FSMO
Role Description
Active Directory is a multimaster directory: any domain controller can accept writes. A few operations, however, need a single authoritative master that every domain controller defers to, and those are handled by the five Flexible Single Master Operation (FSMO) roles. The roles are assigned automatically when the directory service is installed: the first DC in the forest holds all five, and the first DC in each additional domain holds that domain's three.
Schema master (one per forest): Holds the only writable copy of the Active Directory schema. Every schema change (new classes or attributes, forest preparation for a newer Windows Server version or for applications that extend the schema) is made against this DC.
PDC emulator (one per domain): Receives password changes with priority and is consulted by the other DCs whenever a logon fails with a bad password, so a freshly changed password is honoured before it has replicated everywhere. It also processes account lockouts, is the default DC on which Group Policy is edited, and is the authoritative time source at the root of the domain time hierarchy. Time matters because Kerberos rejects tickets and authenticators whose timestamps differ from the server clock by more than five minutes (by default); those timestamps are what limit replay and man-in-the-middle attacks, so every machine in the domain must stay within that skew.
Relative ID (RID) master (one per domain): Hands out pools of relative IDs to every DC in the domain, so that the SID of each newly created security principal (user, group, computer) is unique.
Domain naming master (one per forest): Responsible for adding and removing domains (and application directory partitions) in the forest.
Infrastructure master (one per domain): Updates the references this domain keeps to objects in other domains (for example group members from another domain) when those objects are renamed or moved. In a multi-domain forest it must not run on a global catalog server unless every DC is a global catalog; otherwise it never updates anything.
Key difference between Transfer and Seize
Transfer: done with the co-operation of the current role holder, when the roles need to move temporarily or permanently to another DC, for example for maintenance. The two DCs agree on the hand-over, so nothing is lost. After the transfer the old domain controller keeps providing LDAP and Kerberos to clients; it is simply an additional domain controller (ADC) without any FSMO role.
Seize: done without the co-operation of the current holder, when that domain controller has gone offline for good (hardware failure, OS crash, etc.). Seizing forcibly assigns the role to another DC. Because the old holder never learns that it lost the role, it must not be brought back online afterwards: rebuild it, or remove its metadata from the directory before it can ever reconnect. Seizing the RID master is the most delicate case, since a resurrected holder would hand out RID pools that are already in use and create duplicate SIDs.
Pre Implementation check list
- Verify connectivity between the old server and the new server (LDAP, Kerberos and RPC must be reachable in both directions).
- All domain controllers are fully replicated, with no outstanding replication failures.
- Note the present NTP server configuration on the PDC emulator:
NtpServer: 0.in.pool.ntp.org 3.asia.pool.ntp.org 0.asia.pool.ntp.org (Local)
(Verify that the above NTP servers are reachable on UDP port 123 from the new server. It is my test lab, hence I am using MS NTP servers for my lab.)
- When transferring the PDC emulator role, always move the authoritative time service with it: whichever DC holds the PDC emulator role is the root of the domain time hierarchy.
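The checks above, gathered into a PowerShell script as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module on the machine it runs from, a new domain controller named NEW-DC01 (an assumed name) and the three pool.ntp.org peers from the checklist; it also measures every DC's clock offset from the PDC emulator, which is the Kerberos five-minute check from the role description.

```powershell
# Added example, not from the original post. Assumed names: NEW-DC01 is the new
# domain controller; the NTP peers are the ones listed in the checklist.
Import-Module ActiveDirectory

$NewDc = 'NEW-DC01'                                   # assumed
$Peers = '0.in.pool.ntp.org', '3.asia.pool.ntp.org', '0.asia.pool.ntp.org'

$forest = Get-ADForest
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# 1. Current role holders; the PDC emulator is the one whose time config must be carried over.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $pdc
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Connectivity from the old server (the current PDC emulator) to the new one.
#    389 = LDAP, 88 = Kerberos, 135 = RPC endpoint mapper (used by the role transfer itself).
Invoke-Command -ComputerName $pdc -ScriptBlock {
    param($target)
    foreach ($port in 389, 88, 135) {
        $r = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        '{0}:{1} from {2}: {3}' -f $target, $port, $env:COMPUTERNAME, $r.TcpTestSucceeded
    }
} -ArgumentList $NewDc

# 3. Replication health: a non-zero last result is a failed link and must be fixed before moving roles.
$bad = Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain |
       Where-Object { $_.LastReplicationResult -ne 0 }
if ($bad) {
    $bad | Select-Object Server, Partner, Partition, LastReplicationResult, LastReplicationAttempt |
        Format-Table -AutoSize
} else {
    'Replication: all partner links healthy'
}

# 4. Present time configuration of the PDC emulator (what the new PDC emulator must reproduce).
w32tm /query /computer:$pdc /configuration
w32tm /query /computer:$pdc /source

# 5. Can the new server actually reach the NTP peers on UDP 123?
#    /stripchart sends real NTP requests; an unreachable peer prints an error instead of offsets.
Invoke-Command -ComputerName $NewDc -ScriptBlock {
    param($peers)
    foreach ($p in $peers) { "--- $p"; w32tm /stripchart /computer:$p /samples:3 /dataonly }
} -ArgumentList (, $Peers)

# 6. Kerberos sanity check: every DC's offset from the PDC emulator must be well inside 5 minutes.
w32tm /monitor /domain:$($domain.DNSRoot)
```

Run it from an elevated PowerShell as a Domain Admin; steps 2 and 5 use PowerShell remoting to the old and new server, so WinRM must be enabled on both.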
Implementation Plan
- Take a system state backup of both the old and the new domain controller.
- On the old PDC emulator, remove the authoritative time source setting and make it follow the domain hierarchy, so that after the transfer the old domain controller takes its time from the new PDC emulator:
C:\>w32tm /config /syncfromflags:domhier /reliable:no /update
- Restart the Windows Time service on the old PDC emulator:
net stop w32time & net start w32time
- Transfer the FSMO roles to the new domain controller.
- On the new PDC emulator, configure the external time source so that it provides time to the rest of the domain:
w32tm /config /manualpeerlist:"0.in.pool.ntp.org 3.asia.pool.ntp.org 0.asia.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
Verify that the new time source is set with w32tm /query /configuration (or w32tm /query /source), or check the NtpServer and Type values in the registry under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
Verify that the other domain controllers get their time from the new PDC emulator: run w32tm /resync /rediscover on each and look for Time-Service events 35 and 37 in the System log.
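The implementation steps above carried out end to end with the Active Directory PowerShell module, as an added example that is not part of the original post. OLD-DC01 and NEW-DC01 are assumed names; run it elevated as a member of Domain Admins (plus Schema Admins and Enterprise Admins for the two forest-wide roles). The -Seize switch shows the one difference between transfer and seize from the section above: the same cmdlet with -Force, with the old DC skipped because it is not expected to answer.

```powershell
# Added example, not from the original post. Assumed names: OLD-DC01 is the
# current PDC emulator, NEW-DC01 the domain controller that takes over all roles.
param(
    [string]$OldDc    = 'OLD-DC01',   # assumed
    [string]$NewDc    = 'NEW-DC01',   # assumed
    [string]$NtpPeers = '0.in.pool.ntp.org 3.asia.pool.ntp.org 0.asia.pool.ntp.org',
    [switch]$Seize                    # only when OLD-DC01 is gone for good; it must never come back afterwards
)
Import-Module ActiveDirectory
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Steps 2-3: the old PDC emulator stops advertising as a reliable time source and follows the domain hierarchy.
# Skipped on a seize: a dead DC cannot be reconfigured, and the point of seizing is that it will not return.
if (-not $Seize) {
    Invoke-Command -ComputerName $OldDc -ScriptBlock {
        w32tm /config /syncfromflags:domhier /reliable:no /update
        Restart-Service w32time
    }
}

# Step 4: move all five roles. With -Force the cmdlet still tries a graceful transfer first and
# only seizes when the current holder does not answer, which is the transfer-vs-seize distinction.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Force:$Seize -Confirm:$false

# Step 5: the new PDC emulator becomes the root of the time hierarchy, syncing from the external NTP peers.
Invoke-Command -ComputerName $NewDc -ScriptBlock {
    param($peers)
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
    w32tm /query /source          # should name one of the NTP peers, not a DC
} -ArgumentList $NtpPeers

# Verification: all five roles must now report the new DC ...
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders | Format-List
$notMoved = $holders.PSObject.Properties | Where-Object { $_.Value -notlike "$NewDc*" }
if ($notMoved) { Write-Warning ('Roles still elsewhere: ' + ($notMoved.Name -join ', ')) }

# ... and every other DC must pick up the new PDC emulator (or a DC above it in the hierarchy) as its source.
# Event 35 = now synchronizing with <source>; event 37 = receiving valid time data from <source>.
$others = (Get-ADDomainController -Filter *).HostName |
          Where-Object { $_ -notlike "$NewDc*" -and -not ($Seize -and $_ -like "$OldDc*") }
foreach ($dc in $others) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        w32tm /resync /rediscover | Out-Null
        "$env:COMPUTERNAME -> " + (w32tm /query /source)
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 35, 37 } -MaxEvents 4 |
            Select-Object TimeCreated, Id, Message
    }
}
```

Save it as a .ps1 and run it without parameters for a normal transfer, or with -Seize after the old DC is confirmed dead; in the seize case, follow up by cleaning the old DC's metadata out of the directory before any rebuilt machine with that name joins the domain.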