Understanding and Migrating FSMOs to Windows Server 2008 R2
This document explains each FSMO role that a domain controller can hold, how to transfer those roles between domain controllers, and the recommendations to keep in mind when doing so.
Forest Operations Master
These roles are unique within the forest: there can be only one Schema Master and one Domain Naming Master per forest.
Schema Master:
Responsible for modifying the Active Directory schema. The schema is replicated to all domain controllers, but only the domain controller holding the Schema Master role can modify it.
Domain Naming Master:
Responsible for maintaining the domain namespace within the forest and for adding and removing domains.
Domain Operations Master
These roles are unique within each domain: in every domain of the forest there can be only one PDC Emulator, one RID Master and one Infrastructure Master.
PDC Emulator:
Responsible for synchronizing user account and group properties with Windows NT 4 domain controllers (it emulates the PDC of an NT 4 domain). It is also responsible for time synchronization within the forest.
The PDC Emulator of the forest's primary domain should be configured to synchronize with an external time source. An external time server can be set up by following this document: HTTP://www.bujarra.com/?p=1070. It is recommended to place the PDC Emulator and RID Master roles on the same domain controller.
RID Master:
Assigns pools of relative IDs (RIDs) to each domain controller in the domain. At any given time there can be only one domain controller acting as RID Master in each domain of the forest. Whenever a domain controller creates an object (user, group, computer...), it assigns that object a unique security ID (SID). The SID is made up of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. It is advisable to keep this role off the Global Catalog, and to place it on the same domain controller as the PDC Emulator.
Infrastructure Master:
Responsible for universal group membership checks in multi-domain environments, and for updating references from objects in its domain to objects in other domains (unless the domain has a single DC). The Infrastructure Master role should not be assigned to a domain controller that hosts the Global Catalog.
Transferring roles between domain controllers:
An FSMO role can be transferred to another domain controller with the management consoles “Active Directory Sites and Services”, “Active Directory Users and Computers” and “Active Directory Schema”, or directly from the command line with NTDSUTIL. From a “Command Prompt”, run “Ntdsutil” and press Enter. Type “Roles” and press Enter, then type “connections” and press Enter again. Next, connect to the server that should receive the role or roles to migrate by typing “connect to server NOMBRE_SERVIDOR” and pressing Enter; once connected, type “q” and press Enter to leave the connections menu. Now type the role to move to this server, always preceded by the word “transfer”; the five roles are “naming master”, “infrastructure master”, “PDC”, “RID master” and “schema master”. Run the command once for each role to transfer or migrate; every time a role is moved between DCs it asks for confirmation, which we answer with “Yes”.
If, on the other hand, transferring the roles fails, or a role has disappeared, is lost or shows an error (for example because a domain controller is missing), the role can still be recovered with a forced transfer using the “Seize” command, in the same way as the roles are migrated: we take ownership of the damaged or lost role.
Once the transfers succeed, they can be confirmed in the Event Viewer of any domain controller.
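As an added example (not part of the original post), the same transfer performed with the Active Directory PowerShell module available on Windows Server 2008 R2, with a check of the placement recommendations above and a before/after listing of the role holders; the target DC name DC02 is an assumed placeholder.

```powershell
# Added example, not from the original post: transfer FSMO roles with the
# Active Directory module and verify the result, instead of typing the
# ntdsutil sequence by hand. "DC02" is an assumed placeholder name.
Import-Module ActiveDirectory

$target = 'DC02'   # placeholder: the DC that should receive the roles

function Get-FsmoHolders {
    # Forest-wide roles are reported by Get-ADForest, per-domain roles by Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'Role holders before the transfer:'
Get-FsmoHolders | Format-List

# Placement check: the Infrastructure Master should not sit on a Global Catalog
# (unless every DC in the domain is a GC, in which case it does not matter).
$dc       = Get-ADDomainController -Identity $target
$nonGcDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($dc.IsGlobalCatalog -and $nonGcDcs) {
    Write-Warning "$target is a Global Catalog; keep the Infrastructure Master on another DC."
}

# PDC Emulator and RID Master are recommended on the same DC, so move them together.
# Without -Force this is a normal transfer and the current holder must be reachable;
# -Force performs a seize and is only for a holder that is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

Write-Host 'Role holders after the transfer:'
Get-FsmoHolders | Format-List
```

The listing after the move should show the target DC for both roles; the Event Viewer entries mentioned above confirm the same change on any domain controller.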
For more information: http://support.microsoft.com/kb/223346.