Saturday, November 13, 2010

Impact of the FSMO roles on Active Directory and how to manipulate them

How will losing the FSMO roles affect the usability of your domain?
Here are some considerations:
Schema role - if you lose this particular role, you can't change the schema. However, that is rarely necessary (for example, when switching from Windows Server 2003 to Windows Server 2003 R2).
Domain Naming role - you won't be able to create new domains in the forest. In most cases a single domain is all that's needed, so this rarely matters.
RID role - if you don't create a lot of objects in AD, you won't miss this role very soon (each DC keeps a pool of RIDs and only needs the RID master when the pool runs low).
Infrastructure role - if you only have a single domain, the chances are that everything will be OK.
PDC emulator - this role is critical, and you will notice the problem very soon. There will be no time synchronization, and there will also be problems with managing group policies and user passwords.

By default, all FSMO roles are placed on the first DC in the forest.

We can check which DCs currently hold the roles by following these steps:
1. Install the Support Tools from the Windows Server 2003 CD, under ./Support/Tools
2. In the Support Tools command prompt type "dumpfsmos"
That's the easy way to do this. There is also a command-line option available from any Windows 2003 member server in the domain; however, I'll skip this part.

We can move the roles between domain controllers, or even seize them if one of the role-holder DCs has gone down.

How to move or seize roles in AD:

Transferring PDC, Infrastructure and RID roles (GUI version):
  1. Connect to the desired DC with the Active Directory Users and Computers snap-in;
  2. Right-click the domain object and select "Operations Masters";
  3. Click "Change" and confirm the prompts that follow;
Transferring Schema FSMO (the user must be in the Schema Admins group):
  1. Run "cmd" and then "regsvr32 schmmgmt.dll"
  2. Run "mmc /a" and add "Active Directory Schema"
  3. Right-click the object named "Active Directory Schema" and select "Operations Master"
Transferring Domain Naming FSMO (the user must be in the Enterprise Admins group):
  1. Open Active Directory Domains and Trusts
  2. Right-click the "Active Directory Domains and Trusts" and select "Operations Master"
  3. Select "Change"

Seizing master roles:
  1. In cmd run "ntdsutil"
  2. Type "Roles"
  3. In "fsmo maintenance" type "Connections"
  4. In "server connections" type "Connect to server /servername/"
  5. Type "Quit" and you will return to "fsmo maintenance" prompt
  6. Type "Seize /fsmo_name/ master" (rid, domain naming, schema, infrastructure, pdc)
  7. Type "Quit" until you exit
The server first tries to transfer the particular role from the current master, and only if that fails does it start creating the new role holder. Of course, if the current master is offline (crashed?), the process will hang for some time and show a number of errors, but eventually the new master will be created without any notification of success.
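The following is an added example, not part of the original post, that covers both the "which DC holds which role" check above and the seize step: it lists every role holder, tests whether each one still answers, and annotates each role with the impact ranking from the top of the post. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which the 2003-era Support Tools described here do not provide; on 2003, "dumpfsmos" or "netdom query fsmo" gives the same inventory.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Impact per role, taken from the post's own ranking: PDC emulator hurts first.
$impact = @{
    PDCEmulator          = 'critical: time sync, group policy and password handling break quickly'
    RIDMaster            = 'medium: no new RID pools, object creation fails once pools run dry'
    InfrastructureMaster = 'low in a single-domain forest'
    DomainNamingMaster   = 'low: no new domains can be added to the forest'
    SchemaMaster         = 'low: no schema changes (e.g. R2 schema upgrade) possible'
}

function Get-FsmoStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $holders.Keys) {
        $dc = $holders[$role]
        # A holder that no longer answers is the "role holder went down" case from the post.
        $online = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role   = $role
            Holder = $dc
            Online = [bool]$online
            Impact = $impact[$role]
        }
    }
}

# Offline holders sort to the top so the roles that need attention are listed first.
Get-FsmoStatus | Sort-Object Online, Role | Format-Table -AutoSize

# PowerShell equivalent of the "ntdsutil ... seize" session above. -Force attempts
# a clean transfer first and seizes only if the current holder cannot be reached,
# which is the same order of operations the post describes. 'DC2' is a placeholder.
# A DC whose role was seized must not return to the network without a clean reinstall.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator -Force
```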