master, PDC emulator, and infrastructure master. The schema master and domain naming master are per-forest roles (e.g. for the forest www.A.com). The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.
A forest with one domain (e.g. www.A.com) has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest, and therefore the number of potential FSMO role owners, is given by the formula (number of domains * 3) + 2. A forest with three domains (A.com, with child and grandchild domains B.A.com and C.B.A.com) therefore has eleven FSMO roles:
Schema master – forest-wide (A.com)
Domain naming master – forest-wide (A.com)
PDC emulators – one per domain (A.com, B.A.com, and C.B.A.com)
RID masters – one per domain (A.com, B.A.com, and C.B.A.com)
Infrastructure masters – one per domain (A.com, B.A.com, and C.B.A.com)
You may use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.
Transfer FSMO roles: It is recommended that you transfer FSMO roles in the following scenarios:
Log on to an admin workstation or domain controller located in the forest where the FSMO roles are being transferred, using an account that has Enterprise Admin and Schema Admin rights. Microsoft recommends that you log on to the domain controller that you are assigning the FSMO roles to. However, this is not strictly necessary if you know what you are doing.
transfer rid master
transfer schema master
transfer domain naming master
transfer infrastructure master
At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Seize FSMO roles: Seizing FSMO roles is a critical decision. Perform a seizure only if you fail to demote gracefully a domain controller that holds FSMO roles, or if a domain controller that holds FSMO roles has failed completely and can no longer communicate with any other domain controller in the forest. In those cases you have no option but to seize the FSMO roles.
seize rid master
seize schema master
seize naming master
seize infrastructure master
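The transfer-first, seize-only-when-the-holder-is-dead rule above, as an added example using the ActiveDirectory PowerShell module rather than the page's ntdsutil session (this is not code from the original page). It assumes the RSAT ActiveDirectory module, Enterprise Admin and Schema Admin rights, that the domain-wide roles belong to the domain you are logged on to, and a hypothetical target DC name in $Target.

```powershell
# Added example (not from the page): transfer FSMO roles with the ActiveDirectory
# PowerShell module, falling back to seizure only when the current holder is unreachable.
# Assumptions: RSAT AD module installed, Enterprise/Schema Admin rights, and the domain
# roles being moved belong to the domain you are logged on to. $Target is a placeholder.
Import-Module ActiveDirectory

$Target = 'DC02.a.com'   # hypothetical DC that should end up holding the roles
$Roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-CurrentHolder {
    param([string]$Role)
    # Forest-wide roles are reported by Get-ADForest, domain-wide roles by Get-ADDomain
    if ($Role -in @('SchemaMaster', 'DomainNamingMaster')) { return (Get-ADForest).$Role }
    return (Get-ADDomain).$Role
}

foreach ($Role in $Roles) {
    $Holder = Get-CurrentHolder -Role $Role
    if ($Holder -ieq $Target) { Write-Host "$Role is already held by $Target"; continue }

    # Ask the current holder to describe itself over LDAP; success means a clean transfer is possible
    $HolderOnline = $false
    try {
        $null = Get-ADDomainController -Identity $Holder -Server $Holder -ErrorAction Stop
        $HolderOnline = $true
    } catch { $HolderOnline = $false }

    if ($HolderOnline) {
        # Clean hand-off: both DCs agree on the role change, no replication conflict
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
        Write-Host "Transferred $Role from $Holder to $Target"
    } else {
        # Seizure: the old holder must stay off the network and be cleaned out of AD afterwards
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
        Write-Warning "Seized $Role from unreachable $Holder; keep $Holder offline and run metadata cleanup for it"
    }
}
```

Run it once per domain whose PDC emulator, RID master or infrastructure master you need to move; the two forest-wide roles are handled from any domain in the forest.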
Global catalog: Double-check that the schema master and domain naming master are also global catalog (GC) servers. To check whether a domain controller is also a global catalog server:
Metadata cleanup: Perform this operation only if you fail to demote a DC from the forest gracefully; otherwise it is not needed.
Click Start, point to Programs, point to Accessories, and then click Command Prompt.
At the command prompt, type ntdsutil, and then press ENTER.
Type metadata cleanup, and then press ENTER.
Type connections and press ENTER.
Type connect to server servername, and then press ENTER.
Type quit, and then press ENTER. The Metadata Cleanup menu appears.
Type select operation target and press ENTER.
Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
Type list sites and press ENTER. A list of sites, each with an associated number, appears.
Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server’s computer account you want to remove.
Type quit and press ENTER. The Metadata Cleanup menu appears.
Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already have been removed from Active Directory:
Type quit, and then press ENTER.
In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the host record. To delete the A record, right-click the A record, and then click Delete. Also delete the CNAME record in the _msdcs container. To do this, expand the _msdcs container, right-click the CNAME record, and then click Delete. Important: if this DC was also a DNS server, remove the reference to it under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.
If the deleted computer was the last domain controller in a child domain, and the child domain was also deleted, use ADSI Edit to delete the trustDomain object for the child. To do this, follow these steps:
Click Start, click Run, type adsiedit.msc, and then click OK
Expand the Domain NC container.
Expand DC=YourDomain,DC=COM (the suffix may be COM, PRI, LOCAL, NET, or whatever your forest uses).
Right-click the trustDomain object, and then click Delete.
Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
Start Active Directory Sites and Services.
Expand Sites. Expand the server’s site. The default site is Default-First-Site-Name.
Expand Servers. Right-click the domain controller, and then click Delete.
Verifying Flexible Single Master Operations (FSMO)
Replmon: %ProgramFiles%\Windows Resource Kits\Tools\replmon.exe
netdom command syntax
netdom query fsmo /domain:yourdomain.com.au
dsquery command syntax
dsquery server -hasfsmo schema
dsquery server -hasfsmo name
dsquery server -hasfsmo infr
dsquery server -hasfsmo rid
dsquery server -hasfsmo pdc
dcdiag command syntax
dcdiag /test:knowsofroleholders /v
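An added read-only audit script (not from the original page) that pulls the same information as the netdom, dsquery and dcdiag commands above for every domain in the forest at once, checks the count against the (domains * 3) + 2 formula from the start of the page, and flags the global catalog placement problems: the schema master and domain naming master not being GCs, as the page requires, and the well-known case of an infrastructure master on a GC while other DCs in its domain are not. It assumes the RSAT ActiveDirectory module and read access to all domains.

```powershell
# Added example (not from the page): read-only audit of every FSMO holder in the forest,
# checking the role count against (domains * 3) + 2 and the global catalog placement
# the page calls for. Assumes the RSAT ActiveDirectory module and read access to all domains.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $Forest = Get-ADForest
    $Rows = @()
    foreach ($Role in 'SchemaMaster', 'DomainNamingMaster') {
        # Forest-wide roles; their holders always live in the forest root domain
        $Rows += [pscustomobject]@{ Scope = $Forest.RootDomain; Role = $Role; Holder = $Forest.$Role }
    }
    foreach ($DomainName in $Forest.Domains) {
        $Domain = Get-ADDomain -Identity $DomainName
        foreach ($Role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $Rows += [pscustomobject]@{ Scope = $DomainName; Role = $Role; Holder = $Domain.$Role }
        }
    }
    # Sanity check against the page's formula for the number of roles in a forest
    $Expected = ($Forest.Domains.Count * 3) + 2
    if ($Rows.Count -ne $Expected) { Write-Warning "Found $($Rows.Count) role holders, expected $Expected" }
    return $Rows
}

function Test-GcPlacement {
    param([object[]]$Report)
    foreach ($Row in $Report) {
        $Dc = Get-ADDomainController -Identity $Row.Holder -Server $Row.Scope
        # Page guidance: schema master and domain naming master should be global catalogs
        if (($Row.Role -in @('SchemaMaster', 'DomainNamingMaster')) -and (-not $Dc.IsGlobalCatalog)) {
            Write-Warning "$($Row.Role) $($Row.Holder) is not a global catalog"
        }
        if (($Row.Role -eq 'InfrastructureMaster') -and $Dc.IsGlobalCatalog) {
            # Infrastructure master on a GC stops updating cross-domain references unless every DC in the domain is a GC
            $NonGc = @(Get-ADDomainController -Filter * -Server $Row.Scope | Where-Object { -not $_.IsGlobalCatalog })
            if ($NonGc.Count -gt 0) { Write-Warning "InfrastructureMaster $($Row.Holder) is a GC while $($NonGc.Count) DC(s) in $($Row.Scope) are not" }
        }
    }
}

$Report = Get-FsmoReport
$Report | Format-Table -AutoSize
Test-GcPlacement -Report $Report
```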
dumpfsmos.cmd Command Syntax
Keywords: Microsoft Active Directory, FSMO roles.