Seizing FSMO Roles from a Dead Domain Controller | Step-by-step guide

A quick introduction to Flexible Single Master Operation (FSMO)

Active Directory uses a multi-master replication model: the directory database accepts changes on any domain controller in the enterprise, and those changes replicate to the others. The model has a shortcoming. Because a change can originate on any domain controller, two domain controllers can update the same attribute before replication catches up, and the resulting conflict is resolved with a "last writer wins" rule. That rule is acceptable for ordinary attribute updates but not for every kind of change (schema changes, partition creation and RID allocation, for example, must never have two competing versions). For those operations Active Directory falls back to a single-master model.

In a pure single-master model, as in Windows NT 4.0, only one domain controller, the Primary Domain Controller (PDC), accepts updates. If the PDC fails, no updates can be made anywhere in the domain. Active Directory therefore modifies the single-master model by splitting the single master's responsibilities into separate roles, each of which can be placed on whichever domain controller in the enterprise best suits the requirements. These single-master roles are called Flexible Single Master Operation (FSMO) roles, and the domain controller holding a role is called the FSMO role holder or Operations Master for that role.

FSMO Roles

There are five FSMO roles, two forest-wide and three domain-wide. Each forest-wide role exists exactly once per forest; each domain-wide role exists exactly once per domain, so a forest with three domains has three RID Masters, three PDC Emulators and three Infrastructure Masters but only one Schema Master and one Domain Naming Master. The five roles are:
  1. Schema Master
  2. Domain Naming Master
  3. RID Master
  4. PDC Emulator
  5. Infrastructure Master
The Schema Master and Domain Naming Master are forest-wide roles, whereas the RID Master, PDC Emulator and the Infrastructure Master are domain-wide roles.
 
Schema Master
The Schema Master role is held by one domain controller per forest. The schema partition, known as the schema naming context, is located at CN=Schema,CN=Configuration,DC=<forest root domain>. Only the Schema Master accepts writes to the directory schema; schema changes made there replicate to every other domain controller in the forest.

Domain Naming Master
The Domain Naming Master role is likewise held by only one domain controller per forest. It writes to the Partitions container, CN=Partitions,CN=Configuration,DC=<forest root domain>, which lives in the configuration naming context. The Domain Naming Master is responsible for changes to the domain namespace throughout the forest: only the domain controller holding this role can add or remove domains and application partitions, or add or remove cross-references to domains in external directories.

RID Master
The RID Master role is held by one domain controller per domain and processes RID pool requests from all the domain controllers in that domain.
In Active Directory, every security principal (user, group, computer) is identified by a Security Identifier (SID). Each SID is composed of the domain SID and a Relative Identifier (RID). The domain SID is the same for every object in the domain, whereas the RID is unique to each object within that domain. Each domain controller creates new security principals out of a pool of RIDs allocated to it; when its pool falls below a threshold, it requests another block from the RID Master, whose job is to hand out ranges of RIDs that have never been allocated before. The RID Master is also involved in moving an object from one domain to another: the move is run against the RID Master of the source domain so that the object cannot be moved to two domains at once.

PDC Emulator
The PDC Emulator role is domain-wide, so it is held by one domain controller per domain. It performs the following functions. It is the authoritative time source for its domain (the PDC Emulator of the forest root domain is the time source for the whole forest). Password changes made on any other domain controller are replicated to the PDC Emulator urgently, ahead of normal replication. When a logon fails because of a bad password, the domain controller that received the request retries it against the PDC Emulator before returning a failure to the user, so a password that was just changed elsewhere is still accepted. It processes account lockouts. It also provides everything an NT 4.0-style PDC provided, which is what down-level clients and backup domain controllers expect from it.
Infrastructure Master
The Infrastructure Master role is held by one domain controller per domain. It updates the SID and distinguished name stored in cross-domain object references (for example, a user from another domain who is a member of a local group) when the referenced object is renamed or moved. The Infrastructure Master should not be a Global Catalog server unless every domain controller in the domain is a Global Catalog: a GC already holds a partial copy of every object in the forest, so an Infrastructure Master running on a GC never detects stale references and never updates them. In a single-domain forest there are no cross-domain references, so the placement does not matter.
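Each role's owner is stored in the fsmoRoleOwner attribute of one specific directory object, which is why the sections above name a partition or container for each role. The following added example (not code from the original article) reads those five objects directly with the RSAT ActiveDirectory module and reports the holder of each role along with the Infrastructure Master placement check described above. It assumes a domain-joined host with the module installed; the object paths are the standard Active Directory ones.

```powershell
# Added example: locate each FSMO role through the object that stores its
# fsmoRoleOwner attribute, rather than through Get-ADDomain/Get-ADForest.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = (Get-ADDomain).DistinguishedName

# Object that carries fsmoRoleOwner for each role (standard AD locations)
$roleObjects = [ordered]@{
    'Schema Master'         = $rootDse.schemaNamingContext                      # CN=Schema,CN=Configuration,...
    'Domain Naming Master'  = "CN=Partitions,$($rootDse.configurationNamingContext)"
    'PDC Emulator'          = $domainDn                                         # head of the domain NC
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainDn"
    'Infrastructure Master' = "CN=Infrastructure,$domainDn"
}

function Get-FsmoRoleOwner {
    param([string] $Role, [string] $ObjectDn)
    $obj = Get-ADObject -Identity $ObjectDn -Properties fsmoRoleOwner
    # fsmoRoleOwner is the DN of the holder's NTDS Settings object; its parent
    # is the server object in the Sites container, which carries dNSHostName.
    $serverDn = $obj.fsmoRoleOwner -replace '^CN=NTDS Settings,', ''
    $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
    [pscustomobject]@{ Role = $Role; Holder = $server.dNSHostName; StoredIn = $ObjectDn }
}

$holders = foreach ($role in $roleObjects.Keys) { Get-FsmoRoleOwner -Role $role -ObjectDn $roleObjects[$role] }
$holders | Format-Table -AutoSize

# Placement check: an Infrastructure Master on a GC only works if every DC is a GC.
$imHolder = ($holders | Where-Object Role -eq 'Infrastructure Master').Holder
$imIsGc   = (Get-ADDomainController -Identity $imHolder).IsGlobalCatalog
$allGc    = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ($imIsGc -and -not $allGc) {
    Write-Warning "Infrastructure Master $imHolder is a GC but not all DCs are GCs; cross-domain references will go stale."
}
```

If the role holder has died, fsmoRoleOwner still points at its NTDS Settings object; after the object is deleted during metadata cleanup the lookup of the server object fails, which is itself a useful signal that the role needs to be seized.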

Transferring Vs Seizing FSMO Roles

An FSMO role held by one domain controller can be handed over to another domain controller in one of two ways: by transferring it or by seizing it. Normally all five roles sit on live domain controllers in the forest.
Transferring is the planned operation. Both the current role holder and the new role holder are online, the directory service on the current holder is asked to give up the role, and the two domain controllers replicate the role-specific data before the change takes effect. Domain-wide roles can only be transferred to a domain controller in the same domain; forest-wide roles can be transferred to any suitable domain controller in the forest. Roles are transferred when:

The current role holder is operational and reachable from the new holder, and the roles need to move to a different domain controller for a specific purpose (for example, before the current holder is gracefully demoted).
The current role holder is about to be taken offline for scheduled maintenance, so its roles must be moved to a live domain controller first.

Seizing is the unplanned operation, used when the current role holder has failed and cannot be brought back. The seizure is performed entirely on the new holder: the fsmoRoleOwner attribute is rewritten without the old holder being consulted, and no replication of role-specific data from the old holder takes place. Roles are seized when:

The current role holder has an operational error that prevents it from performing FSMO-dependent operations and cannot be repaired.
The operating system has been reinstalled, or no longer exists, on the computer that held the role.
The current role holder has been forcibly demoted.

Because the old holder is never told that the role has moved, it must never be reconnected to the network after a seizure: if it comes back it still believes it owns the roles. For the Schema Master, Domain Naming Master and RID Master in particular, two holders can create conflicting schema changes, duplicate partitions or duplicate RIDs, which is why Microsoft's guidance is to rebuild such a machine rather than return it. The PDC Emulator and Infrastructure Master roles are the exception: they can be seized and later given back to the original holder if it recovers. In every case, finish the job by removing the dead domain controller's metadata (its NTDS Settings and server objects) from the directory.

How to Seize FSMO Roles from a Dead Domain Controller

FSMO roles can be seized from a dead domain controller with Ntdsutil, with the ActiveDirectory PowerShell module, or with the MMC snap-ins (Active Directory Users and Computers for the domain-wide roles, Active Directory Domains and Trusts and the Active Directory Schema snap-in for the forest-wide roles). Before seizing, pick the new role holder. For the domain-wide roles it must be in the same domain as the dead holder; for the forest-wide roles any domain controller in the forest is eligible. In both cases prefer the domain controller that replicated most recently with the dead holder, because it holds the freshest copy of the partition the role writes to. Seizing the Schema Master or Domain Naming Master requires Schema Admins or Enterprise Admins membership respectively; the domain-wide roles require Domain Admins.

Seizing FSMO roles using Ntdsutil

The FSMO roles can be seized with the Ntdsutil command-line tool as follows. Ntdsutil first attempts a normal transfer and only seizes the role if the current holder does not answer, so the same commands are safe even if you are wrong about the holder being dead.
  1. Find the current FSMO role holders by running netdom query fsmo at a command prompt. Confirm that the domain controller holding the roles is permanently offline (it must not be reachable on the network and must not come back later).
  2. Sign in to the domain controller that is to become the new role holder, or to any other domain controller in the forest.
  3. Open the Start menu, choose Run, type ntdsutil and click OK.
  4. At the ntdsutil: prompt, type roles and press Enter.
  5. At the fsmo maintenance: prompt, type connections and press Enter.
  6. At the server connections: prompt, type connect to server <servername> and press Enter, where <servername> is the name of the domain controller that will receive the roles.
  7. Type q and press Enter to return to the fsmo maintenance: prompt.
  8. Type seize <role> and press Enter, where <role> is the role being seized. Ntdsutil shows a Role Seizure Confirmation dialog for each role; click Yes to proceed. The commands for the five roles are:
     seize naming master
     seize infrastructure master
     seize rid master
     seize schema master
     seize pdc
  9. Type q at the fsmo maintenance: prompt and press Enter.
  10. Type q again at the ntdsutil: prompt and press Enter to exit.

Seizing FSMO Roles using PowerShell

Import the Active Directory module into PowerShell with the following command (on Windows Server 2012 and later the module loads automatically when one of its cmdlets is first used):
Import-Module ActiveDirectory
Identify the current holders of the domain-wide and forest-wide roles with the following commands.
Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
Get-ADForest | Select SchemaMaster, DomainNamingMaster | Format-List
Seize the roles with the following command, run from any domain controller in the forest with the appropriate rights.
Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole 0,1,2,3,4 -Force
Here -Identity names the domain controller that will receive the roles, -OperationMasterRole lists the roles to move, and -Force tells the cmdlet to seize rather than transfer (without -Force it attempts a normal transfer, which fails if the current holder is unreachable). The numeric codes map to the roles as follows: 0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster; the role names can be used in place of the numbers, and only the roles the dead DC actually held need to be listed. The cmdlet prompts for confirmation once per role; type A (Yes to All) and press Enter to accept all of them.
After seizing the roles, confirm that every domain controller now agrees on the holders and check for errors:
dcdiag /test:KnowsOfRoleHolders
dcdiag /v /fix
The older netdiag /v /fix check from the Windows Server 2003 Support Tools is not included with Windows Server 2008 and later; dcdiag covers the role-holder checks. Finish by removing the dead domain controller's metadata (ntdsutil metadata cleanup, or deleting its server object in Active Directory Sites and Services), and do not reconnect the old machine to the network.
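The individual PowerShell commands above can be wrapped into one guarded procedure. The following is an added example, not code from the original article: it refuses to seize while the supposedly dead holder still answers on LDAP (in which case a transfer is the right operation), records the holders before and after, and fails loudly if any role did not land on the intended domain controller. DC01 (the dead holder) and DC02 (the new holder) are placeholder names, and the role names are used instead of the numeric codes 0 to 4.

```powershell
# Added example: guarded FSMO seizure with the ActiveDirectory module.
# Assumes RSAT ActiveDirectory and Test-NetConnection (Windows Server 2012+).
# DC01 and DC02 are placeholder names for the dead and the new role holder.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Current holders as reported by Get-ADDomain (domain-wide) and Get-ADForest (forest-wide)
    $d = Get-ADDomain; $f = Get-ADForest
    foreach ($pair in @(
        @('PDCEmulator',          $d.PDCEmulator),
        @('RIDMaster',            $d.RIDMaster),
        @('InfrastructureMaster', $d.InfrastructureMaster),
        @('SchemaMaster',         $f.SchemaMaster),
        @('DomainNamingMaster',   $f.DomainNamingMaster))) {
        [pscustomobject]@{ Role = $pair[0]; Holder = $pair[1] }
    }
}

function Invoke-FsmoSeizure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NewHolder,
        [Parameter(Mandatory)] [string] $DeadHolder,
        # Same five roles as -OperationMasterRole 0,1,2,3,4, written by name
        [string[]] $Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                              'SchemaMaster', 'DomainNamingMaster')
    )

    # 1. Never seize from a holder that is still alive: two DCs would both
    #    believe they own the role. A live holder must be transferred instead.
    $alive = Test-NetConnection -ComputerName $DeadHolder -Port 389 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($alive) {
        throw "$DeadHolder still answers on 389/tcp; run Move-ADDirectoryServerOperationMasterRole without -Force."
    }

    # 2. Record the holders before the change for the audit trail.
    $before = Get-FsmoHolders
    Write-Verbose ("Before:`n" + ($before | Out-String))

    # 3. Seize. -Force writes fsmoRoleOwner on the new holder without contacting
    #    the old one; -Confirm:$false replaces the per-role "Yes to All" prompt.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
        -OperationMasterRole $Roles -Force -Confirm:$false

    # 4. Verify: Get-ADDomain/Get-ADForest return FQDNs, so match on the prefix.
    $after = Get-FsmoHolders | Where-Object { $_.Role -in $Roles }
    $wrong = $after | Where-Object { $_.Holder -notlike "$NewHolder*" }
    if ($wrong) {
        throw "Roles not on ${NewHolder}: $($wrong.Role -join ', ')"
    }
    return $after
}

Invoke-FsmoSeizure -NewHolder 'DC02' -DeadHolder 'DC01' -Verbose
```

Run it as a member of Schema Admins and Enterprise Admins if the list includes the two forest-wide roles. The reachability check only proves that DC01 is not answering from this host; it does not prove DC01 is gone for good, so the decision that the old holder will never return is still yours to make before running the script. After it completes, run dcdiag /test:KnowsOfRoleHolders on a second domain controller to confirm the new owners have replicated, and remove DC01's metadata.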