Transfer, Seize and Placement of FSMO roles (Third of three post series)

Hi Friends

So, now we are on the third post of the FSMO series. In the first two posts we discussed what FSMO is and looked at the roles in detail. If you have not checked them yet, you can read them here:

https://vinitpandey.wordpress.com/2015/10/21/fsmo-role-first-of-three-blog-series/

https://vinitpandey.wordpress.com/2015/10/21/fsmo-roles-in-detail-second-of-three-blog-series/

In this final blog we will discuss transfer, seize and placement of FSMO roles. So, let's start.

Transfer of FSMO roles

As discussed, the first DC in the forest holds all five roles and the first DC in a domain holds all three domain-wide roles. These roles can be transferred to another DC for the following reasons:

  1. Load balancing
  2. When the original operations master needs to be taken offline (for maintenance, troubleshooting, etc.)

You can transfer FSMO roles via the GUI or the command prompt.

GUI

In the previous post we discussed how to view the operations master roles. To transfer a role, first connect to the DC to which you want to transfer it. Then you can change the owner by clicking the “Change” button.


To transfer FSMO roles from the command prompt, the steps are as follows:

  • Open a command prompt
  • Type ntdsutil and press Enter
  • At the ntdsutil prompt, type roles
  • At the fsmo maintenance prompt, type connections
  • At the server connections prompt, type connect to server <domaincontrollername>
  • At the server connections prompt, type quit
  • At the fsmo maintenance prompt, type transfer <FSMO role name>
  • Quit from the console

Seizing FSMO roles

A role can be transferred only if the current operations master is online. If the FSMO master has failed, you have to seize the operations master role instead. Before you seize a role, make sure that the DC that will take over the role is up to date with replication. If it is not, wait for replication to complete or run repadmin /syncall. Seizing can be done only from the command line. The steps are as follows:

  • Open a command prompt
  • Type ntdsutil and press Enter
  • At the ntdsutil prompt, type roles
  • At the fsmo maintenance prompt, type connections
  • At the server connections prompt, type connect to server <domaincontrollername>
  • At the server connections prompt, type quit
  • At the fsmo maintenance prompt, type seize <FSMO role name>
  • Quit from the console
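The two ntdsutil procedures above (transfer, and seize when the old owner is gone) can also be done non-interactively from PowerShell. This is an added example, not part of the original post: it uses the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet, whose -Force switch seizes a role when a graceful transfer is impossible. It assumes the RSAT ActiveDirectory module is installed, you are running as a Domain Admin (Enterprise Admin for the two forest-wide roles), and the DC names used in the usage lines are placeholders.

```powershell
# Added example (not from the original post): transfer or seize FSMO roles with the
# ActiveDirectory module instead of the interactive ntdsutil session described above.
# Assumptions: RSAT ActiveDirectory module installed; run as Domain Admins (Enterprise
# Admins for SchemaMaster/DomainNamingMaster); 'DC02' below is a placeholder name.
Import-Module ActiveDirectory

function Show-FsmoHolders {
    # Current role owners, the same information as the GUI "Operations Master" dialogs.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,   # DC that should receive the role(s)
        [Parameter(Mandatory)][string[]]$Role,   # e.g. 'PDCEmulator','RIDMaster'
        [switch]$Seize                           # only when the old owner will never return
    )
    $params = @{ Identity = $Target; OperationMasterRole = $Role; Confirm = $false }

    if ($Seize) {
        # The post says the new owner must be up to date before a seize: push a
        # full replication cycle to it first (A = all partitions, e = cross-site,
        # P = push, d = show DNs). Errors from the dead partner are expected.
        & repadmin /syncall $Target /AdeP
        # -Force attempts a transfer and falls back to seizing if the owner is unreachable.
        $params['Force'] = $true
    }

    Move-ADDirectoryServerOperationMasterRole @params
    Show-FsmoHolders     # confirm the new owner
}

# Usage (placeholder names):
# Show-FsmoHolders
# Move-FsmoRole -Target 'DC02' -Role PDCEmulator, RIDMaster                  # planned maintenance
# Move-FsmoRole -Target 'DC02' -Role SchemaMaster, DomainNamingMaster -Seize # old owner is dead
```

Without -Seize the function only ever performs a graceful transfer, so it is safe to use for the load-balancing and maintenance cases listed earlier; the seize path is deliberately opt-in because, as the note below says, the old owner must never come back online once its roles have been seized.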

Note: Seizing a role is a drastic step and you should perform it only when the previous role owner will never be available again. Don’t seize an operations master role when you can transfer it gracefully using the normal transfer procedure.

Placement of FSMO role

Ok, so finally let's discuss the best practices for placing FSMO roles.

  1. You should place the forestwide roles, schema master and domain naming master, on the same domain controller. There is very little overhead associated with these roles, so placement on the same server adds very little load overall. However, you must safeguard this server because these are critical roles in the forest. In addition, the server acting as the domain naming master should also be a global catalog server.
  2. You should place the RID master and PDC emulator roles on the same domain controller. The reason for this is that the PDC emulator uses more RIDs than most other DCs. If the RID master and PDC emulator roles aren’t on the same DC, the DCs on which they are placed should be in the same Active Directory site, and they should have a reliable connection between them.
  3. Don’t place the Infrastructure master on a Global Catalog server.

Why shouldn't the Infrastructure master and the Global Catalog be on the same server?

This is the question asked in nearly all my trainings. So, here is the answer.

The infrastructure master is responsible for updating cross-domain group memberships. So, if a user is a member of a group in another domain and the username is changed, you can see the name get updated on the “Members” tab of that group. To do this, the infrastructure master periodically scans its database for group members from other domains. For each member from a foreign domain that it finds, it compares the name and the security identifier (SID) of the member against a global catalog. If the name or the SID does not match, the local reference is updated with the values from the global catalog. Because a global catalog maintains a partial attribute set of every object from every domain in the forest, it has no need to keep any such cross-domain references. Therefore, if the infrastructure master is running on a global catalog server, it never finds any cross-domain references in its local database. Consequently, the infrastructure master is not able to determine which cross-domain references have changed, and changes like the username change in the example above won’t replicate. For this reason, the infrastructure master should not run on a global catalog server in a forest that contains multiple domains.

The following exceptions apply:

  • If every domain controller in a domain is a global catalog server, no cross-domain references exist, so the replication issue does not arise.
  • If a given domain in a multi-domain forest contains only one domain controller, that domain controller is the infrastructure master itself and, if the domain has a global catalog, the global catalog as well. Therefore, the issue is not relevant.
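The three placement rules and the two exceptions above are easy to check mechanically. The following is an added example, not part of the original post: a PowerShell audit that reads the current role owners and global catalog flags and reports any deviation from the recommendations. It assumes the ActiveDirectory module is available and that the account running it can query every domain in the forest.

```powershell
# Added example (not from the original post): audit FSMO placement against the best
# practices listed above, honouring the two infrastructure-master exceptions.
# Assumes the ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $findings = New-Object System.Collections.Generic.List[string]

    # Rule 1: schema master and domain naming master on one DC, and that DC is a GC.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings.Add("Forest roles are split: schema master on $($forest.SchemaMaster), domain naming master on $($forest.DomainNamingMaster)")
    }
    $dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
    if (-not $dnm.IsGlobalCatalog) {
        $findings.Add("Domain naming master $($dnm.HostName) is not a global catalog server")
    }

    $multiDomainForest = @($forest.Domains).Count -gt 1

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $rid    = $dcs | Where-Object HostName -eq $domain.RIDMaster
        $pdc    = $dcs | Where-Object HostName -eq $domain.PDCEmulator
        $im     = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster

        # Rule 2: RID master and PDC emulator together, or at least in the same AD site.
        if ($domain.RIDMaster -ne $domain.PDCEmulator -and $rid.Site -ne $pdc.Site) {
            $findings.Add("$domainName: RID master (site $($rid.Site)) and PDC emulator (site $($pdc.Site)) are in different sites")
        }

        # Rule 3: infrastructure master not on a GC, unless an exception applies:
        #   - every DC in the domain is a GC, or
        #   - the domain has a single DC, or
        #   - the forest has only one domain (no cross-domain references at all).
        $allGc    = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $singleDc = $dcs.Count -eq 1
        if ($multiDomainForest -and $im.IsGlobalCatalog -and -not ($allGc -or $singleDc)) {
            $findings.Add("$domainName: infrastructure master $($im.HostName) is a GC while other DCs in the domain are not")
        }
    }

    if ($findings.Count -eq 0) { 'FSMO placement follows the recommendations.' } else { $findings }
}

Test-FsmoPlacement
```

Run it from any domain-joined admin workstation; each finding names the domain and the DC involved so it maps directly onto one of the three rules above.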

So, here we finish this three-post series. It was a really long but important series.

I will see you guys soon with some other technical stuff. Till then take good care of yourself. Bye.

FSMO Roles in detail (Second of three blog series)

This is the second of three blog posts in the series. In the first post we discussed what FSMO is. If you have not checked my first post, you can read it here:

https://vinitpandey.wordpress.com/2015/10/21/fsmo-role-first-of-three-blog-series/

In this post we will discuss the FSMO roles in detail. So let's start.

Schema Master

The schema master is the only DC in the forest that can make changes to the schema. This role is held by the first DC in the forest and can be transferred to another DC as required, but there is only ever one schema master per forest. You make changes to the schema using the Active Directory Schema snap-in, which is not visible in MMC by default. First you need to run this command from “Run” and press OK:

regsvr32 schmmgmt.dll


Once you have registered the DLL you can open MMC and add the Active Directory Schema snap-in. It makes a direct connection to the schema master, allowing you to view the schema for the directory.


Note: To modify the schema you need Schema Admins credentials.

Domain Naming Master

The domain naming master is responsible for adding or removing domains from the forest. Whenever you create a domain, a remote procedure call (RPC) connection is made to the domain naming master, which assigns the domain a globally unique identifier (GUID). When you remove a domain, an RPC connection is made to the domain naming master and the previously assigned GUID reference is removed. If the domain naming master cannot be contacted while a domain is being added or removed, you will not be able to create or remove the domain.

To locate the domain naming master via the GUI, start Active Directory Domains And Trusts. Press and hold or right-click the Active Directory Domains And Trusts node, and then select Operations Master.


RID Master

The SID of every security principal object, such as a user or group, must be unique. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Every DC in a domain is issued a block of relative IDs by the RID master. Whenever a new security principal is created on a DC, the DC allocates its RID from the pool it obtained from the RID master. The block of relative IDs issued to a DC is called a RID pool, and pools are issued in lots of 500.

Note: You can increase the size of the RID pool by editing the registry on each domain controller and changing the REG_DWORD value RID Block Size located under HKLM\System\CurrentControlSet\Services\NTDS\RID Values.

For Windows Server 2012, the maximum RID pool block size is 15,000. Previously, the maximum was 10,000.

Apart from this, the RID master is also responsible for moving objects from one domain to another.

RID pool exhaustion (Troubleshooting)

The total number of available RIDs is 2^30 – 1, which is nearly 1 billion. Although this number is huge, an old enterprise can run out of available RIDs, and in that case no new objects can be created. The conditions that lead to RID pool exhaustion are as follows:

  1. Once a RID has been issued for a new object, the same RID can’t be used again, even if creation of the object fails.
  2. If a deleted DC computer object is restored, the DC can repeatedly request a new RID pool block because of a missing rIDSetReference attribute and, by itself, can use up the RID pool in about 24 months.

Solutions in Windows Server 2012

  1. RID Reuse pool – When object creation fails, the RID, instead of being leaked and lost, is placed in the Reuse pool. Because a DC checks the Reuse pool for available RIDs before taking a RID from the primary pool, the RID can be assigned to the next object created on that domain controller. Rebooting a domain controller clears its RID Reuse pool.
  2. Warning message – When 10 percent of the global address space is used, the RID master logs an informational event with a RID consumption warning. The RID master logs another RID consumption warning when 10 percent of the remainder is used, and so on, so that the RID consumption warnings become more frequent as more and more of the global space is depleted.
  3. Soft ceiling – The soft ceiling is reached when 90 percent of the available address space is used. As a result, the RID master will not allocate any additional blocks of RIDs until the soft ceiling is removed. To remove the ceiling you have to use ldp.exe or ADSI Edit.
  4. Increasing RID pool size – If a domain’s RID master and all other DCs are running Windows Server 2012, you can double the size of the RID pool by enabling SID compatibility. Enabling SID compatibility unlocks the 31st bit of the RID pool, which effectively raises the total number of RIDs available for a domain to 2^31 – 1, or approximately 2 billion objects. This setting can be configured from ADSI Edit.
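Since RID exhaustion is silent until the warnings start, it is worth watching the pool yourself. The following is an added example, not part of the original post: it reads the domain's RID pool state from the RID Manager$ object, works out how far along the warning cadence and soft ceiling described above the domain is, and reads the per-DC RID Block Size registry value from the earlier note. It assumes the ActiveDirectory module and WinRM access to the DCs; the layout of rIDAvailablePool (highest RID in the upper 32 bits, next RID to allocate in the lower 32 bits) and the use of msDS-RIDPoolAllocationEnabled as the soft-ceiling flag are taken from Windows Server 2012 behaviour, not from the post.

```powershell
# Added example (not from the original post): monitor RID consumption against the
# 10 %-of-remainder warning cadence and the 90 % soft ceiling described above, and
# read each DC's RID Block Size (default 500 when the value is absent).
# Assumptions: ActiveDirectory module; WinRM to the DCs; rIDAvailablePool packs the
# highest RID in the upper 32 bits and the next RID in the lower 32 bits;
# msDS-RIDPoolAllocationEnabled = FALSE means the soft ceiling is engaged.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    $ridMgr = Get-ADObject ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
                -Server $domain.RIDMaster `
                -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'

    $pool = [int64]$ridMgr.rIDAvailablePool
    $max  = $pool -shr 32              # 2^30 - 1 normally, 2^31 - 1 with SID compatibility
    $next = $pool -band 0xFFFFFFFF     # next RID the RID master will hand out

    # Warning cadence from the text: 10 % of the space, then 10 % of what remains, and
    # so on until the 90 % soft ceiling. Count how many of those marks are already behind us.
    $marks = @(); $mark = 0
    while ($mark -lt 0.9 * $max) {
        $mark += [int64](0.1 * ($max - $mark))
        $marks += $mark
    }

    [pscustomobject]@{
        RIDMaster          = $domain.RIDMaster
        HighestRID         = $max
        NextRID            = $next
        PercentUsed        = [math]::Round(100 * $next / $max, 2)
        SidCompatibility   = ($max -gt 0x3FFFFFFF)          # 31st bit unlocked
        WarningsPassed     = @($marks | Where-Object { $_ -le $next }).Count
        SoftCeilingReached = ($next -ge 0.9 * $max)
        AllocationEnabled  = $ridMgr.'msDS-RIDPoolAllocationEnabled'  # $null on pre-2012 domains
    }
}

function Get-RidBlockSize {
    # The REG_DWORD from the note above, read from every DC in the domain.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $size = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values' `
                -ErrorAction SilentlyContinue).'RID Block Size'
        }
        if (-not $size) { $size = 500 }   # built-in default when the value is not set
        [pscustomobject]@{ DC = $dc.HostName; RIDBlockSize = $size }
    }
}

Get-RidPoolStatus
Get-RidBlockSize | Format-Table -AutoSize
```

A domain that has restored a deleted DC object (the second exhaustion cause above) shows up here as NextRID climbing far faster than the number of objects actually created, which is the cue to check the rIDSetReference attribute before the soft ceiling is hit.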

Infrastructure master

The infrastructure master is responsible for updating cross-domain group-to-user references. So if you change the name of a user, the infrastructure master is responsible for ensuring that the change to the user account is correctly reflected in the group membership information for groups in other domains of the forest. The infrastructure master does this by comparing its directory data to that of a global catalog. If the data is outdated, it updates the data and replicates the change to the other domain controllers in the domain. If for some reason the infrastructure master is unavailable, group-to-user name references will not be updated, and cross-domain group memberships might not accurately reflect the actual names of user objects.

PDC Emulator Master

PDC emulator performs several tasks as listed below:

  1. Password management and replication: When a user changes a password, the change is first sent to the PDC emulator, which in turn replicates the change to all the other domain controllers in the domain. If a user tries to log on to the network but provides an incorrect password, the DC checks with the PDC emulator to see if it has a recent password change for this account. If so, the domain controller retries the logon authentication on the PDC emulator. This approach is designed to ensure that a user who has recently changed a password is not denied logon with the new password.
  2. PDC Emulator – Emulates a PDC (Parent DC), which was a concept of Windows NT servers, for legacy applications.
  3. Master time browser: The PDC emulator is the domain source of time synchronization for all other domain controllers. In a multi-domain forest, the PDC emulator in each domain synchronizes with the forest root PDC emulator. To ensure that time synchronization is accurate in the Active Directory forest, you should configure the forest root PDC emulator to synchronize time with a reliable external time source, a reliable internal time source, an NTP server or a hardware clock.

Domain computers on the network don’t necessarily get their time directly from the PDC emulator. Generally, domain computers follow the directory hierarchy and synchronize time with a domain controller in their local domain. Domain controllers synchronize their time using a series of queries that help them determine the best time source. A domain controller will make up to six queries:

  1. The domain controller queries for parent domain controllers in the same site.
  2. The domain controller queries for other domain controllers in the same site.
  3. The domain controller queries for a same-site PDC emulator.
  4. The domain controller queries for parent domain controllers in other sites.
  5. The domain controller queries for other domain controllers in other sites.
  6. The domain controller queries for a PDC emulator in other sites.

Each query returns a list of domain controllers that can be used as a time source and a relative weighting for each based on reliability and location. A score of 8 is assigned to a domain controller in the same site. A score of 4 is assigned to a domain controller configured as a reliable time source. A score of 2 is assigned to a domain controller in a parent domain. A score of 1 is used for a domain controller that is the PDC emulator. Because the weighting scores are cumulative, a same-site PDC emulator would have a score of 9 (8 + 1).

Note: When you transfer the PDC emulator role, the time server configuration is not transferred with it; you need to configure it manually on the new PDC emulator.
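The manual step in the note above is easy to forget, so here it is scripted. This is an added example, not part of the original post: it points the new PDC emulator at an external NTP source and marks it reliable, returns the old PDC emulator to the domain hierarchy so the forest does not end up with two "reliable" roots, and verifies the result with w32tm /query /source. The second function implements the cumulative 8/4/2/1 weighting from the paragraph above so you can see why a same-site PDC emulator scores 9. It assumes WinRM access to both DCs and uses placeholder NTP peer names.

```powershell
# Added example (not from the original post): re-point time synchronization after a
# PDC emulator transfer, and compute the time-source weighting described in the text.
# Assumptions: WinRM to both DCs; the NTP peers below are placeholders for your own.

function Set-PdcTimeSource {
    param(
        [Parameter(Mandatory)][string]$NewPdc,
        [Parameter(Mandatory)][string]$OldPdc,
        [string[]]$NtpPeers = @('0.pool.ntp.org', '1.pool.ntp.org')   # placeholder peers
    )
    # 0x8 = client mode, the flag normally used with a manual peer list.
    $peerList = ($NtpPeers | ForEach-Object { "$_,0x8" }) -join ' '

    # New PDC emulator: external source, reliable, so the rest of the forest follows it.
    Invoke-Command -ComputerName $NewPdc -ArgumentList $peerList -ScriptBlock {
        param($peers)
        w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
        Restart-Service W32Time
        w32tm /resync
    }

    # Old PDC emulator: back to the domain hierarchy and no longer advertised as reliable.
    Invoke-Command -ComputerName $OldPdc -ScriptBlock {
        w32tm /config /syncfromflags:domhier /reliable:no /update
        Restart-Service W32Time
        w32tm /resync
    }

    # Verify: the new PDC should report an NTP peer, the old one a domain controller.
    foreach ($dc in @($NewPdc, $OldPdc)) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            "$env:COMPUTERNAME -> $(w32tm /query /source)"
        }
    }
}

function Get-TimeSourceScore {
    # Cumulative weighting from the text: 8 same site, 4 reliable source,
    # 2 parent domain, 1 PDC emulator.
    param([bool]$SameSite, [bool]$Reliable, [bool]$ParentDomain, [bool]$IsPdcEmulator)
    $score = 0
    if ($SameSite)      { $score += 8 }
    if ($Reliable)      { $score += 4 }
    if ($ParentDomain)  { $score += 2 }
    if ($IsPdcEmulator) { $score += 1 }
    $score
}

# A same-site PDC emulator scores 9 (8 + 1), as in the text; once it is also marked
# reliable it scores 13, which is why the /reliable:yes flag above matters.
Get-TimeSourceScore -SameSite $true -IsPdcEmulator $true
Get-TimeSourceScore -SameSite $true -Reliable $true -IsPdcEmulator $true

# Usage (placeholder names):
# Set-PdcTimeSource -NewPdc 'DC02' -OldPdc 'DC01'
```

Run Set-PdcTimeSource immediately after the role transfer; until you do, the other DCs keep scoring the old server as the reliable root and the new PDC emulator is still taking its time from the domain hierarchy.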

To locate the RID master, Infrastructure master and PDC emulator via the GUI, start Active Directory Users and Computers. Press and hold or right-click the domain name, and then select Operations Master.


So, that’s all for this post. In the final post I will discuss transfer, seize and placement of FSMO roles. Till then take good care of yourself. Bye.