What if a domain controller fails? Operations Masters have special tasks which must be performed by Domain Controllers in an Active Directory domain. If a Domain Controller fails, this special role must be taken over by another Domain Controller. If the takeover does not take place, problems will arise sooner or later.
Forest Wide Roles
Domain Naming Master
There can only be one Domain Controller in the overall structure with the possibility to assign Domain names.
The schema master is contacted if you want to change the database schema. This happens, for example, when you install an Exchange Server. Or if you change the schema manually.
Domain Wide Roles
The server with this role assigns RIDs (Security Identifier) to other Domain Controllers (500 per DC). These RIDs can be used by other DC’s to create Active Directory objects. This ensures that RIDs in a domain are unique. There can only be one that keeps track of RIDs.
Changing passwords is replicated directly to the PDC emulator of the domain. The PDC emulator is also the domain time server and much more. A failure of the PDC master usually becomes noticable very quickly. The PDC Master could be faced with a heavy workload. So place this role to the server with the best hardware. More about FSMO placement at the end of this article.
The Infrastructure Master (ISM) is responsible for ensuring referential integrity between linked Active Directory objects to other domains. He contacts the GC of his own domain to detect changes of the object (for example group memberships) in other domains.
I have prepared a screenshot which illustrates this – but somewhat theoretical topic – in a graphical way. Note, that there are only 2 Domain Controllers which hold the Schema Master and Domain Naming Master. And there are 3 Domain Wide Roles per Domain.
Who owns the role?
Open dsa.msc (Active Directory Users and Computers). Right click on your domain name and select Operations Master… This will show you all Domain Wide Roles.
Open domain.msc (Active Directory Domains and Trusts). Right click Active Directory Domains and Trusts and select Operations Master…
Or use netdom query fsmo to show them all. Open Windows PowerShell and enter
netdom query fsmo
Get-ADForest show only the Forest Wide Roles.
Get-ADForest | Select Schema*,Domain*
Get-ADDomain shows all Domain Wide FSMO Roles.
Get-ADDomain | Select-Object RID*,PDC*,Infra*
Moving FSMO Roles
For this purpose, either Move-ADDirectoryServerOperationmasterRole or ntdsutil is your friend.
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole RIDMaster -Identity dc01
ntdsutil roles connections connect to server dc01 quit transfer rid master
Restoring FMSO Roles
If a DC with an FSMO role is no longer functional and cannot be restored, this role is missing in the forest or domain. In this case, the role must be “violently” taken over by another DC. Important: The former DC must never contact the domain again. (otherwise: double FSMO roles in the Forest/Domain, Good luck!). 😉
Move-ADDirectoryServerOperationMasterRole -Force moves a Role.
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole RIDMaster -Identity dc01 -Force
Alternatively, ntdsutil can be used. Use seize instead of transfer.
ntdsutil roles connect to server dc01 quit seize rid master
Deep Dive into FSMO Roles
Display schema master and schema version with Get-ADObject or dsquery.
Display Schema Master
Get-ADObject "cn=Schema,cn=Configuration,dc=sid-500,dc=com" -Properties * | Select-Object FSMO*
Display Schema Version
Get-ADObject "cn=Schema,cn=Configuration,dc=sid-500,dc=com" -Properties * | Select-Object Objectversion | Format-List
dsquery * "cn=Schema,cn=Configuration,dc=sid-500,dc=com" -scope base -attr objectversion -s dc01
Show RID Pool
Query the RID Pool on the RID Master.
dcdiag /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
Show Time Server of the Domain (PDC Master)
Find out the PDC Master with w32tm /monitor.
If you prefer German then have a look at my German Article: Active Directory FSMO Rollen (Betriebsmaster)
This article describes the general recommendations for FSMO placement:
Have fun playing with Operation Masters!
Categories: Cyber Security, PowerShell, Windows Server
LikeLiked by 1 person