Active Directory Collection FULL

Active Directory Collection
Updated: March 28, 2003
Active Directory Collection

Active Directory directory service is the distributed directory service that is included with
Microsoft® Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Active
Directory enables centralized, secure management of an entire network, which might span a building, a
city, or multiple locations throughout the world.
Active Directory in Windows Server 2003 includes the following:
Active Directory on a Windows Server 2003 Network
Active Directory Application Mode
Structure and Storage Technologies
Domain Controller Roles
Replication Technologies
Search and Publication Technologies
Installation, Upgrade, and Migration Technologies
In distributed computing environments, networked computers and other devices communicate over
remote connections to accomplish tasks through client/server applications. Distributed environments
require a central repository of information and integrated services that provide the means to manage
network users, services, devices, and additional information that administrators want to store.
Organizations operating a distributed environment need to have a way to manage network resources
and services. As the organization grows, the need for a secure and centralized management system
becomes more critical.
A directory service provides a centralized location to store information in a distributed environment

about networked devices and services and the people who use them. A directory service also
implements the services that make this information available to users, computers, and applications. A
directory service is both a database storage system (directory store) and a set of services that provide
the means to securely add, modify, delete, and locate data in the directory store.
Active Directory is typically used for one of three purposes:
Internal directory. Used within the corporate network for publishing information about users and
resources within the enterprise. A company’s internal directory may be accessible to employees when
they are outside the company network using a secure connection such as a virtual private network (VPN)
connection, but it is not accessible to non-employees.
External directory. These are directories typically located on servers in the perimeter network or
demilitarized zone (DMZ) at the boundary between the corporate local area network (LAN) and the
public Internet. External directories are typically used to store information about customers, clients, and
business partners who access external applications or services. They are also made available to
customers, clients, and business partners to provide them with selected business information such as
catalogs and so on.
Application directory. Application directories store “private” directory data that is relevant only to the
application in a local directory, perhaps on the same server as the application, without requiring any
additional configuration to Active Directory. The personalization data, which is only interesting to the
portal application and does not need to be widely replicated, can be stored solely in the directory
associated with the application. This solution reduces replication traffic on the network between domain
controllers.

Active Directory is the information hub of the Windows Server 2003 operating system. The following
figure shows Active Directory as the focal point of the Windows Server 2003 network used to manage
identities and broker relationships between distributed resources so they can work together.
Active Directory provides:

A central location for network administration and delegation of administrative authority. You have access
to objects representing all network users, devices, and resources and the ability to group objects for ease
of management and application of security and Group Policy.
Information security and single sign-on for user access to network resources. Tight integration with
security eliminates costly tracking of accounts for authentication and authorization between systems. A
single user name and password combination can identify each network user, and this identity follows the
user throughout the network.
Scalability. Active Directory includes one or more domains, each with one or more domain controllers,
enabling you to scale the directory to meet any network requirements.
Flexible and global searching. Users and administrators can use desktop tools to search Active Directory.
By default, searches are directed to the global catalog, which provides forest-wide search capabilities.
Storage for application data. Active Directory provides a central location to store data that is shared
between applications and with applications that need to distribute their data across entire Windows
networks.
Systematic synchronization of directory updates. Updates are distributed throughout the network
through secure and cost-efficient replication between domain controllers.
Remote administration. You can connect to any domain controller remotely from any Windows-based
computer that has administrative tools installed.
Single, modifiable, and extensible schema. The schema is a set of objects and rules that provide the
structure requirements for Active Directory objects. You can modify the schema to implement new types
of objects or object properties.
Integration of object names with Domain Name System (DNS), the Internet-standard computer location
system. Active Directory uses DNS to implement an IP-based naming system so that Active Directory
services and domain controllers are locatable over standard IP both on intranets and the Internet.
Lightweight Directory Access Protocol (LDAP) support. LDAP is the industry standard directory access
protocol, making Active Directory widely accessible to management and query applications. Active
Directory supports LDAPv3 and LDAPv2.
Active Directory Application Mode

Active Directory Application Mode (ADAM) is a directory service designed to meet the needs of
organizations that cannot rely solely on Active Directory to provide directory services for directory-
enabled applications. While Active Directory offers many benefits for managing network infrastructure,
organizations often need a more flexible directory service to support directory-enabled applications.
ADAM is a Lightweight Directory Access Protocol (LDAP) directory service designed specifically for
directory-enabled applications.
Structure and Storage Technologies

Active Directory uses domains and forests to represent the logical structure of the directory hierarchy.
Domains are used to manage the various populations of users, computers, and network resources in
your enterprise. The forest represents the security boundary for Active Directory. Within domains you
can create organizational units to subdivide the various divisions of administration.
The logical structure of Active Directory includes a two-dimensional definition that can be viewed as a
hierarchy, even though the objects themselves are stored in a flat database file. In addition to its own
name, each object stores the name of the container directly above it in the hierarchy. That container
object stores the name of its superior container, and so on, up to the root container. In this way, a logical
structure is imposed that can be viewed by using Active Directory tools as a tree of containers. By virtue
of a hierarchical naming system, the objects in the tree appear to be nested inside (contained by) other
objects.
The Active Directory schema defines the types of objects that are available to the directory service. The
schema is stored in the schema partition, which is also defined as an object in the directory. The
attributes and classes in Active Directory are stored in the schema partition as directory objects called
schema objects. It is possible for Administrators to add their own classes or attributes to an existing
object type. However, the default schema provides all of the classes and attributes that Active Directory
needs to function.
Active Directory uses objects to store and reference data in the directory. The Active Directory database
file (Ntds.dit) provides the physical storage of all Active Directory objects for a single forest. Although
there is a single directory, some directory data is stored within domains while other data is distributed
throughout the forest, without regard for domain boundaries. In Windows Server 2003, data can also be
distributed to domain controllers according to applications that use the data, where the scope of
distribution can be set according to the needs of the application.
Any updates made to data in the directory are automatically distributed to the appropriate domain
controllers by means of Active Directory replication. By replicating data according to directory partitions,
Active Directory provides a data repository that is logically centralized (maintains a single point of
administration) but physically distributed (is synchronized on multiple domain controllers throughout the
network).
Replication Technologies
Objects in the directory are distributed among the domain controllers in a forest, and all domain
controllers can be updated directly. Active Directory replication is the process by which the changes that
are made on one domain controller are automatically synchronized with other domain controllers. Data
integrity is maintained by tracking changes on each domain controller and updating other domain
controllers in a systematic way. By default, Active Directory replication uses a connection topology that is
created automatically. This replication topology makes optimal use of physical network connections and
frees administrators from having to determine which domain controllers replicate with one another. The
replication topology can also be created manually. Active Directory replication is designed to maximize
directory consistency and minimize the impact to network traffic.
Domain Controller Roles

A domain controller is a server that is running a version of the Windows Server 2003 or Windows 2000
Server operating system and has Active Directory installed.
Note
Implementations of Microsoft Windows NT 3.51 and Microsoft Windows NT 4.0 operating systems also
have domain controllers, but they do not support Active Directory.
When you install Windows Server 2003 or Windows 2000 Server on a computer, you can choose to
configure a server role for that computer. When you want to create a new forest, a new domain, or an
additional domain controller in an existing domain, you configure the server as a domain controller by
installing Active Directory.
By default, a domain controller stores one domain directory partition consisting of information about the
domain in which it is located, plus the schema and configuration directory partitions for the entire forest.
A Windows Server 2003 domain controller can also store one or more application directory partitions.
Whereas every domain controller stores the objects for only one domain, a domain controller that is
designated as a global catalog server stores the objects from all domains in the forest. For each object
that is not in the domain for which the global catalog server is authoritative as a domain controller, a
limited set of attributes is stored in a partial replica of a corresponding domain. The partial replicas on a
global catalog server are not writable — you cannot update an object in a partial replica on a global
catalog server, but only on a domain controller that stores a full replica. Thus a global catalog server
stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica
of every other domain in the forest. The attributes that are replicated to the global catalog servers are
the attributes that are most likely to be used to search for the object in Active Directory. These attributes
are identified by default in the schema as being included in the partial attribute set of the global catalog.
The global catalog makes it possible for clients to search Active Directory without having to be referred
from server to server until the domain controller that has the domain that stores the requested object is
found. By default, Active Directory searches are directed to global catalog servers. The first domain
controller in a forest is automatically created as a global catalog server. Thereafter, you can designate
other domain controllers to be global catalog servers if they are needed.
All domain controllers can receive updates to any writable object that they store (with the exception of
schema updates, which can be made only on the one domain controller in the forest that has the role of
schema master). The day-to-day operations that are associated with managing users, groups, and
computers are typically multimaster operations — that is, changes to these objects can be made on any
domain controller. When a client application updates an object on a domain controller, the domain
controller automatically replicates the change to all other domain controllers in the same domain if the
change is a domain change or to all other domain controllers in the forest if the change is a configuration
or schema change.
There are some operations, however, that are not performed as multimaster operations because they
must occur at only one place and time. For these operations, there are specially designated domain
controllers that manage the operations singly. Some master operations, required at the forest level,
include the schema master and the domain naming master. Others, required at the domain level, include
the PDC emulator, RID master and infrastructure master. Domain controllers that hold these special roles
are called operations masters.
Search and Publication Technologies

