Transferring and Seizing FSMO Roles

Transferring a FSMO role to another system is a rather painless process. Because all of the domain controllers within a domain have identical data within the Active Directory database, when you transfer a FSMO role, you are simply changing a flag that specifies that one domain controller can control the master operation and the other cannot.

Seizing a FSMO role has serious implications. If you are going to take this drastic step, you must commit yourself and make sure that the original role holder is never reintroduced onto the network. Reintroducing it could cause serious problems within your Active Directory infrastructure.

The following sections discuss the methods you can use to identify the systems that currently hold the master operations roles, and the methods you can use to make sure the domain controller identified as the standby server can take over a role.

Identifying the Current Role Holder

There are several ways to identify which domain controller is holding a FSMO role. With some of these options, you will be able to see all of the role holders at one time; with others, you are forced to view them separately.

Built-in Active Directory Tools

You can view which domain controllers host four of the five roles by using the Active Directory Users and Computers (ADUC) and Active Directory Domains and Trusts (ADDT) snap-ins. Using ADUC, you can identify the PDC Emulator, RID Master, and Infrastructure Master role holders. ADDT will allow you to identify the Domain Naming Master. To get to the screen shown in Figure 17.8, you need to open ADUC, right-click on the domain name, and select Operations Masters.

Figure 17.9 shows the Domain Naming Master when you choose the Operations Masters option from the context menu available when you right-click the Active Directory Domains and Trusts label within the ADDT snap-in.

Figure 17.8

FSMO roles listing in Active Directory Users and Computers

Figure 17.9

Domain Naming Master role as seen in Active Directory Domains and Trusts

Active Directory Schema The Active Directory Schema snap-in is listed separately because it is not available by default. To access this snap-in, you must register its associated dynamic link library (DLL). To do so, type regsvr32 schmmgmt.dll at the run line or at a command prompt. After you receive a message stating that the DLL is registered, you can add the snap-in to a Microsoft Management Console (MMC). You can view the Schema Master role holder, as shown in Figure 17.10, by right-clicking the Active Directory Schema container within the MMC and selecting Operations Master.

ReplMon This tool was discussed in Chapter 15, "Microsoft's Troubleshooting Methodology for Active Directory." In addition to the benefits that we introduced in that chapter, ReplMon has the ability to view the role holders within the domain. When you add a monitored server to the console, you can view its properties by right-clicking on the server and choosing Properties. As shown in Figure 17.11, you can view all five of the role holders from the FSMO Roles tab. Note the naming convention for the RID Master (Rid Pool) and Domain Naming Master (Domain Tree Operations).

Figure 17.10

Schema Master role as seen in Active Directory Schema snap-in

Command-Line Options

Some command-line utilities allow you to identify the role holders. The first, netdom, will show you all of the role holders at the same time. The second, dsquery, will allow you to find individual roles when you ask for them. The DCDiag utility will show you all of the roles. The final utility is from the Windows Server resource kit, dumpfsmos.cmd.

netdom The netdom command syntax that will report the role holders is as follows:

netdom query fsmo /domain:zygort.lcl

Of course, you would replace zygort.lcl with your domain name. This will return a list of all of the role holders.

Figure 17.11

Identifying the roles using ReplMon

dsquery To find individual role holders with the dsquery command, use the following commands:

♦ To find the Schema Master: dsquery server -hasfsmo schema

♦ To find the Domain Naming Master: dsquery server -hasfsmo name

♦ To find the Infrastructure Master: dsquery server -hasfsmo infr

♦ To find the RID Master: dsquery server -hasfsmo rid

♦ To find the PDC Emulator: dsquery server -hasfsmo pdc

DCDiag The DCDiag utility is used as follows:

dcdiag /test:knowsofroleholders /v

Because the verbose switch (/v) is used, this command will return the role holders and give you information on each.

dumpfsmos.cmd The dumpfsmos.cmd utility from the Windows Server resource kit is a small script that actually starts NTDSUtil and issues the appropriate commands to return a list of the role holders. The syntax for this command is:

dumpfsmos.cmd zygort.lcl

Of course, you would want to replace zygort.lcl with the name of the domain you are querying against.
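The same information the netdom, dsquery and DCDiag commands above return can be gathered with the ActiveDirectory PowerShell module. The following is an added example, not from the book or from Microsoft's documentation: it assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the domain. The first function lists all five role holders; the second asks every domain controller in the domain for its own view of the roles and reports disagreements, which is the check dcdiag /test:knowsofroleholders performs. The function names are my own.

```powershell
# Added example: list the FSMO role holders and confirm every DC agrees on them.
# Assumes the ActiveDirectory module is available (RSAT or a domain controller).
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Server)   # optional: ask one specific DC for its view of the roles
    $p = @{}
    if ($Server) { $p['Server'] = $Server }
    $domain = Get-ADDomain @p   # domain-wide roles
    $forest = Get-ADForest @p   # forest-wide roles
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Each DC should report the same holders; a DC that disagrees or cannot be reached
# is a replication or availability problem worth investigating before any transfer.
function Test-FsmoConsistency {
    $reference = Get-FsmoRoleHolder
    $problems  = @()
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $view = Get-FsmoRoleHolder -Server $dc.HostName
        } catch {
            $problems += "$($dc.HostName): unreachable ($($_.Exception.Message))"
            continue
        }
        foreach ($role in $reference.Keys) {
            if ($view[$role] -ne $reference[$role]) {
                $problems += "$($dc.HostName) reports $role = $($view[$role]); reference says $($reference[$role])"
            }
        }
    }
    if ($problems.Count -eq 0) { 'All domain controllers agree on the FSMO role holders.' } else { $problems }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
Test-FsmoConsistency
```

Run it from a member server or DC that can reach all domain controllers; any line other than the "all agree" message means the DCs' knowledge of the roles is out of step, which is exactly the situation you want to resolve before transferring or seizing anything.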

Transferring the Role to Another Domain Controller

If you are demoting a role holder, be sure to transfer the role to another domain controller, preferably the domain controller you have designated as the standby role holder. Doing so will guarantee that you are transferring the role to the appropriate domain controller instead of allowing dcpromo to choose another domain controller on its own. Remember: it is always better to have control over these things than to allow chance to control your organization. (If you are taking a domain controller offline permanently, whether it is a role holder or not, you should demote it so that the references to the domain controller are removed from Active Directory.)

Transferring the role to another domain controller is a very simple process. Using the snap-ins that we discussed in the "Identifying the Current Role Holder" section, you can simply connect to the domain controller that you want to be the new role holder, choose the Operations Master option to view the role holder, and click Change. Look back at Figure 17.8 and note that the snap-in is currently connected to the domain controller rosebud.zygort.lcl. The RID Master role is currently held by milquetoast.zygort.lcl. When you click the Change button, the role will be transferred to milquetoast.zygort.lcl.

You can also use NTDSUtil to transfer the roles. To do so, start a command prompt and enter the ntdsutil command. Once the ntdsutil: prompt appears, enter the following commands:

1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.

2. At the fsmo maintenance: prompt, type connections to enter server connections.

3. At the server connections: prompt, type connect to server domain_controller, where domain_controller is the name of the domain controller to which you are going to transfer the role.

4. At the server connections: prompt, type quit to enter fsmo maintenance.

5. At the fsmo maintenance: prompt, type one of the following to transfer the appropriate role:

♦ To transfer the Schema Master: transfer schema master

♦ To transfer the Domain Naming Master: transfer domain naming master

♦ To transfer the Infrastructure Master: transfer infrastructure master

♦ To transfer the RID Master: transfer rid master

♦ To transfer the PDC Emulator: transfer PDC

After you have transferred the role, type quit twice to exit NTDSUtil. You can then use one of the aforementioned utilities to verify that the role was transferred to the appropriate domain controller.

Seizing the Role on the Standby Domain Controller

You should have already designated another domain controller as the standby server in case a role holder becomes unavailable. If you have configured the original role holder and the standby as replication partners, there is a very good chance they are completely synchronized with one another. If the original role holder becomes unavailable and you deem it necessary to have the standby server become the role holder, you can seize the role on the standby server. Again, this is a drastic measure and should be performed only if you are certain the original role holder is not going to be reintroduced on the network.

To seize a role, follow steps 1 through 4 as outlined in the preceding section, "Transferring the Role to Another Domain Controller." Once you have connected to the domain controller that will become the role holder, use one of the following commands from the NTDSUtil fsmo maintenance: prompt:

♦ To seize the Schema Master: seize schema master

♦ To seize the Domain Naming Master: seize domain naming master

♦ To seize the Infrastructure Master: seize infrastructure master

♦ To seize the RID Master: seize rid master

♦ To seize the PDC Emulator: seize PDC

Now that the role has been seized, type quit twice to exit NTDSUtil. Verify that the role has been taken over by the new role holder. If the original system is repaired and could be used again, make sure you reformat the system and reinstall the operating system. This will guarantee that you will not introduce problems within Active Directory by having a rogue role holder in place.
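Both the NTDSUtil transfer procedure and the seize procedure above map onto one PowerShell cmdlet, Move-ADDirectoryServerOperationMasterRole, where the -Force switch turns a transfer into a seizure. The following is an added example, not from the book or from Microsoft: it assumes the ActiveDirectory module and an account with the rights the role needs (Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, Domain Admins for the rest). The function refuses to seize while the current holder still answers an LDAP query, since a transfer is the safe option whenever that is possible, and it verifies the result with a fresh query rather than trusting the cmdlet's silence. The function name, the parameter names and the server name milquetoast are illustrative.

```powershell
# Added example: transfer an operations master role, or seize it only when the
# current holder is demonstrably gone. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [Parameter(Mandatory)][string]$Target,   # the standby DC, e.g. 'milquetoast'
        [switch]$Seize                            # only when the original holder will never return
    )
    $forestRoles = 'SchemaMaster','DomainNamingMaster'
    $current = if ($Role -in $forestRoles) { (Get-ADForest).$Role } else { (Get-ADDomain).$Role }
    $targetDc = Get-ADDomainController -Identity $Target -ErrorAction Stop   # fails if Target is not a DC

    if (-not $Seize) {
        # Normal transfer: the current holder must be online to hand the role over.
        Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole $Role -Confirm:$false
    } else {
        # Refuse to seize while the holder still responds to LDAP; transfer instead.
        $alive = $false
        try {
            $null = Get-ADDomainController -Identity $current -Server $current -ErrorAction Stop
            $alive = $true
        } catch { }
        if ($alive) { throw "$current still responds; transfer the $Role rather than seizing it." }
        Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole $Role -Force -Confirm:$false
    }

    # Verify with a fresh query, the equivalent of re-running netdom query fsmo afterwards.
    $after = if ($Role -in $forestRoles) { (Get-ADForest).$Role } else { (Get-ADDomain).$Role }
    if ($after -ne $targetDc.HostName) {
        throw "$Role is held by $after, expected $($targetDc.HostName)"
    }
    "$Role moved from $current to $after"
}

# Transfer while both DCs are online (the usual case, e.g. before demoting the holder):
Move-FsmoRole -Role RIDMaster -Target 'milquetoast'

# Seize on the standby after the original holder is gone for good:
# Move-FsmoRole -Role RIDMaster -Target 'milquetoast' -Seize
```

After a seizure the old holder's references still have to be removed from the directory (the orphaned-object cleanup the text refers to Chapter 14 for), and the seized machine must not be brought back online with its old directory database.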

The PDC Emulator and Infrastructure roles are designed for "graceful seizure." This means that the old role holders can be brought back online after a seizure with no ill effects. If a domain controller does go offline and you are not going to reintroduce it to the network, be sure to remove all references to the domain controller within Active Directory. See Chapter 14 for information on removing orphaned objects.


Responses

  • Kerstin
    What is the correct syntax which will list the FSMO role holders?
    8 years ago
  • ida
    How to transfer RID role from windows server 2008?
    8 years ago
  • liisi
    How to seize infrastructure master role server 2008 using gui?
    8 years ago
  • giusy
    What is schema master and domain master?
    6 years ago
  • bellina
    How can I show Schema master?
    6 years ago
  • Tyyne
    Which utility allows to check fsmo roles?
    3 years ago
  • Aatos Savonheimo
    What is seizing a fsmo role?
    10 months ago