SysVol Folder & FSMO Roles

SOP of SysVol Folder & FSMO Roles.

SOP #           5
Revision #      5
Page #          1 to 9
Title           SysVol Folder & FSMO Roles
SOP Owner       Nishan
Reviewed Date
Approval Date

Standard Operating Procedure


SysVol Folder

SYSVOL (system volume) is a shared folder on every domain controller that holds the domain's
public files: the file-based part of each Group Policy Object and the logon and logoff scripts.
Every authenticated user in the domain can read the SYSVOL share and its contents, but only
administrators (and accounts delegated to edit a particular GPO) can write to it. Because every
computer in the domain applies the policy files it reads from here, write access to SYSVOL is
effectively write access to every computer those policies target.

SYSVOL is replicated to each domain controller in the domain. It is not the directory database
itself (that is NTDS.dit, replicated separately by Active Directory replication); it holds the
Group Policy Template of each GPO, while the GPO's matching directory object, the Group Policy
Container, lives in Active Directory. SYSVOL is always present and shared on a writable domain
controller and cannot be hidden or disabled.

Here's an explanation of the SYSVOL folder and its purpose:

Location: The SYSVOL folder is located on every domain controller, by default at
C:\Windows\SYSVOL. The sysvol subfolder beneath it is shared on the network as SYSVOL
(\\<domain>\SYSVOL), and the scripts folder is additionally shared as NETLOGON, so other
domain controllers and client computers can read the contents.

Replication: The contents of the SYSVOL folder, including Group Policy templates, scripts
and other files, are replicated among all domain controllers in the domain. This ensures that
a change made to a GPO on one DC is distributed to every DC; client computers then pick up
the change from whichever DC they authenticate against when Group Policy next refreshes.

1|Page Texiio pvt ltd


Group Policy Objects (GPOs): The SYSVOL folder is primarily associated with Group Policy
Objects. GPOs are sets of policies and configurations that are applied to user and computer
objects within an Active Directory domain. These policies define settings such as security
policy, software installation rules and desktop configuration. SYSVOL stores each GPO's Group
Policy Template (registry.pol files, security templates, administrative template data and
scripts); the GPO's Group Policy Container is an object in the directory, and the two halves
are kept consistent through the version number recorded in both.

File Structure: Within C:\Windows\SYSVOL on a domain controller there are several subfolders.

domain: The replicated content for this domain. It contains the Policies and scripts folders
described next.

Policies (domain\Policies): One folder per GPO, named with the GPO's Globally Unique
Identifier (GUID) in braces, holding that GPO's template (GPT.INI plus Machine and User
subfolders).

scripts (domain\scripts): Logon, logoff, startup and shutdown scripts; this folder is what
the NETLOGON share points to.

staging and staging areas: Used by the replication engine to stage changed files before they
are committed into the domain folder.

sysvol: The folder that is actually shared as SYSVOL; it contains a junction named after the
domain's DNS name that points to the domain folder.
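The following PowerShell script is an added example and is not part of the original SOP. Run on a domain controller with the ActiveDirectory and GroupPolicy modules (RSAT) available, it maps each GUID-named Policies folder back to the GPO it belongs to, reports template folders that no longer have a Group Policy Container in the directory, and lists any ACE that grants write access to a principal outside the set expected to hold it. The list of expected writers is an assumption made for the example; adjust it to the delegation model of your domain.

```powershell
# Added example (not from the SOP): inspect the SYSVOL Policies tree on this DC.
# Assumes: run on a DC, ActiveDirectory and GroupPolicy modules present.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = Get-ADDomain
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
# The replicated tree is shared as SYSVOL; Policies lives under the domain junction.
$policies = Join-Path $env:SystemRoot "SYSVOL\sysvol\$($domain.DNSRoot)\Policies"

# 1. Map each {GUID} template folder to its GPO. A folder with no GPO object
#    (Group Policy Container) in AD is an orphan and should be investigated.
$templates = Get-ChildItem -Path $policies -Directory | ForEach-Object {
    $gpo = $null
    try { $gpo = Get-GPO -Guid $_.Name.Trim('{}') -ErrorAction Stop } catch { }
    [pscustomobject]@{
        Folder      = $_.Name
        DisplayName = if ($gpo) { $gpo.DisplayName } else { '<ORPHAN: no GPC in AD>' }
        Modified    = $_.LastWriteTime
    }
}
$templates | Sort-Object DisplayName | Format-Table -AutoSize

# 2. Find write access granted to anyone outside the expected set. By default
#    Authenticated Users and Server Operators have Read & Execute on SYSVOL;
#    write rights belong to SYSTEM, Administrators, Domain Admins, Enterprise
#    Admins and CREATOR OWNER (the GPO creator). Any other writer can alter
#    policy that every targeted computer will apply. (Expected set = assumption.)
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($rootDomain.NetBIOSName)\Enterprise Admins"
)
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

$unexpected = foreach ($dir in @(Get-Item $policies) + (Get-ChildItem $policies -Directory -Recurse)) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeBits) -ne 0) -and
            ($expectedWriters -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
if ($unexpected) { $unexpected | Format-Table -AutoSize }
else { 'No unexpected write access found under Policies.' }
```

Entries the second part lists are not necessarily wrong: a group delegated to edit one GPO will legitimately appear on that GPO's folder. The point of the check is that every writer on SYSVOL should be a known, intended delegation, because any of them can change what every targeted computer enforces.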

SysVol Replication.
SYSVOL must be identical on all domain controllers in the domain, so its contents are
replicated between them by a file replication engine, separately from the Active Directory
replication that carries the directory database. Two engines have been used for this: the
File Replication Service (FRS) and DFS Replication (DFS-R).
File Replication Service (FRS):
FRS is a multi-master, multi-threaded file replication service that replicates whole files.
It has been deprecated since Windows Server 2008 R2, and Windows Server 2019 and later domain
controllers cannot be promoted into a domain that still replicates SYSVOL with FRS, so any
domain still using FRS must be migrated to DFS-R with dfsrmig.exe.

Distributed File System Replication (DFS-R):

A domain created at the Windows Server 2008 domain functional level or higher uses DFS-R for
SYSVOL automatically. A domain that was raised from an earlier functional level keeps FRS
until an administrator runs the dfsrmig.exe migration, which moves the domain through the
states Start, Prepared, Redirected and Eliminated.

File Replication Service vs. Distributed File System Replication.

DFS-R serves the same purpose as FRS and adds self-healing to recover from the journal-wrap
and morphed-folder problems that FRS was prone to. The major difference is efficiency:
instead of replicating whole files, DFS-R uses Remote Differential Compression (RDC), which
splits a file into chunks, computes a Message Digest 4 (MD4) hash of each chunk, and sends
only the chunks whose hashes differ. DFS-R also does not need the inbound and outbound logs
that FRS used: replication partners exchange version vectors to work out which files each
side is missing.
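The following PowerShell function is an added example and is not part of the original SOP. It reports which engine replicates SYSVOL in this domain and whether the local DC is actually sharing SYSVOL and NETLOGON, which is the check to run before trusting that a GPO change has reached a given DC. It assumes it is run on a writable domain controller (Windows Server 2012 or later, for Get-SmbShare) with the ActiveDirectory module available; dfsrmig.exe, the subscription object classes and the service names are the real ones used by Windows.

```powershell
# Added example (not from the SOP): report how SYSVOL is replicated in this domain
# and whether this DC is sharing it. Assumes: run on a writable DC (Windows Server
# 2012 or later) with the ActiveDirectory module present.
Import-Module ActiveDirectory

function Get-SysvolReplicationState {
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME

    # dfsrmig.exe records the FRS -> DFS-R migration state for the whole domain:
    # 0 Start (FRS), 1 Prepared, 2 Redirected, 3 Eliminated (DFS-R only).
    $global = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '

    # Each DC carries a subscription object for the engine it actually uses,
    # beneath its own computer object; check which one exists here.
    $dfsr = Get-ADObject -SearchBase $dc.ComputerObjectDN -SearchScope Subtree -LDAPFilter '(objectClass=msDFSR-Subscription)'
    $frs  = Get-ADObject -SearchBase $dc.ComputerObjectDN -SearchScope Subtree -LDAPFilter '(objectClass=nTFRSSubscriber)'

    [pscustomobject]@{
        DomainController   = $dc.HostName
        DfsrMigrationState = $global
        UsesDfsr           = [bool]$dfsr
        UsesFrs            = [bool]$frs
        DfsrService        = (Get-Service -Name 'DFSR'  -ErrorAction SilentlyContinue).Status
        FrsService         = (Get-Service -Name 'NtFrs' -ErrorAction SilentlyContinue).Status
        SysvolShared       = [bool](Get-SmbShare -Name 'SYSVOL'   -ErrorAction SilentlyContinue)
        NetlogonShared     = [bool](Get-SmbShare -Name 'NETLOGON' -ErrorAction SilentlyContinue)
    }
}

$state = Get-SysvolReplicationState
$state | Format-List
if ($state.UsesFrs -and -not $state.UsesDfsr) {
    Write-Warning 'SYSVOL is still replicated by FRS; plan a dfsrmig.exe migration to DFS-R.'
}
if (-not ($state.SysvolShared -and $state.NetlogonShared)) {
    Write-Warning 'SYSVOL or NETLOGON is not shared on this DC; it will not serve Group Policy.'
}
```

A DC whose replication engine has not finished its initial synchronisation does not share SYSVOL at all, so the two share flags are the quickest indication that the DC is serving stale or no policy.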


FSMO Roles (Flexible Single Master Operation)

FSMO (Flexible Single Master Operations) roles, also known as operations master roles, are
specific roles assigned to domain controllers in a Microsoft Active Directory (AD)
environment. Each role is responsible for a unique and critical function within the AD
infrastructure that must not be performed by more than one DC at a time.
Active Directory allows object creations, updates and deletions to be committed to any
writable domain controller (DC). This is possible because every DC (except read-only DCs)
maintains a writable copy of its own domain's partition. Once a change is committed, it is
replicated automatically to the other DCs through a process called multi-master replication.
However, certain Active Directory operations are so sensitive that their execution is
restricted to a specific DC. Active Directory addresses these situations through a special
set of roles that are assigned to DCs. Microsoft now calls them "operations master roles,"
but they are more commonly referred to by their original name: flexible single master
operation (FSMO) roles.

Purpose of FSMO Roles;

Multi-master replication means two domain controllers can accept conflicting changes at the
same time. Active Directory resolves most such conflicts automatically (the later write
wins), but for a few operations that is not acceptable: two DCs handing out the same block of
RIDs would create duplicate SIDs, two conflicting schema changes could corrupt the directory,
and two domains with the same name could be added to the forest. FSMO roles remove the
conflict by allowing only one DC at a time to perform each of those operations.


Five FSMO roles in AD;

- Relative ID (RID) Master (domain level)
- Primary Domain Controller (PDC) Emulator (domain level)
- Infrastructure Master (domain level)
- Domain Naming Master (forest level)
- Schema Master (forest level)

PDC Emulator: The PDC Emulator was originally needed for backward compatibility with
Windows NT backup domain controllers, but it still does work that matters today. It is the
authoritative time source for the domain (and, in the forest root domain, for the whole
forest); password changes and account lockouts are replicated to it first, so a DC that
rejects a logon with a stale password checks with the PDC Emulator before failing it; it is
the DC on which the Group Policy Management Console edits GPOs by default; and it handles
legacy (downlevel) authentication requests. Of the five roles, its loss is noticed soonest.

RID Master: Every security principal's SID is the domain SID followed by a relative
identifier (RID). Each DC creates users, groups and computers from its own pool of RIDs; the
RID Master allocates those pools (500 RIDs at a time by default) and ensures that no two DCs
receive overlapping ranges, which is what keeps SIDs unique across the domain. If the RID
Master is unavailable, a DC can keep creating objects only until its current pool is used up.


Infrastructure Master: The Infrastructure Master updates references from objects in its
domain to objects in other domains (for example a group whose members are users of another
domain) when those referenced objects are renamed or moved. It does this by comparing its
data with a global catalog. If the Infrastructure Master is itself a global catalog it never
sees a stale reference and performs no updates, so in a multi-domain forest the role should
be held by a DC that is not a global catalog unless every DC in the domain is one. The role
has nothing to do in a single-domain forest, and once the Active Directory Recycle Bin is
enabled every DC updates these references itself.


Domain Naming Master: The Domain Naming Master is the only DC on which domains (and
application directory partitions) can be added to or removed from the forest. Because a
single DC performs these operations, two domains with the same name can never be created and
partition references stay consistent across the forest.

Schema Master: The Schema Master is the only DC that accepts writes to the Active Directory
schema, which defines the object classes and attributes the directory can store. Schema
extensions (for example adprep /forestprep before introducing a newer Windows Server
version, or an application's schema update) are made on the Schema Master and replicated
from there to every DC in the forest. A schema change cannot be undone (schema objects can
only be deactivated, never deleted), so the role is normally kept on a well-protected DC in
the forest root domain.


Identifying FSMO Role Owners.

To identify the DCs that own FSMO roles, run netdom query fsmo at a command prompt, or in
PowerShell read the SchemaMaster and DomainNamingMaster properties returned by Get-ADForest
and the PDCEmulator, RIDMaster and InfrastructureMaster properties returned by Get-ADDomain.
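The following PowerShell function is an added example and is not part of the original SOP. Beyond listing the five owners, it checks that each owner still answers on LDAP (a role held by an unreachable DC is a role that will have to be seized) and flags the Infrastructure Master placement pitfall described above. It assumes the ActiveDirectory module is available and a client that has Test-NetConnection (Windows 8 / Windows Server 2012 or later); the function name Get-FsmoRoleOwner is chosen for the example.

```powershell
# Added example (not from the SOP): list the five FSMO role owners, confirm each
# owner answers on LDAP, and flag the Infrastructure Master placement pitfall.
# Assumes: ActiveDirectory module available; Test-NetConnection (2012+).
Import-Module ActiveDirectory

function Get-FsmoRoleOwner {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $roles  = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $dom.PDCEmulator            # per domain
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    # The Infrastructure Master may sit on a GC only if every DC in the domain is a GC.
    $allDcsAreGc = -not (Get-ADDomainController -Filter * -Server $Domain |
                         Where-Object { -not $_.IsGlobalCatalog })

    foreach ($entry in $roles.GetEnumerator()) {
        $owner = Get-ADDomainController -Identity $entry.Value
        $note  = ''
        if ($entry.Key -eq 'InfrastructureMaster' -and $owner.IsGlobalCatalog -and
            $forest.Domains.Count -gt 1 -and -not $allDcsAreGc) {
            $note = 'Infrastructure Master is a GC while some DCs are not: cross-domain references will go stale'
        }
        [pscustomobject]@{
            Role            = $entry.Key
            Scope           = if ($entry.Key -in 'SchemaMaster','DomainNamingMaster') { 'forest' } else { 'domain' }
            Owner           = $entry.Value
            Site            = $owner.Site
            IsGlobalCatalog = $owner.IsGlobalCatalog
            LdapReachable   = Test-NetConnection -ComputerName $entry.Value -Port 389 -InformationLevel Quiet
            Note            = $note
        }
    }
}

Get-FsmoRoleOwner | Format-Table -AutoSize
```

Run it once per domain in a multi-domain forest (pass -Domain); the two forest-wide rows will be the same each time, the three domain rows will differ.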

Transferring FSMO Roles.


FSMO roles often remain assigned to the domain controller that first held them (the first DC
installed in a forest holds all five). However, it can be desirable or even necessary to
transfer FSMO roles from one domain controller to another, for example before demoting or
decommissioning the owner. Transferring a role requires that both the source domain
controller and the target domain controller be online and functional. If the DC that owns a
role you want to reassign is permanently unavailable, the role must be seized rather than
transferred; seizure is a separate procedure (ntdsutil.exe, or the PowerShell cmdlet with
-Force), and a DC whose roles have been seized must never be returned to service without
first removing its metadata from the directory.

One method of transferring an FSMO role is simply to demote the DC that owns the role, but
this is not an optimal strategy. When a DC is demoted, it will attempt to transfer any FSMO
roles it owns to suitable DCs in the same site. Domain-level roles can be transferred only to
DCs in the same domain, but forest-level roles can be transferred to any suitable DC in the
forest. While there are rules that govern how the DC being demoted decides where to transfer
its roles, there is no way to directly control where they end up. The ideal method of moving
an FSMO role is to transfer it deliberately using the Management Console, PowerShell or
ntdsutil.exe. During a manual transfer, the source DC synchronizes with the target DC before
handing over the role.


Privileges Required.

To transfer an FSMO role, the account performing the transfer must be a member of the
following group(s).

To transfer this FSMO role                           The account must be a member of
Schema Master                                        Schema Admins and Enterprise Admins
Domain Naming Master                                 Enterprise Admins
PDC Emulator, RID Master or Infrastructure Master    Domain Admins in the domain where the
                                                     role is being transferred

How to transfer FSMO roles using the management console.

Transferring the schema master role.

The Schema Master role can be transferred using the Active Directory Schema
Management snap-in as explained below.

Prerequisite: If this snap-in is not among the available Management Console snap-ins, it
will need to be registered. To do so, open an elevated command prompt and enter the
following command:

regsvr32 schmmgmt.dll

To transfer the Schema Master role:

1. Run the Management Console as a user who is a member of the Schema Admins
group, and add the Active Directory Schema snap-in to the Management Console.


2. Right-click the Active Directory Schema node and select Change Active Directory
Domain Controller. Choose the DC that the Schema Master FSMO role will be
transferred to and click OK to bind the Active Directory Schema snap-in to that DC.
(A warning may appear explaining that the snap-in will not be able to make changes
to the schema because it is not connected to the Schema Master.)

3. Right-click the Active Directory Schema node again and select Operations Master.
Then click the Change button to begin the transfer of the Schema Master role to the
specified DC, and confirm when prompted.


Transferring the Domain Naming Master Role.

The Domain Naming Master role can be transferred using the Active Directory
Domains and Trusts Management Console snap-in.

1. Run the Management Console as a user who is a member of the Enterprise
Admins group, and add the Active Directory Domains and Trusts snap-in to the
Management Console.

2. Right-click the Active Directory Domains and Trusts node and select Change
Active Directory Domain Controller. Choose the DC that the Domain Naming
Master FSMO role will be transferred to, and click OK to bind the Active
Directory Domains and Trusts snap-in to that DC.


3. Right-click the Active Directory Domains and Trusts node again and
select Operations Master. Click the Change button to begin the transfer of the
Domain Naming Master role to the selected DC.


Transferring RID master, Infrastructure master or PDC emulator role.

The RID Master, Infrastructure Master and PDC Emulator roles can all be
transferred using the Active Directory Users and Computers Management Console
snap-in as follows.

1. Run the Management Console as a user who is a member of the Domain Admins
group in the domain where the FSMO role is being transferred, and add the Active
Directory Users and Computers snap-in to the Management Console.

2. Right-click either the Domain node or the Active Directory Users and Computers
node and select Change Active Directory Domain Controller. Choose the domain
controller that the FSMO role will be transferred to and click OK to bind the Active
Directory Users and Computers snap-in to that DC.


3. Right-click the Active Directory Users and Computers node and click Operations
Masters. Select the appropriate tab and click Change to begin the transfer of the
FSMO role to the selected DC.

How to transfer FSMO roles using PowerShell.

You can transfer FSMO roles with the Move-ADDirectoryServerOperationMasterRole cmdlet from
the ActiveDirectory module: name the target DC with -Identity and one or more roles with
-OperationMasterRole. Adding -Force seizes the role instead of transferring it and is only
for the case where the current owner is permanently gone.
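The following PowerShell function is an added example and is not part of the original SOP. It wraps the transfer cmdlet so that the operation refuses a read-only target, records the owners before and after, and reports whether each requested role actually moved; with -Seize it performs the seizure path. It assumes it is run as a member of the group the Privileges Required table names for the role, and the wrapper name Move-FsmoRole and the DC names in the usage comment are chosen for the example.

```powershell
# Added example (not from the SOP): transfer (or, with -Seize, seize) FSMO roles
# with the ActiveDirectory module, recording the owners before and after.
# Assumes: run with the group membership required for the role; Move-FsmoRole
# is a wrapper name chosen for this example.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize   # only when the current owner is permanently gone
    )
    $target = Get-ADDomainController -Identity $TargetDC
    if ($target.IsReadOnly) { throw "$TargetDC is a read-only DC and cannot hold FSMO roles." }

    # Current owners come from the forest object (forest-wide roles) or the
    # domain object (domain roles); the property names match the role names.
    function Get-Owners {
        $f = Get-ADForest
        $d = Get-ADDomain -Identity $target.Domain
        $o = [ordered]@{}
        foreach ($r in $Role) {
            $o[$r] = if ($r -in 'SchemaMaster','DomainNamingMaster') { $f.$r } else { $d.$r }
        }
        $o
    }
    $before = Get-Owners

    if ($Seize) {
        # -Force seizes without contacting the old owner. That DC must never be
        # brought back online as a DC; remove its metadata instead.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        # A transfer synchronises with the current owner first, so both DCs must be online.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
    }

    $after = Get-Owners
    foreach ($r in $Role) {
        [pscustomobject]@{
            Role   = $r
            Before = $before[$r]
            After  = $after[$r]
            Moved  = ($after[$r] -eq $target.HostName)
        }
    }
}

# Usage (assumed DC name): move the three domain roles to DC02 and expect Moved = True for each.
# Move-FsmoRole -TargetDC 'dc02.corp.example' -Role PDCEmulator, RIDMaster, InfrastructureMaster
```

The before/after table is the record to attach to the change ticket; a row with Moved = False after a transfer means the source DC could not be reached and the transfer, not a seizure, should be retried once it is.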


Forest Wide FSMO Roles.

The two forest-wide FSMO (Flexible Single Master Operation) roles, Schema Master and Domain
Naming Master, perform critical functions that affect the entire forest. Each exists exactly
once in the forest, on a DC in whichever domain the administrator chooses (by default the
first DC installed in the forest root domain), and is not specific to any individual domain.

Domain Specific FSMO Roles.

The three domain-level FSMO (Flexible Single Master Operation) roles, PDC Emulator, RID
Master and Infrastructure Master, perform critical functions that affect only one domain.
Unlike the forest-wide roles, every domain in the forest has its own set of these three
roles, held by domain controllers of that domain.
