Operating Systems
Windows Server 2008,
Windows Server 2008 R2,
Windows Server 2003,
Windows Server 2003 R2
Problem
This article explains the different ways of identifying and managing the FSMO roles of Windows servers, using several useful utilities.
Solution
Domain controllers in an Active Directory domain can both read from and write to the AD database, and are essentially interchangeable.
Certain operations, however, must be handled by a single authoritative source. Each of these operations is handled by one domain controller, and they are divided into five distinct operational categories, referred to as Flexible Single Master Operations (FSMO).
There are five roles, further classified into two groups:
1. Forest Roles
Schema Master - As the name suggests, the changes made when creating any object type in AD, or changing its attributes, are made by this single domain controller and are then replicated to the other domain controllers in your environment. Because only one domain controller accepts these changes, the AD schema is not corrupted when several domain controllers try to make changes at the same time. This is one of the most important of the FSMO roles.
Domain Naming Master - This role is not used very often; it is needed only when you add or remove domain controllers. It ensures that every domain controller in the environment has a unique name.
2. Domain Roles
Infrastructure Master - This role checks the domain for changes to any objects. If changes are found, it replicates them to the other domain controllers.
RID Master - This role is responsible for making sure that each security principal has a unique identifier.
PDC Emulator - This role is responsible for account policies, such as client password changes, and for time synchronization in the domain.
Utilities used:
1. ReplMon
The Active Directory Replication Monitor utility (ReplMon) is included with the Support Tools on the Windows Server CD. It can identify the current FSMO role holders, and it can also send a query to each of them to see whether it is up and running. To start ReplMon, type replmon at the Support Tools command prompt.
You can download the Windows Support Tools from the link below.
http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe
When the tool opens, you need to add a domain controller to the console. Right-click the Monitored Servers node, and then select Add Monitored Server from the context menu, as shown in Figure.
The resulting dialog box allows you to type the domain controller's name, or you can search Active Directory for the domain controller you want to use. The figures below display the dialog box you use to choose the monitored server, and show the methods you can use to search for the domain controller's name.
Once you have added the domain controller to the Monitored Servers list, right-click the server and select Properties. The properties of the domain controller show you which domain controllers hold the FSMO roles.
After opening the properties, click the FSMO Roles tab to view the current role holders, as Figure shows.
Notice the Query button next to each role. Clicking it causes Replication Monitor to check whether the current role holder is online. If it is online, the message shown in Figure appears.
If the role holder cannot be contacted, you see the message “active directory replication monitor was unable to resolve, connect, bind to the server hosting this fsmo role”.
2. Netdom
Another command we use all the time is netdom.
The command syntax that reports the role holders is as follows:
netdom query fsmo /domain:itoc.com
Replace itoc.com with your domain name. This returns a list of all the role holders. The results appear in the command-prompt window, as shown in Figure.
3. Dsquery
Another useful utility is dsquery, which can find each individual role holder. Use the following commands:
To find the Schema Master:
dsquery server -hasfsmo schema
To find the Domain Naming Master:
dsquery server -hasfsmo name
To find the Infrastructure Master:
dsquery server -hasfsmo infr
To find the RID Master:
dsquery server -hasfsmo rid
To find the PDC Emulator:
dsquery server -hasfsmo pdc
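All of the tools on this page ultimately read the same data: each role's owner is recorded in the fSMORoleOwner attribute of one specific directory object. The PowerShell script below is an added example, not code from the article, that lists the five role holders described in the roles section by reading that attribute over LDAP, and then binds to each holder's RootDSE to confirm it is reachable, the same check ReplMon's Query button performs. It assumes it runs on a domain-joined machine as a domain user with System.DirectoryServices (ADSI) available; it does not need the ActiveDirectory PowerShell module, so it also works against a Windows Server 2003 domain. The derivation of the server object from the owner DN assumes the standard "CN=NTDS Settings,CN=<server>,..." naming shown in the dcdiag output later in this article.

```powershell
# Added example (not from the article): enumerate the FSMO role holders from the
# fSMORoleOwner attribute and check that each holder answers an LDAP bind.
# Assumes a domain-joined machine, a domain user, and ADSI (System.DirectoryServices).

function Get-FsmoRoleHolder {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext
    $domainNc = [string]$rootDse.defaultNamingContext

    # The object on which each role's owner is recorded (in its fSMORoleOwner attribute).
    $roleObjects = @(
        @{ Role = 'Schema Master';         Path = "LDAP://$schemaNc" },
        @{ Role = 'Domain Naming Master';  Path = "LDAP://CN=Partitions,$configNc" },
        @{ Role = 'PDC Emulator';          Path = "LDAP://$domainNc" },
        @{ Role = 'RID Master';            Path = "LDAP://CN=RID Manager`$,CN=System,$domainNc" },
        @{ Role = 'Infrastructure Master'; Path = "LDAP://CN=Infrastructure,$domainNc" }
    )

    foreach ($entry in $roleObjects) {
        $ownerDn = [string]([ADSI]($entry.Path)).fSMORoleOwner

        # fSMORoleOwner is the DN of the holder's "NTDS Settings" object; its parent
        # is the server object, which carries the holder's dNSHostName.
        $serverDn = $ownerDn -replace '^CN=NTDS Settings,', ''
        $holder   = [string]([ADSI]"LDAP://$serverDn").dNSHostName

        # Reachability check: binding to the holder's RootDSE fails if it is down.
        try {
            $probe = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$holder/RootDSE")
            $probe.RefreshCache()
            $status = 'online'
        } catch {
            $status = 'unreachable: ' + $_.Exception.Message
        }

        New-Object PSObject -Property @{
            Role   = $entry.Role
            Holder = $holder
            Status = $status
        } | Select-Object Role, Holder, Status
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

Because it reads the attribute directly, this script is a convenient cross-check when netdom, dsquery and dcdiag disagree, or when you want a scheduled job that alerts on a role holder that no longer answers an LDAP bind.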
4. DCdiag
The DCDiag utility is used as follows:
dcdiag /test:knowsofroleholders /v
Because we included the verbose switch (/v), this command returns the role holders and provides information on each.
The output of the above command is shown below:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine Masterserver, is a DC.
* Connecting to directory service on server Masterserver.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MASTERSERVER
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MASTERSERVER passed test Connectivity
Doing primary tests
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role Domain Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role PDC Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role Rid Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
......................... MASTERSERVER passed test KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : itoc
Running enterprise tests on : itoc.com
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Test omitted by user request: DNS
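The verbose dcdiag output above is long, and the role information is buried in the "Role ... Owner =" lines. The PowerShell function below is an added example, not part of the article or of the dcdiag tool, that parses those lines into role/server pairs and then groups the roles by holder, so that it is immediately visible whether one server holds all five roles (as on the article's test domain) or the roles are spread across several domain controllers. The sample text is constructed from the KnowsOfRoleHolders section shown above; the commented line at the end shows how to feed live dcdiag output instead.

```powershell
# Added example (not from the article): parse the "Role ... Owner =" lines printed by
# dcdiag /test:knowsofroleholders /v and summarise which server holds which role.

function ConvertFrom-DcdiagRoleHolders {
    param([string[]]$Lines)

    # Matches e.g. "Role Schema Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,..."
    # and captures the role name and the server's CN from the NTDS Settings DN.
    $pattern = '^\s*Role (?<role>.+?) Owner = CN=NTDS Settings,CN=(?<server>[^,]+),'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Role   = $Matches['role']
                Server = $Matches['server']
            } | Select-Object Role, Server
        }
    }
}

# Constructed sample: the KnowsOfRoleHolders section of the dcdiag output in this article.
$sampleText = @'
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role Domain Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role PDC Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role Rid Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=MASTERSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itoc,DC=com
......................... MASTERSERVER passed test KnowsOfRoleHolders
'@
$sample = $sampleText -split "`r?`n"

$holders = ConvertFrom-DcdiagRoleHolders -Lines $sample
$holders | Format-Table -AutoSize

# One line per holder listing the roles it owns, e.g.
# "MASTERSERVER: Schema, Domain, PDC, Rid, Infrastructure Update"
$holders | Group-Object Server | ForEach-Object {
    $roles = ($_.Group | ForEach-Object { $_.Role }) -join ', '
    "$($_.Name): $roles"
}

# Live use on a domain controller (replaces the constructed sample):
# ConvertFrom-DcdiagRoleHolders -Lines (dcdiag /test:knowsofroleholders /v)
```

The parser deliberately keys on the "CN=NTDS Settings,CN=<server>" prefix rather than on the whole DN, so it works regardless of site and domain names; if a line does not match that shape (for example a role whose owner object has been deleted), it is skipped, which is itself a useful signal to investigate with the other tools on this page.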
5. Dumpfsmos.cmd
Dumpfsmos.cmd, from the Resource Kit, is a small script that starts NTDSUTIL and issues the appropriate commands to return a list of the role holders. You can download the Resource Kit tools from the link below.
http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
The syntax for this command is as follows:
dumpfsmos.cmd itoc.com
Replace itoc.com with the name of the domain you are querying against.
Figure shows the information returned when you issue this command at the command prompt.