Flexible Single Master Operation Roles v1.2

This document provides an overview of Flexible Single Master Operation (FSMO) roles in Active Directory and how to manage them. There are five FSMO roles - Schema Master, Domain Naming Master, RID Master, Infrastructure Master, and PDC Emulator. These roles help prevent conflicts by allowing changes to certain directory data to occur on only one domain controller. The document describes each role and how to move roles between domain controllers using GUI tools, PowerShell, or NTDSUtil.


Flexible Single Master Operation Roles
20170103 – v1.2 – Arjan op 't Hof

Introduction
This document gives an overview of Flexible Single Master Operation roles and how to manage them.

FSMOs
Certain operations can be performed only by a specific role, on a specific domain controller. A
domain controller that holds one of these roles is called an operations master (also known as a
flexible single master operations (FSMO) role).

There are five operations master roles, and all five can be located on a single domain controller or
they can be spread across several domain controllers. By default the first domain controller installed in
a forest holds all five roles; these roles can be moved once more domain controllers are
built. By allowing changes only on a single domain controller*, the operations master roles help
prevent conflicts in AD DS caused by replication latency. When making changes to data held by one
of the operations master roles, you must connect to the domain controller that holds the role.

The five operations master roles are distributed as follows:

- Each forest has one schema master and one domain naming master.
- Each AD DS domain has one RID master, one infrastructure master, and one primary domain
controller (PDC) emulator.

When a domain controller that holds an FSMO role is broken and unrecoverable, you have to seize
that role on a functional domain controller. Seizing means that all the available information about
that specific role is gathered and then recreated on the domain controller of choice.

*So far the HA principles of AD DS…

Forest Operations Masters

The following are single master roles found in a forest:

Domain naming master:

This is the domain controller that must be contacted when you add or remove a domain, or when
you make domain name changes.

If the domain naming master is unavailable, you will not be able to add additional domains to the
forest.

Schema master:
This is the domain controller in which you make all schema changes. To make changes you typically
sign in to the schema master as a member of both the Schema Admins and Enterprise Admins
groups. A user who is a member of both of these groups and who has the appropriate permissions
can also edit the schema by using a script.
If the schema master is unavailable, you will be unable to make changes to the schema; this prevents
installation of applications that require schema changes, such as Microsoft Exchange Server.

Domain Operations Masters

The following are single master roles found in a domain:

Relative ID (RID) master:

Whenever an object is created in AD DS, the domain controller where the object is created assigns
the object a unique identifying number known as a SID. To ensure that no two domain controllers
assign the same SID to two different objects, the RID master allocates blocks of RIDs to each domain
controller within the domain to use when building the SID.

If the RID master is unavailable, you can experience difficulties adding new objects to the domain. As
domain controllers use up their existing RIDs they will eventually run out and be unable to
create new objects.

Infrastructure master:

This role maintains inter-domain object references, such as when a group in one domain contains a
member from another domain. In this situation, the infrastructure master is responsible for
maintaining the integrity of this reference. For example, when you look at the security tab of an
object, the system looks up the SIDs that are listed and translates them into names. In a
multi-domain forest, the infrastructure master looks up SIDs from other domains.

If the infrastructure master is unavailable, domain controllers that are not global catalogs are unable
to check universal group memberships and are unable to authenticate users.

The infrastructure role should not reside on a global catalog server, unless you have a single-domain
forest. The exception is when you follow best practices and make every domain controller a global
catalog. In that case, the infrastructure role is not required because every domain controller knows
about every object in the forest.

PDC emulator master:

The domain controller that holds the PDC emulator is the time source for the domain. The PDC
emulators in each domain in a forest synchronize their time with the PDC emulator in the forest root
domain. You set the PDC emulator in the forest root domain to synchronize with a reliable external
time source.

The PDC emulator is also the domain controller that receives urgent password changes. If a user’s
password is changed, the information is sent immediately to the domain controller holding the PDC
emulator. This means that if the user tries to sign in, even if the user had been authenticated by a
domain controller in a different location that had not yet received the new password information,
the domain controller in the user’s current location will contact the domain controller holding the
PDC emulator to check for recent changes.

If the PDC emulator is unavailable, users may have trouble signing in until their password change has
replicated to all the domain controllers.

The PDC emulator is also used when editing GPOs. When a GPO other than a local GPO is opened for
editing, the edited copy is stored on the PDC emulator. This is done to prevent conflicts if two
administrators attempt to edit the same GPO at the same time on different domain controllers.
However, you can choose to use a specific domain controller to edit GPOs. This is especially useful
when editing GPOs in a remote office with a slow connection to the PDC emulator.

Note: The global catalog is not one of the operations master roles.
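The placement rules stated in the role descriptions above (every holder reachable, the infrastructure master not on a global catalog in a multi-domain forest unless every DC is one, the forest-root PDC emulator synced to an external source) can be audited from PowerShell. This is an added example, not code from the original document; it assumes the ActiveDirectory RSAT module and w32tm.exe are available, and the function name is my own.

```powershell
# Added example (not from the original document): audit the FSMO placement rules
# the text describes. Needs the ActiveDirectory module and read access to the
# directory; the function name is my own.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest  = Get-ADForest
    $domains = @($forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ })
    $gcs     = @($forest.GlobalCatalogs)     # FQDNs of every global catalog in the forest

    # Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
    $holders = @(
        [pscustomobject]@{ Role = 'SchemaMaster';       Scope = $forest.Name; Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster'; Scope = $forest.Name; Holder = $forest.DomainNamingMaster }
    )
    foreach ($d in $domains) {
        foreach ($r in 'RIDMaster', 'InfrastructureMaster', 'PDCEmulator') {
            $holders += [pscustomobject]@{ Role = $r; Scope = $d.DNSRoot; Holder = $d.$r }
        }
    }

    foreach ($h in $holders) {
        $warnings = @()

        # A holder that no longer answers LDAP is a role you may soon have to seize.
        try   { $null = Get-ADDomainController -Identity $h.Holder -Server $h.Holder -ErrorAction Stop }
        catch { $warnings += 'holder unreachable' }

        # Text: in a multi-domain forest the infrastructure master should not be a GC
        # unless every domain controller is a GC.
        if ($h.Role -eq 'InfrastructureMaster' -and $domains.Count -gt 1 -and $gcs -contains $h.Holder) {
            $dcs = @(Get-ADDomainController -Filter * -Server $h.Scope | Select-Object -ExpandProperty HostName)
            if (@($dcs | Where-Object { $gcs -notcontains $_ }).Count -gt 0) {
                $warnings += 'infrastructure master is a GC while other DCs are not'
            }
        }

        # Text: the forest-root PDC emulator should sync with a reliable external time source.
        if ($h.Role -eq 'PDCEmulator' -and $h.Scope -eq $forest.RootDomain) {
            $src = (& w32tm /query "/computer:$($h.Holder)" /source 2>&1) -join ' '
            if ($src -match 'Local CMOS Clock|Free-running') { $warnings += "time source is $src" }
        }

        $status = if ($warnings.Count) { $warnings -join '; ' } else { 'OK' }
        [pscustomobject]@{ Role = $h.Role; Scope = $h.Scope; Holder = $h.Holder; Status = $status }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```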

Moving FSMO roles

To move an operations master role from one server to another, there are several options: the GUI,
PowerShell and command-line tools.

GUI
These MMC snap-ins should by default be opened on the server to which you want to move the role.

Schema operations master:

To get the snap-in “Active Directory Schema”, you first have to register the schema management DLL:
Regsvr32 Schmmgmt.dll

Then add the snap-in to your MMC.

After adding it, right-click the snap-in:

Domain naming operations master:

Open “Active Directory Domains and Trusts” and right-click:

Infrastructure, PDC emulator and RID operations master:

Open “Active Directory Users and Computers” and right-click:

PowerShell
You’ll need to start a PowerShell session with elevated rights. The ActiveDirectory module must also
be loaded (this happens automatically on PowerShell v3 or higher).

To find which domain controller holds which role:

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

or

Get-ADDomainController -Filter * |
    Select-Object Name, Domain, Forest, OperationMasterRoles |
    Where-Object { $_.OperationMasterRoles } |
    Format-Table -AutoSize

Transferring all roles with one cmdlet; this should be run on the domain controller where the
FSMOs currently reside:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" `
    -OperationMasterRole SchemaMaster, RIDMaster, InfrastructureMaster, DomainNamingMaster, PDCEmulator

To seize a role (which of course also works on a domain controller that holds no FSMO roles), add
the -Force switch.
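The cmdlets above wrapped in a guarded procedure: check that the current holder is really dead before seizing, refuse a plain transfer when it is not reachable, and verify the result on the target itself. This is an added example, not code from the original document; the ActiveDirectory module is assumed, and the function name, its parameters and the host name DC02 are constructed.

```powershell
# Added example (not from the original document): transfer roles, or seize them only
# when the current holder is really gone, and verify the result. Function and
# parameter names are my own; the underlying cmdlet is the one shown above.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'InfrastructureMaster', 'PDCEmulator')]
        [string[]] $Role,
        [switch] $Seize      # maps to -Force on Move-ADDirectoryServerOperationMasterRole
    )
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $target.Domain
    $current = @{
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
        RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster
        PDCEmulator = $domain.PDCEmulator
    }

    foreach ($r in $Role) {
        $holder = $current[$r]
        if ($holder -eq $target.HostName) { Write-Warning "$r is already on $holder"; continue }
        # Liveness is checked over LDAP, not ICMP, since DCs commonly drop ping.
        $alive = [bool](Get-ADDomainController -Identity $holder -Server $holder -ErrorAction SilentlyContinue)
        # Refuse to seize while the holder still answers (a clean transfer is the right tool)
        # and refuse a transfer when it does not (a transfer needs the holder).
        if ($Seize -and $alive)           { throw "$holder still answers: transfer $r instead of seizing it" }
        if (-not $Seize -and -not $alive) { throw "$holder is unreachable: $r can only be seized" }
    }

    # After a seize the former holder must never return to the domain; remove its
    # metadata (ntdsutil metadata cleanup) before it can be rebuilt under the same name.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false -ErrorAction Stop

    # Verify against the target itself, not against whatever DC the module happens to use.
    $after = Get-ADDomainController -Identity $target.HostName -Server $target.HostName
    $missing = @($Role | Where-Object { $after.OperationMasterRoles -notcontains $_ })
    if ($missing.Count) { throw "Not on $($target.HostName) after the move: $($missing -join ', ')" }
    $after | Select-Object HostName, OperationMasterRoles
}

# Constructed example usage: transfer two domain roles to DC02, then seize the
# PDC emulator from a holder that has been confirmed dead.
Move-FsmoRoleSafely -TargetDC 'DC02' -Role RIDMaster, InfrastructureMaster
Move-FsmoRoleSafely -TargetDC 'DC02' -Role PDCEmulator -Seize
```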

Ntdsutil
NTDSUtil.exe is a legacy command-line tool that provides management facilities for Active Directory
Domain Services.

ntdsutil
roles
connections
connect to server <domain controller>
q
transfer <infrastructure master/naming master/pdc/rid master/schema master>
q
q

Explanation

<domain controller> is the server to which the role(s) need to be transferred.

q quits the current context.

Instead of transfer, it is also possible to use the command seize <infrastructure master/naming
master/pdc/rid master/schema master>.

CMD Tooling
For a quick view of where the roles are:
netdom /query fsmo

For a quick AD DS sync between all domain controllers:
repadmin /syncall

Extra reading
FSMO roles explained:

https://support.microsoft.com/en-us/kb/197132
http://blogs.msmvps.com/acefekay/2011/01/16/active-directory-fsmo-roles-explained/
https://www.petri.com/fsmo-roles-in-server-2008-active-directory

PowerShell:
https://social.technet.microsoft.com/wiki/contents/articles/6736.move-transfering-or-seizing-fsmo-roles-with-ad-powershell-command-to-another-domain-controller.aspx
https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/28/powertip-use-powershell-to-get-list-of-fsmo-role-holders/
