Transferring the FSMO Roles (Part 1)


The five unique FSMO roles in an Active Directory Forest / Domain are:

  • Schema Master: this role is required to extend the schema attributes, run the adprep /forestprep command or raise the forest functional level. Forest-wide operation master role.
  • Domain Naming Master: this role is required to add domains or application partitions to a forest, remove them from it, or promote a DC. Forest-wide operation master role.
  • RID Master: this role is required to allocate the RID pool so new or existing DCs can create user accounts, computer accounts or security groups. Domain-wide operation master role.
  • PDC Emulator: this role is required for the domain controller that sends database updates to Windows NT backup domain controllers, to raise the domain functional level, synchronize the time and enforce domain policies. Also, the DC that owns this role will be targeted by certain administrative tools to update user and computer account passwords. Domain-wide operation master role.
  • Infrastructure Master: this role is required for domain controllers to successfully run the adprep /domainprep command and update SID and distinguished name attributes for objects that are referenced across domains. Also, group membership may be incomplete if the role cannot be accessed in a multi-domain environment that uses Universal Groups. Domain-wide operation master role.

The Active Directory Installation Wizard (dcpromo.exe) assigns all five FSMO roles to the first DC in the forest root domain. The first DC in each new child or tree domain only gets the three domain-wide roles.

Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

  • An administrator reassigns the role by using a GUI administrative tool (Transfer)
  • An administrator gracefully demotes a role-holding DC by using dcpromo; the wizard reassigns any locally held roles to another existing DC in the forest (1)
  • An administrator reassigns the role by using the ntdsutil /roles command (Seize)

(1) Demotions performed using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.
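The post describes the GUI snap-ins and ntdsutil as the transfer and seize paths. The following is an added example, not code from the original post: it uses the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later) to report the current holder of each of the five roles and to transfer, or with -Seize forcibly seize, selected roles onto a target DC, returning a before/after snapshot for the change record. The function names, the $TargetDC parameter and the server names in the usage lines are placeholders chosen for this example.

```powershell
# Added example (not part of the original post): enumerate and move FSMO roles
# with the ActiveDirectory module. Server names below are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles live on the forest object, domain-wide roles on the domain object.
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string[]]$Role,
        # -Seize maps to the ntdsutil "seize" path: use it only when the current holder
        # is permanently offline. Without it the cmdlet performs a graceful transfer and
        # fails if the current holder cannot be reached.
        [switch]$Seize
    )
    $before = Get-FsmoRoleHolders
    if ($PSCmdlet.ShouldProcess($TargetDC, "Move FSMO role(s): $($Role -join ', ')")) {
        # -Force makes the cmdlet seize when the holder is unreachable; -Confirm:$false
        # suppresses the per-role prompt because ShouldProcess already asked once.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    }
    $after = Get-FsmoRoleHolders
    # Return both snapshots so the operation can be recorded and reviewed afterwards.
    [PSCustomObject]@{ Before = $before; After = $after }
}

# Usage (placeholder names):
#   Get-FsmoRoleHolders
#   Move-FsmoRoles -TargetDC 'DC02.corp.example' -Role PDCEmulator,RIDMaster -WhatIf
#   Move-FsmoRoles -TargetDC 'DC02.corp.example' -Role SchemaMaster -Seize
```

Run Get-FsmoRoleHolders before and after any change, and treat a seize the same way the post treats a forced demotion: the former holder is now in an invalid state and must not be brought back onto the network with its old directory database, or two DCs will claim the same role.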

Posted by Gabriel Maciel
