FSMO (Flexible Single Master Operations)
This page will advise you what to do if you lose the Domain Controller holding one of the FSMO roles. I will also cover the implications of having more than one FSMO master for the same role. If you have lost your FSMO master then I have a troubleshooting section, and a separate page on transferring FSMO roles. Incidentally, the modern tendency is to use the term Operation Masters, whereas in Windows 2000, FSMO was the term of choice.
Topics for FSMO
- PDC Emulator
- Infrastructure Master
- Rid Master
- Schema Master
- Domain Naming Master
- Troubleshooting FSMO
- (Transfer FSMO Roles – Another page)
‡
PDC Emulator
Of the 5 roles, this is the role that you will miss the soonest. Not only with NT 4.0 BDC’s complain, but also there will be no time synchronization. Another problem is that you probably will not be able to change or troubleshoot group policies as the default setting is for the PDC emulator also to be the group policy master.
Implications for Duplicates
If the old PDC emulator returns, then it is not as serious as duplicates with some of the other roles. Quickly seize PDC role from another machine.
RID Master
One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique numbers so that no two new objects have the same GUID (Globally Unique Identifier).
If you lose the RID master the chances are good that the existing Domain Controllers will have enough unused RIDs to last a week or so do not be in a hurry to seize.
Implications for Duplicates
You must not allow two RID masters, as the possibility of two objects with the same RID would be disastrous. So if the original is found it must be reformatted and reinstalled before re-joining the forest.
Infrastructure Master
The consequence for a missing Infrastructure master is that group memberships may be incomplete. If you only have one domain, then there will be no impact as the Infrastructure Master is responsible for updating your user’s membership in other domains in the forest.
Implications for Duplicates
No damage occurs if the old Infrastructure master returns, just check out the Roles and decide which machine should hold the role.
Forest Wide Roles
Schema Master
If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or extend the schema. However, short term no-one will notice a missing Schema Master, so try and repair the old one rather than seize the role.
Implications for Duplicates
You must not allow two Schema Masters, so if the original is found or repaired, it must be completely rebuilt rather than allowed into the forest.
Guy Recommends: A Free Trial of the Network Performance Monitor (NPM)
v12
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM’s best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.
Download your free trial of SolarWinds Network Performance Monitor.
Domain Naming Master
This is a forest wide role that is responsible for adding child domains and new trees. Unless you are going to run DCPROMO, then you will not miss this FSMO role, so wait rather than seize the role.
Implications for Duplicates
You must not allow the original Domain Naming Master to return, rebuild before you let the machine back in the forest.
Troubleshooting FSMO
Symptoms of FSMO Problems
I find that the first sign of a problem with a FSMO is that Active Directory Users and Computers is slow to initialize. Moreover, if you try to even view Group Policies, you get an error such as:
Inaccessible GPO – Access Denied or
Failed to open the Group Policy Object. You may not have appropriate rights.
The cause of these symptoms is that the FSMO master holding the PDC emulator is unavailable. Fingers crossed it’s a temporary problem, however the problem persists then you need to investigate which Domain Controller holds, or held the PDC emulator role.
Troubleshooting Toolkit
DCDiag – Not only does DCDiag have a routing to check the FSMOs but it also provides information on Active Directory replication. As ever with troubleshooting, you want to get to the root cause not merely treat one of the symptoms.
NetDOM – It’s a close call whether to run NetDOM before or after DCDiag, the answer partly depends on whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support tools.
From the command line type netdom query fsmo. You should see a list of the of the 5 roles with the corresponding Domain Controller.
DNS – Excuse what may seem like a digression, but it never ceases to amaze me how often faulty DNS configuration is the source of an Active Directory problem. Therefore, head for the DNS snap-in and observe that all settings are as expected. Remember the Monitor to tab. Make sure that each DNS server is registering itself and registering with other DNS Servers.
DCPROMO – Rather drastic, but sometimes just running this program to demote a Domain Controller creates error messages, which are handy additional sources of information. If there are no error messages, you may just choose to cancel. However, if you go ahead and run DCPROMO to demote a domain controller, watch out for a check box that says ‘This is the last domain controller in the domain’. If that box is UNchecked the wizard will automatically move any FSMO roles to another domain controller.
NTDSUTIL – Powerful Command Line tool, note the Seize verb See here for more about transferring FSMO roles with NTDSUTIL.
Guy Recommends 3 Free Active Directory Tools
SolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
- Seeking and zapping unwanted user accounts.
- Finding inactive computers.
- Bulk-importing new users. Give this AD utility a try, it’s free!
Download your FREE Active Directory administration tools.
If you like this page then please share it with your friends
More Windows Server 2003 topics:
• Global Catalog Server •Exchange Global Catalog Server • Schema Admin
• FSMO Roles • FSMO Advice • FSMO Transfer • FSMO Transfer Example
