Thursday 12 November 2015

FSMO Role Transfer

FSMO Role Description

Active Directory has five special roles, the Flexible Single Master Operations (FSMO) roles, which are vital for the smooth running of AD as a multi-master system. Some functions of AD require a single authoritative master to which all domain controllers can refer. These roles are assigned automatically to the first domain controller when the directory service is introduced into the environment; from then on they only move when an administrator transfers or seizes them.

Schema master (one per forest): This role is responsible for maintaining and modifying the Active Directory schema. It is the only DC that accepts schema changes, so schema-extending tools (adprep, Exchange setup and the like) must be able to reach it.

PDC emulator (one per domain): This role receives preferential replication of password changes and is consulted by other domain controllers when a logon fails (so a password that was just changed elsewhere is still accepted), it processes account lockouts, it is the domain controller that Group Policy Management connects to by default when policies are edited, and it is the authoritative time source for the domain. Time matters: by default Kerberos tolerates at most 5 minutes of clock skew between client, domain controller and service, because the time stamps inside tickets and authenticators are what stop a captured authenticator from being replayed. That is why the time hierarchy has to be kept intact when this role moves.

Relative ID (RID) master (one per domain): This role hands out pools of relative IDs to the other domain controllers. Every security principal's SID is the domain SID plus a RID taken from such a pool, so the RID master is what guarantees that no two objects in the domain ever receive the same SID.

Domain naming master (one per forest): This role is responsible for the addition and deletion of domains (and application partitions) in a forest, so it must be reachable whenever a domain is promoted or removed.

Infrastructure master (one per domain): This role updates references to objects that live in other domains, for example the membership of a group that contains users from another domain, whenever those objects are renamed or moved. Unless every domain controller in the domain is a global catalog, this role should not be held by a global catalog server, otherwise those cross-domain references are never updated.

Key difference between Transfer and Seize

Transfer: Done with the cooperation of the current role holder, typically when the roles have to be placed temporarily or permanently on another DC for maintenance. Once the roles are transferred, the old domain controller still provides LDAP, Kerberos and replication services to clients; it simply acts as an additional domain controller (ADC).

Seize: Done without the cooperation of the current role holder, when that domain controller has gone offline for some reason (hardware failure, OS crash and so on) and will not be coming back.
Seizing a role means forcibly moving it from the failed DC to another DC.
Once the role is seized, the new DC becomes the role holder. The failed DC must never be allowed back on the network as a domain controller, because its copy of the directory still says it owns the role. If it is repaired, demote it while it is disconnected (dcpromo /forceremoval) and remove its leftover metadata from the directory (ntdsutil metadata cleanup) before it is rebuilt.
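The following script is an added example, not part of the original post, showing the transfer and seize paths side by side with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later). The domain corp.example, the failed DC DC01, the surviving DC DC02 and the site name Default-First-Site-Name are assumptions; run it from an elevated prompt on DC02 as a member of Domain Admins (Enterprise Admins and Schema Admins are needed for the two forest-wide roles).

```powershell
# Added example: transfer vs seize of FSMO roles (assumed names: DC01 = failed
# role holder, DC02 = surviving DC, domain corp.example).
Import-Module ActiveDirectory

# 1. Who currently holds what? Forest-wide roles live on the forest object,
#    domain-wide roles on the domain object.
$forest = Get-ADForest
$domain = Get-ADDomain
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"
"PDC emulator         : $($domain.PDCEmulator)"
"RID master           : $($domain.RIDMaster)"
"Infrastructure master: $($domain.InfrastructureMaster)"

$allRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
$seize = $false   # set to $true only when DC01 is dead and will not come back

if (-not $seize) {
    # 2a. TRANSFER: the current holder is online and hands the roles over.
    #     Without -Force the cmdlet fails cleanly if DC01 cannot be contacted,
    #     which is exactly what you want during planned maintenance.
    Move-ADDirectoryServerOperationMasterRole -Identity DC02 `
        -OperationMasterRole $allRoles -Confirm:$false
}
else {
    # 2b. SEIZE: -Force makes the cmdlet attempt a transfer first and, when
    #     DC01 does not answer, writes DC02 as the owner into DC02's own copy
    #     of the directory. That change then replicates to the other DCs.
    Move-ADDirectoryServerOperationMasterRole -Identity DC02 `
        -OperationMasterRole $allRoles -Force -Confirm:$false

    # 3. After a seizure DC01 must never return as a DC. Strip its server and
    #    NTDS Settings objects so replication stops trying to reach it and the
    #    name is free for a rebuild. (If DC01 is ever powered on again, run
    #    dcpromo /forceremoval on it while it is disconnected from the network.)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $serverDn = "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNc"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# 4. Confirm the directory now names DC02 for every role, from two sources.
(Get-ADDomain).PDCEmulator      # expect DC02.corp.example
netdom query fsmo
```

The only difference between the two paths is the -Force switch; everything else (verifying the new holder, and in the seize case cleaning up the dead DC's metadata) is what separates a clean recovery from a domain with two DCs that both believe they are the PDC emulator.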

Pre Implementation check list
  •  Verify connectivity between the old server and the new server (RPC, LDAP and Kerberos, not just ping).
  •  All domain controllers have replicated successfully (repadmin /replsummary shows no failures).
  •  Record the current NTP server configuration on the PDC emulator:
C:\>w32tm /query /configuration | find "NtpServer:"
NtpServer: 0.in.pool.ntp.org 3.asia.pool.ntp.org 0.asia.pool.ntp.org (Local)

(Verify that the NTP servers above are reachable on UDP port 123 from the new server; this is my test lab, hence I am using MS NTP servers for my lab.)

  •  When the PDC emulator role is transferred, the authoritative time source configuration should move with it to the new PDC emulator; otherwise the domain hierarchy points every DC and client at a PDC emulator that is not itself synchronized with anything.

Implementation Plan        

  •  Take a System State backup of the old and new domain controllers.
  •  On the old PDC emulator, remove the authoritative time source setting and configure it to follow the domain hierarchy, so that once the role moves the old domain controller takes its time from the new PDC emulator:
C:\>w32tm /config /syncfromflags:domhier /reliable:no /update

  •  Restart the Windows Time service on the old PDC emulator:
net stop w32time & net start w32time
  •  Transfer the FSMO roles to the new domain controller.
  •  On the new PDC emulator, configure the authoritative external time source so that it provides time to the rest of the domain, then run w32tm /resync to synchronize it immediately:
w32tm /config /manualpeerlist:"0.in.pool.ntp.org 3.asia.pool.ntp.org 0.asia.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

Verify that the new time source is set with w32tm /query /configuration (Type should be NTP and NtpServer should list the peers above), or check the registry under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

Verify that the other domain controllers are getting their time from the new PDC emulator: run w32tm /resync /rediscover on each of them, then check w32tm /query /source and look in the System log for Time-Service event 35 (the service is now synchronizing with the new source) and event 37 (NtpClient is receiving valid time data from it).
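The whole plan above as one script, added here as an example rather than taken from the original post. It is meant to run from an elevated PowerShell prompt on the new domain controller with the ActiveDirectory module and Windows Server Backup installed. The names DC01 (old PDC emulator), DC02 (new DC), DC03 (a third DC), the domain corp.example and the backup target E: are assumptions; the NTP peers are the ones used in the post.

```powershell
# Added example: time-service handover around a cooperative FSMO transfer.
# Assumed names: DC01 = old PDC emulator, DC02 = new DC (where this runs),
# DC03 = another DC, domain corp.example, backup volume E:.
Import-Module ActiveDirectory
$oldPdc   = 'DC01'
$newPdc   = 'DC02'
$otherDcs = 'DC01', 'DC03'
$peers    = '0.in.pool.ntp.org 3.asia.pool.ntp.org 0.asia.pool.ntp.org'

# Pre-checks: replication is clean and the old PDC is reachable over WinRM.
repadmin /replsummary
Test-WSMan -ComputerName $oldPdc | Out-Null

# Step 1: System State backup on both DCs (wbadmin, Windows Server Backup).
Invoke-Command -ComputerName $oldPdc, $newPdc -ScriptBlock {
    wbadmin start systemstatebackup -backupTarget:E: -quiet
}

# Steps 2 and 3: the old PDC stops advertising itself as a reliable source,
# follows the domain hierarchy, and restarts W32Time so it re-reads the config.
Invoke-Command -ComputerName $oldPdc -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    Restart-Service w32time
}

# Step 4: transfer all five roles. No -Force: this is a cooperative transfer,
# so a failure here means DC01 is unreachable and the plan should stop.
Move-ADDirectoryServerOperationMasterRole -Identity $newPdc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
if ((Get-ADDomain).PDCEmulator -notlike "$newPdc.*") {
    throw "PDC emulator role is not on $newPdc, stopping before touching the time source"
}

# Step 5: the new PDC emulator becomes the authoritative source for the domain.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# Verify on the new PDC: configuration, registry and the source actually in use.
w32tm /query /configuration | Select-String 'NtpServer|Type|AnnounceFlags'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
    Select-Object Type, NtpServer   # expect Type = NTP and the three peers above
w32tm /query /source                 # expect one of the pool.ntp.org hosts

# Verify on the other DCs: rediscover the hierarchy, confirm the source is the
# new PDC, and pull the Time-Service events 35 and 37 that record the switch.
foreach ($dc in $otherDcs) {
    w32tm /resync /computer:$dc /rediscover
    "$dc source: " + (w32tm /query /computer:$dc /source)
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 35, 37
    } -MaxEvents 4 | Select-Object TimeCreated, Id, Message
}

# Domain-wide view: every DC's offset from the new PDC emulator should be close
# to zero, well inside the 5-minute Kerberos tolerance.
w32tm /monitor /domain:corp.example
```

The throw after the transfer is deliberate: if the roles did not actually move, reconfiguring DC02 as a reliable time source would leave the domain with a PDC emulator (DC01) that now follows the hierarchy and a non-PDC (DC02) that announces itself as reliable, which is the exact misconfiguration the checklist is trying to avoid.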