Saturday, November 13, 2010

Impact of the FSMO roles on Active Directory and how to manipulate them

How will losing the FSMO roles affect the usability of your domain?
Here are some considerations:
Schema role - if you lose this role, you can't change the schema. However, that is rarely necessary (for example, when switching from Windows Server 2003 to Windows Server 2003 R2).
Domain Naming role - you won't be able to create new domains in the forest. In most cases a single domain is all you need.
RID role - if you don't create a lot of objects in AD, you won't miss this role for a while (each DC keeps issuing SIDs from the RID pool it was already allocated).
Infrastructure role - if you only have a single domain, chances are that everything will be fine.
PDC emulator - this role is critical, and you will notice its loss very soon: there will be no time synchronization, and managing group policies and user passwords will be a problem as well.

By default, all FSMO roles are placed on the first DC in the forest.

We can check which DCs currently hold the roles with the following steps:
1. Install the Support Tools from the Windows Server 2003 CD, found under ./Support/Tools
2. In a command prompt (the new cmd from suptools) type "dumpfsmos"
That's the easy way to do it. There is also a command-line option from any Windows 2003 member server in the domain, but I'll skip that part.

We can move the roles between domain controllers, or even recover them if one of the role-holder DCs has gone down.

How to move or seize roles in AD:

Transferring/seizing PDC, Infrastructure and RID roles (GUI version):
  1. Connect to the desired DC with the Active Directory Users and Computers snap-in;
  2. Right-click the domain object and select "Operations Master";
  3. Click "Change"... and accept every confirmation prompt;
Transferring the Schema FSMO (the user must be a member of the Schema Admins group):
  1. Run "cmd" and then "regsvr32 schmmgmt.dll"
  2. Run "mmc /a" and add "Active Directory Schema"
  3. Right-click the "Active Directory Schema" node and select "Operations Master"
Transferring the Domain Naming FSMO (the user must be a member of the Enterprise Admins group):
  1. Open Active Directory Domains and Trusts
  2. Right-click "Active Directory Domains and Trusts" and select "Operations Master"
  3. Select "Change"

Seizing master roles:
  1. In cmd run "ntdsutil"
  2. Type "roles"
  3. At the "fsmo maintenance" prompt type "connections"
  4. At the "server connections" prompt type "connect to server <servername>"
  5. Type "quit" and you will return to the "fsmo maintenance" prompt
  6. Type "seize <fsmo_name> master", where <fsmo_name> is one of rid, domain naming, schema, infrastructure, pdc
  7. Type "quit" until you exit
The server first tries to transfer the role from the current master, and only if that fails does it start creating the new role holder. Of course, if the current master is offline (crashed?), the process will hang for some time and show a number of errors, but eventually the new master will be created, without any notification of success.
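As an added example (not part of the original post), here is a PowerShell check that lists the five role holders and tests whether each one still answers, so you can tell up front whether a normal transfer will work or whether you are in the ntdsutil seize situation described above. It assumes the ActiveDirectory module from RSAT (Windows Server 2008 R2 or later) rather than the 2003 Support Tools; the function name Get-FsmoHolderStatus is my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT / Windows Server 2008 R2+); Get-FsmoHolderStatus is a made-up name.
Import-Module ActiveDirectory

function Get-FsmoHolderStatus {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-wide roles, three domain-wide roles (the same five the post lists).
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'RID master'            = $dom.RIDMaster
        'PDC emulator'          = $dom.PDCEmulator
        'Infrastructure master' = $dom.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]

        # Is the holder on the network, and is its directory service answering?
        # A holder that fails both is the "current master is offline" case where
        # a transfer cannot complete and a seize is the only option left.
        $ping = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        $ldap = $false
        try {
            $null = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
            $ldap = $true
        } catch { }

        if ($ldap)      { $status = 'OK (transfer possible)' }
        elseif ($ping)  { $status = 'Host up, directory service not responding' }
        else            { $status = 'Unreachable (seize candidate)' }

        [pscustomobject]@{
            Role     = $role
            Holder   = $holder
            Pingable = $ping
            LdapOk   = $ldap
            Status   = $status
        }
    }
}

Get-FsmoHolderStatus | Format-Table -AutoSize
```

With the same module, Move-ADDirectoryServerOperationMasterRole -Identity <DC> -OperationMasterRole PDCEmulator does a transfer, and adding -Force makes it a seize, the equivalent of the ntdsutil steps above.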

Thursday, November 11, 2010

Understanding FSMO roles in a Windows Server 2003 Active Directory environment

AD performs a number of functions, including authentication, user rights assignment, defining permissions on shared resources, etc. However, there are also a number of functions that stay in the shadows. These are called Flexible Single Master Operation (FSMO) roles, and they play a very important part in AD.
There are 5 FSMO roles in AD:
Schema master role
The schema is like a class in programming: it defines all the properties of the objects. In AD terms, these would be properties such as a user's name and surname. The schema master DC controls all operations on the schema and replicates any changes to the other DCs. Only one schema master DC can exist in the whole forest.
Domain naming master role
The domain naming master DC controls the addition or removal of domains in the forest. Only the holder of this master role can add or remove domains from the forest. Only one domain naming master DC can exist in the whole forest.
RID master role
When a DC creates a security principal object such as a user or group, it attaches a unique security identifier (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC emulator role
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder performs the following functions:
  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless the administrator has configured otherwise.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
There is only one PDC emulator DC for each domain.
Infrastructure role
When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in such a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

P.S. Tomorrow I would like to talk about how to manipulate the roles and why they are so critical in an AD environment.

P.S. Thanks for this for saving me some typing time.