Familiarize yourself with Active Directory's five FSMO roles

Takeaway: Active Directory is an entirely different beast than Windows NT. Back in the Windows NT days, primary domain controllers (PDCs) and backup domain controllers (BDCs) were not equal, and your PDC could be a single point of failure. Active Directory has made domain operations more resilient by flattening the domain hierarchy, making all domain controllers equal. However, that equality only goes so far.

There are still a number of single-instance roles installed on various domain controllers throughout your organization that can result in a single point of failure.

While Active Directory is a distributed system, some servers only carry out specific roles, known as Flexible Single Master Operations (FSMO) roles.. If something happens to this server or you need a more substantial server to handle a particular role, you must know which servers are handling each role.

There are five FSMO roles:

• PDC emulator (one per domain): This role allows Windows Server 2003 to act as a Windows NT primary domain controller (PDC), and it provides replication support for Windows NT-based backup domain controllers (BDCs). In addition, this role assists with time and group policy synchronization.
• Infrastructure master (one per domain): This role is responsible for updating the group-to-user references whenever the members of groups change or receive new names.
• Relative ID (RID) master (one per domain): This role ensures that every object created has a unique identification number.
• Schema master (one per forest): This role is responsible for maintaining and modifying the Active Directory schema.
• Domain naming master (one per forest): This role is responsible for the addition and deletion of domains in a forest.

How can you determine which servers hold these roles in an Active Directory forest? To find the PDC emulator, the infrastructure master, and the RID master, follow these steps:

1. Go to Start | Administrative Tools | Active Directory Users And Computers.
2. Right-click the domain, and select Operations Master.

The resulting three tabs will show you which server holds each respective role.

To find the schema master, follow these steps:

1. Go to Start | Run.
2. Enter regsvr32 schmmgmt.dll in the Open text box, and click OK.
3. Go to Start | Run.
4. Enter mmc in the Open text box, and click OK.
5. Go to File | Add/Remove Snap-In, and click Add.
6. Click Active Directory Schema, click Add, click Close, and click OK.
7. Right-click Active Directory Schema, and select Operations Master from the shortcut menu.

To find the domain naming master, follow these steps:

1. Go to Start | Administrative Tools | Active Directory Domains And Trusts.
2. Right-click Active Directory Domains And Trusts, and select Operations Master from the list.

Each option features a Change button, which allows you to move the role to another domain controller.
NOTE: You need to log into the destination DC you wish to transfer the role too or right click and select log into DC and connect to the DC you wish to transfer the roles too.

You can accomplish the same goal using a single command line command that consists of just three words, executed from a domain controller: netdom query fsmo. The netdom utility is included as a part of the Windows Server 2003 Support Tools.

Here are some other good links on FSMO and how to transfer or sieve the roles:
Pteri

• Petri - Understanding FSMO Roles in Active Directory.
• Transferring FSMO Roles - Petri.
• Seizing FSMO Roles.

Microsoft:

• How to view and transfer FSMO roles.
• Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.