Successful operation of an Active Directory forest depends on clients and services being able to locate
domain controllers. The success of domain controller location depends on the registration of information
in DNS and the availability of that information. Active Directory uses DNS to locate networked computers
by resolving computer names to IP addresses. The Net Logon service on domain clients and domain
controllers interacts with Windows server application programming interfaces (APIs) and DNS to provide
a domain controller locator service (Locator). Locator finds requested service-specific and site-specific
domain controllers.
After a domain controller has been located, LDAP is used to retrieve information from the directory.
Active Directory stores objects that provide information about the real objects that exist in an
organization’s network and that are associated with one or more domains, such as users, specific groups
of users, computers, applications, services, files, and distribution lists. Active Directory makes this
information available to administrators, network users, and applications throughout the organization
through LDAP. LDAP enables clients to query, create, update, and delete information stored in a directory
service. The LDAP protocol is the Active Directory core protocol, and is the preferred and most common
way of interacting with Active Directory.
The creation, storage, and maintenance of information in Active Directory is called service publication.
Directory-enabled services and applications can publish globally useful information, such as service
availability and properties, in Active Directory. This allows client processes to find and connect to any
directory-enabled service as needed, and network clients and administrators to find, connect to, and
manage services.
Installation, Upgrade, and Migration Technologies

The installation or removal of Active Directory is performed by the Active Directory Installation Wizard.
Before installing Active Directory on a server, the wizard will verify that the server is eligible to run Active
Directory. After the prerequisites have been met, a user interface is used to gather information specific
to the environment in which Active Directory will be installed. Finally, the wizard configures the directory
service, making the server a domain controller.
Part of the directory configuration process includes configuring the Active Directory schema. The schema
contains a master list of all classes (object types) and attributes that can be used in the directory. The
Active Directory Preparation Tool (ADPrep) is used to prepare a Windows 2000 Active Directory forest
and domain for a newer version of the directory service. One of several tasks accomplished by ADPrep is
updating the Active Directory schema. If you do not prepare your Active Directory infrastructure, the
upgrade will fail.
After installing or upgrading to Windows Server 2003 Active Directory, you can enable the appropriate
Active Directory domain or forest functional level based on an assessment of your current environment.
In Windows Server 2003, the functional level of a domain or forest defines the set of advanced Windows
Server 2003 Active Directory features that are available in that domain or forest. The functional level of a
domain or forest also defines the set of Windows operating systems that can run on the domain
controllers in that domain or forest. Functional levels provide configuration support for the Active
Directory features in Windows Server 2003 and ensure compatibility with domain controllers running
Windows 2000 Server and Windows NT 4.0.
Depending on the design of your environment, you might opt to restructure it instead of upgrading. For
example, if your Windows NT 4.0 environment consists of multiple domains, rather than upgrading each
domain it might be more productive to restructure the environment by consolidating some of those
domains. Or if your Windows 2000 environment was poorly designed and you are upgrading your
environment to Windows Server 2003, it might benefit you to restructure your existing environment
before or after the upgrade takes place. You can perform either of these tasks by using the Active
Directory Migration Tool (ADMT). ADMT includes wizards that automate migration tasks such as copying
users, groups, and service accounts; moving computers; migrating trusts; and performing security
translation. When you use ADMT to restructure Windows NT 4.0 domains, ADMT copies the accounts
that are migrated, so that when the accounts are created in the target domain, they continue to exist in
the source domain. The primary security identifiers (SIDs) for the accounts can be migrated to the SID
history in the target domain. SID history maintains resource permissions when you migrate accounts,
thus enabling access to resources in the source domain.
Another method for restructuring an Active Directory environment is to rename a domain. You can use
the domain rename process to change the names of your domains, and you can also use it to change the
structure of the domain trees in your forest. This process involves updating the Domain Name System
(DNS) and trust infrastructures as well as Group Policy and service principal names (SPNs).
The ability to rename domains provides you with the flexibility to make important name changes and
forest structural changes as the needs of your organization change. Using domain rename, you can not
only change the name of a domain, but you can change the structure of the domain hierarchy and
change the parent of a domain or move a domain located in one domain tree to another domain tree.
[edit] Forests, trees, and domains
The AD framework that holds the objects can be viewed at a number of levels. At the top of the
structure is the forest. The forest is a collection of every object, its attributes, and rules (attribute
syntax) in the AD. The forest, tree, and domain are the logical parts in an AD network.
The AD forest contains one or more transitive, trust-linked trees. A tree is a collection of one or
more domains and domain trees, again linked in a transitive trust hierarchy. Domains are
identified by their DNS name structure, the namespace.
The objects held within a domain can be grouped into containers called Organizational Units
(OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the
structure of the AD's company in organizational or geographical terms. OUs can contain OUs -
indeed, domains are containers in this sense - and can hold multiple nested OUs. Microsoft
recommends as few domains as possible in AD and a reliance on OUs to produce structure and
improve the implementation of policies and administration. The OU is the common level at
which to apply group policies, which are AD objects themselves called Group Policy Objects
(GPOs), although policies can also be applied to domains or sites (see below). The OU is the
level at which administrative powers are commonly delegated, but granular delegation can be
performed on individual objects or attributes as well.
AD also supports the creation of Sites, which are physical, rather than logical, groupings defined
by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g.,
WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent of the domain and
OU structure and are common across the entire forest. Sites are used to control network traffic
generated by replication and also to refer clients to the nearest domain controllers. Exchange
2007 also uses the site topology for mail routing. Policies can also be applied at the site level.
The actual division of the company's information infrastructure into a hierarchy of one or more
domains and top-level OUs is a key decision. Common models are by business unit, by
geographical location, by IT Service, or by object type. These models are also often used in
combination. OUs should be structured primarily to facilitate administrative delegation, and
secondarily, to facilitate group policy application. Although OUs form an administrative
boundary, the only true security boundary is the forest itself and an administrator of any domain
in the forest must be trusted across all domains in the forest.
Physically the Active Directory information is held on one or more equal peer domain controllers
(DCs), replacing the NT PDC/BDC model. Each DC has a copy of the AD; changes on one
computer being synchronized (converged) between all the DC computers by multi-master
replication. Servers joined in to AD, which are not domain controllers, are called Member
Servers. The AD database is split into different stores or partitions. Microsoft often refers to
these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object
classes and attributes within the Forest. The 'Configuration' partition, contains information on the
physical structure and configuration of the forest (such as the site topology). The 'Domain'
partition holds all objects created in that domain. The first two partitions replicate to all domain
controllers in the Forest. The Domain partition replicates only to Domain Controllers within its
domain. A subset of objects in the domain partition are also replicated to domain controllers that
are configured as global catalogs.
Unlike earlier versions of Windows which used NetBIOS to communicate, Active Directory is
fully integrated with DNS and TCP/IP — indeed DNS is required. To be fully functional, the
DNS server must support SRV resource records or service records.
AD replication is 'pull' rather than 'push'. The Knowledge Consistency Checker (KCC) creates a
replication topology of site links using the defined sites to manage traffic. Intrasite replication is
frequent and automatic as a result of change notification, which triggers peers to begin a pull
replication cycle. Intersite replication intervals are less frequent and do not use change
notification by default, although this is configurable and can be made identical to intrasite
replication. A different 'cost' can be given to each link (e.g., DS3, T1, ISDN etc.) and the site link
topology will be altered accordingly by the KCC. Replication between domain controllers may
occur transitively through several site links on same-protocol site link bridges, if the 'cost' is low,
although KCC automatically costs a direct site-to-site link lower than transitive connections.
Site-to-site replication can be configured to occur between a bridgehead server in each site,
which then replicates the changes to other DCs within the site.
In a multi-domain forest the AD database becomes partitioned. That is, each domain maintains a
list of only those objects that belong in that domain. So, for example, a user created in Domain A
would be listed only in Domain A's domain controllers. Global catalog (GC) servers are used to
provide a global listing of all objects in the Forest. The Global catalog is held on domain
controllers configured as global catalog servers. Global Catalog servers replicate to themselves
all objects from all domains and hence, provide a global listing of objects in the forest. However,
in order to minimize replication traffic and to keep the GC's database small, only selected
attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can
be modified by modifying the schema and marking attributes for replication to the GC.
Replication of Active Directory uses Remote Procedure Calls (RPC over IP [RPC/IP]). Between
Sites you can also choose to use SMTP for replication, but only for changes in the Schema or
Configuration. SMTP cannot be used for replicating the Domain partition. In other words, if a
domain exists on both sides of a WAN connection, you must use RPCs for replication.
The AD database, the directory store, in Windows 2000 uses the JET Blue-based Extensible
Storage Engine (ESE98), limited to 16 terabytes and 1 billion objects in each domain controller's
database. Microsoft has created NTDS databases with more than 2 billion objects.[citation needed]
(NT4's Security Account Manager could support no more than 40,000 objects). Called
NTDS.DIT, it has two main tables: the data table and the link table. In Windows 2003 a third
main table was added for security descriptor single instancing.[4]
Active Directory is a necessary component for many Windows services in an organization such
as Exchange.
FSMO (Flexible Single Master Operations)

