Domain Controllers that hold FSMO (Flexible Single Master Operations) roles are known as Operations Masters. Operations Masters in an Active Directory forest have an important responsibility during replication of the directory data store between Domain Controllers: they use a single-master model to prevent conflicting updates to certain directory data during replication. It is important to know which Domain Controller holds which FSMO roles, as this allows the IT administrator to respond better to a planned or unplanned shutdown of a Domain Controller in the environment. But what are the steps to check which Domain Controller holds which FSMO roles? There are several ways to determine the FSMO role holders in an Active Directory forest. This article outlines the different methods you can use to determine which FSMO roles are hosted by which Domain Controllers in your domain or forest.

There are five FSMO roles, namely:

  1. Schema Master Role (Forest-wide)
  2. Domain Naming Master Role (Forest-wide)
  3. Relative ID (RID) Master Role (Domain-wide)
  4. PDC Emulator Master Role (Domain-wide)
  5. Infrastructure Master Role (Domain-wide)

In every forest there are at least five operations master roles, assigned to one or more Domain Controllers, and each role must appear once within its scope. Forest-wide operations master roles are assigned to only one Domain Controller per Active Directory forest. Domain-wide operations master roles are assigned to only one Domain Controller per Active Directory domain.

When the first domain in a new forest is set up, all the FSMO roles are assigned to the first Domain Controller promoted, which is the case in our demo. Our demo consists of a Microsoft Windows Server 2003 R2 Domain Controller (SRVPDC) that was promoted by creating a new domain in a new forest. Below is a screenshot from our Domain Controller. We have also opened the Active Directory Users and Computers and Active Directory Sites and Services consoles to confirm that this server is the only Domain Controller in our forest. These consoles can be accessed through the following steps:

  • Go to Start and select Administrative Tools.
  • From the menu, select Active Directory Users and Computers, then Active Directory Sites and Services.

Now we will proceed by looking for the FSMO role holders. This can be done in three ways:

  1. Using the Ntdsutil command
  2. Using the Netdom command
  3. Using the Microsoft Management Console

Note:

  1. There are other ways to look for the FSMO role holders. However, the three discussed in this article are the fastest and the ones IT administrators are most likely to need.
  2. In our demo, the FSMO role holder queries will obviously return our SRVPDC server itself, as it is the first and only Domain Controller. That is not a problem: the same steps work equally well in a complex Active Directory forest.

Using the Ntdsutil command

Ntdsutil.exe is a command-line tool that every IT administrator should know. It is used to manage the core of Active Directory Domain Services. More information on ntdsutil is available on Microsoft TechNet.

You can use ntdsutil to determine which FSMO roles reside on which Domain Controller in the Active Directory forest. Below are the steps you need to perform for this task:

  • To access ntdsutil, go to Start and select Run.
  • In the Open textbox, type cmd to open the Command Prompt console.
  • In the Command Prompt console, enter the ntdsutil command. You will notice that the prompt changes from the local directory path to the ntdsutil prompt.

  • Once the ntdsutil prompt appears, tell the tool that you want to enter FSMO role maintenance by typing the “roles” command.

  • Now we need to establish a connection to the server we want to query for FSMO roles. This is done by entering the “connections” command, as shown below.

  • At the server connections prompt, specify the server to connect to by entering the command “connect to server srvpdc“, where “srvpdc” is the server hostname. Note that the server you connect to needs to be a running Domain Controller in your forest.

  • Once connected to the server, quit the server connections prompt by typing “q“. This returns us to the fsmo maintenance prompt.

  • We are back in FSMO maintenance mode and connected to a Domain Controller in our forest. We now need to enter the mode for querying the server about the Operations Masters. This is done by entering the “select operation target” command at the fsmo maintenance prompt.

  • We are now ready to list all the operations master roles that the connected server knows about, together with the Domain Controllers that currently own them. At the select operation target prompt, enter the command “list roles for connected server“.

  • The results are displayed in the console.

Below is a formatted version of the result:

Server "srvpdc" knows about 5 roles

  1. Schema - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  2. Domain - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  3. PDC - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  4. RID - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  5. Infrastructure - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local

So we can easily see that the server we connected to knows about all five FSMO roles, and that they are all assigned to the server SRVPDC. This is because it is the only Domain Controller in the domain, which is the only domain in the forest. Let's take another example, assuming that:

  • We have two domains (itserveronline.local and bellerose.itserveronline.local) in our forest.
  • Server SRVPDC is the only Domain Controller in the bellerose.itserveronline.local (child) domain.
  • Server MAINDC is the only Domain Controller in the itserveronline.local (parent) domain and was the first Domain Controller promoted in the forest.

Then the default results would have been:

Server "srvpdc" knows about 5 roles

  1. Schema - CN=NTDS Settings,CN=MAINDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  2. Domain - CN=NTDS Settings,CN=MAINDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  3. PDC - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  4. RID - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
  5. Infrastructure - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local

This is because, as mentioned earlier, the Schema and Domain Naming FSMO roles are Forest-wide and the other three are Domain-wide. Since ntdsutil was run from a Domain Controller in the child domain, the three Domain-wide FSMO roles are reported on the Domain Controller of the child domain, while the two Forest-wide FSMO roles are on the Domain Controller of the parent domain.

  • Finally, to quit the ntdsutil tool, simply enter the “q” command three times.

So that’s it. This is how we determine the Operations Master roles owners using the Ntdsutil.exe tool.

On the other hand, this method has some disadvantages:

  1. It involves typing many commands.
  2. It requires some knowledge on the part of the IT administrator to read the results, which are returned as LDAP distinguished names (CN=...) carrying a lot of information and can be hard to read.
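As an added example (not part of the original article), the following Python script parses the “list roles for connected server” output shown above into a role-to-holder mapping and checks that each of the five roles appears exactly once; the sample text is constructed from the two-domain scenario above, with MAINDC and SRVPDC as in the article.

```python
import re

# Constructed sample of what ntdsutil prints after "list roles for connected server",
# using the article's two-domain scenario: MAINDC (parent) holds the forest-wide roles.
NTDSUTIL_OUTPUT = """\
Server "srvpdc" knows about 5 roles
Schema - CN=NTDS Settings,CN=MAINDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
Domain - CN=NTDS Settings,CN=MAINDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
PDC - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
RID - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
Infrastructure - CN=NTDS Settings,CN=SRVPDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=itserveronline,DC=local
"""

FOREST_WIDE = {"Schema", "Domain"}
DOMAIN_WIDE = {"PDC", "RID", "Infrastructure"}
ROLE_LINE = re.compile(r"^\s*(\w+)\s+-\s+(CN=NTDS Settings,.+)$")

def parse_dn(dn):
    """Split an NTDS Settings DN into (server, site, forest root). The DN lives in the
    Configuration partition, so its DC= parts name the forest root even for a child-domain DC."""
    rdns = [part.split("=", 1) for part in dn.split(",")]
    server = rdns[1][1]   # CN=<server> follows CN=NTDS Settings
    site = rdns[3][1]     # CN=<site> follows CN=Servers
    forest_root = ".".join(value for key, value in rdns if key == "DC")
    return server, site, forest_root

def parse_roles(text):
    """Map each role name to a list of (server, site, forest root) holders."""
    roles = {}
    for line in text.splitlines():
        match = ROLE_LINE.match(line)
        if match:
            role, dn = match.groups()
            roles.setdefault(role, []).append(parse_dn(dn))
    return roles

def check_roles(roles):
    """Flag a missing or duplicated role, and a forest-wide/domain-wide holder split."""
    findings = []
    for role in sorted(FOREST_WIDE | DOMAIN_WIDE):
        count = len(roles.get(role, []))
        if count != 1:
            findings.append(f"{role}: expected exactly one holder, found {count}")
    forest = {roles[r][0][0] for r in FOREST_WIDE if r in roles}
    domain = {roles[r][0][0] for r in DOMAIN_WIDE if r in roles}
    if forest and domain and forest != domain:
        findings.append(f"forest-wide roles on {sorted(forest)}, domain-wide on {sorted(domain)}")
    return findings
```

Paste the real output of “list roles for connected server” into NTDSUTIL_OUTPUT to run the check against your own forest; a holder split is expected when the query runs from a child-domain Domain Controller.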

There is another command-line method that can be used: the Netdom command.

Using the Netdom command

The Netdom.exe tool also enables IT administrators to query for the FSMO roles and Operations Masters of a specific domain. You can read more about netdom.exe on Microsoft TechNet.

This tool is simpler than Ntdsutil.exe in that:

  1. It requires fewer commands.
  2. The results are easier to read and more straightforward.

To use the netdom tool, on a Domain Controller:

  • Go to Start and select Run.
  • In the Open textbox, type cmd to open the Command Prompt console.
  • In the Command Prompt console, enter the command "netdom query /domain:itserveronline.local fsmo", where itserveronline.local is our demo domain name. See the screenshot below.

And that's it. Simple, isn't it? Notice the format of the results: it is readable and straightforward, and shows which FSMO role is assigned to which Domain Controller in the specified domain.

So far, these two methods were the command-line methods to determine the Operations Master role owners. Now, as promised earlier, we will discuss the last method, a GUI method using the Microsoft Management Console (MMC), which can be used to achieve the same goal.

Using the Microsoft Management Console

This console gives IT administrators flexibility in their day-to-day tasks by allowing them to group their administrative tools together in a customized way. Besides the command-line steps to determine the Operations Master role owners, this task can also be performed by looking at specific locations within the Active Directory administrative tools. We can use MMC to group all the relevant Active Directory administrative tools together for a centralized view. It makes no difference whether you are using MMC 3.0 (the latest) or an earlier version; the steps are the same. The table below shows the administrative tool in which each Operations Master role owner can be found.

Operations Master                  Active Directory administrative tool
---------------------------------  ------------------------------------
RID Operations Master              Active Directory Users and Computers
PDC Emulator Operations Master     Active Directory Users and Computers
Infrastructure Operations Master   Active Directory Users and Computers
Domain Naming Operations Master    Active Directory Domains and Trusts
Schema Operations Master           Active Directory Schema

So, before continuing, we need to ensure that all these Active Directory components are available on our server. They are already familiar to a Domain Controller: upon promotion, the Active Directory components are installed and ready to use, except for the Active Directory Schema console. To use the Active Directory Schema component, the schmmgmt.dll file needs to be registered. Once all the Active Directory components are ready, it takes just a few clicks to determine the Operations Master role owners. For this demo, we will use our existing Microsoft Windows Server 2003 R2 Domain Controller, SRVPDC.

To register schmmgmt.dll:

  • Go to Start and select Run.
  • In the Open textbox, type regsvr32 schmmgmt.dll and click OK.

The window below appears upon successful registration.

Now that all our administrative tools are ready, we can start customizing our MMC console to group all the tools together. To open the MMC console:

  • Go to Start, select Run.
  • In the Open textbox, type mmc.

Once the console is open, we proceed by adding the administrative tools as snap-ins. To add snap-ins to your MMC console:

  • Click the File menu on the top menu bar and select the Add/Remove Snap-in… option.

  • In the Add/Remove Snap-in window, under the Standalone tab, click the Add… button. The Add Standalone Snap-in window appears, listing all the snap-ins (administrative tools) you can add to your MMC console.

For our demo, we need the following three Active Directory administrative tools, as indicated in the table above:

  1. Active Directory Users and Computers
  2. Active Directory Domains and Trusts
  3. Active Directory Schema
  • Therefore, select each of these tools and click the Add button to add it to the MMC console. Note that if schmmgmt.dll had not been registered, the Active Directory Schema component would not be listed among the snap-ins.

  • The screenshot below shows the MMC console ready, as a centralized console to determine the Operations Master role owners.

We start by looking for the holders of the three Domain-wide FSMO roles, namely RID, PDC Emulator and Infrastructure. As per our table above, these are found in the Active Directory Users and Computers component. The steps are:

  • Expand Active Directory Users and Computers.
  • Right-click your domain name and select the Operations Masters… option. In our demo, the domain name is “itserveronline.local“.

  • Here you are! The Operations Masters window appears, displaying the Domain Controllers assigned as owners of the three Domain-wide FSMO roles. From the screenshots below, we see that:
  1. The server srvpdc.itserveronline.local is assigned the RID FSMO role.

  2. The server srvpdc.itserveronline.local is assigned the PDC FSMO role.

  3. The server srvpdc.itserveronline.local is assigned the Infrastructure FSMO role.


So far, we have succeeded in determining the three Domain-wide Operations Master role owners. Now let's proceed to determine the Domain Naming FSMO role holder. As per our table above, this is found in the Active Directory Domains and Trusts component. The steps are:

  • From the customized MMC console, right-click Active Directory Domains and Trusts and select the Operations Masters… option.

  • The Change Operations Master window appears, displaying the Domain Controller assigned as owner of the Domain Naming FSMO role.

Finally, we have to look for the Schema Operations Master in the Active Directory Schema. The steps are:

  • Right-click the Active Directory Schema snap-in and select the Operations Masters… option.

  • The Change Schema Master window appears, displaying the current Schema Master in the forest.

So, that's it. We have discussed the three easiest and quickest methods for determining the Operations Masters in your Active Directory forest. We hope this article has been helpful to you.

For further queries, feel free to post a comment below.