FSMO Roles

How to check FSMO roles

Active Directory contains five roles called Flexible Single Master Operation (FSMO) roles; the domain controllers need them to function correctly. The FSMO roles are assigned automatically when the first domain controller is installed.

In most cases they can be left alone, but there are times when they need to be moved, such as when a DC fails. It is a good idea to know where the roles are held in your AD environment; you never know when a disaster will hit. In this post, I will walk through two simple methods for finding the roles. The first method uses the Netdom query tool and the second uses the Windows GUI.

There are two forest-wide roles and three domain-wide roles.

Forest Wide Roles

  • Schema Master
  • Domain Naming Master

Domain Wide Roles

  • PDC Master
  • RID Master
  • Infrastructure Master

Schema Master

The schema master domain controller controls all updates and modifications to the schema. Once a schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. You can transfer this role to any other domain controller in the forest.

What happens when Schema Master is not available

There is no direct impact on users, because users do not need this role; only admins need it to extend the AD schema. If the schema master is unavailable, you cannot extend the AD schema to support your own custom extensions or those required by other (Microsoft) products such as Exchange or OCS/Lync. These activities are not done on a day-to-day basis, so relatively speaking it is not critical when the role is unavailable.

Domain Naming Master

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest. You can transfer this role to any other domain controller in the forest.

What happens when Domain Naming Master is not available

The domain naming master role is necessary only when you add a domain to the forest or remove a domain from a forest. Until such changes are required to your domain infrastructure, the domain naming master role can remain offline for an indefinite period of time.

Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role cannot be brought back online.

Infrastructure Master

When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the DN of the referenced object. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). A Global Catalog server holds a partial replica of every object in the forest, so it never holds a cross-domain reference to an object it does not also hold; if the Infrastructure Master runs on a GC, it therefore finds nothing to update and stops updating object information.

As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. 

What happens when Infrastructure Master is not available

A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.

Initial replication and connectivity requirements

  • This FSMO role holder is active only when the role owner has inbound replicated the domain NC successfully since the Directory Service started.
  • There is no connectivity requirement for this FSMO role holder. It is a forest internal cleanup functionality.

RID Master

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master.

The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain. 

What happens when RID Master is not available

A failed RID master will eventually prevent domain controllers from creating new SIDs and, therefore, will prevent you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.

How to check the RID pool in active directory

Before checking the RID pool on domain controllers, recall what the RID master does (see the RID Master section above): it processes RID pool requests from all domain controllers in the domain, allocating each DC a pool of RIDs from the domain’s unallocated pool when that DC’s pool falls below a threshold, and there can be only one RID master in a domain at any time.

We can check the RID pool from the command line. Open a command prompt and run the following command to get the RID pool status.

DCDIAG /Test:Ridmanager /v

Once the command has run, the output shows the RID pool status of the domain controller.
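As an added example (not from the original post), the same RID pool state can be read straight from the directory with the ActiveDirectory PowerShell module, which is easier to feed into monitoring than the dcdiag text output. It assumes the RSAT ActiveDirectory module is installed and the session can read the domain; Split-RidPool and Get-RidPoolStatus are my own function names.

```powershell
Import-Module ActiveDirectory

# The 64-bit RID pool attributes pack two 32-bit values:
# low dword = first RID of the range (or next RID to allocate), high dword = last RID.
function Split-RidPool {
    param([Int64]$Value)
    [PSCustomObject]@{
        Low  = [UInt32]($Value -band 0xFFFFFFFF)
        High = [UInt32](($Value -shr 32) -band 0xFFFFFFFF)
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain

    # Domain-wide pool: rIDAvailablePool on the RID Manager$ object gives the next RID
    # the RID master will hand out and the maximum RID available in the domain.
    $ridManagerDn = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
    $ridManager   = Get-ADObject -Identity $ridManagerDn -Properties rIDAvailablePool
    $avail        = Split-RidPool -Value $ridManager.rIDAvailablePool
    [PSCustomObject]@{
        Scope     = 'Domain'
        Name      = $domain.RIDMaster
        PoolStart = $avail.Low
        PoolEnd   = $avail.High
        Remaining = [Int64]$avail.High - [Int64]$avail.Low
    }

    # Per-DC pool: each writable DC owns a "RID Set" object under its computer account.
    # RODCs do not create security principals and therefore have no RID pool.
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                               -Properties rIDAllocationPool, rIDNextRID
        $pool   = Split-RidPool -Value $ridSet.rIDAllocationPool
        [PSCustomObject]@{
            Scope     = 'DC'
            Name      = $dc.HostName
            PoolStart = $pool.Low
            PoolEnd   = $pool.High
            # RIDs left in this DC's current pool before it must ask the RID master again
            Remaining = [Int64]$pool.High - [Int64]$ridSet.rIDNextRID
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
```

A small Remaining value on the Domain row means the whole domain is approaching RID exhaustion, which no amount of seizing or transferring the role will fix.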

Primary Domain Controller(PDC) Emulator

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.

All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions described above in a Windows 2000/2003 environment. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

What happens when PDC Emulator is not available

The PDC Emulator is the operations master that will have the most immediate impact on normal operations and on users if it becomes unavailable. Fortunately, the PDC Emulator role can be seized to another domain controller and then transferred back to the original role holder when the system comes back online.

Initial replication and connectivity requirements

  • This FSMO role holder is always active when the PDC emulator finds the fSMORoleOwner attribute of the domain NC head points to itself. There is no inbound replication requirement.
  • DCs contact the FSMO role holder when they have a new password, or the local password verification fails. No error occurs when the PDC emulator can’t be reached or the AvoidPdcOnWan registry value is set to 1.
  • You can use the following cmdlet to run the prerequisite checks for demoting a DC that holds an operations master role:
PS C:\Users\vipan.kumar-DS-A> Test-ADDSDomainControllerUninstallation -DemoteOperationMasterRole | fl

Netdom query command line tool

Netdom is a command line tool used to manage Active Directory domains and trusts. The Netdom tool is built into Windows Server 2003 and later.

1. On any domain controller, open the command prompt.

On Windows Server 2012, click the Start button and type cmd; Windows will search and return the command prompt. Click “Command Prompt”.

2. From the command prompt, type “netdom query fsmo” and press Enter.

netdom query fsmo

The command returns the five roles and the DC that holds each one.

That’s it for the Netdom query method, very simple and straightforward.

FSMOCheck on a domain controller

Dcdiag is a Microsoft Windows command line utility that analyzes the state of domain controllers in a forest or enterprise. You can analyze a single domain controller or all DCs in the forest.

Run the following command to perform the FSMO check on a domain controller:

DCDIAG /Test:FSMOCheck
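As an added example (not from the original post), the following PowerShell does the same lookup as netdom and dcdiag with the ActiveDirectory module, shows the raw fSMORoleOwner attribute mentioned in the PDC emulator section, and flags the Infrastructure Master / Global Catalog placement issue described above. It assumes the RSAT ActiveDirectory module and a domain-joined session; Get-FsmoReport is my own function name.

```powershell
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # The two forest-wide roles come from the forest object, the three domain-wide
    # roles from the domain object; this is the same information "netdom query fsmo" prints.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.GetEnumerator()) {
        [PSCustomObject]@{ Role = $role.Key; Holder = $role.Value }
    }

    # The friendly PDCEmulator property is derived from the fSMORoleOwner attribute on the
    # domain NC head, which holds the DN of the role owner's NTDS Settings object.
    $ncHead = Get-ADObject -Identity $domain.DistinguishedName -Properties fSMORoleOwner
    [PSCustomObject]@{ Role = 'PDC Emulator (fSMORoleOwner)'; Holder = $ncHead.fSMORoleOwner }

    # Placement check: the Infrastructure Master should not be a GC unless every DC in the
    # domain is a GC, otherwise cross-domain references stop being updated.
    $dcs   = Get-ADDomainController -Filter *
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im.IsGlobalCatalog -and -not $allGc) {
        $msg = ('Infrastructure Master {0} is a Global Catalog while other DCs are not; ' +
                'move the role to a non-GC DC or make every DC a GC.') -f $im.HostName
        Write-Warning $msg
    }
}

Get-FsmoReport | Format-Table -AutoSize
```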

Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please also subscribe to our Facebook page and website for the latest articles: https://www.facebook.com/windowstechno