There are times when you may need to change the Domain Controller which holds one of the 5 FSMO
roles. Either you could be facing a disaster recovery, where you have lost the first Windows 2003
Domain Controller, or you are organized and want to get the most out of your Active Directory Forest.
Although you rarely need to deal with Microsoft's FSMO, there is the feeling that knowledge of these
Operation Masters gives you power over your Windows 2003 Servers.
Topics for FSMO

Background of Operations Masters
5 FSMO Roles
Checking which DC holds which FSMO role
The 'Knack' of Changing Operations Master
Advice and Troubleshooting FSMO
Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is you
can add a computer, or change a user's password on any domain controller. For example, if you have
three domain controllers, you can physically create a new computer account in the NTDS.dit database on
any of the three. Within five minutes (15 seconds in Windows 2003), the new computer object will be
replicated to the other two domain controllers.
Technically, the Microsoft multiple master model uses a change notification mechanism. Occasionally
problems arise if two administrators perform duplicate operations before the next replication cycle. For
example, you created an OU called Accounts last week, today at the same instant you create new users
in that OU, another administrator on another DC, deletes that OU. Active Directory does it's best to
obey both administrators. It deletes the OU and creates the Users, but as it cannot create the Users in
the OU because it was deleted, the result is the users are added to the orphaned objects in the
'LostAndFound' folder. You can troubleshoot what has happed by locating the 'LostAndFound' folder in
Active Directory Users and Computers.
From the View Menu in Active Directory Users and Computer,

click: Advanced Features.
It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is
that a few operations are so critical that only one domain controller can carry out that process. Imagine
what would happen if two administrators tried to make different changes to the same schema object -
chaos. That is why administrators can only change the schema on one Domain Controller. Emulating a
PDC is the most famous example of such a Single Master Operation; creating a new child domain would
be another example.
The Five FSMO Roles

There are just five operations where the usual multiple master model breaks down, and the Active
Directory task must only be carried out on one Domain Controller. FSMO roles:
PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDC's. However, there are two
other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time
service and creating group policies. I admit that it is confusing that these two jobs have little to do with
PDCs and BDCs.
RID Master - Each object must have a globally unique number (GUID). The RID master makes sure each
domain controller issues unique numbers when you create objects such as users or computers. For
example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 - 9999.
Infrastructure Master - Responsible for checking objects in other other domains. Universal group
membership is the most important example. To me, it seems as though the operating system is paranoid
that, a) You are a member of a Universal Group in another domain and b) that group has been assigned
Deny permissions. So if the Infrastructure master could not check your Universal Groups there could be
a security breach.
Domain Naming Master - Ensures that each child domain has a unique name. How often do child
domains get added to the forest? Not very often I suggest, so the fact that this is a FSMO does not
impact on normal domain activity. My point is it's worth the price to confine joining and leaving the
domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned
domains.
Schema Master - Operations that involve expanding user properties e.g. Exchange 2003 / forestprep
which adds mailbox properties to users. Rather like the Domain naming master, changing the schema is
a rare event. However if you have a team of Schema Administrators all experimenting with object
properties, you would not want there to be a mistake which crippled your forest. So its a case of
Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role.
(There is a also an important Global Catalog Role, however its not a FSMO role as you can have more
than one Global Catalog. See more on Global Catalog Server)
How many FSMO Domain controllers in your Forest?
Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.) are unique to the entire
forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.
Checking which DC holds which FSMO role

RID, PDC, Infrastructure (1. 2. and 3.)
You can discover which server holds the Operation Master by opening
Active Directory Users and Computers, Right click your Domain and
select Properties, Operations Masters.
Domain Naming Master (4.)
To see the Domain Naming Master (4.), navigate to the little used,
Active Directory Domains and Trusts, Right click your Domain and
select Properties, Operations Masters.
Schema Master (5.)
The Schema Master (5.) is the most difficult FSMO to find. The reason is the Schema snap-in is hidden by
default. Perhaps is this is Microsoft saying - don't mess with the object definitions. However, you can
reveal the Schema and its FSMO settings thus:
1) Register the Schema Snap with this command, RUN regsvr32 schmmgmt.dll
2) Run MMC, File menu, Add\Remove Snap-in, click the Add

button and select,
Active Directory Schema
3) Select Active Directory Schema, Right Click, Operations

Master.
Footnote
I have to confess a hidden agenda with FSMO. If I want to instantly know how well someone knows
Active Directory, I introduce FSMO into the conversation and watch their reaction. Professionals will
know what FSMO means and its significance, amateurs just frown.
FSMO (Flexible Single Master Operations)

This page will advise you what to do if you lose the Domain Controller holding one of the FSMO roles. I
will also cover the implications of having more than one FSMO master for the same role. If you have lost
your FSMO master then I have a troubleshooting section, and a separate page on transferring FSMO
roles. Incidentally, the modern tendency is to use the term Operation Masters, whereas in Windows
2000, FSMO was the term of choice.
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also
known as operations master roles. Although the AD domain controllers operate in a multi-master
model, i.e. updates can occur in multiple places at once, there are several roles that are
necessarily single instance:
 Five roles in total

 Two roles where there is one per forest
 Schema master
 Domain naming master
 Three roles where there is one per domain
 Relative Identifier (RID) master
 Primary Domain Controller (PDC) Emulator
 Infrastructure master
Topics for FSMO

Schema Master
Domain Naming Master
PDC Emulator
Relative Id Master
Infrastructure Master
Troubleshooting FSMO
(Transfer FSMO Roles - Another page)
Role Name Scope Description

Controls updates to the Schema its a collection of objects and all object
1 per
Schema Master which comes under AD that care taken by schema master. DC will
forest
update all the process which comes under to that DC.
Domain 1 per Controls the addition and removal of domains from the forest it present
Naming Master forest in root domain
Provides backwards compatibility for NT4 clients for PDC operations
1 per (like password changes). The PDCs also run domain specific processes
PDC Emulator
domain such as the Security Descriptor Propagator (SDPROP), and is the
master time server within the domain.
1 per Allocates pools of unique identifier to domain controllers for use when
RID Master
domain creating objects
Synchronizes cross-domain group membership changes. The
Infrastructure 1 per
infrastructure master cannot run on a global catalog server (unless all
Master domain
DCs are also GCs.)
Schema Master
If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or
extend the schema. However, short term no-one will notice a missing Schema Master, so try and repair
the old one rather than seize the role.
Implications for Duplicates

You must not allow two Schema Masters, so if the original is found or repaired, it must be completely
rebuilt rather than allowed into the forest.
Domain Naming Master

This is a forest wide role that is responsible for adding child domains and new trees. Unless you are
going to run DCPROMO, then you will not miss this FSMO role, so wait rather than seize the role.
You must not allow the original Domain Naming Master to return, rebuild before you let the machine
back in the forest.
PDC Emulator
Of the 5 roles, this is the role that you will miss the soonest. Not only with NT 4.0 BDC's complain, but
also there will be no time synchronization. Another problem is that you probably will not be able to
change or troubleshoot group policies as the default setting is for the PDC emulator also to be the group
policy master.
If the old PDC emulator returns, then it is not as serious as duplicates with some of the other roles.
Quickly seize PDC role from another machine.
RID Master
One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique
numbers so that no two new objects have the same GUID (Globally Unique Identifier).
If you lose the RID master the chances are good that the existing Domain Controllers will have enough
unused RIDs to last a week or so do not be in a hurry to seize.
You must not allow two RID masters, as the possibility of two objects with the same RID would be
disastrous. So if the original is found it must be reformatted and reinstalled before re-joining the forest.
The consequence for a missing Infrastructure master is that group memberships may be incomplete. If
you only have one domain, then there will be no impact as the Infrastructure Master is responsible for
updating your user's membership in other domains in the forest.

