FSMO (Flexible Single Master Operation) Roles

Flexible Single Master Operation (FSMO) roles handle the special tasks in Active Directory for which the multi-master replication model could create conflicts.  This is similar to an atomic or transactional write in SQL.  In Windows NT the primary domain controller performed all of these operations.  This was a weakness (a single point of failure), and the work was split into separate roles starting with Windows 2000.

There are five roles:

  • PDC Emulator
  • Domain Naming Master
  • RID Master
  • Infrastructure Master
  • Schema Master

Using ADPREP

Prior to Windows Server 2012 R2 you need to prepare Active Directory before upgrading it.  ADPREP is found in the \SUPPORT directory of the Windows Server (2003/2008/2008 R2/2012) source files.

  1. Copy the support files to the PDC; in a multi-domain setup copy them to each PDC
  2. Open a console window with admin privileges
  3. Prepare the forest first using the following command
    adprep /forestprep
    This needs to be done once per forest, on the top-level domain’s PDC
  4. Prepare each domain using the following command
    adprep /domainprep
    This needs to be done once per domain in the forest.  Start with the top-level PDC.

Find out or verify which servers have FSMO roles

  1. Open a console window with admin privileges
  2. Type in the following command and press ENTER
    NETDOM query fsmo
  3. You should see 5 roles

Migrate the FSMO roles to a new Domain Controller

Using the GUI to transfer PDC, RID and Infrastructure Roles

  1. Log in to the server you want to transfer the role to as a domain administrator
  2. Open “Active Directory Users and Computers” MMC
  3. Right click on the domain name
  4. Click on Operations Masters. The next window shows the three domain-level FSMO roles on separate tabs. Repeat steps 5-7 for each FSMO role you want to transfer.
  5. Each tab shows the current FSMO role holder (it should be the old server) and the server that will hold the role if you click Change, which is the server you logged into.
  6. Click Change and then click Yes to continue.
  7. Once done the new holder should appear in both places.
  8. Verify using NETDOM

Using the GUI to transfer the Domain Naming Master

  1. Open “Active Directory Domains and Trusts” MMC
  2. Right click on “Active Directory Domains and Trusts”
  3. Click on “Operations Master…”.  A new window will open showing the current holder of the Domain Naming Operations Master and which DC will be the holder if you click change.
  4. Click change and then click Yes to continue.
  5. Once done the new holder should appear in both places.
  6. Verify using NETDOM

Using the GUI to transfer the Schema Master

  1. Open a console window with admin privileges
  2. Register the Schema MMC snap-in using the following command and press Enter
    regsvr32 schmmgmt.dll
  3. You should see a dialog box saying the registration was a success, press OK
  4. Open a blank MMC using the following command and press Enter
    mmc
  5. Click on File
  6. Click on “Add/Remove Snap-in…”
  7. Select Active Directory Schema and click on the Add button
  8. Click OK to continue
  9. On the left side console tree, right click “Active Directory Schema”
  10. Click “Change Active Directory Domain Controller…”
  11. Select the DC you want to transfer the role to and click OK
  12. Click OK to dismiss the warning box
  13. On the left side console tree, right click “Active Directory Schema”
  14. Click on “Operations Master…”. A new window will open showing the current holder of the Schema Operations Master and which DC will be the holder if you click Change.
  15. Click Change and then click Yes to continue.
  16. Once done the new holder should appear in both places.
  17. Verify using NETDOM

Using PowerShell to work on FSMO Roles

To use PowerShell on FSMO roles you will need

  • At least one domain controller running Windows Server 2008 R2 or higher
  • PowerShell v3.0 or newer
  • Active Directory module v2.0 or newer
  • On Windows Server 2008 R2 the AD PowerShell module must be imported first using
    Import-Module ActiveDirectory

Listing out the roles

There are several ways to find out which server holds which role.

Similar to the NETDOM command

Get-ADDomainController -Filter * |Select-Object Name, Domain, Forest, OperationMasterRoles |Where-Object {$_.OperationMasterRoles} |Format-Table -AutoSize

Just the domain-level FSMO roles

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator

Just the forest-level FSMO roles

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

You can also list the Global Catalog servers

Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
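The listing commands above can be combined into a single audit. The script below is an added example, not code from the original article: it reads every role holder, checks whether each holder responds, and flags the Infrastructure Master on a Global Catalog case discussed later on this page (skipping the flag when every DC is a GC or the Recycle Bin is enabled, since the role then has nothing to do). The function name Get-FsmoAudit and its Domain parameter are assumptions.

```powershell
# Added example: FSMO audit built from Get-ADDomain / Get-ADForest / Get-ADDomainController.
Import-Module ActiveDirectory

function Get-FsmoAudit {
    param(
        # Assumed parameter: DNS name of the domain to audit (defaults to the current domain).
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $adDomain = Get-ADDomain -Identity $Domain
    $adForest = Get-ADForest -Identity $adDomain.Forest

    # Domain-level roles come from Get-ADDomain, forest-level roles from Get-ADForest.
    $holders = [ordered]@{
        PDCEmulator          = $adDomain.PDCEmulator
        RIDMaster            = $adDomain.RIDMaster
        InfrastructureMaster = $adDomain.InfrastructureMaster
        SchemaMaster         = $adForest.SchemaMaster
        DomainNamingMaster   = $adForest.DomainNamingMaster
    }

    # The IM-on-GC problem does not apply when every DC is a GC or the Recycle Bin is enabled.
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBinOn = ($recycleBin -and $recycleBin.EnabledScopes.Count -gt 0)

    foreach ($role in $holders.Keys) {
        $dcName = $holders[$role]
        $dc = Get-ADDomainController -Identity $dcName
        $online = Test-Connection -ComputerName $dcName -Count 1 -Quiet

        $warning = ''
        if ($role -eq 'InfrastructureMaster' -and $dc.IsGlobalCatalog -and -not ($allGc -or $recycleBinOn)) {
            $warning = 'Infrastructure Master on a GC: cross-domain references will not be updated'
        }
        if (-not $online) {
            $warning = 'Holder unreachable: transfer the role, or seize it only if the DC will never return'
        }

        # One row per role; Warning is empty when nothing needs attention.
        [pscustomobject]@{
            Role    = $role
            Holder  = $dcName
            Site    = $dc.Site
            IsGC    = $dc.IsGlobalCatalog
            Online  = $online
            Warning = $warning
        }
    }
}

Get-FsmoAudit | Format-Table -AutoSize
```

Run it from a console where the ActiveDirectory module is available; it only reads from the directory and makes no changes.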

Transfer or move an FSMO role

If the current holder is offline and will never be reconnected to the network you can add -Force to the command to seize the role.  Remember that once a role has been seized the old FSMO holder cannot be restored and cannot be brought back online.

The roles can be represented by numbers

  • PDCEmulator = 0
  • RIDMaster = 1
  • InfrastructureMaster = 2
  • SchemaMaster = 3
  • DomainNamingMaster = 4

The Identity parameter should be the FQDN (Fully Qualified Domain Name) of the DC you want to transfer the role to.

To transfer only one role

Move-ADDirectoryServerOperationMasterRole -Identity <FQDN> -OperationMasterRole <Role>

To transfer one or more roles you can use either of the following commands; they are equivalent.

Using words

Move-ADDirectoryServerOperationMasterRole -Identity <FQDN> -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

Using numbers

Move-ADDirectoryServerOperationMasterRole -Identity <FQDN> -OperationMasterRole 0,1,2,3,4

Seizing FSMO roles

When an AD server is unavailable to gracefully transfer a role, you will need to seize the role. You can use either PowerShell or NTDSUTIL.

Using NTDSUTIL

  1. Open an elevated command shell
  2. Type each command in order

To start the utility type
   ntdsutil

At the ntdsutil: prompt
   roles

At the FSMO maintenance: prompt
   connections

At the server connections: prompt, where ServerFQDN is the fully qualified domain name of the server that will host the FSMO role
   connect to server ServerFQDN

At the server connections: prompt
   quit

Back at the FSMO maintenance: prompt you can now seize the role.
   For the Schema Master role, type and press Enter
      seize schema master
   For the Domain Naming Master role, type and press Enter
      seize naming master
   For the RID Master role, type and press Enter
      seize rid master
   For the PDC Emulator role, type and press Enter
      seize pdc
   For the Infrastructure Master role, type and press Enter
      seize infrastructure master

Once done type quit to exit NTDSUtil

Verify the changes were successful
   netdom query fsmo

Using PowerShell

The Move-ADDirectoryServerOperationMasterRole cmdlet moves one or more operation master roles to a directory server. You can move operation master roles to a directory server in a different domain if the credentials are the same in both domains.

The Move-ADDirectoryServerOperationMasterRole cmdlet provides two options for moving operation master roles:

  • Role transfer, which involves transferring roles to be moved by running the cmdlet using the Identity parameter to specify the current role holder and the OperationMasterRole parameter to specify the roles for transfer. This is the recommended option.
  • Role seizure, which involves seizing roles you previously attempted to transfer by running the cmdlet a second time using the same parameters as the transfer operation, and adding the Force parameter. The Force parameter must be used as a switch to indicate that seizure, instead of transfer, of operation master roles is being performed. This operation still attempts graceful transfer first, then seizes if transfer is not possible.

Operation roles include PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, or DomainNamingMaster. To specify more than one role, use a comma-separated list.

Examples (taken from the MS docs page)

Example 1: Move a PDC emulator to a domain controller
Move-ADDirectoryServerOperationMasterRole -Identity ServerFQDN -OperationMasterRole PDCEmulator

Example 2: Move the PDC emulator and schema master roles to a domain controller
Move-ADDirectoryServerOperationMasterRole -Identity ServerFQDN -OperationMasterRole PDCEmulator,SchemaMaster

Example 4: Seize specific roles
Move-ADDirectoryServerOperationMasterRole -Identity ServerFQDN -OperationMasterRole RIDMaster,InfrastructureMaster,DomainNamingMaster -Force

Note that the -Force parameter allows a role to be seized from an offline/decommissioned server.
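The transfer and seizure commands above do no checking of their own. The function below is an added example, not from the original article or the Microsoft docs: it refuses to move roles to a target DC that does not respond, warns when the Infrastructure Master is headed for a Global Catalog, only adds -Force when the caller explicitly asks for a seizure, and reads the role holders back afterwards so the result is verified rather than assumed. The function name Move-FsmoRoleChecked, its parameters and the DC name in the usage line are assumptions.

```powershell
# Added example: checked wrapper around Move-ADDirectoryServerOperationMasterRole.
Import-Module ActiveDirectory

function Move-FsmoRoleChecked {
    param(
        [Parameter(Mandatory)][string]$TargetFqdn,   # DC that will receive the roles
        [Parameter(Mandatory)][string[]]$Role,       # e.g. PDCEmulator,RIDMaster
        [switch]$Seize                               # adds -Force: old holder is gone for good
    )

    # The target must be a known, reachable domain controller before any role is touched.
    $target = Get-ADDomainController -Identity $TargetFqdn -ErrorAction Stop
    if (-not (Test-Connection -ComputerName $TargetFqdn -Count 1 -Quiet)) {
        throw "Target DC $TargetFqdn does not respond; refusing to move roles."
    }
    # Same caveat as the Infrastructure Master section: do not park it on a GC.
    if ($Role -contains 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
        Write-Warning "$TargetFqdn is a Global Catalog; the Infrastructure Master will not update references there."
    }

    $params = @{ Identity = $TargetFqdn; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $params.Force = $true }   # the cmdlet still tries a graceful transfer first
    Move-ADDirectoryServerOperationMasterRole @params

    # Verify: read the holders back from the target and compare with what was requested.
    $domain = Get-ADDomain -Server $TargetFqdn
    $forest = Get-ADForest -Server $TargetFqdn
    $now = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($r in $Role) {
        [pscustomobject]@{ Role = $r; Holder = $now[$r]; Moved = ($now[$r] -eq $TargetFqdn) }
    }
}

# Usage (constructed DC name): graceful transfer of two domain-level roles.
Move-FsmoRoleChecked -TargetFqdn 'dc02.corp.example' -Role PDCEmulator,RIDMaster
# Seizure is an explicit opt-in, for the case where the old holder will never return:
# Move-FsmoRoleChecked -TargetFqdn 'dc02.corp.example' -Role RIDMaster -Seize
```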

Troubleshooting the transfer process

There are two known issues if the previous Infrastructure or RID master server is unavailable.

Error when you run the Adprep /rodcprep command

Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com

Adprep failed the operation on partition DC=DomainDnsZones,DC=Contoso,DC=com Skipping to next partition.

Adprep could not contact a replica for partition DC=ForestDnsZones,DC=Contoso,DC=com

Adprep encountered an LDAP error. Error code: 0x0. Server extended error code: 0x0, Server error message: (null).

Adprep failed the operation on partition DC=ForestDnsZones,DC=Contoso,DC=com Skipping to next partition.

Adprep completed with errors. Not all partitions are updated.

This error is due to the partition no longer existing. You need to manually clean up the connections.

ntdsutil
partition management
connections
Connect to server ServerFQDN
list
remove nc replica %s1 %s2

ServerFQDN is the fully qualified domain name of the AD server
%s1 and %s2 are the distinguished names (see the description of remove nc replica below)

Deletes instance with DNS name %s2 from the replica set of the application directory partition with distinguished name %s1. If you specify "NULL" for %s2, this command uses the currently connected Active Directory domain controller or AD LDS instance.

RID Master error

If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.

From the Microsoft support page

Schema Master FSMO Role

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory.

  • There is only one schema master per directory.
  • You need to be a member of the Schema Admins group
  • Naming context (Active Directory partition) CN=Schema,CN=configuration,DC=<forest root domain>

Domain Naming Master FSMO Role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

  • There is only one per forest.
  • You need to be a member of the Enterprise Admins group
  • Naming context (Active Directory partition) CN=configuration,DC=<forest root domain>

RID Master FSMO Role

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC.

  • There is one RID master per domain in a directory.
  • You need to be a member of the Domain Admins group
  • Naming context (Active Directory partition) DC=<domain>

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

  • There is one PDC per domain in a directory.
  • You need to be a member of the Domain Admins group
  • Naming context (Active Directory partition) DC=<domain>
  • The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment. The following information describes the changes that occur during the upgrade process:

  • Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
  • Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.
  • Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.

Infrastructure FSMO Role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference.

  • There is one Infrastructure master per domain in a directory.
  • You need to be a member of the Domain Admins group
  • Naming context (Active Directory partition) DC=<domain>

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

When the Recycle Bin optional feature is enabled, every DC is responsible to update its cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.
