Active Directory FSMO Roles and Troubleshooting Steps Explained
In an Active Directory domain environment, some of the domain controllers hold special roles that the forest and its domains need in order to function properly. These are the FSMO roles, short for Flexible Single Master Operations roles, and they are also called the Operations Master roles. They are among the most important roles in the directory and must be configured correctly; if any of them is misconfigured, your Active Directory environment will not work properly.
Operations master roles fall into two categories:
1) Forest-wide roles.
2) Domain-wide roles.
Forest-wide operations master roles :
Every forest root domain must have the following two FSMO roles assigned to domain controllers in that domain. Each of these roles is unique within the forest.
Domain Naming Master :
- The Domain Naming Master is used for adding and removing domains in the forest; it is needed only at the time additional child domains are added to the forest.
- The Domain Naming Master is responsible for changes to the namespace.
- There should be only one Domain Naming Master in a forest.
Schema Master :
- The Schema Master is responsible for changes made to the schema.
- The Schema Master replicates all schema changes to every domain controller in the forest.
- There should be only one Schema Master in a forest.
Domain-wide operations master roles :
These are the important roles that are unique at the domain level.
PDC Emulator :
- The PDC Emulator plays a significant role in replicating password changes and account lockouts to all the clients in a domain.
- The PDC Emulator also synchronizes time across all the domain controllers in a domain.
- The PDC Emulator also maintains consistency across the domain.
- The PDC Emulator on a domain controller supports two authentication protocols: Kerberos V5 and NTLM.
- There should be only one PDC Emulator in a domain.
Infrastructure Master :
- The Infrastructure Master is responsible for updating cross-domain object references, i.e. when an object in one domain is referenced by an object in another domain, that reference is maintained by the Infrastructure Master.
- The Infrastructure Master uses the Global Catalog to handle these references, comparing its own objects with those it receives through replication.
- The Infrastructure Master and the Global Catalog should not be on the same domain controller; if they are, the Infrastructure Master will not work.
RID Master :
The RID Master assigns relative IDs (RIDs) to the domain controllers in a domain.
Whenever a security principal (i.e. a user or group) is created by a domain admin, a SID is assigned to the newly created Active Directory object.
A SID consists of two elements:
1) The domain SID, which is the same for every object in the domain.
2) The RID, which is unique among all the SIDs created in the domain.
How to find which Domain Controller holds which FSMO Roles :
To find out which domain controller holds which FSMO role, follow the steps below.
Go to Command Prompt -> type “netdom query fsmo” and hit Enter.
The following table lists the errors you can use to work out which FSMO role is responsible for a problem that occurs in your domain.
| Errors in FSMO roles | Responsible Role | Reason for the errors |
|---|---|---|
| Users can’t log on. | PDC Emulator | If system clocks become unsynchronized, Kerberos may fail. |
| Can’t change passwords. | PDC Emulator | Password changes need this role holder. |
| Account lockout not working. | PDC Emulator | Account lockout enforcement needs this role holder. |
| Can’t raise the functional level for a domain. | PDC Emulator | This role holder must be available when raising the domain functional level. |
| Can’t create new users or groups. | RID Master | RID pool has been depleted. |
| Problems with universal group memberships. | Infrastructure Master | Cross-domain object references need this role holder. |
| Can’t add or remove a domain. | Domain Naming Master | Changes to the namespace need this role holder. |
| Can’t promote or demote a DC. | Domain Naming Master | Changes to the namespace need this role holder. |
| Can’t modify the schema. | Schema Master | Changes to the schema need this role holder. |
| Can’t raise the functional level for the forest. | Schema Master | This role holder must be available when raising the forest functional level. |
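Two of the rows above can be checked directly rather than waiting for the symptom: the RID pool behind “Can’t create new users or groups” and the PDC Emulator’s time source behind “Users can’t log on”. This is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain, and `Get-RidPoolStatus` / `Test-PdcTimeSource` are names chosen here.

```powershell
# Added example, not the article's own code; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    # Read the domain-wide RID pool from the RID Master itself.
    param([string]$Server = (Get-ADDomain).RIDMaster)
    $domainDn = (Get-ADDomain).DistinguishedName
    $ridMgr = Get-ADObject -Server $Server -Identity "CN=RID Manager`$,CN=System,$domainDn" `
                           -Properties rIDAvailablePool
    # rIDAvailablePool is one 64-bit value: the high 32 bits hold the largest
    # RID the domain may ever issue, the low 32 bits the next RID the RID
    # Master will hand out. When they meet, no new principals can be created.
    [int64]$pool = $ridMgr.rIDAvailablePool
    $maxRid  = $pool -shr 32
    $nextRid = $pool -band 0xFFFFFFFF
    [pscustomobject]@{
        RIDMaster   = $Server
        NextRid     = $nextRid
        MaxRid      = $maxRid
        Remaining   = $maxRid - $nextRid
        PercentUsed = [math]::Round(100 * $nextRid / $maxRid, 2)
    }
}

function Test-PdcTimeSource {
    # The PDC Emulator is the domain's time root; if it syncs from its own
    # hardware clock, every DC and client inherits the drift and Kerberos breaks.
    param([string]$Pdc = (Get-ADDomain).PDCEmulator)
    $source = ((& w32tm /query /computer:$Pdc /source) -join ' ').Trim()
    [pscustomobject]@{
        PDCEmulator = $Pdc
        TimeSource  = $source
        Healthy     = $source -notmatch 'Local CMOS Clock|Free-running System Clock'
    }
}

Get-RidPoolStatus
Test-PdcTimeSource
```

A `Healthy` value of `False` means the PDC Emulator is not following an external or upstream source, which is the usual cause of the clock skew in the first table row.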
Rules for placing the FSMO roles in your domain environment :
These are some simple rules to follow when placing the FSMO roles in your Active Directory environment.
1) The RID Master and the PDC Emulator should be placed on the same domain controller.
2) The Schema Master should be placed on the PDC Emulator of the forest’s root domain.
3) The Domain Naming Master should be placed on the forest root’s PDC Emulator.
4) The PDC Emulator should be placed on a domain controller that has a replica domain controller in the same Active Directory site.
5) The Infrastructure Master should not be placed on a Global Catalog server.
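The role lookup from “netdom query fsmo” and the five placement rules can be combined into one audit. This is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the forest, and the function names `Get-FsmoRoleHolders` and `Test-FsmoPlacement` are chosen here. It goes one step beyond rule 5 by skipping the Global Catalog check when every DC in the forest is a GC, since the rule only matters when some DC is not.

```powershell
# Added example, not the article's own code; assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoPlacement {
    $roles    = Get-FsmoRoleHolders
    $forest   = Get-ADForest
    $rootPdc  = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    $allDcs   = (Get-ADDomainController -Filter *).HostName
    $nonGcDcs = $allDcs | Where-Object { $forest.GlobalCatalogs -notcontains $_ }
    $findings = @()
    # Rule 1: RID Master and PDC Emulator on the same DC.
    if ($roles.RIDMaster -ne $roles.PDCEmulator) {
        $findings += "RID Master ($($roles.RIDMaster)) and PDC Emulator ($($roles.PDCEmulator)) differ."
    }
    # Rules 2 and 3: forest-wide roles on the forest root PDC Emulator.
    foreach ($r in 'SchemaMaster', 'DomainNamingMaster') {
        if ($roles[$r] -ne $rootPdc) { $findings += "$r ($($roles[$r])) is not on the root PDC Emulator ($rootPdc)." }
    }
    # Rule 4: the PDC Emulator needs a replica DC in its own AD site.
    $pdcSite = (Get-ADDomainController -Identity $roles.PDCEmulator).Site
    if (@(Get-ADDomainController -Filter "Site -eq '$pdcSite'").Count -lt 2) {
        $findings += "PDC Emulator $($roles.PDCEmulator) has no replica DC in site $pdcSite."
    }
    # Rule 5: Infrastructure Master must not be a GC. If every DC is a GC the
    # rule is moot (a caveat the rules above do not mention), so skip it then.
    if ($nonGcDcs -and $forest.GlobalCatalogs -contains $roles.InfrastructureMaster) {
        $findings += "Infrastructure Master $($roles.InfrastructureMaster) is a Global Catalog."
    }
    # Every holder must answer on LDAP; an unreachable holder explains most
    # of the symptoms in the troubleshooting table.
    foreach ($kv in $roles.GetEnumerator()) {
        if (-not (Test-NetConnection -ComputerName $kv.Value -Port 389 -InformationLevel Quiet)) {
            $findings += "$($kv.Key) holder $($kv.Value) is unreachable on TCP 389."
        }
    }
    if ($findings) { $findings } else { 'All FSMO placement checks passed.' }
}
```

Call `Test-FsmoPlacement` from a domain-joined administrative workstation; each finding names the rule broken and the DCs involved.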
How to administer the FSMO roles :
FSMO roles can be administered using the Active Directory GUI tools, or using the command-prompt tools that are available by default on the Microsoft Windows Server CD, or in Server Manager on Windows Server 2008, 2012 and above. The command-line tool is NTDSUTIL, which is used to seize the roles onto a new server if any of your domain controllers goes down.
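The same transfer-or-seize decision that NTDSUTIL is used for can be scripted with the ActiveDirectory module’s `Move-ADDirectoryServerOperationMasterRole` cmdlet, which transfers a role cooperatively and seizes it only when `-Force` is given. This is an added example, not the article’s own procedure; it assumes the caller holds the rights for the role (Domain Admins for domain-wide roles, Enterprise Admins or Schema Admins for the forest-wide ones), and `Move-FsmoRole`, `Get-FsmoHolder` and the DC name `dc02.corp.example` are names chosen here.

```powershell
# Added example, not the article's own code; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    param([string]$Role)
    switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }   # PDCEmulator, RIDMaster, InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string]$Role
    )
    $holder = Get-FsmoHolder $Role
    if ($holder -eq $TargetDc) { return "$Role is already held by $TargetDc." }
    # Prefer a transfer: the current holder hands the role over and both DCs agree.
    $reachable = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet
    if ($reachable) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
        $action = 'transferred'
    } else {
        # Seize only when the holder is gone for good. A seized holder that later
        # returns would still believe it owns the role, so it must be demoted or
        # have its metadata cleaned, never simply powered back on.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
        $action = 'seized'
    }
    "$Role $action from $holder to $(Get-FsmoHolder $Role)."
}

# Usage (constructed DC name):
Move-FsmoRole -TargetDc 'dc02.corp.example' -Role PDCEmulator
```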