No damage occurs if the old Infrastructure master returns, just check out the Roles and decide which
machine should hold the role.
Domain-wide FSMO Roles:

Every domain in an Active Directory forest must contain one of each of the following FSMO
roles:
 The Relative ID Master allocates security RIDs to DCs to assign to new AD security
principals (users, groups or computer objects). It also manages objects moving between
domains.
 The Infrastructure Master maintains security identifiers, GUIDs, and DNS for objects
referenced across domains. Most commonly it updates user and group links.This is
another domain-specific role and its purpose is to ensure that cross-domain object
references are correctly handled. For example, if you add a user from one domain to a
security group from a different domain, the Infrastructure Master makes sure this is done
properly. As you can guess however, if your Active Directory deployment has only a
single domain, then the Infrastructure Master role does no work at all, and even in a
multi-domain environment it is rarely used except when complex user administration
tasks are performed, so the machine holding this role doesn't need to have much
horsepower at all.
 The PDC Emulator operations master role processes all password changes in the
domain. Failed authentication attempts due to a bad password at other domain controllers
are forwarded to the PDC Emulator before rejection. This ensures that a user can
immediately login following a password change from any domain controller, without
having to wait several minutes for the change to be replicated. The PDC Emulator
Operations Master role must be carefully sited in a location to best handle all password
reset and failed-authentication forwarding traffic for the domain.
Forest-wide FSMO Roles:

Regardless of the number of domains in an Active Directory forest, the following FSMO roles
exist only once:
 The Schema Master maintains all modifications to the schema of the forest. The schema
determines the types of objects permitted in the forest and the attributes of those objects
for.
 The Domain Naming Master tracks the names of all domains in the forest and is
required to add new domains to the forest or delete existing domains from the forest.
Trust
To allow users in one domain to access resources in another, AD uses trusts. Trusts inside a forest
are automatically created when domains are created. The forest sets the default boundaries of
trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As
well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees,
transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or
nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect
to other forests or non-AD domains.
[edit] Trusts in Windows 2000 (native mode)

 One-way trust - One domain allows access to users on another domain, but the other domain
does not allow access to users on the first domain.
 Two-way trust - Two domains allow access to users on the other domain.
 Trusting domain - The domain that allows access to users from a trusted domain.
 Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
 Transitive trust - A trust that can extend beyond two domains to other trusted domains in the
tree.
 Intransitive trust - A one way trust that does not extend beyond two domains.
 Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
 Cross-link trust - An explicit trust between domains in different trees or in the same tree when a
descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 - supports the following types of trusts:-
 Two-way transitive trusts.

 One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
 Shortcut
Windows 2003 offers a new trust type - the forest root trust. This type of trust can be used to
connect Windows 2003 forests if they are operating at the 2003 forest functional level.
Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts
are also transitive for all the domains in the forests that are trusted.
Troubleshooting FSMO
Symptoms of FSMO Problems
I find that the first sign of a problem with a FSMO is that Active Directory Users and Computers is slow to
initialize. Moreover, if you try to even view Group Policies, you get an error such as:
Inaccessible GPO - Access Denied or

Failed to open the Group Policy Object. You may not have appropriate rights.
The cause of these symptoms is that the FSMO master holding the PDC emulator is unavailable. Fingers
crossed it's a temporary problem, however the problem persists then you need to investigate which
Domain Controller holds, or held the PDC emulator role.
Troubleshooting Toolkit
DCDiag - Not only does DCDiag have a routing to check the FSMOs but it also provides information on
Active Directory replication. As ever with troubleshooting, you want to get to the root cause not merely
treat one of the symptoms.
NetDOM - It's a close call whether to run NetDOM before or after DCDiag, the answer partly depends on
whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support
tools.
From the command line type netdom query fsmo. You should see a list of the of the 5 roles with the
corresponding Domain Controller.
DNS - Excuse what may seem like a digression, but it never ceases to amaze me how often faulty DNS
configuration is the source of an Active Directory problem. Therefore, head for the DNS snap-in and
observe that all settings are as expected. Remember the Monitor to tab. Make sure that each DNS
server is registering itself and registering with other DNS Servers.
DCPROMO - Rather drastic, but sometimes just running this program to demote a Domain Controller
creates error messages, which are handy additional sources of information. If there are no error
messages, you may just choose to cancel. However, if you go ahead and run DCPROMO to demote a
domain controller, watch out for a check box that says 'This is the last domain controller in the domain'.
If that box is UNchecked the wizard will automatically move any FSMO roles to another domain
controller.
How to Transfer FSMO Roles
Remember that in the acronym FSMO, the word Flexible means that you can move the role to a more
suitable domain controller. There are two scenarios for transferring the FSMO roles, the first is a planned
transfer where the original FSMO Operations Master is up and running. Alternatively, if the original
FSMO master has been stolen, corrupted or otherwise unavailable then you need NTDSUTIL
Topics for Transferring the FSMO Master.

Planning the FSMO Transfer
Where to Find the 5 FSMO Operation Masters
Pull those Operations Masters
At Last - We get to Press the Change Button
NTDSUTIL
Summary - FSMO transfer
Planning the FSMO Transfer
As a matter of planning strategy, decide if this move is a short term fix, or part of a long term transfer of
role. Another consideration is do you want all the roles on the same Domain Controller. The answer is
probably not, for example, best practice suggests that the Infrastructure master should not be on a
Global Catalog.
If the Global Catalog server and Infrastructure Master are on the same server, the Global Catalog no
longer updates information. You can either just accept this peculiarity, or research why it thinks it knows
best and does not need to replicate. This is only a problem in a multi-domain forest.
Your planning should also take into account the fact that each domain has its own RID, PDC and
Infrastructure Master, while there is only one Schema and one Domain Naming Master for the entire
Active Directory Forest.
Finally a minor consideration, have you the correct rights, for example, do you have access to an
account, which is and Enterprise Administrator and Schema Administrator.
Where to Find the 5 FSMO Masters
Three of the FSMO Operational Masters are found under the domain in
Active Directory Users and Computers. The FSMO roles found here are:
RID, PDC and Infrastructure masters. Right click on the domain name
(cp.com in diagram) then select Operations Masters.
The Domain Naming Master is tucked away under the Active Directory
Domains and Trusts. While the hardest FSMO master to find is the
Schema Master, the reason being you first have to register the schema
snap in with the command: Start, Run Start, regsvr32 schmmgmt.dll.
Now that you have located the 5 Operation Masters, the technique to
transfer ownership is the same in each case.
Pull those Operations Masters
The key concept is Pull. Make sure that you are connected to the
destination server. This is really such a simple point but once you have
grasped the concept, the knack transferring FSMO roles will be
easy. Sorry to harp on, but unless you make the new FSMO domain controller the focus for the MMC
snap in, trust me, you will be frustrated.
At Last - We get to Press the Change Button
Now that you have the 'focus' on the new Operations Master, your transfer will proceed smoothly. After
double checking that the server names are the correct way around, just click on the Change Button.
Now it's on to the next Operations Master, remember that

there are 5 roles. Although some Forests may have more than
one RID, PDC and Infrastructure master, usually you only need
to take one server out of commission at a time. However if
you are taking the opportunity to restructure your FSMO roles
then you may have to make more than 5 changes.
NTDSutil
NT directory service utility (NTDSutil) reminds me of UNIX or

mainframes. What you get with NTDSutil is command line
program with powerful verbs that can dramatically affect the
operating system. Rather like ESEutil you should take every
opportunity to practice with NTDSutil, so that when you have
to use it in anger you will know what you are doing. Even so
backup because there are no safety checks and the wrong command can wreak havoc.
When you are configuring FSMO with NTDSutil, the command that is,
Seize PDC (or Seize RID etc). However, as soon as you execute NTDSutil you realize how many different
jobs this utility has.
Make use of help at every NTDSutil prompt
Sample NTDSutil command session
ntdsutil, roles - help

connections - help
connect to server yourserver (change yourserver but include the word 'to')
seize pdc (or other FSMO Role)
C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: help
? - Show this help information

Connections - Connect to a specific domain controller
Help - Show this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and
naming contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master
fsmo maintenance: connections

server connections: help
? - Show this help information

Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Show this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd.
Use "NULL" for null password,
* to enter password from the console.
server connections: connect to server william

Binding to william ...
Connected to william using credentials of locally logged on user.
server connections: seize pdc
Summary - FSMO transfer
Before you learn the knack of transferring the FSMO or Operations Master, take a minute to plan which
Domain Controllers should hold which roles. It is possible that existing servers have inappropriate roles,
for example if your forest has grown, the Schema master is best in the Root domain.
(There is a also an important Global Catalog Role, however its not a FSMO as you can have more than
one Global Catalog. See more on Global Catalog Server)
Schema Master
 Responsible for schema updates
 Only DC that can process schema updates
 After update, replicates changes to other DCs
 If this Operations master is unavailable, no schema changes can be made
The Windows Server 2003 Schema Snap-in is not available by default. There lies a clue that ordinary
administrators are not meant to change the Schema. However, to complete your understanding of
Active Directory take time to appreciate the object model that underpins Windows Server 2003.
Topics for Windows Server 2003 Schema
What you need to know about the Schema.
Major changes compared with Windows 2000
Getting Started
Recommendations
What you need to know about the Schema.
Object based Nature
It us useful to understand the nature of the Schema. Active Directory is an object based system. The
schema keeps a list of the definitions for each object such as Computer or User. The list is divided into
Classes and Attributes and the Schema recycles attributes like location and applies an instance to the
site, printer or computer object.
Flexible Master
The Schema is one of the five single master operations, this means that only one domain controller has a
read / write copy of the schema. Take the time to find out which machine hold the Schema Master role.
Right Click the Schema Snap-in, select Operations Master from the short cut menu.
Active Directory Training

