
Active Directory FSMO Roles and Troubleshooting Steps Explained

In an Active Directory environment, some of the domain controllers hold special roles that the
directory needs in order to function properly. These roles are called FSMO roles.

FSMO stands for Flexible Single Master Operations; the roles are also known as the Operations
Master roles. Every FSMO role has exactly one holder at a time, which is why losing the holder
produces the very specific failures listed further down.

The operations master roles fall into two categories:

• Forest-wide roles

• Domain-wide roles

Forest-wide operations master roles :

Every forest has exactly one holder of each of the following two roles. They are unique in the
forest and are placed by default on the first domain controller installed in the forest root domain.

Domain Naming Master:

• The Domain Naming Master controls the addition and removal of domains (and application
directory partitions) in the forest. It is only needed at the moment a domain is added to or
removed from the forest.

• The Domain Naming Master is responsible for changes to the forest namespace.

• There is only one Domain Naming Master in the forest.

Schema Master:

• The Schema Master is the only domain controller that can write changes to the schema.
• Schema changes made on the Schema Master replicate to all domain controllers in the forest.
• There is only one Schema Master in the forest.

Domain-wide operations master roles :

These roles are unique at the domain level: each domain in the forest has exactly one holder of each.

PDC Emulator:

• The PDC Emulator receives urgent replication of password changes and account lockouts from
the other domain controllers in the domain. A domain controller that rejects a password checks
with the PDC Emulator before failing the logon, so a password changed moments ago on another
DC still works.

• The PDC Emulator is the authoritative time source for the domain; the PDC Emulator of the
forest root domain is the time source for the whole forest.

• The PDC Emulator keeps the domain consistent: by default the Group Policy editing tools
connect to it, so that administrators do not edit the same GPO on different DCs at once.

• Like every domain controller, the PDC Emulator supports both Kerberos V5 and NTLM
authentication; in addition it acts as the Windows NT 4.0 primary domain controller for
down-level clients and backup domain controllers.

• There is only one PDC Emulator in a domain.

Infrastructure Master:

• The Infrastructure Master updates cross-domain object references. When an object in one
domain is referenced by an object in another domain (for example a user from domain A that is
a member of a group in domain B), the Infrastructure Master keeps the reference's SID and
distinguished name current after the referenced object is renamed or moved.

• It does this by comparing its local copies of those references (phantoms) with a global catalog
server and replicating the corrections to the other domain controllers in its domain.

• The Infrastructure Master should not be on a global catalog server. A GC already holds a partial
replica of every object in the forest and therefore has no phantoms to update, so an Infrastructure
Master on a GC silently stops updating references. The exception is a domain in which every
domain controller is a GC (or a single-domain forest), where there is nothing left to update.

RID Master:

• The RID Master allocates pools of relative IDs (RIDs) to every domain controller in the domain.
• Whenever a security principal (user, group or computer) is created, the domain controller that
creates it builds the object's SID from the domain SID plus the next RID from its own pool;
when the pool runs low the DC requests a new one from the RID Master.

How to find which Domain Controller holds which FSMO Roles :

To find out which domain controllers hold the FSMO roles, run the following from a command
prompt on any domain-joined machine with the AD DS tools installed:

netdom query fsmo

The following symptoms help you identify which FSMO role holder is behind an error in your
environment:

PDC Emulator
  Users can't log on.
    If system clocks drift apart, Kerberos fails (the default tolerance is five minutes); the
    PDC Emulator is the time source for the domain.
  Can't change passwords.
    Password changes are replicated urgently to this role holder, and a DC that rejects a
    password retries it against the PDC Emulator; without it, a freshly changed password may be
    rejected until normal replication catches up.
  Account lockout not working.
    Account lockout enforcement needs this role holder.
  Can't raise the functional level for a domain.
    This role holder must be available when raising the domain functional level.

RID Master
  Can't create new users or groups.
    The domain controller's RID pool has been depleted and it cannot obtain a new one.

Infrastructure Master
  Problems with universal group memberships.
    Cross-domain object references need this role holder.

Domain Naming Master
  Can't add or remove a domain.
    Changes to the namespace need this role holder.
  Can't promote the first DC of a new domain, or demote the last DC of a domain.
    Changes to the namespace need this role holder. (Adding or removing an additional DC in an
    existing domain does not need it.)

Schema Master
  Can't modify the schema.
    Changes to the schema need this role holder.
  Can't raise the functional level for the forest.
    This role holder must be available when raising the forest functional level.
Rules for placing the FSMO roles in your domain environment :

1) The RID Master and the PDC Emulator should be placed on the same domain controller.

2) The Schema Master should be placed on the PDC Emulator of the forest root domain.

3) The Domain Naming Master should be placed on the PDC Emulator of the forest root domain.

4) The PDC Emulator should be placed on a domain controller that has a replica domain
controller (a direct replication partner) in the same Active Directory site, so that a standby is
available to seize the roles if the holder fails.

5) The Infrastructure Master should not be placed on a global catalog server, unless every
domain controller in the domain is a global catalog.
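The netdom query above tells you who holds the roles, but not whether the placement rules are met. The following PowerShell script is an added example (not part of the original notes) that covers both: it lists every role holder in the forest with the ActiveDirectory module and prints a warning for each of the five rules that is broken. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user; rule 4 is checked by looking for any other domain controller in the PDC Emulator's site.

```powershell
# Added example; not part of the original notes. Lists the FSMO role holders
# for the whole forest and checks them against placement rules 1 to 5 above.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain

"Forest-wide roles"
"  Schema Master        : $($forest.SchemaMaster)"
"  Domain Naming Master : $($forest.DomainNamingMaster)"

# Rules 2 and 3: both forest-wide roles belong on the forest root PDC Emulator.
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($forest.$role -ne $rootDomain.PDCEmulator) {
        Write-Warning "$role is on $($forest.$role), not on the forest root PDC Emulator $($rootDomain.PDCEmulator)"
    }
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName

    "Domain-wide roles for $domainName"
    "  PDC Emulator          : $($domain.PDCEmulator)"
    "  RID Master            : $($domain.RIDMaster)"
    "  Infrastructure Master : $($domain.InfrastructureMaster)"

    # Rule 1: RID Master and PDC Emulator on the same DC.
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        Write-Warning "$domainName : RID Master and PDC Emulator are on different DCs"
    }

    # Rule 4: another DC (a replication partner) in the PDC Emulator's site.
    $pdc      = $dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }
    $sameSite = $dcs | Where-Object { $_.Site -eq $pdc.Site -and $_.HostName -ne $pdc.HostName }
    if (-not $sameSite) {
        Write-Warning "$domainName : no other DC in site $($pdc.Site) next to the PDC Emulator"
    }

    # Rule 5: Infrastructure Master on a GC only if every DC in the domain is a GC.
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im.IsGlobalCatalog -and -not $allGC) {
        Write-Warning "$domainName : Infrastructure Master $($im.HostName) is a GC while other DCs are not; cross-domain references will not be updated"
    }
}
```

Run it from an elevated prompt on a management workstation. A clean run prints only the role holders; each warning corresponds to one of the numbered rules above, and rule 5 is the one most often broken quietly, because nothing fails immediately when the Infrastructure Master sits on a GC.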

Network monitoring tools

Nagios

What is the SYSVOL folder used for?

SYSVOL is a folder that exists on every domain controller (by default %SystemRoot%\SYSVOL) and
contains Active Directory related files and folders. It mainly stores the file-system part of Group
Policy Objects (the Group Policy templates) and logon scripts, exposed through the SYSVOL and
NETLOGON shares. It is replicated between domain controllers by the File Replication Service (FRS)
in older domains, or by DFS Replication (DFS-R) in domains at the Windows Server 2008 functional
level or higher that have migrated.

What are the tools used to check and troubleshoot replication of Active Directory?
We can use command-line tools such as repadmin and dcdiag. The GUI tool Replmon (from the
Windows Server 2003 Support Tools; it is not included in Windows Server 2008 and later) can also
be used for replication monitoring and troubleshooting.
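The answer names the tools but not how to string them together. As an added example (not part of the original notes), here is a quick replication health pass that combines repadmin, dcdiag and the ActiveDirectory module's replication cmdlets. DC01 is a placeholder for one of your domain controllers, and the three-hour staleness threshold is an assumption to tune to your site link schedule.

```powershell
# Added example; not part of the original notes. A replication health pass
# using repadmin, dcdiag and the ActiveDirectory module. DC01 is a placeholder
# for one of your DCs; the 3-hour threshold is an assumption.
Import-Module ActiveDirectory
$forestName = (Get-ADForest).Name
$dc         = 'DC01'

# 1. One line per DC: largest replication delta and fail/total counts.
#    Any DC with fails greater than 0 needs a closer look.
repadmin /replsummary

# 2. Current failures with partner, error code and when they started.
Get-ADReplicationFailure -Target $forestName -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 3. Partners whose last successful replication is older than the threshold.
$threshold = (Get-Date).AddHours(-3)
Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt $threshold } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# 4. dcdiag on one DC: the replication test plus the FSMO checks, because an
#    unreachable role holder shows up here before it shows up as user symptoms.
dcdiag "/s:$dc" /test:Replications /test:KnowsOfRoleHolders /test:FsmoCheck

# 5. Inbound replication queue on that DC; a queue that keeps growing means the
#    DC cannot keep up with its partners.
repadmin "/queue" $dc
```

Step 1 is the one-screen overview; steps 2 and 3 turn the same data into objects you can filter or export, which is what you want when the forest has more DCs than fit on a screen.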
Maintaining the AD DS database is an important administrative task that you must schedule
regularly so that, in the case of a disaster, you can recover lost or corrupted data and repair the
AD DS database.
AD DS has its own database engine, the Extensible Storage Engine (ESE), which manages the
storage of all AD DS objects in the AD DS database. The AD DS database is stored in a file
named Ntds.dit. When you install and configure AD DS, you can specify the location of the file.
The default location is %SystemRoot%\NTDS.
AD DS includes the following files, as shown in the figure: Ntds.dit (the database), Edb.log (the
current transaction log), Edb.chk (the checkpoint file that records which log entries have been
written to the database), Edbres00001.jrs and Edbres00002.jrs (reserved log space used if the
disk fills up) and Temp.edb (scratch space for in-progress transactions).

You can back up AD DS by using Windows Server Backup, Wbadmin.exe or PowerShell.

Depending on the roles installed on the computer running Windows Server 2012 R2, the
System State Data on a Domain Controller includes the following components:
 Active Directory Database (Ntds.dit)
 The SYSVOL shared folder
 The registry
 System startup files
 The COM+ Class Registration database
 Active Directory Certificate Services (AD CS) database
 Cluster service information
 Microsoft Internet Information Services (IIS) metadirectory
 System files under Windows Resource Protection
Backing up the System State in Windows Server 2012 R2 creates a point-in-time snapshot that
you can use to restore a server to a previous working state. It does this using the Volume
Shadow Copy Service (VSS): the snapshot captures open files such as Ntds.dit and its logs in a
consistent state while the domain controller stays online, so the backup is not corrupted by
writes that happen during the copy.
To back up the System State using the Graphical User Interface (GUI), perform the following
steps:
1. Log on to the domain controller with an account that is a member of the Domain
Admins group and open Server Manager from the taskbar.
2. In Server Manager, click the Tools menu and select Windows Server Backup.

3. In the Windows Server Backup (Local) console, click Backup Once in the Actions pane.
4. On the Backup Options page, click Different options, and then click Next.
5. On the Select Backup Configuration page, click Custom, and then click Next.
6. On the Select Items for Backup page, click Add Items. In the Select Items window, select the
System state check box, and then click OK.
7. Back on the Select Items for Backup page, click Advanced Settings, open the VSS Settings
tab, select VSS full backup, click OK, and then click Next.
8. On the Specify Destination Type page, select either Local drives or Remote shared folder,
and then click Next.
9. On the Select Backup Destination page, select the backup destination, and then click Next.
10. On the Confirmation page, review the backup items, and then click Backup to start the
backup.
11. On the Backup Progress page, wait until the status shows that the System State backup has
completed, and then click Close.
To back up the System State through Wbadmin.exe:
1. Open Command Prompt (Admin).
2. At the Administrator: Command Prompt, type
   wbadmin start systemstatebackup -backupTarget:E:
   and press Enter. Wbadmin responds with:
   This will back up the System State from volume(s) Local Disk (C:) to E:.
   Do you want to start the backup operation?
   Type Y for Yes and press Enter.
Next, Wbadmin.exe creates a shadow copy of the C: drive. After it does this it identifies the
system state files to back up. Once it has completed its search for system state files, it begins
the backup.
The figure shows that the backup of the system state completed successfully.
Once the backup is complete, wbadmin.exe writes a log named after the operation and its time
stamp, for example System State Backup-14-08-2014_07-52-55.log, in
%SystemRoot%\Logs\WindowsServerBackup.
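The article mentions PowerShell as the third way to take the backup but does not show it. The following script is an added example (not part of the original article) that performs the same System State backup through the WindowsServerBackup module and adds the pre-flight checks the GUI and wbadmin walk-throughs above leave implicit. It assumes the Windows Server Backup feature is installed and that E: is a local volume; 20 GB is an assumed free-space floor.

```powershell
# Added example; not part of the original article. System State backup through
# the WindowsServerBackup module with pre-flight checks. Assumes the Windows
# Server Backup feature is installed and E: is a local volume.
Import-Module WindowsServerBackup

$targetVolume = 'E:'

# System State cannot be written to a critical volume, i.e. one holding the OS,
# the AD database or SYSVOL. Work out which drive letters those live on.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$criticalRoots = @($env:SystemRoot, $ntds.'DSA Database file', $netlogon.SysVol) |
    ForEach-Object { $_.Substring(0, 2).ToUpper() } | Sort-Object -Unique
if ($criticalRoots -contains $targetVolume) {
    throw "$targetVolume holds a critical component ($($criticalRoots -join ', ')); choose another target"
}

# Free-space check; 20 GB is an assumed floor, System State on a DC is usually
# a few GB but grows with the size of Ntds.dit and SYSVOL.
$free = (Get-Volume -DriveLetter $targetVolume.TrimEnd(':')).SizeRemaining
if ($free -lt 20GB) {
    Write-Warning "Only $([math]::Round($free / 1GB)) GB free on $targetVolume"
}

# Build the one-off policy: System State, target E:, VSS full backup (the same
# choice as step 7 of the GUI walk-through), then run it.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath $targetVolume
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBVssBackupOptions -Policy $policy -VssFullBackup
Start-WBBackup -Policy $policy

# Verify: the newest backup set should carry System State and a fresh time stamp,
# and wbadmin's log for the run should be the newest file in its log folder.
$latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
"Latest backup: $($latest.BackupTime) on $($latest.BackupTarget), SystemState=$($latest.SystemState)"
Get-ChildItem "$env:SystemRoot\Logs\WindowsServerBackup" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
```

The critical-volume check is the one that bites in practice: wbadmin refuses a target that holds a critical volume, but only after you have waited for the shadow copy to be created, so checking the registry paths first saves a round trip.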

Backing up Active Directory is essential to maintaining the AD DS database. You can back up AD
DS by using the Graphical User Interface (GUI), Wbadmin.exe or PowerShell. I hope this article
helps when backing up the AD DS database on a Windows Server 2012 R2 domain controller.
Share-level permissions work at the folder level (they are set on the share itself).

NTFS permissions work at the folder and the file level.

Files inside shared folders inherit the permissions (share-level and NTFS) of the folder unless
you stop the inheritance directly and apply new permissions.

When you move a shared folder, you lose the share-level permissions: the share is defined by its
path and does not follow the folder.

When you move folders and files that have NTFS permissions within the same NTFS volume, they
keep their permissions; when you copy them, or move them to a different volume, they inherit
the permissions of the folder they end up in.
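The inheritance and move-versus-copy behaviour described above is easiest to see on a scratch folder. The script below is an added example (not part of the original notes): it grants BUILTIN\Users read access on a folder, shows the entry arriving on a file by inheritance, stops inheritance on that file the safe way, and then compares what a copy and a move do to the resulting ACL. Folder and file names are placeholders under %TEMP%.

```powershell
# Added example; not part of the original notes. Shows NTFS inheritance, how to
# stop it safely, and copy versus move, using throwaway folders under %TEMP%.
$root  = Join-Path $env:TEMP 'aclDemo'
$other = Join-Path $env:TEMP 'aclDemoOther'
$dir   = New-Item -ItemType Directory -Path $root  -Force
$null  = New-Item -ItemType Directory -Path $other -Force
$file  = New-Item -ItemType File -Path (Join-Path $root 'report.txt') -Force

function Get-UsersEntries($path) {
    # Access entries for BUILTIN\Users on $path, explicit or inherited.
    (Get-Acl $path).Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }
}

# Grant Users read access on the folder, inheritable by subfolders and files.
$acl  = Get-Acl $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# The file picked the entry up through inheritance: IsInherited is True.
Get-UsersEntries $file | Format-Table IdentityReference, FileSystemRights, IsInherited

# Stop inheritance on the file. The second argument keeps the inherited entries
# as explicit copies; passing $false drops them all, which can lock everyone but
# the owner out. So: keep them, write, re-read, then remove what you do not want.
$fileAcl = Get-Acl $file
$fileAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $file -AclObject $fileAcl

$fileAcl = Get-Acl $file                  # re-read: the Users entry is now explicit
$fileAcl.RemoveAccessRuleAll($rule)       # remove every Allow entry for Users
Set-Acl -Path $file -AclObject $fileAcl
"After stopping inheritance, Users entries on the file: $(@(Get-UsersEntries $file).Count)"

# Copy: the new file inherits from its destination folder, so Users comes back.
Copy-Item $file (Join-Path $root 'copy.txt')
"Copy in the same folder, Users entries: $(@(Get-UsersEntries (Join-Path $root 'copy.txt')).Count)"

# Move within the same volume: the protected ACL travels with the file unchanged.
Move-Item $file (Join-Path $other 'report.txt')
"Moved file, Users entries: $(@(Get-UsersEntries (Join-Path $other 'report.txt')).Count)"

Remove-Item $root, $other -Recurse -Force
```

The two-step protect-then-remove sequence matters: RemoveAccessRuleAll only touches explicit entries, so calling it before the protected ACL has been written and re-read leaves the inherited entry in place.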

Difference between Printers and Print Devices

A printer is software: the logical print queue and driver that Windows manages.

A print device is hardware: the physical machine that puts ink or toner on paper.

You need a printer in order to use a print device.

Once you have printers, you can use their permissions to control who has access to which print device.

Group Policy

Group Policy gives you control over what users and computers can do.

GPOs are linked to containers (sites, domains and OUs) and are not applied to groups, although
groups can play a part through security filtering on the GPO.

Basic Disk

Format partitions

Mark partitions as active

Create and delete primary and extended partitions

Create and delete logical drives.

Convert a basic disk to dynamic (does not delete data)

Dynamic Disk

Create and extend volumes

Remove or break a mirrored volume

Extend simple or spanned volumes

Repair mirrored and RAID-5 volumes

Convert from dynamic to basic (deletes data: all volumes must be removed first)

BranchCache

BranchCache lets an administrator with multiple locations speed up access to files held at the
main site: after a user at a branch opens a file for the first time, the content is cached at the
branch, and later requests for the same content are served from that cache instead of crossing
the WAN again.

Distributed cache mode uses the client computers at the branch site.

If the branch site does not have a server, distributed cache mode is the option to choose: content
fetched from the server at the main site is cached on one or more workstations at the remote site,
and other clients on the same subnet retrieve it from them.

Hosted cache mode uses a cache server at the branch to feed the branch site computers.

If you have a server at the remote site, a user who opens a file that exists only at the main site
gets it on the client computer, and it is then cached on the remote site's server. If the file is
opened again by anyone at that remote site, it is served from the hosted cache.

A deployment can mix the two modes: a hosted cache server in some sites and distributed mode in others.
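The choice between the two client modes comes down to whether the branch has a server. As an added example (not part of the original notes), the following PowerShell uses the BranchCache module on a Windows client to pick the mode from that one fact and then reads back what took effect. HC01.branch.example.com is a placeholder hosted cache server name, and the 10 percent cache size is an assumption.

```powershell
# Added example; not part of the original notes. Selects the BranchCache client
# mode from whether the branch has a hosted cache server. HC01.branch.example.com
# is a placeholder; 10% cache size is an assumed value.
Import-Module BranchCache

function Set-BranchClientMode {
    param([string[]]$HostedCacheServer)   # empty means there is no server at this branch

    if ($HostedCacheServer) {
        # Hosted cache mode: clients fetch content from, and publish it to, the branch server.
        Enable-BCHostedClient -ServerNames $HostedCacheServer
    } else {
        # Distributed cache mode: clients serve each other on the local subnet.
        Enable-BCDistributed
    }
    Set-BCCache -Percentage 10            # cap the local cache at 10% of the volume
    Get-BCClientConfiguration             # CurrentClientMode shows which mode is active
}

# Branch with a server:
Set-BranchClientMode -HostedCacheServer 'HC01.branch.example.com'

# Branch without one:
# Set-BranchClientMode
```

In a domain these settings are normally pushed by Group Policy rather than run by hand; the cmdlets are useful for the pilot site and for confirming on a client that the policy landed.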

DAS – Direct Attached Storage

A cable runs from a server directly into a storage device. Older devices used parallel SCSI; newer
ones use Serial Attached SCSI (SAS).

This means there is a controller card in the server itself with ports for SCSI, SAS or another type
of connection; it connects to the box of hard drives, and those drives show up in File and Storage
Services as disks that we can partition and assign drive letters to.

NAS – Network Attached Storage

A NAS sits on the network and you communicate with it over TCP/IP. It has its own operating
system (typically Linux or something similar); you log in and grant access to various users, who
can then see and share files using the access you have added.

SAN – Storage Area Network

Typically connected by Fibre Channel, or by iSCSI, which carries SCSI commands over Ethernet
(TCP/IP).
