SysVol Folder & FSMO Roles
SOP # 5
The SysVol folder stores a domain's public files, which are replicated to each domain
controller. It is the repository for all of the Active Directory files. It stores all the
important elements of Active Directory Group Policy. It cannot be hidden or disabled.
Replication: The contents of the SYSVOL folder, including Group Policy Objects,
scripts, and other files, are replicated among all domain controllers in a domain. This
ensures that changes made to GPOs are distributed and available to all domain
controllers, which then propagate those changes to the client computers within the
domain.
Group Policy Objects (GPOs): The SYSVOL folder is primarily associated with Group
Policy Objects. GPOs are sets of policies and configurations that are applied to user and
computer objects within an Active Directory domain. These policies define various
settings, such as security policies, software installation rules, and desktop configurations.
The SYSVOL folder stores the GPO templates and related files.
File Structure: Within the SYSVOL folder, there are several subfolders and files.
Policies: This folder contains the GPOs and their associated files. Each GPO has a
unique folder named with a Globally Unique Identifier (GUID).
Scripts: This folder stores logon and logoff scripts that are executed when users log in or
log off from their computers.
Staging: This folder is used during the replication process to temporarily store changes
before they are applied to the SYSVOL folder.
Domain: This folder contains domain-specific information, including scripts and other
files related to the domain's functionality.
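As an added example (not part of this SOP), the following PowerShell maps each GUID-named folder under the domain's SYSVOL Policies share to the GPO it belongs to, and flags folders with no GPO as well as GPOs with no folder. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and the machine is joined to the domain being audited.

```powershell
# Added example, not from the SOP. Assumes the ActiveDirectory and GroupPolicy
# RSAT modules are installed and the machine is joined to the domain being audited.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-SysvolPolicyFolderReport {
    param(
        [string]$DomainName = (Get-ADDomain).DNSRoot
    )
    # Policies live under \\<domain>\SYSVOL\<domain>\Policies, one {GUID} folder per GPO
    $policiesPath = "\\$DomainName\SYSVOL\$DomainName\Policies"

    # Index the GPOs the directory knows about, keyed by the same {GUID} form the folders use
    $gpoByGuid = @{}
    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        $gpoByGuid["{$($gpo.Id.ToString().ToUpper())}"] = $gpo
    }

    $seen = @{}
    foreach ($folder in Get-ChildItem -Path $policiesPath -Directory) {
        $key = $folder.Name.ToUpper()
        # PolicyDefinitions is the central ADMX store, not a GPO folder
        if ($key -eq 'POLICYDEFINITIONS') { continue }
        $seen[$key] = $true

        $gpo    = $gpoByGuid[$key]
        $status = if ($gpo) { 'OK' } else { 'ORPHANED' }   # folder with no GPO object behind it
        $name   = if ($gpo) { $gpo.DisplayName } else { '<no matching GPO>' }
        [pscustomobject]@{
            Folder       = $folder.Name
            DisplayName  = $name
            Status       = $status
            LastModified = $folder.LastWriteTime
        }
    }

    # GPO objects whose SYSVOL folder is absent on this share (often a replication problem)
    foreach ($key in $gpoByGuid.Keys) {
        if (-not $seen.ContainsKey($key)) {
            [pscustomobject]@{
                Folder       = $key
                DisplayName  = $gpoByGuid[$key].DisplayName
                Status       = 'MISSING FOLDER'
                LastModified = $null
            }
        }
    }
}

# Grouped by status so orphaned and missing entries stand out from the healthy ones
Get-SysvolPolicyFolderReport | Sort-Object Status, Folder | Format-Table -AutoSize
```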
SysVol Replication.
The SYSVOL folder exists to be replicated to all domain controllers throughout the
domain. Two replication technologies are used to replicate the SYSVOL folder: File
Replication Service (FRS) and DFS Replication (DFS-R).
File Replication Service (FRS):
FRS is a multi-master, multi-threaded replication technology, and it still works with
Microsoft Windows Server 2008 R2 and later operating systems.
DFS Replication (DFS-R):
DFSR functions in nearly the same way as FRS, and Microsoft added some auto-healing
functions to remedy some of the issues that FRS was prone to. The major difference
between DFS-R and FRS is that instead of replicating whole files, DFSR only replicates
the chunks of data that have changed, which is achieved by creating a Message Digest
version 4 (MD4) hash of the file. That makes DFS-R a much more efficient replication
protocol than FRS. The inbound and outbound logs are not required in DFSR, as
replication partners exchange version vectors to identify which files have to be
replicated between them.
PDC Emulator: The PDC Emulator role is crucial for backward compatibility with
earlier versions of Windows NT. It provides consistent time synchronization, acts as the
primary domain controller for password changes and authentication, and handles certain
types of legacy authentication requests.
RID Master: The RID Master role is responsible for assigning unique security identifiers
(SIDs) to objects, such as users, groups, and computers, within a domain. Each object's
SID is a combination of a domain SID and a RID, and the RID Master ensures the
uniqueness of RIDs across the domain.
Infrastructure Master: The Infrastructure Master role tracks object references within a
domain and between domains in a multi-domain environment. It ensures that object
references are kept up to date when objects are renamed or moved across domains.
Domain Naming Master: The Domain Naming Master role manages the addition or
removal of domains in a forest. It ensures that domain names within a forest remain
unique and prevents conflicts when new domains are added or removed.
Schema Master: The Schema Master role controls updates to the Active Directory
schema. The schema defines the structure and attributes of objects stored in the directory.
The Schema Master role is responsible for accepting and replicating schema changes
across the entire forest.
To identify the DCs that own FSMO roles, you can enter the following at the Command
Prompt or in PowerShell.
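As an added example (not the SOP's own commands), this PowerShell lists the five role holders using both methods the SOP names, and marks any holder that is no longer one of the forest's domain controllers. It assumes the ActiveDirectory RSAT module and netdom.exe are available on a domain-joined machine.

```powershell
# Added example, not from the SOP. Assumes the ActiveDirectory RSAT module and
# netdom.exe are available and the machine is joined to the forest being queried.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest

    # Every writable DC in the forest, so a role holder that is no longer a DC can be spotted
    $allDCs = foreach ($d in $forest.Domains) {
        (Get-ADDomain -Identity $d).ReplicaDirectoryServers
    }

    # Forest-wide roles are attributes of the forest object, domain roles of the domain object
    $roles = @(
        @{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
        @{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
        @{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $dom.PDCEmulator }
        @{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $dom.RIDMaster }
        @{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $dom.InfrastructureMaster }
    )
    foreach ($r in $roles) {
        $status = if ($allDCs -contains $r.Holder) { 'OK' } else { 'CHECK: holder is not a current DC' }
        [pscustomobject]@{ Role = $r.Role; Scope = $r.Scope; Holder = $r.Holder; Status = $status }
    }
}

# PowerShell method
Get-FsmoRoleHolders | Format-Table -AutoSize

# Command Prompt method; netdom.exe can also be run from this PowerShell session
netdom query fsmo
```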
One method of transferring a FSMO role is to simply demote the DC that owns the role,
but this is not an optimal strategy. When a DC is demoted, it will attempt to transfer any
FSMO roles it owns to suitable DCs in the same site. Domain-level roles can be
transferred only to DCs in the same domain, but enterprise-level roles can be transferred
to any suitable DC in the forest. While there are rules that govern how the DC being
demoted will decide where to transfer its FSMO roles, there is no way to directly control
where its FSMO roles will be transferred. The ideal method of moving an FSMO role is
to actively transfer it using either the Management Console, PowerShell or ntdsutil.exe.
During a manual transfer, the source DC will synchronize with the target DC before
transferring the role.
Privileges Required.
PDCE, RID Master or Infrastructure Master: Domain Admins in the domain where the
role is being transferred.
The Schema Master role can be transferred using the Active Directory Schema
Management snap-in as explained below.
Prerequisite: If this snap-in is not among the available Management Console snap-ins, it
will need to be registered. To do so, open an elevated command prompt and enter the
following command:
regsvr32 schmmgmt.dll
1. Run the Management Console as a user who is a member of the Schema Admins
group, and add the Active Directory Schema snap-in to the Management Console.
2. Right-click the Active Directory Schema node and select Change Active Directory
Domain Controller. Choose the DC that the Schema Master FSMO role will be
transferred to and click OK to bind the Active Directory Schema snap-in to that DC.
(A warning may appear explaining that the snap-in will not be able to make changes
to the schema because it is not connected to the Schema Master.)
3. Right-click the Active Directory Schema node again and select Operations Master.
Then click the Change button to begin the transfer of the Schema Master role to the
specified DC.
The Domain Naming Master role can be transferred using the Active Directory
Domains and Trusts Management Console snap-in.
2. Right-click the Active Directory Domains and Trusts node and select Change
Active Directory Domain Controller. Choose the DC that the Domain Naming
Master FSMO role will be transferred to, and click OK to bind the Active
Directory Domains and Trusts snap-in to that DC.
3. Right-click the Active Directory Domains and Trusts node again and
select Operations Master. Click the Change button to begin the transfer of the
Domain Naming Master role to the selected DC.
The RID Master, Infrastructure Master and PDC Emulator roles can all be
transferred using the Active Directory Users and Computers Management Console
snap-in as follows.
1. Run the Management Console as a user who is a member of the Domain Admins
group in the domain where the FSMO role is being transferred, and add the Active
Directory Users and Computers snap-in to the Management Console.
2. Right-click either the Domain node or the Active Directory Users and Computers
node and select Change Active Directory Domain Controller. Choose the domain
controller that the FSMO role will be transferred to and click OK to bind the Active
Directory Users and Computers snap-in to that DC.
3. Right-click the Active Directory Users and Computers node and click Operations
Masters. Select the appropriate tab and click Change to begin the transfer of the
FSMO role to the selected DC.
You can transfer FSMO roles using the following PowerShell cmdlet.
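As an added example (not the SOP's own cmdlet listing), the function below wraps Move-ADDirectoryServerOperationMasterRole from the ActiveDirectory RSAT module: it skips roles the target already holds, performs a graceful transfer, and re-reads the role holders to confirm. 'DC02.corp.example' is a placeholder target; run it as a member of Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, or Domain Admins of the target's domain for the three domain-level roles.

```powershell
# Added example, not from the SOP. Assumes the ActiveDirectory RSAT module;
# 'DC02.corp.example' is a placeholder target DC name.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role
    )
    $domainRoles = @('PDCEmulator','RIDMaster','InfrastructureMaster')
    $target = Get-ADDomainController -Identity $TargetDC

    # Only transfer roles the target does not already hold
    $held   = [string[]]$target.OperationMasterRoles
    $toMove = $Role | Where-Object { $_ -notin $held }
    if (-not $toMove) {
        Write-Host "$($target.HostName) already holds: $($Role -join ', ')"
        return
    }

    # Graceful transfer: the source DC synchronizes with the target before handing over.
    # Do not add -Force here; -Force seizes the role instead of transferring it.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $toMove -Confirm:$false

    # Verify by re-reading the holders. Domain-level roles are looked up in the target's own
    # domain, since they can only be transferred within that domain.
    $dom    = Get-ADDomain -Identity $target.Domain
    $forest = Get-ADForest -Identity $target.Forest
    foreach ($r in $Role) {
        $holder = if ($r -in $domainRoles) { $dom.$r } else { $forest.$r }
        [pscustomobject]@{
            Role        = $r
            Holder      = $holder
            Transferred = ($holder -eq $target.HostName)
        }
    }
}

# Move the three domain-level roles to the placeholder DC and confirm the result
Move-FsmoRole -TargetDC 'DC02.corp.example' -Role PDCEmulator, RIDMaster, InfrastructureMaster |
    Format-Table -AutoSize
```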
Forest-wide FSMO (Flexible Single Master Operation) roles are specific roles in the
Active Directory infrastructure that are responsible for performing critical functions at
the forest level. These roles are unique within the entire forest and are not specific to any
individual domain.
Domain-specific FSMO (Flexible Single Master Operation) roles are specific roles in the
Active Directory infrastructure that are responsible for performing critical functions at
the domain level. Unlike the forest-wide FSMO roles, these roles are specific to
individual domains within the Active Directory forest.