As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands on
training. In particular, I like the way that TrainSignal cover all learning methods, instructor lead, video
and of course text material. You can either take one module, for example Active Directory or go for a
combination of modules. See more about Active Directory training
Modification by Exchange 2003 and Schema Admins
Exchange 2003 relies on Active Directory for definitions of the users mailboxes. When you install
Exchange 2003, firstly you have to be a member of the Schema Admin Global group; secondly Exchange
extends the schema to include these extra attributes like mailbox server. While it is possible to add
attributes and classes yourself - resist. Modifying the schema affects the entire forest and in my opinion
should only be done by a developer when there is a clear business need.
Role of the Global Catalog
The Global Catalog server keeps track of a subset of the most important attributes, and the Global
Catalog replicates this information to other Global Catalog servers. Be aware that you can add extra
attributes to the list, for example, information on department could be replicated. The benefit is you
could search on department or any other attribute that you added.
Major changes compared with Windows 2000
Deactivating attributes
Active Directory will not allow you to delete classes or attributes but you can deactivate them if you are
sure they will not be needed.
Improved replication
In Windows Server 2003, only changes in attributes are replicated, the benefit is less replication traffic
and less change of a conflict.
ADPREP
Active Directory preparation allows you to extend the schema ready for an installation of the NTDS.dit
database files. ADPREP uses /forestprep and /domainprep switches rather like Exchange 2000/3.
Getting Started
To make the Schema Snap-in appear, first you need to register a dll.:
Start, Run, regsvr32 schmmgmt.dll. Next I add the Schema snap-
in to my MMC. Run, MMC if you need to create a blank shell for
the snap-ins, then its File (Menu) Add/Remove Snap-in.
The schema shows all the Objects that exist in Active Directory.
Examples of Active Directory Schema Classes include: computer,
printer and user
Each object has attributes e.g. CN = Common Name, Department,

HomeDrive and USN. From a design point of view, Microsoft
implement 'mix and match'. Once a attribute like Location is created
it can be matched with several objects e.g. Printer Object or Computer Object. Finally, attributes have
values which you set through interfaces like the Active Directory Users and Computers.
While knowledge of the object based systems builds a picture of Active Directory; there is practical value
in understanding the role of the schema in Active Directory. For instance, when you install Exchange
2000 you need to be member of the Schema Admins otherwise your install will fail. You should also be
aware that Exchange 2000 alters the schema so that 4 new Email tabs are added to users' property tabs.
Inspecting the Schema Snap-in
Once you have registered the Active Directory Schema you can
check out the Classes and Attributes; this will give you an idea
of how objects like users are built up of attributes. Do not
worry about the X500 OID, but do inspect the Attributes
Properties to see which are published in the Global Catalog.
The Global Catalog is a subset of the Schema containing the
most useful attributes which are used in the Search menus.
In my opinion you should only create new Classes or even new

Attributes if you are a developer. One extra Class I have heard
suggested is Laptop. Personally I think that there enough user
attributes, but someone suggested adding a Car with an
Expense attribute.
Recommendations
Take the time to understand what the schema does for Active Directory.
Register the Schema snap-in
Find out which machine has the Schema Master Role.
Normally you will not need to alter the schema. The only time the Schema is extended is when you
install Active Directory aware programs like Exchange 2003.
Schema Issues
The most common schema issues encountered are with upgrading the schema. The first place to
look when you receive an error message while upgrading is the Schupgr.log file located in the
system32 folder.
Some common problems reported with the Schema upgrade process are the following:
•
Insufficient rights error: Usually Schema Upgrade LDIF files contain changes for both the
schema and configuration directory partitions. By default, only Schema Admins can modify
objects in the schema directory partition, and only enterprise administrators or root domain
administrators can modify objects in the configuration directory partition.
Note
The user must be logged in as a member of Schema Admins and Enterprise Admins because
Schupgr.exe runs within the security context of the current logged-on user.
The user needs to be logged on as a member of both because schupgr runs with current logged
in user credentials. Sometimes the user is logged in as a member of both, but still reports an
insufficient rights error. This is usually caused by the unavailability of a global catalog when the
user logged in. Schema/Enterprise admin group membership evaluation requires a global catalog.
If a global catalog is not available, those might not be in the user's token. Make sure the Global
Catalog is running, and then log off and log on again.
An example of insufficient rights would be the following:
Opened Connection to BARDOK2SSPI Bind succeededFound Naming Context

DC=bardok2,DC=comFound Naming Context
CN=Schema,CN=Configuration,DC=itreskit,DC=comFound Naming Context
CN=Configuration,DC=itreskit,DC=comCurrent Schema Version is 11Upgrading schema to
version 12Converting DNs in file C:\WINNT\System32\sch12.ldf ERROR: Failed to read
current FSMO role owner: 50 (Insufficient Rights)
•
Error in importing: ldifde.exe generates two files, ldif.log and ldif.err (in case of an error only).
Check the files to see which entry is in error and what error code is returned. You can then try to
import it manually through ldp or a separate ldif file that contains only this entry. Next capture a
sniffer trace, and figure out from the error information what the problem is.
•
Schupgr runs but doesn't update the schema version: The version number. is updated as the last
entry in the ldif file. If anything else fails before, the version is not updated. If no errors are
reported from Schupgr.log file, and the version number is still not updated, it is usually a
problem with ldifde. Make sure ldifde is running correctly. The instances when this occurs is
when ldifde access violates when loading.
•
Schupgr error: Cannot obtain schema version to upgrade to:
You are missing a file that winnt32 would have copied to your computer when running schupgr
to upgrade to the current build. To resolve the problem, run winnt32 to upgrade; it blocks
detecting the schema mismatch and copies down the two to three files that you need. Then run
schupgr.
•
"ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable)" in the schupgr log. This
means the current domain controller is not the schema FSMO role owner, and trying to transfer
the role from the other domain controller (whoever is the FSMO role owner) to this domain
controller failed. The error unavailable can come for various reasons; it can't reach the other
domain controller or the other domain controller didn't respond and so on. You can retry after
some time if there is any temporary network problems and so on.
To check who is the current schema fsmo role owner, use either the Schema snap-in or the
ntdsutil tool to view the current Schema FSMO role owner.
Note
If the previous suggestions do not yield the Schema FSMO role owner use the LDP or ADSIEdit
tool to look at the fsmo-role-owner attribute on the schema container
(cn=schema,cn=configuration,...). The fsmoRoleOwner attribute contains the name of the server
that is the schema-fsmo role owner.
To increase the DS diagnostics logging level (which logs schema failures to the event log,
sometimes providing clues as to why a schema operation is rejected) increase the value of the
Internal Processing entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to
Level 3.
DOMAIN NAMING MASTER
 Responsible for changes to configuration naming context
 Adding and removing domains
 Adding and removing cross references to domains in

external directories
 After update, replicates to other DCs
 If unavailable, cannot add or remove domains
 Domain Naming Master must also be a global catalog

server
 May be unnecessary in single-domain forest?
Adding or Removing a Domain During Dcpromo Requires

Access to the Domain Naming Master FSMO Role Holder
View products that this article applies to.
Article ID : 254933
Last Review : March 1, 2007
Revision : 2.2
This article was previously published under Q254933
IMPORTANT: This article contains information about modifying the registry. Before you modify the
registry, make sure to back it up and make sure that you understand how to restore the registry if a
problem occurs. For information about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/EN-US/) Description of the Microsoft Windows

Registry
On This Page
SUMMARY
MORE INFORMATION
Active Directory Promotion
SUMMARY
The domain naming master Flexible Single Master Operations (FSMO) role holder is assigned to the
domain controller that is responsible for making changes to the CN=Partitions,CN=Configuration,
DC=domain configuration container in Active Directory. The configuration naming context is shared and
replicated by all Windows 2000-based domain controllers in the same forest.
This article describes issues that can occur when Windows 2000-based servers that are being promoted
or demoted are unable to contact the domain naming master FSMO role holder during Active Directory
promotion or demotion.
Back to the top
MORE INFORMATION
The domain naming master FSMO role holder is the only computer that can add or remove a domain
in a Windows 2000 Active Directory forest, and is the only FSMO role owner contacted by the Active
Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote
replica domain controllers in an existing domain.
Investigate Domain Name System (DNS) name resolution, network connectivity, and consistency in Active
Directory for the current domain naming master FSMO role holder when "naming master" or "FSMO"
error messages occur during Dcpromo operations.
Back to the top
Active Directory Promotion

