View and transfer FSMO roles in Active Directory

FSMO roles are tasks that particular domain controllers perform in an Active Directory environment; they keep the directory operating correctly. Each role can be held by only one server at a time. Below are ways to check which server currently holds each FSMO role and how to transfer a role from one server to another, condensed here from various KB articles for future reference, together with a short explanation of what the roles are.

FSMO description

View role holders

- command line

- GUI

- script

Change roles

- command line

- GUI

The roles

There are five of them: three domain-wide roles and two forest-wide roles.

Domain roles

  • PDC Emulator: Where account information is most up to date. If a logon fails on some other domain controller, it is forwarded to this server before being rejected. All other computers synchronize their clocks with the PDC, so this one should sync with an external time source. It also acts as the legacy PDC for older NT servers.

  • Relative IDentifier Master: Basically assigns pools of IDs (think MACs) to the other domain controllers, which they use to create new objects (user accounts, groups, etc.). If the pools get depleted and this server is unavailable, no new objects can be created.

  • Infrastructure Master: Deals with mapping objects across domains. If you give a user from another domain access to this domain, the Infrastructure Master comes into play. As this rarely happens, it usually doesn’t see much use. Also see Global Catalog below.

Forest roles

  • Schema Master: What it says. The schema determines the types of objects permitted in the forest and the attributes of those objects.

  • Domain Naming Master: Handles domains in the forest.

There’s one more role that’s not part of the five above but interacts with some of them; any domain controller can hold it.

  • Global Catalog: Stores a replica of all the objects in its domain and a partial replica of the objects in the other domains in the forest.

So: problems logging in with a new password, clocks out of sync, password changes or account lockouts, check the PDC. Can’t create new users or groups, check the RID master. Inter-domain mapping of users and such, the Infrastructure Master. Adding/removing domains in a forest or promoting/demoting DCs, the Domain Naming Master. Schema problems, obvious.

Splitting roles between servers

Assuming multiple servers, obviously, but an AD network should have at least two in order to provide some redundancy.

PDC and RID master on the same server. This shouldn’t be a Global Catalog, unless all servers hold that role.

The Infrastructure Master should run on a server that isn’t a Global Catalog, unless there is a single domain in the forest and all controllers are Global Catalogs. Unless both of these conditions are met, the two roles should be kept on separate computers. Note that there can be only one Infrastructure Master per domain, but multiple Global Catalogs.

Schema Master and Domain Naming Master should be on the same machine, which should also be a Global Catalog.

So, given a simple network with two domain controllers, the better hardware should be PDC, RID master and Infrastructure Master, while the other one should be Schema Master, Domain Naming Master and Global Catalog. Or both of them can be GCs.

Checking who holds the roles

Command line

  1. netdom – included with Windows Server 2008; for Windows Server 2003 it has to be downloaded

    > netdom query fsmo
  2. ntdsutil

    > ntdsutil
    ntdsutil: domain management
    domain management: connections
    server connections: connect to server PDC
    Binding to PDC ...
    Connected to PDC using credentials of locally logged on user.
    server connections: quit
    domain management: select operation target
    select operation target: list roles for connected server
    Server "PDC" knows about 5 roles
    Schema - CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
    CN=Configuration,DC=domain,DC=local
    Domain - CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
    CN=Configuration,DC=domain,DC=local
    PDC - CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
    Configuration,DC=domain,DC=local
    RID - CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
    Configuration,DC=domain,DC=local
    Infrastructure - CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site
    -Name,CN=Sites,CN=Configuration,DC=domain,DC=local
    select operation target: quit
    domain management: quit
    ntdsutil: quit
    Disconnecting from PDC...


    PDC is the server name (it’s the primary domain controller), BDC is the backup and domain.local is the name of the domain. Basically you ask a certain server what it knows about the roles.

  3. dcdiag

    > dcdiag /test:Knowsofroleholders /v

GUI

  1. Active Directory Users and Computers – domain roles, see the transferring section below

  2. Active Directory Domains and Trusts – Domain Naming Master, see the transferring section below

  3. Active Directory Schema – Schema Master, see the transferring section below

  4. replmon.exe – all roles; does the same thing as ntdsutil above, i.e. asks a domain controller what it knows about the roles

Start -> Run -> replmon.exe -> Add Monitored Server (CTRL+A) -> Search directory -> Next -> Select server -> Finish -> Right click server -> Properties -> Switch to FSMO Roles tab

Script

Taken verbatim from KB235617

Option Explicit
Dim WSHNetwork, objArgs, ADOconnObj, bstrADOQueryString, RootDom, RSObj
Dim FSMOobj,CompNTDS, Computer, Path, HelpText


Set WSHNetwork = CreateObject("WScript.Network")
Set objArgs = WScript.Arguments

HelpText = "This script will find the FSMO role owners for your domain." & Chr(13) &_
           Chr(10) & "The syntax is as follows:" & Chr(13) & Chr(10) &_
           "find_fsmo DC=MYDOM,DC=COM" & Chr(13) & Chr(10) &_
           """Where MYDOM.COM is your domain name.""" & Chr(13) & Chr(10) & "OR:" &_
           Chr(13) & Chr(10) & "find_fsmo MYDCNAME " & Chr(13) & Chr(10) &_
           """Where MYDCNAME is the name of a Windows 2000 Domain Controller"""


Select Case objArgs.Count
    Case 0
        Path = InputBox("Enter your DC name or the DN for your domain"&_
                        " 'DC=MYDOM,DC=COM':","Enter path",WSHNetwork.ComputerName)
    Case 1
        Select Case UCase(objArgs(0))
            Case "?"
                WScript.Echo HelpText
                WScript.Quit
            Case "/?"
                WScript.Echo HelpText
                WScript.Quit
            Case "HELP"
                WScript.Echo HelpText
                WScript.Quit
            Case Else
                Path = objArgs(0)
        End Select
    Case Else
        WScript.Echo HelpText
        WScript.Quit
End Select




Set ADOconnObj = CreateObject("ADODB.Connection")

ADOconnObj.Provider = "ADSDSOObject"
ADOconnObj.Open "ADs Provider"


'PDC FSMO
bstrADOQueryString = "<LDAP://"&Path&">;(&(objectClass=domainDNS)(fSMORoleOwner=*));adspath;subtree"
Set RootDom = GetObject("LDAP://RootDSE")
Set RSObj = ADOconnObj.Execute(bstrADOQueryString)
Set FSMOobj = GetObject(RSObj.Fields(0).Value)
Set CompNTDS = GetObject("LDAP://" & FSMOobj.fSMORoleOwner)
Set Computer = GetObject(CompNTDS.Parent)
WScript.Echo "The PDC FSMO is: " & Computer.dnsHostName


'Rid FSMO
bstrADOQueryString = "<LDAP://"&Path&">;(&(objectClass=rIDManager)(fSMORoleOwner=*));adspath;subtree"

Set RSObj = ADOconnObj.Execute(bstrADOQueryString)
Set FSMOobj = GetObject(RSObj.Fields(0).Value)
Set CompNTDS = GetObject("LDAP://" & FSMOobj.fSMORoleOwner)
Set Computer = GetObject(CompNTDS.Parent)
WScript.Echo "The RID FSMO is: " & Computer.dnsHostName


'Infrastructure FSMO
bstrADOQueryString = "<LDAP://"&Path&">;(&(objectClass=infrastructureUpdate)(fSMORoleOwner=*));adspath;subtree"

Set RSObj = ADOconnObj.Execute(bstrADOQueryString)
Set FSMOobj = GetObject(RSObj.Fields(0).Value)
Set CompNTDS = GetObject("LDAP://" & FSMOobj.fSMORoleOwner)
Set Computer = GetObject(CompNTDS.Parent)
WScript.Echo "The Infrastructure FSMO is: " & Computer.dnsHostName


'Schema FSMO
bstrADOQueryString = "<LDAP://"&RootDom.Get("schemaNamingContext")&_
                     ">;(&(objectClass=dMD)(fSMORoleOwner=*));adspath;subtree"

Set RSObj = ADOconnObj.Execute(bstrADOQueryString)
Set FSMOobj = GetObject(RSObj.Fields(0).Value)
Set CompNTDS = GetObject("LDAP://" & FSMOobj.fSMORoleOwner)
Set Computer = GetObject(CompNTDS.Parent)
WScript.Echo "The Schema FSMO is: " & Computer.dnsHostName


'Domain Naming FSMO
bstrADOQueryString = "<LDAP://"&RootDom.Get("configurationNamingContext")&_
                     ">;(&(objectClass=crossRefContainer)(fSMORoleOwner=*));adspath;subtree"

Set RSObj = ADOconnObj.Execute(bstrADOQueryString)
Set FSMOobj = GetObject(RSObj.Fields(0).Value)
Set CompNTDS = GetObject("LDAP://" & FSMOobj.fSMORoleOwner)
Set Computer = GetObject(CompNTDS.Parent)
WScript.Echo "The Domain Naming FSMO is: " & Computer.dnsHostName

Transferring roles

Important note: there are two ways to assign roles to a new controller. One is transferring, the other is seizing. Transferring is done when the original server is still online. Seizing should be done only when the original server has crashed and will never be brought back onto the network. If it is brought back, the original server doesn’t know that its role has changed and will try to resume operation as usual, and conflicts will probably occur. If the server is about to fail but can still be accessed, dcpromo should be used to demote it from domain controller status.

Command line

> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server PRIMARY
Binding to PRIMARY ...
Connected to PRIMARY using credentials of locally logged on user.
server connections: q
fsmo maintenance: ?

  ?                             - Show this help information
  Connections                   - Connect to a specific domain controller
  Help                          - Show this help information
  Quit                          - Return to the prior menu
  Seize domain naming master    - Overwrite domain role on connected server
  Seize infrastructure master   - Overwrite infrastructure role on connected server
  Seize PDC                     - Overwrite PDC role on connected server
  Seize RID master              - Overwrite RID role on connected server
  Seize schema master           - Overwrite schema role on connected server
  Select operation target       - Select sites, servers, domains, roles and
                                  naming contexts
  Transfer domain naming master - Make connected server the domain naming master
  Transfer infrastructure master - Make connected server the infrastructure master
  Transfer PDC                  - Make connected server the PDC
  Transfer RID master           - Make connected server the RID master
  Transfer schema master        - Make connected server the schema master

fsmo maintenance: transfer pdc
  Server "PRIMARY" knows about 5 roles
  Schema - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
  CN=Configuration,DC=domname,DC=local
  Domain - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
  CN=Configuration,DC=domname,DC=local
  PDC - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Si
  tes,CN=Configuration,DC=domname,DC=local
  RID - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
  Configuration,DC=domname,DC=local
  Infrastructure - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site
  -Name,CN=Sites,CN=Configuration,DC=domname,DC=local
fsmo maintenance: transfer rid master
  Server "PRIMARY" knows about 5 roles
  Schema - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
  CN=Configuration,DC=domname,DC=local
  Domain - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
  CN=Configuration,DC=domname,DC=local
  PDC - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Si
  tes,CN=Configuration,DC=domname,DC=local
  RID - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Si
  tes,CN=Configuration,DC=domname,DC=local
  Infrastructure - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site
  -Name,CN=Sites,CN=Configuration,DC=domname,DC=local
fsmo maintenance: q
ntdsutil: q
Disconnecting from PRIMARY...

In the example above the roles of PDC and RID master are transferred from ‘BACKUP’ to ‘PRIMARY’ on the domain ‘domname.local’. A forced transfer is done the same way, only instead of transfer <role> it’s seize <role>.
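As an added example (not part of the original notes or of KB235617), the following Python checker parses a ntdsutil role listing in the format of the transcript above, re-joining the DNs that ntdsutil wraps mid-token, compares the holders with a recorded baseline so that an unplanned transfer or seize stands out during a review, and applies the role-splitting guidance from the section earlier on the page. The SAMPLE text, the BASELINE map, the Global Catalog assignments and the function names are constructed for the example.

```python
import re

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (.*)$", re.M)
OWNER_CN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),", re.I)

# Constructed sample shaped like the "transfer pdc" output above; DNs wrap mid-token.
SAMPLE = """Server "PRIMARY" knows about 5 roles
Schema - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
CN=Configuration,DC=domname,DC=local
Domain - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
CN=Configuration,DC=domname,DC=local
PDC - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=domname,DC=local
RID - CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=domname,DC=local
Infrastructure - CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=domname,DC=local
fsmo maintenance: q
"""
# Constructed baseline: the recorded holders before the PDC transfer shown above.
BASELINE = {"Schema": "BACKUP", "Domain": "BACKUP", "PDC": "BACKUP", "RID": "BACKUP", "Infrastructure": "PRIMARY"}

def parse_roles(output):
    """Map each FSMO role to the DC named in its NTDS Settings DN (last block wins)."""
    # Drop blanks, the 'Server ... knows about' header and ntdsutil prompt lines.
    kept = [l for l in map(str.strip, output.splitlines()) if l and ": " not in l and not l.startswith("Server ")]
    # Any kept line that does not start a role entry is a wrapped piece of the previous DN.
    joined = re.sub(r"\n(?!(?:Schema|Domain|PDC|RID|Infrastructure) - )", "", "\n".join(kept))
    holders = {}
    for role, dn in ROLE_LINE.findall(joined):
        owner = OWNER_CN.match(dn)
        if owner is None:
            raise ValueError("unexpected role owner DN: " + dn)
        holders[role] = owner.group(1).upper()
    return holders

def moved_roles(baseline, current):
    """Holders that differ from the baseline: expected after a planned transfer, otherwise suspect."""
    return {r: (baseline[r], current.get(r)) for r in baseline if baseline[r] != current.get(r)}

def placement_warnings(holders, global_catalogs, all_dcs_are_gc, single_domain=True):
    """Check a complete holder map against the role-splitting guidance on this page."""
    warn = []
    if holders["PDC"] != holders["RID"]:
        warn.append("PDC and RID master should be on the same server")
    if holders["Infrastructure"] in global_catalogs and not (single_domain and all_dcs_are_gc):
        warn.append("Infrastructure master is on a Global Catalog")
    if holders["Schema"] != holders["Domain"] or holders["Schema"] not in global_catalogs:
        warn.append("Schema and Domain Naming master should share one Global Catalog server")
    return warn
```

Run against the sample, the checker reports that only PDC has moved so far and that PDC and RID master are now split, which the subsequent transfer rid master resolves.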

GUI

  1. Active Directory Users and Computers – only domain roles (PDC/RID/Infrastructure)

    Control Panel -> Administrative Tools -> Active Directory Users and Computers -> All Tasks -> Operations Master…

  2. Active Directory Domains and Trusts – only Domain Naming Master

    Control Panel -> Administrative Tools -> Active Directory Domains and Trusts -> Operations Master…

  3. Active Directory Schema – Schema master

    First, register schmmgmt.dll:

    > regsvr32 schmmgmt.dll

    then check the snap-in in mmc:

    mmc.exe -> File -> Add/Remove Snap-In -> Add -> Active Directory Schema -> Add -> Close -> OK -> Active Directory Schema -> Right click -> Operations Master