Best Practice Ezine #58 FSMO
It would make my day if this newsletter prompted you to check your FSMO strategy. Are you comfortable with the Flexible Single Master Operation concept? Are your RID, PDC, Infrastructure, Schema and Domain Naming Masters on the most suitable Domain Controllers? Finally, could you transfer the FSMO roles with, and without, the current FSMO master online?
To help you with any of the above, including NTDSutil, see more about FSMO in my new section.
To digress, when I am training a course called ‘Upgrade from NT’ (yes, some people still have NT 4.0) I experience the agony and ecstasy of Active Directory. First comes the ecstasy as I extol the benefits of multiple master replication; I enthuse, ‘You can create a user on any Domain Controller because each DC has read/write access to the NTDS.DIT database.’ Delegates say, ‘Wow, that’s great.’ The agony comes when I explain FSMO.
I start the FSMO topic with the Schema Master because they can see the merits of changing something as radical as the schema on just one Domain Controller; it’s obvious you don’t want any orphaned schemas, or replication conflicts if two administrators were to simultaneously amend the same property on different domain controllers. Then, I cannot wait any longer, I have to admit that there is a FSMO role called the PDC emulator. At this point I get an outcry, even a rebellion on a bad course. ‘Guy, yesterday you told us about the multiple master model where there was no need for the BDC, now you are telling us you have to have a PDC emulator.’ Even though I patiently explain that the PDC emulator is only for backwards compatibility, and for minor roles such as time synchronization, they feel betrayed and they take it out on me. I plough on with the course, but the other roles of RID Master, Infrastructure Master and Domain Naming Master pass in a blur. I try to regain ground with an elegant explanation of how it makes sense to give out batches of RID numbers from only one DC, but I know that delegates from hell and the Luddites will never trust me again. Ah well, that’s why I prefer the Exchange course (until we come to RUS masters!).
Guy Recommends: The Free IP Address Tracker (IPAT)
Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets. IPAT cracks this problem of allocating IP addresses in networks in two ways:
For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges.
For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker
What I want to tell you, who I think of as my friends, is how to change the FSMO roles. Sooner or later you need to take the original FSMO master Domain Controller offline. If you don’t transfer the FSMO roles while the original server is online, you run into problems. Ah yes, it’s the PDC emulator that complains first, particularly if you try to change group policies when the PDC emulator is unavailable. Have you noticed how performing those tasks that you only configure once every blue moon gives the most trouble? Well, transferring FSMO masters is a case in point. The knack is to remember to pull the Operations Master role to the new machine. Active Directory Users and Computers lets you change the role from any DC; however, the secret is to select ‘Connect to Domain Controller’ (choosing the DC that will receive the role) before you try to transfer it. What you cannot do is make the existing FSMO master the focus and then click Change in the Operations Master window. Is this making sense? If not, check out my website for detailed screenshots. See more about FSMO in my new section.
If all else fails, you can try the command-line NTDSutil and Seize PDC; however, that is easier said than done, as you first have to find the command to ‘connect to yourserver’.
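The same transfer, scripted rather than clicked, as an added example that is not from the original newsletter. It assumes the ActiveDirectory PowerShell module and uses the placeholder names DC01 (current PDC emulator) and DC02 (the DC that should take it over); the ntdsutil sequence at the end is the ‘connect to yourserver’ step the text refers to.

```powershell
# Added example: transfer the PDC emulator role to DC02 (placeholder name).
# Requires the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$target = 'DC02'   # placeholder: the DC that will RECEIVE the role

# Record who holds the domain-wide roles before the move
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Graceful transfer: both DCs online. -Identity names the receiving DC, which is
# the same idea as 'Connect to Domain Controller' in the GUI: you pull the role
# to the new machine rather than pushing it from the old one.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator -Confirm:$false

# Seize (-Force) only when the old holder is permanently gone; a seized holder
# that later returns must be cleaned up (metadata cleanup) and never rejoined as-is.
# Move-ADDirectoryServerOperationMasterRole -Identity $target `
#     -OperationMasterRole PDCEmulator -Force -Confirm:$false

# Verify against the receiving DC itself rather than whichever DC answered first
Get-ADDomain -Server $target | Select-Object PDCEmulator

# NTDSutil fallback. ntdsutil accepts its interactive commands as quoted
# arguments; the "connect to server" line is the one that is easy to miss.
# Replace "transfer pdc" with "seize pdc" only in the offline-holder case.
ntdsutil "roles" "connections" "connect to server $target" "quit" "transfer pdc" "quit" "quit"
```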
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information on UMRA.
Let me finish with an assortment of tips about FSMO.
1) The Schema Master and Domain Naming Master are forest-wide roles, while the other three (RID, PDC and Infrastructure Master) are domain-wide. So if you have 4 domains, then somewhere you have 4 PDC emulators, but only one Schema Master. It’s best to keep the forest-wide FSMOs in the root domain.
2) If you run DCPROMO, there is a checkbox which controls whether or not to find another DC to transfer any FSMO roles to. If the machine is the last, or one-and-only, FSMO master, then there is no point in DNS trying to locate another DC.
3) You should not let the Infrastructure Master be a Global Catalog. In a nutshell, it interferes with replication.
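An audit script for tips 1 and 3, added here as an example and not part of the original newsletter. It assumes the ActiveDirectory module and a forest you can query; it also applies the known exception to tip 3, that an Infrastructure Master which is a GC is harmless when every DC in that domain is a GC (the report flags only the problematic case).

```powershell
# Added example: check FSMO placement against the tips above.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# Tip 1: the two forest-wide roles should live in the root domain
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    $holder = Get-ADDomainController -Identity $forest.$role
    $inRoot = ($holder.Domain -eq $root)
    '{0,-18} {1,-30} in root domain: {2}' -f $role, $holder.HostName, $inRoot
}

# Domain-wide roles: one set per domain, so walk every domain in the forest
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    "`n[$d]  PDC={0}  RID={1}  Infra={2}" -f `
        $dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster

    # Tip 3: an Infrastructure Master that is also a GC never sees stale
    # cross-domain references, so it stops updating them, unless every DC in
    # the domain is a GC, in which case there is nothing for it to fix up.
    $infra = Get-ADDomainController -Identity $dom.InfrastructureMaster
    $dcs   = Get-ADDomainController -Filter * -Server $d
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($infra.IsGlobalCatalog -and -not $allGc) {
        "  WARNING: Infrastructure Master $($infra.HostName) is a GC while other DCs are not."
    } else {
        "  Infrastructure Master placement OK (GC: $($infra.IsGlobalCatalog), all DCs GC: $allGc)"
    }
}
```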