Windows 2000-based servers that are being promoted to domain controllers may generate the
following error message when they are unable to contact the domain naming master FSMO role holder
during promotion (in this case, the first domain controller of a new child domain, Y, of the root domain
Z.COM):
The operation failed because:
To perform the requested operation, the directory service needs to contact the Domain Naming Master
(server servername). The attempt to contact it failed. The specified server cannot perform the requested
operation.
The %SystemRoot%\Debug\Dcpromo.log file shows similar information:
DD/MM HH:MM:SS [INFO] Installing the Directory Service

DD/MM HH:MM:SS [INFO] Calling NtdsInstall for y.z.com
DD/MM HH:MM:SS [INFO] Starting the Directory Service installation
DD/MM HH:MM:SS [INFO] Validating user supplied options
DD/MM HH:MM:SS [INFO] Determining local site to enter
DD/MM HH:MM:SS [INFO] Examining existing Enterprise Directory Service
DD/MM HH:MM:SS [INFO] Error - To perform the requested operation, the Directory Service needs to
contact the Domain Naming Master (server z-dc-01.y.z.com). The attempt to contact it failed. (58)
DD/MM HH:MM:SS [INFO] NtdsInstall for y.z.com returned 58
DD/MM HH:MM:SS [INFO] DsRolepInstallDs returned 58
DD/MM HH:MM:SS [ERROR] Failed to install the directory service (58)
DD/MM HH:MM:SS [INFO] The attempted domain controller operation has completed
DD/MM HH:MM:SS [INFO] DsRolepSetOperationDone returned 0
A related message can occur when information about a new domain in the forest has not yet been
replicated to the computer that is the intended holder of the domain naming FSMO role for the forest:
Active Directory Installation Failed. The operation failed because: The Directory Service failed to create
the object CN=servername,CN=Partitions,CN=Configuration,DC=Y,DC=Z,DC=com. Please check the event
log for possible system errors. The directory cannot validate the proposed naming context name because
it does not hold a replica of the naming context above the proposed naming context. Please ensure that
the domain naming master role is held by a that is server configured as a global catalog server, and that
that server is up to date with its replication partners.
This behavior can be caused by inconsistency in the domain naming master role owner as seen by
different domain controllers in the forest because of replication latency or problems. Use the following
troubleshooting steps to determine if a problem exists:
 Confirm that the domain naming master is replicating Active Directory. Type repadmin
/showreps at a command prompt.
 Domain controllers in the forest are consistent about the computer name that is designated as
the current domain naming master.
 Confirm that the domain naming master is a global catalog server. Type nltest
/dsgetdc:domainname /server:servername to see if the server is advertising the "GC" flag. New
global catalog servers also register event 1119 ("This Windows domain controller is a now a
global catalog server"). For additional information, click the article numbers below to view the
articles in the Microsoft Knowledge Base:
 234790 (http://support.microsoft.com/kb/234790/EN-US/) How to Find FSMO Role Holders
223787 (http://support.microsoft.com/kb/223787/EN-US/) Flexible Single Master Operation

Transfer and SeizureProcess
223346 (http://support.microsoft.com/kb/223346/EN-US/) FSMO Placement and Optimization

on Windows 2000 Domains
 If the domain naming master FSMO role holder is not a global catalog server, it locates another
global catalog server to check for the creation. Determine whether the global catalog servers
have finished promotion. Global catalog servers require a successful synchronization with a
source for each domain. If there are error messages in the Event log about incomplete global
catalog server promotion, try to correct the communication problem with all domains in the
forest. Type nltest /dsgetdc:root.domain.name /server:servername, where servername is the
correct server. Determine whether the server is advertising the "GC" entry in the flags section of
the Nltest output.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Set the logging verbosity for the Global Catalog entry under the
HKLM\SYSTEM\CCS\Services\NTDS\DIAGNOSTICS registry key to 5, and then examine the
directory service Event log.
 The destination and installed parent domain are created on the domain naming master/global
catalog server. Using Ldp.exe, connect to the global catalog server port (port 3268 ) on the
domain naming master and search for objects in the appropriate domain(s) by navigating the
tree. If they are not visible, examine the directory service Event logs to see why replication has
not occurred.
PDC EMULATOR
The PDC emulator is one of the five operations master roles in Active Directory. It is used in a domain
containing non-Active Directory computers. It processes the password changes from both users and
computers, replicates those updates to backup domain controllers, and runs the Domain Master
browser. When a domain user requests a domain controller for authentication, and the domain
controller is unable to authenticate the user due to bad password, the request is forwarded to the PDC
emulator. The PDC emulator then verifies the password, and if it finds the updated entry for the
requested password, it authenticates the request.
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to
ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not
permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the time from an external source.
All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
 Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.
 Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
 Account lockout is processed on the PDC emulator.
 Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the
PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
 The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain
controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC
emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in
the forest.
 Mixed Mode
 Acts as NT PDC to NT BDCs
 Supports Netlogon replication

 Native and Mixed Modes
 Password changes replicated preferentially to PDC emulator
 Authentication failures due to bad password at another

DC forwarded to PDC emulator before failing
completely
 Manages password changes from 95, 98, NT clients
 Native and Mixed Modes
 By default, Group Policy snap-in runs on PDC emulator
 Reduces potential for Group Policy replication conflicts
 Can be changed
 Miscellaneous
 All DCs synchronize their clock to that of the PDC emulator
 PDC emulator of forest root domain should be

synchronized to external time source
 In multi-domain forest, PDC emulator for domain

synchronizes with PDC emulator of forest root domain
 Acts as Domain Master Browser
RID Master
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the
object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is
unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that
DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request
by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At
any one time, there can be only one domain controller acting as the RID master in the domain.
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all
DCs within a given domain. It is also responsible for removing an object from its domain and putting it in
another domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for
additional RIDs to the domain's RID master. The domain RID master responds to the request by
retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting
DC. There is one RID master per domain in a directory.
 Objects e.g. users and groups, each have a unique security

identifier (SID)
 Consists of domain SID and unique relative identifier (RID)
 RID master allocates each DC a pool of RIDs
 When a DC’s RID pool falls too low, it requests additional RIDs
from RID master
 RID master also controls moving objects between domains
 With no RID master, when a DC runs out of RIDs, new security

principals (i.e. users, groups etc.) cannot be created on that DC
When an object in one domain is referenced by another object in another domain, it represents the reference by
the GUID, the SID (for references to security principals), and the DN of the object being referenced. The
infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in
a cross-domain object reference. At any one time, there can be only one domain controller acting as the
infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog
server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references
in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the
domain controllers in a domain also host the global catalog, all the domain controllers have the current data,
and it is not important which domain controller holds the infrastructure master role.
When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.
NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-
domain object references in that domain will not be updated and a warning to that effect will be logged
on that DC's event log.
If all the domain controllers in a domain also host the global catalog, all the domain controllers have the
current data, and it is not important which domain controller holds the infrastructure master role.
At any time, there can be only one domain controller acting as the infrastructure master in each
domain. The infrastructure master is responsible for updating references from objects in its
domain to objects in other domains. The infrastructure master compares its data with that of a
global catalog. Global catalogs receive regular updates for objects in all domains through
replication, so the global catalog data will always be up to date. If the infrastructure master finds
data that is out of date, it requests the updated data from a global catalog. The infrastructure
master then replicates that updated data to the other domain controllers in the domain.
Important
 Unless there is only one domain controller in the domain, the infrastructure master role
should not be assigned to the domain controller that is hosting the global catalog. If the
infrastructure master and global catalog are on the same domain controller, the
infrastructure master will not function. The infrastructure master will never find data that
is out of date, so it will never replicate any changes to the other domain controllers in the
domain.
In the case where all of the domain controllers in a domain are also hosting the global
catalog, all of the domain controllers will have the current data and it does not matter
which domain controller holds the infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever
the members of groups are renamed or changed. When you rename or move a member of a
group (and that member resides in a different domain from the group), the group may
temporarily appear not to contain that member. The infrastructure master of the group's domain
is responsible for updating the group so it knows the new name or location of the member. This
prevents the loss of group memberships associated with a user account when the user account is
renamed or moved. The infrastructure master distributes the update via multimaster replication.
There is no compromise to security during the time between the member rename and the group
update. Only an administrator looking at that particular group membership would notice the
temporary inconsistency.
For information about transferring operations master roles, see Transferring operations master
roles. For information about what to do when an operations master fails, see Responding to
operations master failu
 Object in domain referencing object in another domain uses

GUID, SID and DN
 E.g. group in one domain referencing user or group in

another domain
 Infrastructure master updates SID and DN in cross-domain

references
 E.g. if referenced object moves
 Multiple-domain, infrastructure master role must not be held by

