This is a continuation to my previous post on AD FSMO roles. I had to wrap that up in a hurry as I was distracted by other things.
Identifying the FSMO role holders
Easiest would be to use netdom
or dcdiag
:
1 2 3 4 5 6 7 |
C:\>netdom query fsmo Schema master WIN-DC01.rakhesh.local Domain naming master WIN-DC01.rakhesh.local PDC WIN-DC01.rakhesh.local RID pool manager WIN-DC01.rakhesh.local Infrastructure master WIN-DC01.rakhesh.local The command completed successfully. |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
C:\>dcdiag /test:KnowsOfRoleHolders /v /n:rakhesh.local ... Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,C N=Sites,CN=Configuration,DC=rakhesh,DC=local Role Domain Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,C N=Sites,CN=Configuration,DC=rakhesh,DC=local Role PDC Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=S ites,CN=Configuration,DC=rakhesh,DC=local Role Rid Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=S ites,CN=Configuration,DC=rakhesh,DC=local Role Infrastructure Update Owner = CN=NTDS Settings,CN=WIN-DC01,CN=Serv ers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local ......................... WIN-DC01 passed test KnowsOfRoleHolders ... |
You could also use ntdsutil
(if you can remember the long commands!)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
C:\>ntdsutil ntdsutil: roles fsmo maintenance: connections server connections: connect to domain rakhesh.local Binding to \\WIN-DC01.rakhesh.local ... Connected to \\WIN-DC01.rakhesh.local using credentials of locally logged on use r. server connections: quit fsmo maintenance: select operation target select operation target: list roles for connected server Server "\\WIN-DC01.rakhesh.local" knows about 5 roles Schema - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configura tion,DC=rakhesh,DC=local Naming Master - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Co nfiguration,DC=rakhesh,DC=local PDC - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuratio n,DC=rakhesh,DC=local RID - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuratio n,DC=rakhesh,DC=local Infrastructure - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=C onfiguration,DC=rakhesh,DC=local select operation target: quit fsmo maintenance: quit ntdsutil: quit |
The overall idea with all these commands is the same. You connect to a specified server or any sever in a specified domain. Then you query that server for the FSMO roles it knows of.
If PowerShell is your friend, then the Get-ADDomain
and Get-ADForest
cmdlets are your friends. The output of these cmdlets show you the current FSMO role holders:
1 2 3 4 5 6 7 8 9 10 11 12 |
PS> Get-ADForest | select *Master* DomainNamingMaster SchemaMaster ------------------ ------------ WIN-DC01.rakhesh.local WIN-DC01.rakhesh.local PS> Get-ADDomain | select *Master*,*PDC* InfrastructureMaster RIDMaster PDCEmulator -------------------- --------- ----------- WIN-DC01.rakhesh.local WIN-DC01.rakhesh.local WIN-DC01.rakhesh.local |
Finally, if a GUI is your weapon of choice, there’s three different places you will have to look:
- In AD Users and Computers, right click the domain and select “Operations Masters”. This will show the RID Master, PDC, and Infrastructure Master – the three domain specific FSMOs.
- In AD Domains and Trusts, right click on AD Domains and Trusts and select “Operations Masters”. This will show the Domain Naming Master.
- Open a command prompt or run window, type
regsvr32 schmmgmt.dll
, then open MMC, add a snap-in called AD Schema and open it, and then right click on AD Schema and select “Operations Masters”. This will show the Schema Master.
Transferring FSMO role holders
With a GUI transferring role holders is easy. In each of the screens above when you view the role holder there’s also an option to change it.
To transfer/ seize a role with ntdsutil
you first connect to the DC that will now hold the role, and issue a transfer/ seize command. As the names imply transfer is a “clean” way of moving the role, while seize is a seizing of the role. You seize roles when the DC that currently has the role is down/ unreachable and you can’t wait for a graceful transfer. For example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
C:\>ntdsutil ntdsutil: roles fsmo maintenance: connections server connections: connect to server WIN-DC02.rakhesh.local Binding to \\WIN-DC02.rakhesh.local ... Connected to \\WIN-DC02.rakhesh.local using credentials of locally logged on use r. server connections: quit fsmo maintenance: seize pdc Attempting safe transfer of PDC FSMO before seizure. FSMO transferred successfully - seizure not required. Server "win-dc02" knows about 5 roles Schema - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configura tion,DC=rakhesh,DC=local Naming Master - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Co nfiguration,DC=rakhesh,DC=local PDC - CN=NTDS Settings,CN=WIN-DC02,CN=Servers,CN=KOTTAYAM,CN=Sites,CN=Configurat ion,DC=rakhesh,DC=local RID - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuratio n,DC=rakhesh,DC=local Infrastructure - CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=C onfiguration,DC=rakhesh,DC=local fsmo maintenance: |
When you attempt a seize, ntdsutil
attempts a transfer first and if that succeeds then a transfer is done instead of a seize.
Things are much easier with PowerShell. One cmdlet, and you are done:
1 2 3 4 5 |
PS> Move-ADDirectoryServerOperationMasterRole -Identity WIN-DC03 -OperationMasterRole RIDMaster Move Operation Master Role Do you want to move role 'RIDMaster' to server 'WIN-DC03.rakhesh.local' ? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): |
A neat thing about this cmdlet is that you don’t have to necessarily specify the role name. Each role has a number associated with it so you could simply specify the number instead of the role name as a parameter.
