This is a continuation to my previous post on AD FSMO roles. I had to wrap that up in a hurry as I was distracted by other things.
Identifying the FSMO role holders
Easiest would be to use netdom or dcdiag:
|
1 2 3 4 5 6 7 |
C:\>netdom query fsmo Schema master WIN-DC01.rakhesh.local Domain naming master WIN-DC01.rakhesh.local PDC WIN-DC01.rakhesh.local RID pool manager WIN-DC01.rakhesh.local Infrastructure master WIN-DC01.rakhesh.local The command completed successfully. |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
C:\>dcdiag /test:KnowsOfRoleHolders /v /n:rakhesh.local ... Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,C N=Sites,CN=Configuration,DC=rakhesh,DC=local Role Domain Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,C N=Sites,CN=Configuration,DC=rakhesh,DC=local Role PDC Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=S ites,CN=Configuration,DC=rakhesh,DC=local Role Rid Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=S ites,CN=Configuration,DC=rakhesh,DC=local Role Infrastructure Update Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Serv ers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local ......................... WIN-DC01 passed test KnowsOfRoleHolders ... |
You could also use ntdsutil (if you can remember the long commands!)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
C:\>ntdsutil ntdsutil: roles fsmo maintenance: connections server connections: connect to domain rakhesh.local Binding to \\WIN-DC01.rakhesh.local ... Connected to \\WIN-DC01.rakhesh.local using credentials of locally logged on use r. server connections: quit fsmo maintenance: select operation target select operation target: list roles for connected server Server "\\WIN-DC01.rakhesh.local" knows about 5 roles Schema - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configura tion,DC=rakhesh,DC=local Naming Master - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Co nfiguration,DC=rakhesh,DC=local PDC - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuratio n,DC=rakhesh,DC=local RID - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuratio n,DC=rakhesh,DC=local Infrastructure - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=C onfiguration,DC=rakhesh,DC=local select operation target: quit fsmo maintenance: quit ntdsutil: quit |
The overall idea with all these commands is the same. You connect to a specified server or any sever in a specified domain. Then you query that server for the FSMO roles it knows of.
If PowerShell is your friend, then the Get-ADDomain and Get-ADForest cmdlets are your friends. The output of these cmdlets show you the current FSMO role holders:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
PS> Get-ADForest | select *Master* DomainNamingMaster SchemaMaster ------------------ ------------ WIN-DC01.rakhesh.local WIN-DC01.rakhesh.local PS> Get-ADDomain | select *Master*,*PDC* InfrastructureMaster RIDMaster PDCEmulator -------------------- --------- ----------- WIN-DC01.rakhesh.local WIN-DC01.rakhesh.local WIN-DC01.rakhesh.local |
Finally, if a GUI is your weapon of choice, there’s three different places you will have to look:
- In AD Users and Computers, right click the domain and select “Operations Masters”. This will show the RID Master, PDC, and Infrastructure Master – the three domain specific FSMOs.
- In AD Domains and Trusts, right click on AD Domains and Trusts and select “Operations Masters”. This will show the Domain Naming Master.
- Open a command prompt or run window, type
regsvr32 schmmgmt.dll, then open MMC, add a snap-in called AD Schema and open it, and then right click on AD Schema and select “Operations Masters”. This will show the Schema Master.
Transferring FSMO role holders
With a GUI transferring role holders is easy. In each of the screens above when you view the role holder there’s also an option to change it.
To transfer/ seize a role with ntdsutil you first connect to the DC that will now hold the role, and issue a transfer/ seize command. As the names imply transfer is a “clean” way of moving the role, while seize is a seizing of the role. You seize roles when the DC that currently has the role is down/ unreachable and you can’t wait for a graceful transfer. For example:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
C:\>ntdsutil ntdsutil: roles fsmo maintenance: connections server connections: connect to server WIN-DC02.rakhesh.local Binding to \\WIN-DC02.rakhesh.local ... Connected to \\WIN-DC02.rakhesh.local using credentials of locally logged on use r. server connections: quit fsmo maintenance: seize pdc Attempting safe transfer of PDC FSMO before seizure. FSMO transferred successfully - seizure not required. Server "win-dc02" knows about 5 roles Schema - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configura tion,DC=rakhesh,DC=local Naming Master - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Co nfiguration,DC=rakhesh,DC=local PDC - CN=NTDS Settings,CN=WIN-DC02,CN=Servers,CN=KOTTAYAM,CN=Sites,CN=Configurat ion,DC=rakhesh,DC=local RID - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuratio n,DC=rakhesh,DC=local Infrastructure - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=C onfiguration,DC=rakhesh,DC=local fsmo maintenance: |
When you attempt a seize, ntdsutil attempts a transfer first and if that succeeds then a transfer is done instead of a seize.
Things are much easier with PowerShell. One cmdlet, and you are done:
|
1 2 3 4 5 |
PS> Move-ADDirectoryServerOperationMasterRole -Identity WIN-DC03 -OperationMasterRole RIDMaster Move Operation Master Role Do you want to move role 'RIDMaster' to server 'WIN-DC03.rakhesh.local' ? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): |
A neat thing about this cmdlet is that you don’t have to necessarily specify the role name. Each role has a number associated with it so you could simply specify the number instead of the role name as a parameter.