GC server
 Not a problem in single-domain forests (because no external

references)
Managing Operations Master Roles
Since only one or a few domain controllers are assigned the Operations Master roles, it is
important that these specific domain controllers remain functioning in the Active Directory
environment. There are essentially two processes involved in the management of FSMOs. These
management tasks are outlined below:
 Because the FSMOs are automatically created when the first domain controller is
installed, you might need to transfer OM roles to a more robust server. You would also
need to transfer OM roles to a different server before demoting the domain controller
hosting them.
 When a lost domain controller cannot be recovered, you would to need any seize OM
roles assigned to the particular domain controller.
Transferring an Operations Master role, involves moving it from one server to a different server.
To transfer the Schema Master role, you need to have Schema Admins rights, and to transfer the
Domain Naming Master role, you need to have Enterprise Admin rights.
You can use an Active Directory console or a command-line utility to transfer OM roles. The
Active Directory MMC consoles that can be utilized to transfer the different FSMOs are outlined
below:
 Active Directory Schema MMC snap-in: For transferring the Schema Master role
 Active Directory Domains and Trusts console: For transferring the Domain Naming
Master role
 Active Directory Users and Computers console: For transferring the RID Master role,
PDC Emulator role, and Infrastructure Master role.
When you seize an OM role, you do it without the cooperation of the existing domain controller
that is assigned with the particular OM role. When an OM role is seized, it is basically
reassigned to a different domain controller. Before you attempt to seize any OM roles, first try to
determine what the reason is for the failure of the existing domain controller which is assigned
with the particular OM role. Certain network issues which are likely to be corrected in short time
fames are well worth enduring through. Before you seize OM roles, first ensure that the domain
controller you are planning to shift these roles to; is indeed powerful enough to uphold these
roles. In summary, you should only really seize an OM role if the existing OM cannot be
recovered again. You would need to use the Ntdsutil tool command-line tool to seize OM roles.
The Consequences of FSMOs Failing

The following section looks at what actually happens when each FSMO role fails:
 A Schema Master failure is basically only evident when an Administrator attempts to

change the Active Directory schema. What this means is that a Schema Master failure is
invisible to your standard network users. You should only seize this role to the domain
controller designated as the standby schema master if the existing Schema Master can in
fact never be recovered.
 As is the case with a Schema Master failure, Domain Naming Master failure is only
evident if an Administrator is attempting to add a domain to the forest, or remove a
domain from the forest. A Domain Naming Master failure can generally not be perceived
by your standard network users. You should only seize this role to the domain controller
designated as its standby when the existing Domain Naming Master would never be
operational again.
 A RID Master failure is only evident to Administrators if they are attempting to add new
Active Directory objects in the particular domain where the RID Master failed. When this
happens, the RID Master is unable to allocate relative IDs to the domain controllers on
which the new Active Directory objects are being created. A RID Master failure cannot
be detected by your conventional network users. You should also generally only seize this
OM role when the existing domain controller assigned with the RID Master role would
never recover from the failure.
 An Infrastructure Master failure is also not visible to your standard network users. The
failure only impacts Administrators that are attempting to move user accounts, or rename
them. Consider moving the role to the designated standby domain controller if the
existing domain controller assigned with the Infrastructure Master is to be unavailable for
a reasonably extended period of time, and the changes that need to be made are pertinent.
 Unlike the OM role failures previously described that are not evident to your standard
network users, a PDC Emulator failure does impact network users. It is important to
immediately seize this role to its designated standby domain controller if the domain
contains any Windows NT backup domain controllers. You can always return this role to
its previous domain controller when it is recovered and online again.
How to view the existing Schema Master role assignment

1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll
on the computer.
2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
3. From the File menu, select Add/Remove Snap-in and then select Add.
4. In the list of available snap-ins, double-click Active Directory Schema.
5. Click Close. Click OK.
6. Open the Active Directory Schema snap-in.
7. In the console tree, right-click Active Directory Schema and select Operations Masters
from the shortcut menu.
8. The Change Schema Master dialog box opens.
9. You can view the name of the existing Schema Master in the Current Schema Master
(Online) box.
10. Click Close.
How to view the existing Domain Naming Master role

assignment
1. Open the Active Directory Domains And Trusts console from the Administrative Tools
menu.
2. In the console tree, right-click Active Directory Domains And Trusts and select
Operations Masters from the shortcut menu.
3. The Change Operations Master dialog box opens.
4. You can view the name of the existing Domain Naming Master in the Domain Naming
Operations Master box.
5. Click Close.
How to view the existing RID Master role, PDC Emulator,

and Infrastructure Master role assignments
1. Open the Active Directory Users And Computers console from the Administrative Tools
menu.
2. In the console tree, right-click Active Directory Users And Computers and click All
Tasks, and then Operations Masters from the shortcut menu.
3. The Operations Masters dialog box contains the following tabs:
o RID tab: The name of the existing RID Master is displayed in the Operations
Master box of this tab.
o PDC tab: In the Operations Master box of the PDC tab, you can view the name of
the existing PDC Emulator.
o Infrastructure tab: The existing Infrastructure Master's name is displayed in the
Operations Master box.
4. Click Close.
How to transfer the Schema Master role to another domain

controller
Before you can transfer the Schema Master role to another domain controller, ensure that you
have the required Schema Admins rights, and that both domain controllers you are planning to
work with are available. Before you can use the Active Directory Schema MMC snap-in, you
first have to add it to a MMC.
To add the Active Directory Schema snap-in to a MMC,
1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll
on the computer.
2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
3. From the File menu, select Add/Remove Snap-in and then select Add.
4. In the list of available snap-ins, double-click Active Directory Schema.
5. Click Close. Click OK
To transfer the Schema Master role,
1. Open the Active Directory Schema snap-in.

2. Right-click Active Directory Schema in the console tree, and select Change Domain
Controller from the shortcut menu.
3. The options available when the Change Domain Controller dialog box opens are
o Any DC: If this option is selected, Active Directory will select a new domain
controller for the Schema Master role.
o Specify Name: If this option is enabled, you have to enter the name of the new
location for the Schema Master Role.
4. Click OK
5. Right-click Active Directory Schema in the console tree again, and choose Operations
Master from the shortcut menu.
6. When the Change Schema Master dialog box opens, click Change.
7. Click OK when a message appears prompting for verification of the OM role transfer you
want to perform.
8. Click OK to exit the Change Schema Master dialog box.
How to transfer the Domain Naming Master role to another

domain controller
You have to be a member of the Enterprise Admin group to transfer the Domain Naming Master
role to another domain controller.
1. Open the Active Directory Domains And Trusts console from the Administrative Tools
menu.
2. In the console tree, right-click Active Directory Domains And Trusts and select Connect
To Domain Controller from the shortcut menu.
3. The Connect To Domain Controller dialog box opens. This is where you specify the
name of the new domain controller that should be assigned the Domain Naming Master
role.
4. Click OK
5. In the console tree, right-click Active Directory Domains And Trusts and select
Operations Masters from the shortcut menu.
6. When the Change Operations Master dialog box opens, click Change
7. Click Close
How to transfer the RID Master role, PDC Emulator role, or

Infrastructure Master role to another domain controller
1. Open the Active Directory Users And Computers console from the Administrative Tools
menu.
2. In the console tree, right-click Active Directory Users And Computers and click Connect
To Domain from the shortcut menu.
3. When the Connect To Domain dialog box opens, enter the domain name that you want to
work with.
4. Click OK
5. In the console tree, right-click Active Directory Users And Computers and click Connect
To Domain Controller from the shortcut menu.
6. When the Connect To Domain Controller dialog box opens, specify the new domain
controller for the OM role that you are transferring.
7. Click OK
8. In the console tree, right-click Active Directory Users And Computers and click All
Tasks, and then click Operations Masters from the shortcut menu.
9. The Operations Masters dialog box opens. On one of the following tabs,
o RID tab: Click Change to change the location of the RID Master
o PDC tab: Click Change to change the location of the PDC Emulator
o Infrastructure tab: Click Change to change the location of the Infrastructure

Master.
10. Click Yes to verify that you want to transfer the particular OM role to a different domain
controller.
11. Click OK. Click Close.
How to seize an Operations Master role

When you seize an OM role, you need to perform the following tasks:
 Verify that the new domain controller for the role is completely updated with changes
performed on the existing domain controller of the particular role. You can use the
Replication Diagnostics command-line utility for this verification. Repadmin.exe is
included with the Windows Support Tools on the Windows Server 2003 CD-ROM.
 You would not use the Ntdsutil tool to seize the particular OM role. The Ntdsutil tool first
attempts to transfer the role before it actually proceeds to seize the role.
However, if you need to seize the PDC Emulator or Infrastructure FSMOs, you can use the
Active Directory Users and Computers console. The Ntdsutil tool has to though be used to seize
the other FSMOs – Schema Master role, Domain Naming Master role, and RID Master role. You
can however also use the Ntdsutil tool to seize the PDC Emulator role or Infrastructure Master
role.
To seize the PDC Emulator or Infrastructure FSMOs using the Active Directory Users and
Computers console,
1. Open the Active Directory Users and Computers console

2. In the console tree, right-click the domain object, and choose Connect to Domain
Controller from the shortcut menu.
3. Enter the name of the other domain controller. Click OK
4. To perform the seizure of the role, right-click the domain object and choose Operations
Masters from the shortcut menu.
5. Click either the PDC tab, or the Infrastructure tab
6. You will notice that the particular OM role is indicated as being offline.
7. Click Change.
8. Click OK to verify that you want to transfer the OM role.
9. Click Yes when prompted to verify that you want to perform a forced transfer.
To seize any OM roles using the Ntdsutil tool,
1. Click Start, Command Prompt.

