Thursday, 13 October 2011

Transferring FSMO roles

I found a very nice step by step guide on how to transfer the FSMO roles. The link is:

http://www.elmajdal.net/win2k8/Transferring_FSMO_Roles_in_Windows_Server_2008.aspx

Before you transfer the roles, you can check which DC currently holds each role with the following commands:

i) netdom query fsmo

ii) dsquery server -hasfsmo <role>

e.g. dsquery server -hasfsmo pdc

iii) dcdiag /test:knowsofroleholders /v

/v = verbose output

Correct Placement of Infrastructure Master Role

Correct placement of the Infrastructure Master in a domain is very important. In the diagram on the left, I have shown two domains in the same forest with a two-way transitive trust. In domain2.com the Infrastructure Master is on a separate server from the GC server. The Infrastructure Master's job is to check cross-domain references, so here it checks whether the user smith from the other domain is a member of the operations group, and it has to validate that against the GC server. In domain2.com it checks against the GC server, and if a change is found it also replicates it to the other DC.

In the case of domain1.com, when the Infrastructure Master checks whether adam is a member of the marketing group, it has to check against the GC server. Because the GC is on the same server as the Infrastructure Master, when a change takes place the GC server writes that change into the NTDS.dit file. Because the Infrastructure Master is on the same server, it does not see any difference from the GC, as it validates against the same NTDS.dit file. Because it sees no change, it does not replicate the change to the other domain controller.
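The role inventory and the Infrastructure Master placement check above can be done in one go from PowerShell. The following is an added example, not code from the original post or from the linked guide; it assumes the RSAT ActiveDirectory module is installed and that the account can read the forest and domain objects, and the DC name 'DC2' in the commented transfer line is a placeholder.

```powershell
# Added example (not from the original post): list every FSMO role holder and warn when the
# Infrastructure Master is also a Global Catalog in a multi-domain forest.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest/domain objects.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest-wide roles for $($forest.Name):"
Write-Host "  Schema Master        : $($forest.SchemaMaster)"
Write-Host "  Domain Naming Master : $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "Domain roles for $($domain.DNSRoot):"
    Write-Host "  PDC Emulator          : $($domain.PDCEmulator)"
    Write-Host "  RID Master            : $($domain.RIDMaster)"
    Write-Host "  Infrastructure Master : $($domain.InfrastructureMaster)"

    # Ask a DC of that domain whether the Infrastructure Master is also a GC.
    $im = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domain.PDCEmulator
    if ($im.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
        Write-Warning ("{0} is both Infrastructure Master and GC; cross-domain group membership " +
                       "updates will not replicate from it. Move the role to a non-GC DC " +
                       "(or make every DC in the domain a GC, in which case the role is unused).") -f $im.HostName
    }
}

# Transferring a role: the cmdlet prompts before moving. 'DC2' is a placeholder host name.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole InfrastructureMaster
```

Run it as part of a regular AD health check: a FSMO holder that has silently moved, or an Infrastructure Master that ended up on a GC after a promotion, is exactly the kind of drift that goes unnoticed until cross-domain group membership looks wrong on some DCs.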

MS2008 Server Operations Masters

Operations Masters are also commonly known as flexible single master operations, or FSMO, roles. There are 5 FSMO roles, which can be divided into forest-wide and domain-wide roles. These roles are as follows:


Forest:
1. Domain Naming
2. Schema


Domain:
1. Infrastructure
2. RID Master
3. PDC Emulator

I will explain these roles one by one now.

1. Domain Naming: This role applies forest-wide and prevents someone from accidentally creating another domain with the same name.

2. Schema: All the attributes that can be filled in on an object's properties (its name, all the radio buttons, checkboxes, etc.) exist because of the schema, which is owned by the schema master.

Before you can manage this role with the Active Directory Schema snap-in, you have to register the snap-in with the following command at a command prompt:

regsvr32 schmmgmt.dll



5. PDC Emulator: This is one of the most important roles in a Windows Server environment. The PDC Emulator does the following tasks:

i) Acts as the PDC for an NT4 domain and for NT4-based applications.
ii) Acts as the password authority and pushes all password changes to the other DCs.
iii) Acts as the GPO authority: it tells the other DCs about any GPO changes in the domain, and the other DCs report GPO changes to the PDC Emulator.
iv) Domain Master Browser: it is responsible for the network-browsable objects shown in Windows Explorer.
v) Master time source: all objects in the domain get their time from the PDC Emulator. It has to reach its NTP source (UDP port 123), which should be open on the firewall.

Follow this document to configure NTP on your PDC emulator.
http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx
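The time-source task from point v) above, worked through in PowerShell. This is an added example, not code from the original post or the linked TechNet document; the peer names are constructed placeholders, and it assumes the Windows Time service (w32time) and the ActiveDirectory module are present on the PDC Emulator where it is run.

```powershell
# Added example (not from the original post): configure the PDC Emulator to sync from external
# NTP servers and verify the result. Run in an elevated PowerShell on the PDC Emulator.
# Peer names are placeholders; use your organisation's approved time sources.
Import-Module ActiveDirectory

# ',0x8' after each peer tells w32tm to use client mode for that peer.
$peers = 'ntp1.example.com,0x8 ntp2.example.com,0x8'

# Only the PDC Emulator should take time from outside the domain; every other DC and member
# follows the domain hierarchy, so refuse to run anywhere else.
$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
    throw "Run this on the PDC Emulator ($pdc), not on $env:COMPUTERNAME"
}

# /reliable:yes marks this DC as a reliable time source for the rest of the forest.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify: the source must be one of the peers, not 'Local CMOS Clock' or 'Free-running System Clock'.
w32tm /query /source
w32tm /query /status

# Check UDP 123 reachability through the firewall (Test-NetConnection only tests TCP, so use
# w32tm's own probe, which sends real NTP packets and prints the offset for each sample).
w32tm /stripchart /computer:ntp1.example.com /samples:3 /dataonly
```

If the stripchart shows errors or the source stays on the local clock, the usual cause is outbound UDP 123 being blocked, which is the firewall point the post makes; a domain whose PDC Emulator drifts will eventually see Kerberos failures once the skew exceeds the default five-minute tolerance.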
Let's talk about dividing the roles among DCs. One way of doing this is shown below.

You can also use ADSI Edit to check the SID of an object: right-click the object and go to Properties to find the SID.



4. RID Master: The RID master's purpose is to keep track of SIDs. To check your own SID, type the following command:

whoami /user

To find information about the RID pool, use the following command:

dcdiag /test:ridmanager /v
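To see what the RID master actually contributes to a SID, the following added example (not from the original post) splits a SID into its domain prefix and its RID, checks the prefix against the domain SID, and then runs the same RID pool check as above. It assumes the ActiveDirectory module is available and that the pool check is run on a DC; the function name Split-Sid is my own.

```powershell
# Added example (not from the original post): decompose a SID into domain SID + RID and
# confirm the domain part matches the current domain. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    # Validates the string by constructing a SecurityIdentifier; throws on a malformed SID.
    $sid   = [System.Security.Principal.SecurityIdentifier]$SidString
    $parts = $sid.Value -split '-'
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = ($parts[0..($parts.Count - 2)] -join '-')  # everything but the last sub-authority
        Rid       = [int]$parts[-1]                             # the RID, taken from a pool handed out by the RID master
    }
}

# The current user's SID: the same value 'whoami /user' prints.
$me        = Split-Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
$domainSid = (Get-ADDomain).DomainSID.Value
$me | Format-List

if ($me.DomainSid -ne $domainSid) {
    Write-Warning "SID prefix $($me.DomainSid) does not match the domain SID $domainSid (local or other-domain account?)"
}

# Well-known RIDs are fixed (500 = built-in Administrator, 512 = Domain Admins);
# RIDs for objects you create come from the DC's RID pool and start at 1000.
if ($me.Rid -lt 1000) {
    Write-Host "RID $($me.Rid) is a well-known/built-in RID, not one allocated from a RID pool"
}

# RID pool health on this DC; /v gives the verbose output shown in the post.
dcdiag /test:ridmanager /v
```

This is also why a domain that creates many accounts per year (the school scenario below) leans on the RID master: every new user, group or computer consumes a RID from a pool the RID master hands out, and a DC that cannot reach the RID master to refresh its pool eventually stops being able to create security principals.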
3. Infrastructure: The purpose of this role is to keep cross-domain referencing straight, especially when it comes to locating users from a different domain in a security group.

This divides the roles according to the forest-role and domain-role classifications.

Another way of doing this in a busy environment such as a school, where many accounts have to be created every year, is shown below. By dividing the roles this way we separate the RID master and PDC Emulator roles, which get very busy in such environments. We also have a standby master in case one of the DCs fails.