What if a domain controller fails? Operations Masters (FSMO role holders) perform special tasks that exactly one Domain Controller in an Active Directory forest or domain is allowed to carry out. If the Domain Controller holding such a role fails, the role must be taken over by another Domain Controller. If the takeover does not take place, problems will arise sooner or later. There are five roles: two forest-wide and three domain-wide.
Forest Wide Roles
Domain Naming Master
There can only be one Domain Controller in the whole forest that can add domains to the forest or remove them from it (the same applies to application partitions).
Schema Master
The Schema Master is the only Domain Controller on which the database schema can be changed. This happens, for example, when you install an Exchange Server, run adprep, or change the schema manually.
Domain Wide Roles
RID Master
The server with this role hands out blocks of RIDs (Relative Identifiers, the last part of a SID) to the other Domain Controllers (500 per block by default). Each DC consumes its block when it creates security principals (users, groups, computers) and requests a new block from the RID Master when it runs low. Because only one DC keeps track of which RIDs have been handed out, RIDs in a domain stay unique. If the RID Master is unavailable, DCs can still create objects until their local block is exhausted.
PDC Emulator
Password changes are replicated urgently to the PDC Emulator of the domain, and other DCs ask it before rejecting a logon with a password they consider wrong. The PDC Emulator is also the authoritative time source of the domain, processes account lockouts, and is the default target when Group Policy is edited. A failure of the PDC Emulator usually becomes noticeable very quickly. The PDC Emulator can face a heavy workload, so place this role on the server with the best hardware. More about FSMO placement at the end of this article.
Infrastructure Master
The Infrastructure Master is responsible for maintaining references from objects in its own domain to objects in other domains (for example members of a domain local group that live in another domain). It compares these references with a Global Catalog to detect changes to the referenced objects (renames, moves) and updates them. Caveat: if the Infrastructure Master sits on a GC, it finds no differences to update. That is harmless when every DC in the domain is a GC (the common case today); otherwise the role must not be placed on a GC.
Interim Conclusion
I have prepared a screenshot which illustrates this somewhat theoretical topic in a graphical way. Note that the Schema Master and the Domain Naming Master exist only once in the whole forest, while the three Domain Wide Roles exist once in every domain of the forest.
Who owns the role?
Open dsa.msc (Active Directory Users and Computers). Right click on your domain name and select Operations Master… This will show you all Domain Wide Roles.
Open domain.msc (Active Directory Domains and Trusts). Right click Active Directory Domains and Trusts and select Operations Master… This shows the Domain Naming Master. The Schema Master is shown in the Active Directory Schema snap-in, which has to be registered first with regsvr32 schmmgmt.dll.
Or use netdom query fsmo to show them all. Open Windows PowerShell and enter
netdom query fsmo
Get-ADForest shows only the Forest Wide Roles.
Get-ADForest | Select-Object SchemaMaster,DomainNamingMaster
Get-ADDomain shows all Domain Wide FSMO Roles.
Get-ADDomain | Select-Object RIDMaster,PDCEmulator,InfrastructureMaster
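The commands above answer the question for one domain at a time. As an added example (not part of the original article), the following function walks every domain of the forest, collects all five role holders and checks whether each holder still answers LDAP, which is exactly the condition that decides between a transfer and a seizure later on. It assumes the ActiveDirectory module (RSAT) and read access to the forest; no server names are hard-coded.

```powershell
# Added example, not from the original article: inventory every FSMO role
# holder in the forest and check whether each holder still answers LDAP.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
#Requires -Modules ActiveDirectory

function Get-FsmoHolderStatus {
    [CmdletBinding()]
    param (
        # Forest to query; defaults to the forest of the current user.
        [string]$Forest = (Get-ADForest).Name
    )

    $forestObj = Get-ADForest -Identity $Forest

    # The two forest-wide roles are stored on the forest object.
    $roles = @(
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forestObj.RootDomain; Role = 'SchemaMaster';       Holder = $forestObj.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forestObj.RootDomain; Role = 'DomainNamingMaster'; Holder = $forestObj.DomainNamingMaster }
    )

    # The three domain-wide roles exist once in every domain of the forest.
    foreach ($domainName in $forestObj.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }

    foreach ($r in $roles) {
        # Ask the holder itself (-Server) for its own DC object. If that fails,
        # the holder is down or unreachable and the role needs attention.
        $online = $false
        if ($r.Holder) {
            try {
                $null = Get-ADDomainController -Identity $r.Holder -Server $r.Holder -ErrorAction Stop
                $online = $true
            } catch {
                $online = $false
            }
        }
        [pscustomobject]@{
            Scope  = $r.Scope
            Domain = $r.Domain
            Role   = $r.Role
            Holder = $r.Holder
            Online = $online
        }
    }
}

# Usage: the full table, then only the roles whose holder is empty or unreachable.
Get-FsmoHolderStatus | Format-Table -AutoSize
Get-FsmoHolderStatus | Where-Object { -not $_.Online }
```

An empty Holder column (the role owner attribute points at a deleted DC) shows up as Online = False as well, which is the state you are left with after a DC was removed without transferring its roles.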
Moving FSMO Roles
For this purpose, either Move-ADDirectoryServerOperationMasterRole or ntdsutil is your friend. A transfer requires the current role holder to be online; -Identity names the DC that should receive the role. With ntdsutil, multi-word commands have to be quoted when they are passed on one command line.
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole RIDMaster -Identity dc01
ntdsutil "roles" "connections" "connect to server dc01" "quit" "transfer rid master" "quit" "quit"
Seizing FSMO Roles
If a DC with an FSMO role is no longer functional and cannot be restored, this role is missing in the forest or domain. In this case, the role must be forcibly taken over (seized) by another DC. Important: the former DC must never contact the domain again (otherwise: two holders of the same FSMO role in the forest/domain, good luck!). Remove it from the directory with a metadata cleanup (ntdsutil metadata cleanup, or delete its computer object in Active Directory Users and Computers and its server object in Active Directory Sites and Services) and rebuild it from scratch if you need the hardware again. 😉
Move-ADDirectoryServerOperationMasterRole -Force seizes a role: it first attempts a normal transfer and falls back to a seizure if the current holder cannot be contacted.
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole RIDMaster -Identity dc01 -Force
Alternatively, ntdsutil can be used. Use seize instead of transfer.
ntdsutil "roles" "connections" "connect to server dc01" "quit" "seize rid master" "quit" "quit"
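Transfer where you can, seize only where you must: the following function is an added example (not part of the original article) that moves any or all of the five roles to one target DC, checks for every role whether the current holder still answers, transfers in that case and seizes otherwise, and supports -WhatIf so the plan can be reviewed before anything is changed. It assumes the ActiveDirectory module and sufficient rights (Enterprise Admins for the two forest-wide roles); the target name dc02 in the usage lines is an assumption.

```powershell
# Added example, not from the original article: move FSMO roles to one target
# DC, transferring where the current holder is reachable and seizing only
# where it is not. Assumes the ActiveDirectory module and Domain/Enterprise
# Admin rights. "dc02" in the usage lines is a placeholder.
#Requires -Modules ActiveDirectory

function Invoke-FsmoFailover {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param (
        # DC that should end up holding the roles.
        [Parameter(Mandatory)]
        [string]$Target,
        # Roles to move; defaults to all five.
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string[]]$Role = @('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')
    )

    # The target must exist and answer, otherwise nothing else makes sense.
    $targetDc = Get-ADDomainController -Identity $Target -ErrorAction Stop

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $targetDc.Domain

    # Current holder of every role, read from the same objects as Get-ADForest/Get-ADDomain.
    $holder = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($r in $Role) {
        $current = $holder[$r]
        if ($current -and ($current -ieq $targetDc.HostName)) {
            Write-Verbose "$r is already held by $($targetDc.HostName)"
            continue
        }

        # Can the current holder still be reached? Then a clean transfer is possible.
        $reachable = $false
        if ($current) {
            try {
                $null = Get-ADDomainController -Identity $current -Server $current -ErrorAction Stop
                $reachable = $true
            } catch {
                $reachable = $false
            }
        }

        $action = if ($reachable) { 'Transfer' } else { 'Seize' }
        $from   = if ($current) { $current } else { '<no holder>' }
        if ($PSCmdlet.ShouldProcess("$r (current holder: $from)", "$action to $($targetDc.HostName)")) {
            if ($reachable) {
                Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole $r -Confirm:$false
            } else {
                # -Force tries a transfer first and seizes when the holder does not answer.
                Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole $r -Force -Confirm:$false
                Write-Warning "$r seized from $from. Remove $from from the directory (metadata cleanup) and never bring it back online."
            }
        }
    }
}

# Usage: dry run first, then the real thing (each role asks for confirmation).
Invoke-FsmoFailover -Target dc02 -WhatIf
Invoke-FsmoFailover -Target dc02 -Verbose
```

After a seizure, re-run the role inventory from the section above and make sure every role has exactly one holder before you do anything else with the old DC's name or hardware.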
Deep Dive into FSMO Roles
Display schema master and schema version with Get-ADObject or dsquery.
Display Schema Master
Get-ADObject "cn=Schema,cn=Configuration,dc=sid-500,dc=com" -Properties fSMORoleOwner | Select-Object fSMORoleOwner
Display Schema Version
Get-ADObject "cn=Schema,cn=Configuration,dc=sid-500,dc=com" -Properties objectVersion | Select-Object objectVersion | Format-List
dsquery * "cn=Schema,cn=Configuration,dc=sid-500,dc=com" -scope base -attr objectversion -s dc01
Show RID Pool
Query the RID Pool on the RID Master. The output line shows the range of RIDs that have not been handed out to any DC yet; the same information is stored in the rIDAvailablePool attribute of CN=RID Manager$,CN=System in the domain.
dcdiag /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
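The deep-dive commands above read three attributes by hand. As an added example (not part of the original article), the following script does that for all five roles at once: it reads fSMORoleOwner from the five objects that store the role owners, resolves the NTDS Settings DN stored there to the DC's DNS name, maps objectVersion of the schema to the Windows Server release that introduced it, and decodes rIDAvailablePool into the next free RID and the number of RIDs left. This is a useful cross-check when Get-ADDomain and the directory disagree after a seizure. It assumes the ActiveDirectory module; the server name dc01 in the usage lines is an assumption.

```powershell
# Added example, not from the original article: read FSMO owners, schema
# version and RID pool directly from the directory attributes.
# Assumes the ActiveDirectory module; "dc01" in the usage lines is a placeholder.
#Requires -Modules ActiveDirectory

# objectVersion values of the schema container per Windows Server release.
$SchemaVersions = @{
    13 = 'Windows 2000 Server';   30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';   47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016';   88 = 'Windows Server 2019/2022'
}

function Resolve-NtdsSettingsToHost {
    # fSMORoleOwner holds the DN of the holder's NTDS Settings object;
    # its parent is the server object, which carries dNSHostName.
    param ([Parameter(Mandatory)][string]$NtdsDn, [string]$Server)
    $serverDn = $NtdsDn -replace '^CN=NTDS Settings,', ''
    $p = @{ Identity = $serverDn; Properties = 'dNSHostName' }
    if ($Server) { $p.Server = $Server }
    (Get-ADObject @p).dNSHostName
}

function Get-FsmoFromDirectory {
    param ([string]$Server)
    $srv = @{}; if ($Server) { $srv.Server = $Server }
    $root     = Get-ADRootDSE @srv
    $domainDn = $root.defaultNamingContext
    $configDn = $root.configurationNamingContext

    # The object whose fSMORoleOwner attribute names the holder of each role.
    $owners = [ordered]@{
        SchemaMaster         = $root.schemaNamingContext
        DomainNamingMaster   = "CN=Partitions,$configDn"
        RIDMaster            = "CN=RID Manager`$,CN=System,$domainDn"
        PDCEmulator          = $domainDn
        InfrastructureMaster = "CN=Infrastructure,$domainDn"
    }
    foreach ($role in $owners.Keys) {
        $obj = Get-ADObject -Identity $owners[$role] -Properties fSMORoleOwner @srv
        [pscustomobject]@{
            Role     = $role
            Holder   = Resolve-NtdsSettingsToHost -NtdsDn $obj.fSMORoleOwner -Server $Server
            HolderDn = $obj.fSMORoleOwner
        }
    }
}

function Get-SchemaVersionInfo {
    param ([string]$Server)
    $srv = @{}; if ($Server) { $srv.Server = $Server }
    $schemaDn = (Get-ADRootDSE @srv).schemaNamingContext
    $v = [int](Get-ADObject -Identity $schemaDn -Properties objectVersion @srv).objectVersion
    $release = if ($SchemaVersions.ContainsKey($v)) { $SchemaVersions[$v] } else { 'unknown (newer schema)' }
    [pscustomobject]@{ ObjectVersion = $v; Release = $release }
}

function Get-RidPoolInfo {
    # rIDAvailablePool is a 64-bit value: low 32 bits = next RID to hand out,
    # high 32 bits = highest RID the domain may ever allocate.
    param ([string]$Server)
    $srv = @{}; if ($Server) { $srv.Server = $Server }
    $domainDn = (Get-ADRootDSE @srv).defaultNamingContext
    $pool = [int64](Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDn" -Properties rIDAvailablePool @srv).rIDAvailablePool
    $next = [int64]($pool -band 0xFFFFFFFF)
    $max  = [int64]($pool -shr 32)
    [pscustomobject]@{ NextRid = $next; MaxRid = $max; RidsLeft = $max - $next }
}

# Usage: query dc01 (it need not hold any role itself, the attributes replicate).
Get-FsmoFromDirectory -Server dc01 | Format-Table -AutoSize
Get-SchemaVersionInfo -Server dc01
Get-RidPoolInfo -Server dc01
```

NextRid and MaxRid correspond to the two numbers in the dcdiag line "Available RID Pool for the Domain is X to Y". If Get-FsmoFromDirectory returns an empty Holder for a role, the fSMORoleOwner attribute points at a deleted NTDS Settings object, which is the trace a DC leaves behind when it is removed without giving up its roles.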
Show Time Server of the Domain (PDC Master)
Find out the PDC Emulator with w32tm /monitor. The output marks the PDC Emulator as the time source the other DCs should follow; on the PDC Emulator itself, w32tm /query /source tells you which external source it is synchronizing with.
w32tm /monitor
See also
If you prefer German then have a look at my German Article: Active Directory FSMO Rollen (Betriebsmaster)
This article describes the general recommendations for FSMO placement:
Have fun playing with Operation Masters!
Categories: Cyber Security, PowerShell, Windows Server
Good