FSMO

This entry was posted in Active Directory Uncategorized Windows on by

How to place FSMO and Global Catalog roles in Active Directory

During installation of Active Directory on a Windows Server 2000/2003/2008 all FSMO roles will automatically be installed on the first server. But Best Practice dictates to move some of theese Flexible Single Master of Operation (FSMO) roles to seperate servers.

If you only have one domain controller (not recommended), there is nothing to do since all roles must be on this server, but if you have multiple servers you should move some of theese roles on to more servers. It is also important to be aware of what servers are Global Catalog servers, especially if you have more than one domain and even if only one domain, they will be prefered by applications like Exchange server.

It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server.

Recommended Best Practice setup of FSMO roles.

Domain Controller #1
Place the two forest roles on this server.

  • Schema Master
  • Domain Master

Domain Controller #2
Place the domain roles on this server.

  • RID Master
  • Infrastructure Master
  • PDC Emulator

If more domains exist in the forest, place the domain roles on a server in theese domains like Domain Controller #2

Global Catalog configuration.
In Windows 2008 Active Directory all Domain Controllers are by default Global Catalog servers, personally I would recommend using the same configuration in most Active Directory Setups, unless special needs and loads with multiple domains and quite a few Domain Controllers exist.
Remember do not place the Infrastructure Master FSMO role on a server with Global Catalog enabled, unless ALL Domain Controllers is Global Catalog enabled!
Global Catalog servers have information about their own domain and a subset of often used information from all domains in the forest. This allows a Global Catalog Domain Controller to give information about other domains in the forest much faster to the client. It also means the server will use more ressources (mostly memory) in a multiple domain configuration.

Tools to administrate FSMO roles.
FSMO roles can be administrated from a GUI in the Active Directory tools or from command line with the NTDSUTIL command. If a Domain Controller is down and unable to be restored, only NTDSUTIL can be used to Seize the role on to a new server.
Microsoft have a guide to doing this here: http://support.microsoft.com/kb/324801
Global Catalog settings can be administrated with the Active Directory Sites & Services GUI, by selecting Sites/SiteName/Servers/ServerName, right click NTDS Settings and select Properties, on the General Tab click to enable or disable Global Catalog.
Microsoft have a guide to doing this here: http://support.microsoft.com/kb/313994

List FSMO Roles (NETDOM)

  1. netdom query /domain:<domain> fsmo

List FSMO Roles (NTDSUTIL)

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
  2. Type roles, and then press ENTER.
  3. Type connections, and then press ENTER.
  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
  5. At the server connections: prompt, type q, and then press ENTER again.
  6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.
  7. At the select operation target: prompt, type List roles for connected server, and then press ENTER again.
  8. Type q 3 times to exit the Ntdsutil prompt.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:WINDOWS>ntdsutil
ntdsutil:
  1. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  1. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
  1. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
  1. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
  1. Type transfer <role>. where <role> is the role you want to transfer.

For example, to transfer the RID Master role, you would type transfer rid master:

Options are:

Transfer naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master
  1. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
  2. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
  3. Restart the server and make sure you update your backup.

Leave a comment

Your email address will not be published. Required fields are marked *