From http://www.symantec.com/connect/articles/readyfsmo-roles-active-directory-windows-2008-server

Flexible Single Master Operations (FSMO) Roles

1. Forest Roles

Schema Master - As the name suggests, schema changes (creating a new object class or changing attributes in AD) are made on a single domain controller and then replicated to the other domain controllers in your environment. Having one master prevents the corruption of the AD schema that could occur if all domain controllers tried to make changes at once. This is one of the most important of the FSMO roles.
Domain Naming Master - This role is not used very often, only when you add or remove domain controllers. It ensures that domain controller names are unique in the environment.
2. Domain Roles

Infrastructure Master - This role checks the domain for changes to any objects. If changes are found, they are replicated to the other domain controllers.
RID Master - This role is responsible for making sure each security principal has a different identifier.
PDC Emulator - This role is responsible for account policies, such as client password changes, and for time synchronization in the domain.
Where are these roles configured?

Domain-wide roles are configured in Active Directory Users and Computers: right-click the domain and select Operations Masters.
The forest role Domain Naming Master is configured in Active Directory Domains and Trusts: right-click and select Operations Master. It will show you the current role holder.
The forest role Schema Master is not accessible from any default tool; this is deliberate, because editing the schema can create serious problems in an Active Directory environment. To gain access you need to register the DLL with regsvr32 schmmgmt.dll and then add the Active Directory Schema snap-in to an MMC console.
Seizing of Roles

If the server holding a role fails permanently, you need to seize the role. This is how it can be done:

The ntdsutil steps are the same for every role; only the seize command at the end differs.

Go to the cmd prompt and type ntdsutil.

At the ntdsutil: prompt, type roles to enter fsmo maintenance.
At the fsmo maintenance: prompt, type connections to enter server connections.
At the server connections: prompt, type connect to server <domain controller>, where <domain controller> is the name of the domain controller to which you are going to transfer the role.
At the server connections: prompt, type quit to return to fsmo maintenance.
At the fsmo maintenance: prompt, type the seize command for the role you need:

For Schema Master: seize schema master
For Domain Naming Master: seize domain naming master
For Infrastructure Master Role: seize infrastructure master
For RID Master Role: seize RID master
For PDC Emulator Role: seize PDC

After you have seized the role, type quit to exit ntdsutil.
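The GUI steps above show where the role holders live, and the ntdsutil steps show how to seize them. As an added example (not code from the original post), the following PowerShell script does the same job in a checkable way: it lists the current holders of all five roles, refuses to seize if the supposedly failed domain controller still answers (in that case you should transfer, not seize), seizes only the roles that DC actually holds, and lists the holders again afterwards. It assumes the ActiveDirectory module is installed; the server names DC01 and DC02 are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. Server names are placeholders.
param(
    [string]$FailedDc = "DC01",   # placeholder: the DC that has failed
    [string]$TargetDc = "DC02"    # placeholder: surviving DC that will take the roles
)

# Property names match the ADOperationMasterRole enum values so they can be
# passed straight to Move-ADDirectoryServerOperationMasterRole.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest role
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest role
        InfrastructureMaster = $domain.InfrastructureMaster  # domain role
        RIDMaster            = $domain.RIDMaster             # domain role
        PDCEmulator          = $domain.PDCEmulator           # domain role
    }
}

Write-Host "Role holders before seizure:"
Get-FsmoHolders | Format-List

# Seizure is only appropriate when the current holder is permanently gone.
# If it still answers, transfer the role instead (same cmdlet without -Force).
if (Test-Connection -ComputerName $FailedDc -Count 2 -Quiet) {
    throw "$FailedDc is still reachable; transfer the roles instead of seizing them."
}

# Determine which roles the failed DC currently holds (values are DNS host names).
$holders = Get-FsmoHolders
$rolesToSeize = $holders.PSObject.Properties |
    Where-Object { $_.Value -like "$FailedDc*" } |
    ForEach-Object { $_.Name }

if (-not $rolesToSeize) {
    Write-Host "$FailedDc holds no FSMO roles; nothing to seize."
    return
}

Write-Host "Seizing $($rolesToSeize -join ', ') to $TargetDc"

# -Force turns the graceful transfer into a seize, the equivalent of
# ntdsutil's "seize <role>" in the steps above.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole $rolesToSeize -Force -Confirm:$false

Write-Host "Role holders after seizure:"
Get-FsmoHolders | Format-List
```

Run it from an elevated PowerShell session on a surviving domain controller as a member of the groups the role requires (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest). The reachability check is the important safeguard: once a role has been seized, the old holder must never be brought back online without first being removed from the directory, or two servers will believe they own the same role.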
