FSMO roles

Presentation of FSMO roles

In an Active Directory environment there are 5 Flexible Single Master Operation (FSMO) roles: two of them are unique in the forest and the other three are unique in each domain.

A domain controller can hold zero or more FSMO roles.

Domain Naming Master

Unique in the forest; it is responsible for adding and removing domains in the forest.

Schema Master

Unique in the forest; it manages the Active Directory schema, which defines the set of objects that can be created and their attributes. It is the only domain controller that can modify the schema.

Example: when Exchange is added to your organization, the schema changes made during the preparation of the AD go through this role holder.

RID Master

Unique within the domain; it distributes an RID pool to each domain controller so that every SID issued by a DC is unique.

Primary Domain Controller (PDC) Emulator

Unique within the domain; it handles time synchronization between the various servers and computers, as well as password changes and account lockouts.

Infrastructure master

Unique within the domain; its role is to manage cross-domain references.

Show FSMO

To display the FSMO roles, several commands are available:

In PowerShell, use the Get-ADForest and Get-ADDomain cmdlets.
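The following script is an added example, not code from the original article. It lists the five role holders from Get-ADForest and Get-ADDomain, checks that each holder still answers on the network (a holder that no longer answers is exactly the situation that later forces a seize), and flags the well-known placement issue where the Infrastructure Master sits on a global catalog while other DCs are not global catalogs. It assumes the ActiveDirectory module (RSAT) is installed and the session runs on a domain-joined machine.

```powershell
# Added example (not from the original article): inventory the FSMO role holders
# and run two health checks on them. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# Check 1: is every role holder reachable? An unreachable holder means the role
# cannot be transferred normally and a seize would be required.
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    [pscustomobject]@{
        Role      = $role
        Holder    = $holder
        Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
    }
}

# Check 2: the Infrastructure Master should not be a global catalog unless all
# DCs in the domain are global catalogs, otherwise cross-domain references go stale.
$allDcs  = Get-ADDomainController -Filter *
$allAreGc = ($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$im = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($im.IsGlobalCatalog -and -not $allAreGc) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC but not all DCs are GCs."
}

# Equivalent quick views of the same information:
#   Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
#   Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
#   Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles
#   netdom query fsmo
# The Active Directory Schema snap-in only appears in MMC once it is registered:
#   regsvr32 schmmgmt.dll
```

Run it from an account that can read the directory; no change is made, so it is safe to schedule as a recurring check before a holder goes missing rather than after.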

From the consoles:

Open the Active Directory Users and Computers console to access the domain FSMO roles: right-click the domain and click Operations Masters.

The Active Directory Domains and Trusts console gives access to the Domain Naming Master FSMO role: right-click the console name and click Operations Master.

The Active Directory Schema console gives access to the Schema Master FSMO role: right-click the console name and click Operations Master.

The Active Directory Schema MMC snap-in is not available by default; it must be registered first.

Transfer FSMO roles

For several reasons, you may need to transfer roles from one controller to another. There are two methods:

Normal: use this method whenever you can; it requires that the domain controllers are available.

Seize: use this method when the role must be taken from a controller that is offline.

The transfer can be carried out with the ntdsutil tool, in PowerShell with Move-ADDirectoryServerOperationMasterRole, or from the various administration consoles.

A forced transfer (seize) cannot be done from the graphical consoles.

NTDSUTIL

Normal

Open a command window as Administrator and enter the following command:

Enter FSMO roles maintenance mode:

Enter the following commands to connect to the server that will receive the role(s):

The commands to perform the transfer(s):

Each transfer request must be confirmed in a dialog box.

Exit ntdsutil by entering q.

Example of transfer:

Transfer with ntdsutil

Seize

Open a command window as Administrator and enter the following command:

Enter FSMO roles maintenance mode:

Enter the following commands to connect to the server that will receive the role(s):

The commands to perform the seizure(s):

Each seizure request must be confirmed in a dialog box.

Exit ntdsutil by entering q.

Example:

seize fsmo
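The ntdsutil Normal and Seize procedures above differ only in the verb typed at the fsmo maintenance prompt, so one added example covers both. It is not code from the original article. ntdsutil accepts its interactive commands as command-line arguments, and the script below uses that to wrap the whole session in a single call; the target name DC02 and the function name Move-FsmoRoleWithNtdsutil are assumptions chosen for the example.

```powershell
# Added example (not from the original article): drive an ntdsutil FSMO session
# from PowerShell. Each quoted argument is one line you would otherwise type at
# the ntdsutil prompts:
#   roles                   -> enters the "fsmo maintenance:" prompt
#   connections             -> enters the "server connections:" prompt
#   connect to server X     -> binds to the DC that will receive the role
#   quit                    -> back to "fsmo maintenance:"
#   transfer <role>         -> normal transfer, the current holder must be online
#   seize <role>            -> forced transfer, used when the holder is offline
#   quit, quit              -> leave fsmo maintenance, then ntdsutil
# Both transfer and seize still raise the confirmation dialog mentioned in the text.
function Move-FsmoRoleWithNtdsutil {
    param(
        # Hypothetical parameter names; DC02 below is a constructed target name.
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)]
        [ValidateSet('schema master', 'naming master', 'infrastructure master', 'pdc', 'rid master')]
        [string] $Role,
        [switch] $Seize
    )
    # ntdsutil's seize verb first attempts a normal transfer and only seizes
    # when the current holder does not respond.
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    ntdsutil 'roles' 'connections' "connect to server $Target" 'quit' "$verb $Role" 'quit' 'quit'
}

# Normal transfer of the PDC Emulator to DC02 (both DCs online).
Move-FsmoRoleWithNtdsutil -Target 'DC02' -Role 'pdc'

# Seize of the same role, only if its current holder is permanently gone.
Move-FsmoRoleWithNtdsutil -Target 'DC02' -Role 'pdc' -Seize

# Confirm the directory now reports the new holder.
Import-Module ActiveDirectory
(Get-ADDomain).PDCEmulator
```

A seized role's former holder must never be reconnected to the network as it was: two DCs would then believe they own the role, which for the Schema, Domain Naming and RID masters can corrupt the directory. Reinstall it and clean its metadata before it is allowed back.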

PowerShell: Move-ADDirectoryServerOperationMasterRole

The transfer in PowerShell is simpler: the same cmdlet performs both types of transfer, and several roles can be transferred in the same command.

Example of normal transfer:

Example of seize:

Example of transfer of several FSMO roles

As the value of the -OperationMasterRole parameter, you can also give a number that corresponds to the role:

Identifier   FSMO Role
0            PDC Emulator
1            RID Master
2            Infrastructure Master
3            Schema Master
4            Domain Naming Master

Example of transfer using the identifier:
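The four PowerShell cases described in this section (normal transfer, seize, several roles at once, roles given by identifier) as one added example, followed by a verification step. This is not code from the original article; the target name DC02 and the function Test-FsmoHolder are assumptions for the example. It assumes the ActiveDirectory module and an account with the rights to move the roles.

```powershell
# Added example (not from the original article): Move-ADDirectoryServerOperationMasterRole
# in its four usages, then a check that the roles actually landed on the target.
Import-Module ActiveDirectory

$Target = 'DC02'   # constructed name; use the DC that should receive the role(s)

# Dry run first: -WhatIf shows what would be moved without touching the directory.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole PDCEmulator -WhatIf

# 1. Normal transfer of a single role. The cmdlet prompts for confirmation;
#    add -Confirm:$false only in scripts that have already been reviewed.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole PDCEmulator

# 2. Seize: -Force takes the role even when the current holder does not answer.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole PDCEmulator -Force

# 3. Several roles in one command (here all five).
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 4. The same five roles given by the numeric identifiers from the table
#    (0 = PDC Emulator, 1 = RID Master, 2 = Infrastructure Master,
#     3 = Schema Master, 4 = Domain Naming Master).
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole 0, 1, 2, 3, 4

# Verification: return $true only if every role is reported on $Target.
function Test-FsmoHolder {
    param([Parameter(Mandatory)] [string] $ExpectedDc)
    $expected = (Get-ADDomainController -Identity $ExpectedDc).HostName
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @(
        $forest.SchemaMaster, $forest.DomainNamingMaster,
        $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster
    )
    $wrong = $holders | Where-Object { $_ -ne $expected }
    if ($wrong) { Write-Warning "Roles still held elsewhere: $($wrong -join ', ')" }
    return ($wrong.Count -eq 0)
}

Test-FsmoHolder -ExpectedDc $Target
```

Replication may take a moment, so run the verification against the target DC itself (-Server on Get-ADForest and Get-ADDomain) if another DC still reports the old holder right after the move.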
