There are times when you may need to change the Domain Controller which holds one of the 5 FSMO roles.
Either you are facing disaster recovery, having lost the first Windows 2003 Domain Controller (which holds all five roles by default), or you are organized and want to get the most out of your Active Directory Forest.
Although you rarely need to deal with Microsoft's FSMO, knowledge of these Operations Masters gives you a real measure of control over your Windows 2003 Servers.
For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is that you can add a computer, or change a user's password, on any domain controller. For example, if you have three domain controllers in one site, you can create a new computer account in the NTDS.dit database on any of the three. Within the replication notification delay (five minutes in Windows 2000, 15 seconds in Windows 2003) the new computer object will be replicated to the other two domain controllers.
Technically, the Microsoft multiple master model uses a change notification mechanism. Occasionally problems arise if two administrators perform conflicting operations before the next replication cycle.
For example, you created an OU called Accounts last week; today, at the same instant you create new users in that OU, another administrator on another DC deletes that OU. Active Directory does its best to obey both administrators: it deletes the OU and creates the users, but as it cannot keep the users in an OU that no longer exists, the users are moved to the orphaned objects in the 'LostAndFound' container. You can troubleshoot what has happened by locating the 'LostAndFound' container in Active Directory Users and Computers; it is hidden until, from the View menu, you click Advanced Features.
It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is that a few operations are so critical that only one domain controller can carry out that process. Imagine what would happen if two administrators tried to make different changes to the same schema object: chaos. That is why administrators can only change the schema on one Domain Controller. Emulating a PDC is the most famous example of such a Single Master Operation; creating a new child domain would be another example.
There are just five operations where the usual multiple master model breaks down and the Active Directory task must only be carried out on one Domain Controller. The FSMO roles are:
1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs. However, the PDC Emulator has other jobs that matter even in a Windows 2003 native domain: it is the authoritative time source at the top of the domain's W32Time hierarchy, it is the Domain Controller on which the Group Policy editor opens and saves group policies by default, and it receives password changes by urgent replication so that a logon which fails on another DC with a bad password is re-checked against it before being rejected. I admit that it is confusing that these jobs have little to do with PDCs and BDCs.
2. RID Master - Each security principal (user, group or computer) must have a unique SID, and a SID is the domain's SID followed by a Relative Identifier (RID). Because any DC can create a principal, the RID Master hands each Domain Controller its own block of RIDs (500 at a time by default) so that two DCs never issue the same number. For example, DC one may be working from RIDs 1000-1499 while DC two is working from RIDs 1500-1999. Note that it is the RID, not the object's GUID, that the RID Master controls; every object also has a GUID, but that is generated locally on whichever DC creates the object.
3. Infrastructure Master - Responsible for keeping references to objects in other domains up to date, for example a group in this domain whose members are accounts in another domain. When such an account is renamed or moved in its own domain, the Infrastructure Master notices and updates the stale reference here. Because authorization uses SIDs, which do not change on a rename, a lagging Infrastructure Master shows up as out-of-date names in group memberships rather than as wrong access decisions. It only has work to do in a multi-domain forest, and it must not sit on a Global Catalog unless every Domain Controller in the domain is a Global Catalog: a GC already holds a copy of every object in the forest, so an Infrastructure Master on a GC never sees that a reference is stale and never updates it.
4. Domain Naming Master - Controls adding and removing domains (and, in Windows 2003, application directory partitions) in the forest, ensuring each name is unique. How often do child domains get added to the forest? Not very often, I suggest, so the fact that this is a FSMO does not impact normal domain activity. My point is that it is worth the price to confine domain joining and leaving operations to one machine and remove even the tiny risk of duplicate names or orphaned domains.
5. Schema Master - Handles operations that extend the schema, e.g. Exchange 2003 forestprep, which adds mailbox properties to users. Like the Domain Naming Master, changing the schema is a rare event. However, if you had a team of Schema Administrators all experimenting with object properties, you would not want a mistake to cripple your forest. So it is a case of Microsoft knows best: the Schema Master should be a Single Master Operation and thus a FSMO role.
(There is also an important Global Catalog role; however, it is not a FSMO role because you can have more than one Global Catalog. See more on Global Catalog Server.)
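As an added example (this is not code from the original page), the following PowerShell script shows the RID Master's work from the client side: it builds the built-in Administrator's SID from the domain SID plus RID 500, then decodes the block of RIDs the RID Master has handed to the DC the script binds to. It assumes a domain-joined Windows machine that can reach a DC over LDAP, that the DC's NetBIOS name is the first label of its DNS name, and that the DC's computer object is in the default Domain Controllers OU.

```powershell
# Added example, not part of the original page. Shows SID = domain SID + RID, and
# decodes the RID block allocated to the DC we bind to. Assumptions: domain-joined
# machine with LDAP access; DC NetBIOS name = first label of its DNS name; DC computer
# object lives in the default "Domain Controllers" OU.
$rootDSE  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDSE.defaultNamingContext
$dcHost   = [string]$rootDSE.dnsHostName          # the DC that answered the bind

# 1. Domain SID + RID = principal SID. RID 500 is always the built-in Administrator,
#    whatever the account has been renamed to, which is why the name is looked up from it.
$domain    = [ADSI]"LDAP://$domainNC"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid.Value, 0)
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier("$domainSid-500")
"Domain SID    : $domainSid"
"RID 500       : $adminSid -> $($adminSid.Translate([System.Security.Principal.NTAccount]))"

# 2. Each DC's current RID block is stored in its 'RID Set' object, which the DC's computer
#    object points to via rIDSetReferences. rIDAllocationPool is a 64-bit value:
#    low 32 bits = first RID in the block, high 32 bits = last RID in the block.
#    rIDNextRID is the next RID this DC will hand out.
$netbios    = $dcHost.Split('.')[0]
$dcComputer = [ADSI]"LDAP://CN=$netbios,OU=Domain Controllers,$domainNC"
$ridSet     = [ADSI]"LDAP://$([string]$dcComputer.rIDSetReferences)"
$pool       = $ridSet.ConvertLargeIntegerToInt64($ridSet.rIDAllocationPool.Value)
$bytes      = [BitConverter]::GetBytes([int64]$pool)
$poolStart  = [BitConverter]::ToUInt32($bytes, 0)
$poolEnd    = [BitConverter]::ToUInt32($bytes, 4)
$nextRid    = $poolStart                          # a DC that has issued nothing yet has no rIDNextRID
if ($ridSet.rIDNextRID.Value -ne $null) { $nextRid = [uint32]$ridSet.rIDNextRID.Value }
$remaining  = $poolEnd - $nextRid + 1
"RID block on $dcHost : $poolStart-$poolEnd, next RID $nextRid, $remaining left in this block"
```

When the remaining count nears zero the DC asks the RID Master for a fresh block; if the RID Master is unreachable for long enough that every DC exhausts its block, no new users, groups or computers can be created anywhere in the domain, which is the practical reason this role matters day to day even though it is rarely thought about.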
How many FSMO Domain Controllers are there in your Forest?
Three of the FSMO roles (1, 2 and 3 above) exist in each domain, whilst two (4 and 5) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC Emulators, but only 1 Schema Master. A single Domain Controller can hold all five, and the first DC of a new forest does until you move them.
You can discover which server holds the three domain roles (PDC Emulator, RID Master and Infrastructure Master) by opening Active Directory Users and Computers, right-clicking your domain and selecting Operations Masters.
To see the Domain Naming Master (4), navigate to the little-used Active Directory Domains and Trusts, right-click the root node and select Operations Master.
From a command prompt with the Windows 2003 Support Tools installed, netdom query fsmo lists all five role holders at once, and dsquery server -hasfsmo pdc (or rid, infr, name, schema) finds a single one.
Schema Master (5)
The Schema Master is the most difficult FSMO to find. The reason is that the Schema snap-in is hidden by default. Perhaps this is Microsoft saying: don't mess with the object definitions.
However, you can reveal the Schema and its FSMO settings thus:
1) Register the Schema snap-in with this command: Run, regsvr32 schmmgmt.dll
2) Run MMC, File menu, Add/Remove Snap-in, click the Add button and select Active Directory Schema
3) Select Active Directory Schema, right-click, Operations Master.
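As an added example (not code from the original page), the PowerShell script below does in one pass what the three snap-ins above do separately: it reads the fSMORoleOwner attribute from the five objects that record each role, and then flags two conditions the GUI does not point out, namely a role whose holder no longer exists (the disaster-recovery case from the opening paragraph) and an Infrastructure Master that is also a Global Catalog. It assumes a domain-joined Windows machine with LDAP access to a DC; the object names and attributes are the standard ones and the check for "all DCs are GCs" is done forest-wide, which is exact for a single-domain forest.

```powershell
# Added example, not part of the original page. Lists all five FSMO holders by reading
# fSMORoleOwner on the objects that record each role, then flags an orphaned holder and
# an Infrastructure Master that is also a GC. Assumes a domain-joined machine with LDAP access.
$rootDSE  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDSE.defaultNamingContext
$configNC = [string]$rootDSE.configurationNamingContext
$schemaNC = [string]$rootDSE.schemaNamingContext

# Where each role's owner is recorded. The attribute holds the DN of the holder's
# "NTDS Settings" object, which sits under the DC's server object in the Configuration NC.
$roleOwners = @(
    @{ Role = 'PDC Emulator';          Path = "LDAP://$domainNC" },
    @{ Role = 'RID Master';            Path = "LDAP://CN=RID Manager`$,CN=System,$domainNC" },
    @{ Role = 'Infrastructure Master'; Path = "LDAP://CN=Infrastructure,$domainNC" },
    @{ Role = 'Domain Naming Master';  Path = "LDAP://CN=Partitions,$configNC" },
    @{ Role = 'Schema Master';         Path = "LDAP://$schemaNC" }
)

function Get-FsmoHolder([string]$ldapPath) {
    $ntdsDn = [string]([ADSI]$ldapPath).fSMORoleOwner
    # A DN containing "0ADEL:" points at a deleted NTDS Settings object: the holder was
    # demoted or lost without the role being transferred, so the role has to be seized.
    if ($ntdsDn -match '0ADEL:') {
        return New-Object PSObject -Property @{ Host = '<deleted holder>'; IsGC = $false; Orphaned = $true }
    }
    $ntds     = [ADSI]"LDAP://$ntdsDn"
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''        # parent "server" object
    $server   = [ADSI]"LDAP://$serverDn"
    $isGC     = ([int]$ntds.options.Value -band 1) -eq 1         # options bit 0 on NTDS Settings = GC
    New-Object PSObject -Property @{ Host = [string]$server.dNSHostName; IsGC = $isGC; Orphaned = $false }
}

$holders = @{}
foreach ($r in $roleOwners) {
    $h = Get-FsmoHolder $r.Path
    $holders[$r.Role] = $h
    '{0,-22} {1}{2}' -f $r.Role, $h.Host, $(if ($h.IsGC) { ' (GC)' } else { '' })
}

# Count DCs that are not GCs. An Infrastructure Master on a GC only matters when some DC
# is not a GC. This enumerates every NTDS Settings object in the forest, so in a
# multi-domain forest it is conservative; filter per domain if you need exactness.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNC")
$searcher.Filter = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.Add('options')
$nonGC = 0
foreach ($res in $searcher.FindAll()) {
    $opt = 0
    if ($res.Properties['options'].Count -gt 0) { $opt = [int]$res.Properties['options'][0] }
    if (($opt -band 1) -eq 0) { $nonGC++ }
}

$im = $holders['Infrastructure Master']
if ($im.Orphaned) {
    Write-Warning 'Infrastructure Master points at a deleted DC; the role must be seized.'
} elseif ($im.IsGC -and $nonGC -gt 0) {
    Write-Warning "Infrastructure Master $($im.Host) is a GC while $nonGC DC(s) are not; move the role to a non-GC DC."
}
foreach ($role in $holders.Keys) {
    if ($role -ne 'Infrastructure Master' -and $holders[$role].Orphaned) {
        Write-Warning "$role points at a deleted DC; the role must be seized."
    }
}
```

Run it from any domain-joined machine that can reach a DC; no elevation is needed because every attribute it reads is readable by Authenticated Users. The orphaned-holder check is the one to run first after losing a DC, since the snap-ins simply show an error where the holder's name should be.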
I have to confess a hidden agenda with FSMO. If I want to instantly
know how well someone knows Active Directory, I introduce FSMO into the
conversation and watch their reaction. Professionals will know what FSMO
means and its significance, amateurs just frown.