2. Enter the following at the command prompt: ntdsutil. Press Enter
3. Enter the following at the ntdsutil prompt: roles. Press Enter
4. Enter the following at the fsmo maintenance prompt: connections. Press Enter
5. Enter the following at the server connections prompt: connect to server, and the fully
qualified domain name (FQDN). Press Enter
6. Enter the following at the server connections prompt: quit. Press Enter.
7. Enter one of the following at the fsmo maintenance prompt:
o seize schema master. Press Enter
o seize domain naming master. Press Enter
o seize RID master. Press Enter
o seize PDC. Press Enter
o seize infrastructure master. Press Enter
8. Enter quit at the fsmo maintenance prompt. Press Enter

9. Enter quit at the ntdsutil prompt.
How to perform a metadata cleanup

The class objects and attribute objects of the schema are referred to as metadata. A metadata
cleanup is usually performed when you are unable to restore a failed domain controller. The
cleanup removes any references to the failed domain controller in Active Directory.
To perform the metadata cleanup,
1. From the command prompt, enter ntdsutil and press Enter.

2. Enter the following at the ntdsutil prompt: metadata cleanup. Press Enter
3. Enter the following at the metadata cleanup prompt: connections. Press Enter
4. Enter the following at the server connections prompt: connect to server, followed by the
server name. Press Enter
5. Enter quit, and press Enter
6. Enter the following at the metadata cleanup prompt: select operation target. Press Enter
7. Enter list domains. Press Enter
8. Enter select domain, followed by the number of the domain that holds the server that you
want to remove. Press Enter
9. Enter list sites. Press Enter
10. Enter select site, followed by the number of the site that holds the server that you want to
remove. Press Enter
11. Enter list servers in site. Press Enter
12. Enter select server, followed by the number of the server that you want to remove. Press
Enter.
13. Enter quit and press Enter to return to the metadata cleanup prompt.
14. Enter remove selected server, and press Enter.
15. When a message box appears prompting you to verify whether the server should be
removed, click Yes
16. Quit from Ntdsutil.
Default Placement of Roles
 First DC in a forest holds all roles
 First DC in a new domain within existing forest holds all domain

roles
 RID master
 Infrastructure master
 PDC emulator
Guidelines for the Placement of Roles

 Keep schema master and domain naming master roles on same
DC
 DC should also be a global catalog server
 Put RID master and PDC emulator roles on the same DC
 In multi-domain forest, the infrastructure master must not be a

global catalog server
 Should have good connection to global catalog server
 Single-domain forest
 Keep all five roles on same DC which should also be a global

catalog server
 Multiple-domain forest
 Move infrastructure master role to a DC that is not a global

catalog server
Determining Role Placement
 Replication Monitor
 Easiest — Support Tools (2000 CD)
 Active Directory Users and Computers
 PDC Emulator, Infrastructure master, RID master
 Active Directory Domains and Trusts
 Domain Naming master
 Active Directory Schema Snap-In

 Schema master
 NB Schmmgmt.dll must be registered before first use
 Dumpfsmos
 Resource kit
 NTDSUTIL
 Command line tool included with 2000 server
User Rights to Change Roles
 By default, certain groups only have rights to change role holders
 Schema Administrators
 Schema master
 Enterprise Administrators
 Domain naming master
 Domain Administrators
 All domain role holders
 NB By default, Administrator of forest root domain is a member of

all these groups
Modifying Permissions to Change Roles
 Adsiedit (support tools) tool allows all permissions to be changed
Transferring Roles
 Transfer only when source and destination DCs are up and running
 Domain-specific roles
 Active Directory Users and Computers
 Schema Master
 Schema Manager Snap-In
 Domain Naming Master
 Active Directory Domains and Trusts
When to Transfer Roles
 Initial setup of domain
 E.g. in a multi-domain forest, move Infrastructure master off

global catalog server
 Permanently demoting a DC
 Roles held by the DC transferred automatically but manual

transfer gives control over location
 Temporarily taking down a DC
 Probably unnecessary to transfer schema and domain

naming masters (little used); also infrastructure master in
single-domain forest
 Always transfer the PDC emulator; may be wise to transfer

RID master, but probably unnecessary for short downtime
Seizing Roles
 Generally only seize when originally role holder has failed

irrecoverably and will not be restored from backup
 Exception — can fairly safely seize PDC emulator role
 Strangely, this is also the role that you can least do without
References — Overview
 Managing Flexible Single-Master Operations
 http://www.microsoft.com/WINDOWS2000/techinfo/reskit/
en/default.asp?
PP=/windows2000/techinfo/reskit/en/toc/w2rkbook-0-2-1-
6.xml&tocPath=w2rkbook-0-2-1-
6&URL=/windows2000/techinfo/reskit/en/distrib/dsbl_fsm_
djnw.htm
 Windows 2000 Active Directory FSMO Roles
 http://support.microsoft.com/support/kb/articles/Q197/1
/32.ASP
 Windows 2000 Active Directory FSMO Roles
 http://support.microsoft.com/support/kb/articles/Q197/1
/32.ASP
 FSMO Placement and Optimization on Windows 2000 Domain
Controllers
 http://support.microsoft.com/support/kb/articles/Q223/3/4
6.ASP
 Setting User Rights for Designating FSMO Roles in an Enterprise
6.ASP
References — Determining Operations Masters
 How to Find FSMO Role Holders (Servers)
0.ASP
 How to View and Transfer FSMO Roles in the Graphical User

Interface
0.ASP
 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain

Controller
4.ASP

Active Directory Collection FULL

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Active Directory Collection FULL

Diunggah oleh

Hak Cipta:

Format Tersedia

Active Directory Collection

Updated: March 28, 2003

Active Directory Collection

Active Directory in Windows Server 2003 includes the following:

Active Directory on a Windows Server 2003 Network

Active Directory Application Mode

Structure and Storage Technologies

Domain Controller Roles

Search and Publication Technologies

Installation, Upgrade, and Migration Technologies

A directory service provides a centralized location to store information in a distributed environment

Active Directory is typically used for one of three purposes:

Active Directory on a Windows Server 2003 Network

Active Directory on a Windows Server 2003 Network

Active Directory provides:

Active Directory Application Mode

Structure and Storage Technologies

Domain Controller Roles

Search and Publication Technologies

Installation, Upgrade, and Migration Technologies

[edit] Forests, trees, and domains

FSMO (Flexible Single Master Operations)

Topics for FSMO

Checking which DC holds which FSMO role

The 'Knack' of Changing Operations Master

Advice and Troubleshooting FSMO

Background of Operations Masters

From the View Menu in Active Directory Users and Computer,

The Five FSMO Roles

How many FSMO Domain controllers in your Forest?

Checking which DC holds which FSMO role

Domain Naming Master (4.)

Schema Master (5.)

2) Run MMC, File menu, Add\Remove Snap-in, click the Add

3) Select Active Directory Schema, Right Click, Operations

FSMO (Flexible Single Master Operations)

 Five roles in total

Topics for FSMO

(Transfer FSMO Roles - Another page)

Role Name Scope Description

Implications for Duplicates

Domain Naming Master

Implications for Duplicates

Implications for Duplicates

Implications for Duplicates

Implications for Duplicates

Domain-wide FSMO Roles:

Forest-wide FSMO Roles:

[edit] Trusts in Windows 2000 (native mode)

Windows 2000 - supports the following types of trusts:-

 Two-way transitive trusts.

Additional trusts can be created by administrators. These trusts can be:

Inaccessible GPO - Access Denied or

How to Transfer FSMO Roles

Topics for Transferring the FSMO Master.

Where to Find the 5 FSMO Operation Masters

Pull those Operations Masters

At Last - We get to Press the Change Button

Summary - FSMO transfer

Planning the FSMO Transfer

Where to Find the 5 FSMO Masters

Pull those Operations Masters

At Last - We get to Press the Change Button

Now it's on to the next Operations Master, remember that