
Many applications today use Active Directory.

If your application runs under a user account that belongs to a domain, or the computer it is installed on is a domain member, Active Directory can be used for authentication and for many other purposes, so the application is in some way tied to your Windows AD. If you run Windows AD in your environment, it is essential to understand the FSMO roles that keep Active Directory healthy. In this article you will learn what the roles are, what they do, and how to seize them in case of a failure.

Flexibility Schema Operations Master (FSMO) Roles in 2008 Server


As in any directory, certain tasks must be performed by a single authority. In AD 2008 such tasks are each performed by one domain controller at a time, and those tasks are jointly called the FSMO roles. There are five roles, grouped into two classes.

1. Forest Roles
Schema Master - As the name suggests, changes to the schema (the definition of object classes and their attributes) are made on a single domain controller and then replicated to the other domain controllers in your environment. Because only one domain controller can write the schema, it cannot be corrupted by several domain controllers trying to change it at once. This is one of the most important of the FSMO roles.
Domain Naming Master - This role is not used very often, only when you add or remove domain controllers. It ensures that each domain controller in the environment has a unique name.

2. Domain Roles
Infrastructure Master - This role checks the domain for changes to any objects and, when it finds any, replicates them to the other domain controllers.
RID Master - This role ensures that each security principal receives a unique identifier.
PDC Emulator - This role is responsible for account policies such as client password changes and for time synchronization in the domain.

Where are these roles configured?

1. Domain-wide roles are configured in Active Directory Users and Computers: right-click the domain and choose Operations Master.
2. The forest role Domain Naming Master is configured in Active Directory Domains and Trusts: right-click and choose Operations Master. The dialog shows you the current role holder.
3. The forest role Schema Master is deliberately not accessible from any of the standard tools, because editing the schema can cause serious problems in an Active Directory environment. To gain access you need to register the DLL with regsvr32 schmmgmt.dll and then create an MMC snap-in.

Seizing of Roles
If the server holding a role fails, you need to seize the role. This is how it is done:

For Schema Master:

Open a command prompt and type ntdsutil.
1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
2. At the fsmo maintenance: prompt, type connections to enter server connections.
3. At the server connections: prompt, type connect to server DomainController, where DomainController is the name of the domain controller to which you are going to transfer the role.
4. At the server connections: prompt, type quit to return to fsmo maintenance.
5. At the fsmo maintenance: prompt, type seize schema master. After you have seized the role, type quit to exit ntdsutil.

For Domain Naming Master:

Open a command prompt and type ntdsutil.
1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
2. At the fsmo maintenance: prompt, type connections to enter server connections.
3. At the server connections: prompt, type connect to server DomainController, where DomainController is the name of the domain controller to which you are going to transfer the role.
4. At the server connections: prompt, type quit to return to fsmo maintenance.
5. At the fsmo maintenance: prompt, type seize domain naming master. After you have seized the role, type quit to exit ntdsutil.

For Infrastructure Master Role:

Open a command prompt and type ntdsutil.
1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
2. At the fsmo maintenance: prompt, type connections to enter server connections.
3. At the server connections: prompt, type connect to server DomainController, where DomainController is the name of the domain controller to which you are going to transfer the role.
4. At the server connections: prompt, type quit to return to fsmo maintenance.
5. At the fsmo maintenance: prompt, type seize infrastructure master. After you have seized the role, type quit to exit ntdsutil.

For RID Master Role:

Open a command prompt and type ntdsutil.
1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
2. At the fsmo maintenance: prompt, type connections to enter server connections.
3. At the server connections: prompt, type connect to server DomainController, where DomainController is the name of the domain controller to which you are going to transfer the role.
4. At the server connections: prompt, type quit to return to fsmo maintenance.
5. At the fsmo maintenance: prompt, type seize RID master. After you have seized the role, type quit to exit ntdsutil.

For PDC Emulator Role:

Open a command prompt and type ntdsutil.
1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
2. At the fsmo maintenance: prompt, type connections to enter server connections.
3. At the server connections: prompt, type connect to server DomainController, where DomainController is the name of the domain controller to which you are going to transfer the role.
4. At the server connections: prompt, type quit to return to fsmo maintenance.
5. At the fsmo maintenance: prompt, type seize PDC. After you have seized the role, type quit to exit ntdsutil.
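The five ntdsutil procedures above can be driven from one script that first records who holds each role and then seizes only the roles the failed controller held. This is an added example and not code from the original article; it assumes the failed holder is DC01 and the survivor is DC02 (placeholder names) and that the ActiveDirectory PowerShell module is available (RSAT, Windows Server 2008 R2 or later).

```powershell
# Added example, not code from the original article. Assumes the failed role
# holder was DC01 and the surviving DC that will take over is DC02 (both
# placeholder names), and that the ActiveDirectory PowerShell module is
# available (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory
$FailedDC   = 'DC01'
$SurvivorDC = 'DC02'

function Get-FsmoHolders {
    # Returns a role -> holder table for all five roles of the current
    # domain and its forest, the same facts 'netdom query fsmo' prints.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 1. Record the current holders before changing anything, so the seizure is
#    auditable and you seize only the roles the dead DC actually held.
$before = Get-FsmoHolders
$before.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

$toSeize = @($before.GetEnumerator() |
    Where-Object { $_.Value -like "$FailedDC.*" -or $_.Value -eq $FailedDC } |
    ForEach-Object { $_.Key })

if ($toSeize.Count -eq 0) {
    Write-Warning "$FailedDC holds no FSMO role; nothing to seize."
    return
}

# 2. Seize. Without -Force the cmdlet attempts a clean transfer (the same
#    result as the snap-in steps the article describes); -Force falls back
#    to seizure when the old holder cannot be reached, which is the
#    ntdsutil 'seize ...' case. Seize only what is needed.
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivorDC `
    -OperationMasterRole $toSeize -Force -Confirm:$false

# 3. Verify and keep the output with the change record. The old holder must
#    never be brought back onto the network after a seizure; rebuild it and
#    clean up its metadata, otherwise two DCs would claim the same role.
Get-FsmoHolders
```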

The five FSMO roles are:
1. Schema Master
2. Domain Naming Master
3. Infrastructure Master
4. Relative ID (RID) Master
5. PDC Emulator

The FSMO roles are going to be transferred using the following three MMC snap-ins:
Active Directory Schema snap-in: used to transfer the Schema Master role
Active Directory Domains and Trusts snap-in: used to transfer the Domain Naming Master role
Active Directory Users and Computers snap-in: used to transfer the RID Master, PDC Emulator, and Infrastructure Master roles

Note: The following steps are done on the Windows Server 2008 machine that I intend to set as the roles holder (transfer the roles to it).

Let's start transferring the FSMO roles.

Using Active Directory Schema snap-in to transfer the Schema Master role

You have to register schmmgmt.dll in order to be able to use the Active Directory Schema snap-in.

1. Click Start > Run

2. Type regsvr32 schmmgmt.dll

3. Click OK

A popup message will confirm that schmmgmt.dll was successfully registered. Click OK.

4. Click Start > Run, type mmc, then click OK

5. Click File > then click Add/Remove Snap-in...

6. From the left side, under Available Snap-ins, click on Active Directory Schema, then click Add > and then click OK

7. Right click Active Directory Schema, then click Change Active Directory Domain Controller...

8. From the listed Domain Controllers, click on the domain controller that you want to be the schema master role holder and then click on OK

You will receive a message box stating that the schema snap-in is not connected to a schema operations master. That is expected, as we have not yet set this Windows Server 2008 domain controller as the Schema Master role holder; this will be done in the next step. Click OK

9. In the console tree, right click Active Directory Schema [DomainController.DomainName], and then click Operations Master...

10. On the Change Schema Master page, the current schema master role holder is displayed (ex. ELMAJ-DC.ELMAJDAL.NET) as well as the targeted schema holder (ex. ELMAJ-DC2K8.ELMAJDAL.NET). Click Change; the schema master holder will become ELMAJ-DC2K8.ELMAJDAL.NET

Click Yes to confirm the role transfer

The role will be transferred and a confirmation message will be displayed. Click OK

Then click Close. As you can see in the snapshot below, the current schema master is now ELMAJ-DC2K8.ELMAJDAL.NET

Using Active Directory Domains and Trusts snap-in to transfer the Domain Naming Master Role

1. Click Start > Administrative Tools > then click Active Directory Domains and Trusts

2. Right click Active Directory Domains and Trusts, then click Change Active Directory Domain Controller...

3. From the listed Domain Controllers, click on the domain controller that you want to be the Domain Naming master role holder and then click on OK

4. Right click Active Directory Domains and Trusts, then click Operations Master...

5. On the Operations Master page, we are going to change the Domain Naming role holder from ELMAJ-DC.ELMAJDAL.NET to ELMAJ-DC2K8.ELMAJDAL.NET, Click Change

Click YES to confirm the transfer of the Domain Naming role

The role will be transferred and a confirmation message will be displayed. Click OK, then click Close

Till now, we have successfully transferred two FSMO roles, the Schema Master role and the Domain Naming role. The last three roles can be transferred using a single snap-in.

Using Active Directory Users and Computers snap-in to transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

1. Click Start > Administrative Tools > then click Active Directory Users and Computers

2. Right click Active Directory Users and Computers, then click All Tasks > Operations Master...

3. You will have three Tabs, representing three FSMO roles (RID, PDC, Infrastructure). Click the Change button under each of these three tabs to transfer the roles.

Click Yes to confirm the role transfer

The role will be transferred and a confirmation message will be displayed. Click OK

As for the Infrastructure role, once you click the Change button you will receive the message shown below.

By default, the first Domain Controller you install holds all five roles and is also a Global Catalog. If your environment is a multi-domain forest, you should think about structuring your FSMO roles and transfer the Infrastructure role to a non-Global Catalog domain controller. If you only have a small number of domain controllers (ex. two domain controllers), you need not worry about this. Click Yes

4. The Tabs should now look like this:

That's it. By now, you have successfully transferred the five FSMO roles to the Windows Server 2008 Domain Controller.

Summary

There are five FSMO roles in a forest; to transfer any of these roles you have to use the appropriate Active Directory snap-in. In my next article, I will be showing you the complete steps required to successfully migrate/upgrade your domain controller to a new hardware server.
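The Infrastructure Master warning described in step 3 is worth checking automatically after any transfer. The check below is an added example and not code from the original article; it goes slightly beyond the article's rule by also treating the case where every domain controller is a Global Catalog as acceptable (the Infrastructure Master then has nothing to correct). It assumes the ActiveDirectory PowerShell module is available and discovers all names itself.

```powershell
# Added example, not code from the original article. Flags an Infrastructure
# Master that sits on a Global Catalog in a multi-domain forest, unless every
# DC in the domain is a GC (in which case the placement is harmless).
# Assumes the ActiveDirectory module is available; no names are assumed.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    $imHost = $domain.InfrastructureMaster
    $im     = Get-ADDomainController -Identity $imHost

    # All DCs of this domain, and whether each one is a Global Catalog
    $dcs   = Get-ADDomainController -Filter * -Server $DomainName
    $allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $multi = $forest.Domains.Count -gt 1

    [pscustomobject]@{
        Domain               = $DomainName
        InfrastructureMaster = $imHost
        IsGlobalCatalog      = $im.IsGlobalCatalog
        MultiDomainForest    = $multi
        AllDCsAreGC          = $allGC
        # Only a problem when: more than one domain, the IM is a GC, and
        # not every DC is a GC (the article's "move it to a non-GC" case)
        NeedsAttention       = ($multi -and $im.IsGlobalCatalog -and -not $allGC)
    }
}

# Run for the current domain; NeedsAttention = True means move the role
Test-InfrastructureMasterPlacement | Format-List
```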