- PDCEmulator is 0
- RIDMaster is 1
- InfrastructureMaster is 2
- SchemaMaster is 3
- DomainNamingMaster is 4
This is quite convenient when you want to specify multiple roles to be moved. Much easier typing -OperationMasterRole 1,2,3
than -OperationMasterRole RIDMaster,InfrastructureMaster,SchemaMaster
.
I prefer ntdsutil
over PowerShell as it gives confirmation and so I know the transfer/ seize has succeeded.
The fsMORoleOwner
attribute
The commands above show how to view and/ or transfer FSMO roles. But where exactly is the information on various roles stored in AD? Many places actually …
There is an attribute called fsMORoleOwner
. Different locations have this attribute present, and the value of this attribute at these locations indicate which DC holds a particular role. (The attribute can be viewed using ADSI Edit or PowerShell).
- In the domain partition, the
DC=domainName
container has this attribute. The value there points to the DC with the PDC Emulator role.
12345678PS> Get-ADObject "DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC02,CN=Servers,CN=KOTTAYAM,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : rakheshObjectClass : domainDNSObjectGUID : 6583a216-68d3-48f4-8145-01162042ccdf - In the domain partition, the
CN=Infrastructure,DC=domainName
container has this attribute. The value there points to the DC with the Infrastructure Master role.
12345678PS> Get-ADObject "CN=Infrastructure,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=Infrastructure,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : InfrastructureObjectClass : infrastructureUpdateObjectGUID : 79233b08-2c94-4d16-9ab6-d419ddf5d033 - In the domain partition, the
CN=RID Manager$,CN=System,DC=domainName
container has this attribute. The value there points to the DC with the RID Master role.
12345678PS> Get-ADObject "CN=RID Manager$,CN=System,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=RID Manager$,CN=System,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC03,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : RID Manager$ObjectClass : rIDManagerObjectGUID : 5279fa8b-b5cb-47dd-be2e-8c6fc6247624 - In the configuration partition, the
CN=Schema,CN=Configuration,DC=forestRootDomain
container has this attribute. The value there points to the DC with the Schema Master role.
12345678PS> Get-ADObject "CN=Schema,CN=Configuration,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=Schema,CN=Configuration,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : SchemaObjectClass : dMDObjectGUID : 520b243c-0506-48f8-a5d1-e24253cfbd18 - Lastly, in the configuration partition, the
CN=Partitions,CN=Configuration,DC=forestRootDomain
container has this attribute. The value there points to the DC with the Domain Naming Master role.
12345678PS> Get-ADObject "CN=Partitions,CN=Configuration,DC=rakhesh,DC=local" -Properties fsMORoleOwnerDistinguishedName : CN=Partitions,CN=Configuration,DC=rakhesh,DC=localfsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=localName : PartitionsObjectClass : crossRefContainerObjectGUID : 16e5e9d7-fdb8-4dd6-9b09-7a32fcb9ee04
What this means is that you can change this attribute and effectively transfer the FSMO role from one DC to another. For instance:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# Note the current role holder PS> Get-ADObject "DC=rakhesh,DC=local" -Properties fsMORoleOwner DistinguishedName : DC=rakhesh,DC=local fsMORoleOwner : CN=NTDS Settings,CN=WIN-DC02,CN=Servers,CN=KOTTAYAM,CN=Sites,CN=Configuration,DC=rakhesh,DC=local Name : rakhesh ObjectClass : domainDNS ObjectGUID : 6583a216-68d3-48f4-8145-01162042ccdf # Change the attribute PS> Set-ADObject "DC=rakhesh,DC=local" -Replace @{fsMORoleOwner="CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local"} # Confirm attribute change PS> Get-ADObject "DC=rakhesh,DC=local" -Properties fsMORoleOwner DistinguishedName : DC=rakhesh,DC=local fsMORoleOwner : CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local Name : rakhesh ObjectClass : domainDNS ObjectGUID : 6583a216-68d3-48f4-8145-01162042ccdf # Double check via netdom C:\> netdom query fsmo Schema master WIN-DC01.rakhesh.local Domain naming master WIN-DC01.rakhesh.local PDC WIN-DC01.rakhesh.local RID pool manager WIN-DC03.rakhesh.local Infrastructure master WIN-DC01.rakhesh.local The command completed successfully. |
That said I wouldn’t generally transfer/ seize roles this way. For one, I am not sure whether ntdsutil
and/ or PowerShell does anything else behind the scenes (maybe replicate the change with priority?). For another, occasionally I have got errors like “The role owner attribute could not be read
” when trying to change the attribute. These errors seem to be related to corrupt DC entries in FSMO roles, so don’t push your luck. (Or maybe I wasn’t connecting to the DC currently holding that role – not sure. You have to be connected to the DC holding the role to change this attribute).
Another thing to keep in mind is that after you transfer/ seize a role the change has to update through out the domain. Once you think of it in terms of the attributes above that makes sense. When a change is made the attribute is updated and that update as to replicate throughout the domain for other DCs to know.
Lastly, I hadn’t realized this before, but FSMO roles apply to each application partition too. They are not only for the domain partitions (as I had previously thought). To transfer/ seize FSMO roles of application partitions one must update the attribute directly as above.
That’s all for now!
Update: When a DC holding one of the FSMO roles comes online after a reboot it will do an initial sync with its partners before advertising itself as a DC. During this initial sync it will check the fsMORoleOwner
attribute to verify that it is still the FSMO role holder. If it still it, it will start advertising its services; if not, it will stop advertising that role. More here …