Site icon RDR-IT

FSMO roles

Presentation of FSMO roles

In an Active Directory environment, there are 5 Flexible Single Master Operation (FSMO) roles, two roles are unique in the forest and the other three are unique in a domain.

A domain controller can have none or more FSMO roles.

Domain Naming Master

It is unique in the forest, it is responsible for adding and removing domains in the forest.

Schema Master

It is unique in the forest, it manages the Active Directory schema which contains the set of objects that can be created and the attributes. He is the only one who can modify the diagram.

Example: when adding the Exchange service to your organization, it is this role which modifies the attributes during the preparation of the AD.

RID Master

It is unique within the domain, it distributes an RID pool to each domain controller to ensure that each SID delivered by a DC will be unique

Primary Domain Controller (PDC) Emulator

It is unique within the domain, it takes care of the synchronization of the time between the various servers and computers and the modification of passwords as well as the locks of accounts.

Infrastructure master

It is unique within the domain, its role is to manage inter-domain references.

Show FSMO

To display FSMO roles, several commands are available:

netdom query fsmo

In PowerShell, you must use the Get-ADForest and Get-ADDomain cmdlet.

From the consoles:

Open the Active Directory Users and Computer console to access the domain’s FSMO role, right-click on the domain and click on Operation masters.

The Domain and Active Directory Trust console provides access to the FSMO Operation Master role for naming. Right click on the console name and click on Operation Master.

The Active Directory Schema console provides access to the Schema Master FSMO role. Right click on the name of the console and click on Operation Master.

The Active Directory Schema MMC is not available natively, it must be declared.

Transfer FSMO roles

For several reasons, you may need to transfer roles from one controller to another. There are two methods:

Normal: use this method preferably if you can, this requires that all the controllers are available.

Seize: use if you want to transfer a role from an offline controller.

The transfer can be carried out using the ntdsutil tool, in PowerShell with Move-ADDirectoryServerOperationMasterRole or using the various administration consoles.

For a forced transfer, it is not possible to do it by graphic consoles.

NTDSUTIL

Normal

Open a command window in “Administrator” mode and enter the following command:

ntdsutil

Enter FSMO roles maintenance mode:

roles

Enter the following commands to connect to the server that will receive the role (s):

connections
connect to server nom_du_dc
q

The commands to make the transfer (s):

# Maitre d'attribution
transfer naming master
# Contrôleur de schéma
transfer schema master
# Maitre RID
transfer RID master
# Emulateur PDC
transfer pdc
# Maitre infrastructure
transfer infrastructure master

At each transfer request, you will have to confirm your action through a dialog box.

Exit ntdsutil by entering q.

Example of transfer:

Seize

Open a command window in “Administrator” mode and enter the following command:

ntdsutil

Enter FSMO roles maintenance mode:

roles

Enter the following commands to connect to the server that will receive the role (s):

connections
connect to server nom_du_dc
q

The commands to make the transfer (s):

# Maitre d'attribution
seize naming master
# Contrôleur de schéma
seize schema master
# Maitre RID
seize RID master
# Emulateur PDC
seize pdc
# Maitre infrastructure
seize infrastructure master

At each transfer request, you will have to confirm your action through a dialog box.

Exit ntdsutil by entering q.

Example :

PowerShell: Move-ADDirectoryServerOperationMasterRole

The transfer in PowerShell is simpler, the same command allows to make the two types of transfer. It is also possible to transfer several roles in the same order.

Example of normal transfer:

Move-ADDirectoryServerOperationMasterRole -Identity "LAB-DC2" -OperationMasterRole PDCEmulator

Example of seize :

Move-ADDirectoryServerOperationMasterRole -Identity "LAB-DC2" -OperationMasterRole InfrastructureMaster -Force

Example of transfer of several FSMO roles

Move-ADDirectoryServerOperationMasterRole -Identity "LAB-DC1" -OperationMasterRole PDCEmulator, InfrastructureMaster 

In value for the -OperationMasterRole parameter, it is possible to indicate a number which corresponds to the role.

IdentifiantRôle FSMO
0PDC Emulator
1RID master
2Infrastructure master
3Schema master
4Domain naming master

Example of transfer using the identifier:

Move-ADDirectoryServerOperationMasterRole -Identity "LAB-DC2" -OperationMasterRole 0,2
Exit mobile version