Windows Server 2022 - FSMO

Uploaded by

divyanshbaghel59

Active Directory

Flexible Single Master Operation
Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored.

It's a hierarchical, multi-master enabled database that can store millions of objects.

Changes to the database can be processed at any given domain controller (DC) in the enterprise, regardless of whether the DC is connected or disconnected from the network.

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise.

But it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the
One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values.

It's done by resolving to the DC to which changes were written last, which is the "last writer wins" approach.

The changes in all other DCs are discarded.

Although this method may be acceptable in some cases, there are times when conflicts are too difficult to resolve using the last writer wins approach.

In such cases, it's best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows incorporates methods to prevent conflicting Active Directory updates from occurring.

To prevent conflicting updates in Windows, the Active Directory performs updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to process updates.

Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any DC in the enterprise.

Because an Active Directory role isn't bound to a single DC, it's referred to as an FSMO role.
Currently in Windows there are five FSMO roles:

1. Schema master
2. Domain naming master
3. RID master
4. PDC emulator
5. Infrastructure master
Schema master FSMO role

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema, that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>.

This DC is the only one that can process updates to the directory schema.

Once the schema update is complete, it's replicated from the schema master to all other DCs in the directory.

There's only one schema master per directory (i.e. the entire forest).
Domain naming master FSMO role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory, that is, the Partitions\Configuration naming context or LDAP://CN=Partitions,CN=Configuration,DC=<domain>.

This DC is the only one that can add or remove a domain from the directory.

It can also add or remove cross references to domains in external directories.

Only one DC in the entire forest can acquire this role.
RID master FSMO role

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain.

It's also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of:

A domain SID that's the same for all SIDs created in a domain.
A relative ID (RID) that's unique for each security principal SID created in a domain.
Each Windows DC in a domain is allocated a pool of RIDs that it's allowed to assign to the security principals it creates.

When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master.

The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool, and assigns them to the pool of the requesting DC.

There's one RID master per domain in a directory.
PDC emulator FSMO role

The PDC emulator is necessary to synchronize time in an enterprise.

Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.

All Windows-based computers within an enterprise use a common time.

The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority.

It doesn't permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain.

The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source.

All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

Password changes done by other DCs in the domain are replicated preferentially to the PDC emulator.
When authentication failures occur at a given DC because of an incorrect password, the failures are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

The PDC emulator performs all of the functionality that a Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary under the following situation: all workstations, member servers, and domain controllers (DCs) that are running Windows NT 4.0 or earlier are upgraded to Windows 2000.
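Added example, not part of the original slides, to check the time hierarchy described above: it finds each domain's PDC emulator, asks it where it currently gets time from, and flags a forest-root PDC emulator that is not using an external source. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and placeholder NTP server names; Get-PdcTimeSources and Test-PdcTimeHierarchy are our own helper names.

```powershell
# Added example, not from the slides. Assumes RSAT ActiveDirectory and WinRM to the DCs.
Import-Module ActiveDirectory

function Get-PdcTimeSources {
    # One row per domain: its PDC emulator and the source that DC currently syncs from.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator
        # "w32tm /query /source" prints the current time source of the machine it runs on
        $source = Invoke-Command -ComputerName $pdc -ScriptBlock { w32tm /query /source }
        [pscustomobject]@{
            Domain       = $domainName
            PDC          = $pdc
            IsForestRoot = ($domainName -eq $forest.RootDomain)
            TimeSource   = ($source | Out-String).Trim()
        }
    }
}

function Test-PdcTimeHierarchy {
    foreach ($entry in Get-PdcTimeSources) {
        if ($entry.IsForestRoot) {
            # The forest-root PDC emulator is the top of the hierarchy: it must not follow
            # another DC (that would be a loop) and should use an external source.
            if ($entry.TimeSource -match 'Local CMOS Clock|Free-running') {
                "WARNING: forest-root PDC $($entry.PDC) uses its own clock ($($entry.TimeSource))"
            } else {
                "OK: forest-root PDC $($entry.PDC) syncs from $($entry.TimeSource)"
            }
        } else {
            # Child-domain PDC emulators are expected to follow a DC up the domain hierarchy
            "INFO: $($entry.Domain) PDC $($entry.PDC) syncs from $($entry.TimeSource)"
        }
    }
}

Test-PdcTimeHierarchy

# To point the forest-root PDC emulator at external NTP servers, run on that DC
# (ntp1.example.net / ntp2.example.net are placeholders for your own sources):
#   w32tm /config /manualpeerlist:"ntp1.example.net ntp2.example.net" /syncfromflags:MANUAL /reliable:YES /update
#   w32tm /resync
```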
Infrastructure master FSMO role

When an object in one domain is referenced by another object in another domain, it represents the reference by:

The GUID
The SID (for references to security principals)
The DN of the object being referenced

The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
If all the DCs in a domain also host the global catalog, all the DCs have the current data, and it isn't important which DC holds the infrastructure master role.

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references when the referenced object is moved, renamed, or deleted.

In this case, there are no tasks associated with the Infrastructure FSMO role, and it isn't important which domain controller owns the Infrastructure Master role.
The Infrastructure Master (IM) role should be held by a DC that is not a Global Catalog server (GC).

If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold.

This is because a Global Catalog server holds a partial replica of every object in the forest.

As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log.
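Added example, not part of the original slides: a PowerShell audit that lists every FSMO role holder in the forest, checks that each one is reachable, and flags the Infrastructure Master on a Global Catalog condition described above, taking the all-DCs-are-GCs and Recycle Bin exceptions into account. It assumes the RSAT ActiveDirectory module on a domain member; Get-FsmoAudit and Test-InfrastructureMasterPlacement are our own helper names.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoAudit {
    # List every FSMO role holder in the forest and whether it answers a ping.
    $forest = Get-ADForest
    $rows = @(
        [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($domainName in $forest.Domains) {
        # The three domain-wide roles exist once per domain
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += [pscustomobject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
        }
    }
    foreach ($row in $rows) {
        # A role must sit on a live DC; an unreachable holder is a transfer/seize candidate
        $alive = Test-Connection -ComputerName $row.Holder -Count 1 -Quiet
        $row | Add-Member -NotePropertyName Reachable -NotePropertyValue $alive
    }
    return $rows
}

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory)][string]$DomainName)
    $domain   = Get-ADDomain -Identity $DomainName
    $imHolder = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $allDCs   = Get-ADDomainController -Filter * -Server $DomainName
    # If every DC is a GC, every DC already has current cross-domain data
    $everyDcIsGC = @($allDCs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    # With the Recycle Bin enabled the Infrastructure Master has no work to do at all
    $recycleBin   = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBinOn = @($recycleBin.EnabledScopes).Count -gt 0
    if ($imHolder.IsGlobalCatalog -and -not $everyDcIsGC -and -not $recycleBinOn) {
        return "WARNING: $($imHolder.HostName) is a GC and holds the Infrastructure Master role; cross-domain references in $DomainName will not be updated."
    }
    return "OK: Infrastructure Master placement in $DomainName is correct or does not matter."
}

Get-FsmoAudit | Format-Table -AutoSize
Test-InfrastructureMasterPlacement -DomainName (Get-ADDomain).DNSRoot
```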
Determine when to transfer or seize roles

Under typical conditions, all five roles must be assigned to "live" DCs in the forest.

When you create an Active Directory forest, the Active Directory Installation Wizard assigns all five FSMO roles to the first DC that it creates in the forest root domain.

When you create a child or tree domain, the AD installation wizard assigns the three domain-wide roles to the first DC in the domain.

DCs continue to own FSMO roles until they are reassigned by using one of the following methods:

An administrator reassigns the role by using a GUI administrative
An administrator reassigns the role by using the ntdsutil /roles command.

An administrator gracefully demotes a role-holding DC by using the Active Directory Installation Wizard. This wizard reassigns any locally held roles to an existing DC in the forest.

An administrator demotes a role-holding DC by using the dcpromo /forceremoval command.

The DC shuts down and restarts. When the DC restarts, it receives inbound replication information that indicates that another DC is the role holder. In this case, the newly started DC relinquishes the role (as described previously).
If an FSMO role holder experiences a failure or is otherwise taken out of service before its roles are transferred, you must seize and transfer all roles to an appropriate and healthy DC.

Microsoft recommends that you transfer FSMO roles in the following scenarios:

The current role holder is operational and can be accessed on the network by the new FSMO owner.

You are gracefully demoting a DC that currently owns FSMO roles that you want to assign to a specific DC in your Active Directory forest.

The DC that currently owns FSMO roles is being taken offline for scheduled maintenance, and you have to assign specific FSMO
You may have to transfer roles to perform operations that affect the FSMO owner.

This is especially true for the PDC Emulator role.

This is a less important issue for the RID master role, the Domain naming master role, and the Schema master role.

Microsoft recommends that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully, and you cannot transfer the role.

You use the dcpromo /forceremoval command to force-demote a
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

The dcpromo /forceremoval command leaves FSMO roles in an invalid state until they are reassigned by an administrator.

Microsoft recommends that you only seize all roles when the previous role holder is not returning to the domain.

The best candidate for the new role holder is a DC that meets the following criteria:

It resides in the same domain as the previous role holder.
It has the most recent replicated writable copy of the role partition.

The best candidate for a new role holder is a DC that also resides in the forest root domain, and in the same Active Directory site as the
To transfer FSMO roles using GUI
To check who has the FSMO roles, go to the command prompt and type

 netdom query fsmo

You can see all the roles are assigned to dcsrv.demo.lab

1) To transfer the schema master role:

Search for Run or press Win + R together to open the Run prompt.

Type this command to register the schema management snap-in:

 Regsvr32 schmmgmt.dll

You will get the success message.

Now type mmc in the Run prompt and press Enter.

 mmc

You will see the MMC window.

Click on File -> Add/Remove Snap-in...

Click on Active Directory Schema -> Add -> OK

Right click on Active Directory Schema -> Change Active Directory Domain Controller...

In the window that appears, click on the server you want to transfer the role to, and click OK.

You will see the old server name above and the new server name below in the following window. Click on Change, then click Yes.

You will get the success message.

Now go to the command prompt and check whether the roles have changed.

You can see the schema master role has been transferred to newdcsrv.demo.lab
2) To transfer the Domain naming master role:

Now search for mmc and press Enter.

 mmc

Click on File -> Add/Remove Snap-in...

Click on Active Directory Domains and Trusts -> Add -> OK

Right click on Active Directory Domains and Trusts -> Change Active Directory Domain Controller...

In the window that appears, click on the server you want to transfer the role to, and click OK.

Right click on Active Directory Domains and Trusts -> Operations Master... You will see the old server name and the new server name. Click on Change, and the Domain naming master role will be transferred to newdcsrv.demo.lab

Now go to the command prompt and check whether the roles have changed.

 netdom query fsmo

You can see the Domain naming master role has been transferred to newdcsrv.demo.lab
3) To transfer the RID, PDC and Infrastructure roles:

Go to Server Manager -> Tools -> Active Directory Users and Computers

Right click on demo.lab -> Change Domain Controller...

Click on the server you want to transfer the PDC role to and click OK.

Right click on demo.lab -> Operations Masters...

Here you can change the RID, PDC and Infrastructure roles.

To check, go to the command prompt and type

 netdom query fsmo
Thank You

To transfer FSMO roles using CLI

This document provides steps to transfer FSMO roles using the CLI. It uses the ntdsutil tool to perform the FSMO role transfer.

Go to the Domain Controller machine.

Open the command prompt and enter the command

 netdom query fsmo

You can see that newdcsrv now holds all the roles. To transfer the roles on the command line, give the following command at the command prompt and press Enter.

 ntdsutil

On the ntdsutil prompt type:

 roles

 connections

Syntax: connect to server <domain name>

 connect to server dcsrv.demo.lab

 quit

Type a question mark to see the commands available in fsmo maintenance

 ?

To transfer the schema master role

 transfer schema master

Click -> Yes

You will see this screen, which means the role has been transferred.

To transfer the domain naming master role

 transfer naming master

To transfer the RID master role

 transfer rid master

To transfer the PDC role

 transfer pdc

To transfer the Infrastructure role

 transfer infrastructure master

After all the transfers, type the quit command twice to leave ntdsutil

 quit
 quit

and type the following command to check whether the roles have been transferred

 netdom query fsmo

This is how you transfer FSMO roles using the ntdsutil utility on the CLI.
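The same transfer done with the ActiveDirectory PowerShell module, as an added example that is not part of the original document. It refuses a plain transfer when the current holder is unreachable, and performs a seizure only when explicitly asked, matching the transfer-versus-seize guidance above. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and the DC names from the slides (dcsrv.demo.lab, newdcsrv.demo.lab); Get-FsmoHolders and Move-FsmoRoles are our own helper names.

```powershell
# Added example, not from the slides. Assumes RSAT ActiveDirectory and Enterprise Admin rights.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # PowerShell equivalent of "netdom query fsmo" for the current domain and forest
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$Target,   # DC that will receive the roles
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        [switch]$Seize                           # only when the old holder is never coming back
    )
    $before  = Get-FsmoHolders
    $holders = $Roles | ForEach-Object { $before[$_] } | Select-Object -Unique
    if (-not $Seize) {
        # A graceful transfer needs the current holder online; stop rather than seize by accident
        foreach ($h in $holders) {
            if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
                throw "Current role holder $h is unreachable; transfer is not possible. Use -Seize only if $h will not return."
            }
        }
    }
    # -Force turns the transfer into a seizure (the ntdsutil 'seize' equivalent)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
    # Verify each role now points at the target, the same check as "netdom query fsmo"
    $after = Get-FsmoHolders
    foreach ($r in $Roles) {
        $state = if ($after[$r] -like "$Target*") { 'OK' } else { 'NOT MOVED' }
        '{0,-22} {1} -> {2} {3}' -f $r, $before[$r], $after[$r], $state
    }
}

# Transfer all five roles from dcsrv.demo.lab to newdcsrv.demo.lab and verify:
Move-FsmoRoles -Target 'newdcsrv.demo.lab'
# Seize instead, only after dcsrv.demo.lab has been permanently removed:
# Move-FsmoRoles -Target 'newdcsrv.demo.lab' -Seize
```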