- PDCEmulator is 0
- RIDMaster is 1
- InfrastructureMaster is 2
- SchemaMaster is 3
- DomainNamingMaster is 4
This is quite convenient when you want to specify multiple roles to be moved. Much easier typing -OperationMasterRole 1,2,3 than -OperationMasterRole RIDMaster,InfrastructureMaster,SchemaMaster.
I prefer ntdsutil over PowerShell as it gives confirmation and so I know the transfer/ seize has succeeded.
The fsMORoleOwner attribute
The commands above show how to view and/ or transfer FSMO roles. But where exactly is the information on various roles stored in AD? Many places actually …
There is an attribute called fsMORoleOwner. Different locations have this attribute present, and the value of this attribute at these locations indicate which DC holds a particular role. (The attribute can be viewed using ADSI Edit or PowerShell).
- In the domain partition, the
DC=domainNamecontainer has this attribute. The value there points to the DC with the PDC Emulator role.
12345678PS> Get-ADObject "DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC02,CN=Servers,CN=KOTTAYAM,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : rakheshObjectClass : domainDNSObjectGUID : 6583a216-68d3-48f4-8145-01162042ccdf - In the domain partition, the
CN=Infrastructure,DC=domainNamecontainer has this attribute. The value there points to the DC with the Infrastructure Master role.
12345678PS> Get-ADObject "CN=Infrastructure,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=Infrastructure,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : InfrastructureObjectClass : infrastructureUpdateObjectGUID : 79233b08-2c94-4d16-9ab6-d419ddf5d033 - In the domain partition, the
CN=RID Manager$,CN=System,DC=domainNamecontainer has this attribute. The value there points to the DC with the RID Master role.
12345678PS> Get-ADObject "CN=RID Manager$,CN=System,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=RID Manager$,CN=System,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC03,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : RID Manager$ObjectClass : rIDManagerObjectGUID : 5279fa8b-b5cb-47dd-be2e-8c6fc6247624 - In the configuration partition, the
CN=Schema,CN=Configuration,DC=forestRootDomaincontainer has this attribute. The value there points to the DC with the Schema Master role.
12345678PS> Get-ADObject "CN=Schema,CN=Configuration,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=Schema,CN=Configuration,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : SchemaObjectClass : dMDObjectGUID : 520b243c-0506-48f8-a5d1-e24253cfbd18 - Lastly, in the configuration partition, the
CN=Partitions,CN=Configuration,DC=forestRootDomaincontainer has this attribute. The value there points to the DC with the Domain Naming Master role.
12345678PS> Get-ADObject "CN=Partitions,CN=Configuration,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=Partitions,CN=Configuration,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : PartitionsObjectClass : crossRefContainerObjectGUID : 16e5e9d7-fdb8-4dd6-9b09-7a32fcb9ee04
What this means is that you can change this attribute and effectively transfer the FSMO role from one DC to another. For instance:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# Note the current role holder PS> Get-ADObject "DC=rakhesh,DC=local" -Properties fsMORoleOwner DistinguishedName : DC=rakhesh,DC=local fsMORoleOwner : CN=NTDS Settings,CN=WIN-DC02,CN=Servers,CN=KOTTAYAM,CN=Sites,CN=Configuration,DC=rakhesh,DC=local Name : rakhesh ObjectClass : domainDNS ObjectGUID : 6583a216-68d3-48f4-8145-01162042ccdf # Change the attribute PS> Set-ADObject "DC=rakhesh,DC=local" -Replace @{fsMORoleOwner="CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local"} # Confirm attribute change PS> Get-ADObject "DC=rakhesh,DC=local" -Properties fsMORoleOwner DistinguishedName : DC=rakhesh,DC=local fsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local Name : rakhesh ObjectClass : domainDNS ObjectGUID : 6583a216-68d3-48f4-8145-01162042ccdf # Double check via netdom C:\> netdom query fsmo Schema master WIN-DC01.rakhesh.local Domain naming master WIN-DC01.rakhesh.local PDC WIN-DC01.rakhesh.local RID pool manager WIN-DC03.rakhesh.local Infrastructure master WIN-DC01.rakhesh.local The command completed successfully. |
That said I wouldn’t generally transfer/ seize roles this way. For one, I am not sure whether ntdsutil and/ or PowerShell does anything else behind the scenes (maybe replicate the change with priority?). For another, occasionally I have got errors like “The role owner attribute could not be read” when trying to change the attribute. These errors seem to be related to corrupt DC entries in FSMO roles, so don’t push your luck. (Or maybe I wasn’t connecting to the DC currently holding that role – not sure. You have to be connected to the DC holding the role to change this attribute).
Another thing to keep in mind is that after you transfer/ seize a role the change has to update through out the domain. Once you think of it in terms of the attributes above that makes sense. When a change is made the attribute is updated and that update as to replicate throughout the domain for other DCs to know.
Lastly, I hadn’t realized this before, but FSMO roles apply to each application partition too. They are not only for the domain partitions (as I had previously thought). To transfer/ seize FSMO roles of application partitions one must update the attribute directly as above.
That’s all for now!
Update: When a DC holding one of the FSMO roles comes online after a reboot it will do an initial sync with its partners before advertising itself as a DC. During this initial sync it will check the fsMORoleOwner attribute to verify that it is still the FSMO role holder. If it still it, it will start advertising its services; if not, it will stop advertising that role. More here …