Flexible Single-Master Operations (FSMO) Roles

Revision as of 19:53, 6 May 2014 by Mmuehlfeld (talk | contribs) (Initial version of a HowTo about FSMO roles)

What are FSMO roles and which roles exist?

See https://support.microsoft.com/kb/197132/en



Difference between transferring and seizing FSMO roles

Whenever possible, transfer FSMO roles rather than seizing them. Transferring is the recommended and cleaner way, but it requires that the DC currently owning the role you want to transfer is still working and connected to the network. A transfer makes the old DC aware that it no longer owns the role(s).

If the DC is broken (e.g. a hardware defect) and will certainly never come back, seize the role on a remaining DC. It is very important that the old DC is really never connected to the network again: it did not notice the change and still considers itself responsible for the tasks related to the role, which can cause conflicts and lead to an inconsistent AD.



Using samba-tool

Show current FSMO role owners

On a Domain Controller of your choice, run the following command to print the owner of each FSMO role:

# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

The example shows that all five roles are currently owned by DC1.



Transferring an FSMO role

  • Log on to the DC that should become the new owner of the role you want to transfer.
  • Transfer the role to this DC by executing the following command:
# samba-tool fsmo transfer --role=...
FSMO transfer of '...' role successful
  • Ensure that the role was transferred ('samba-tool fsmo show').


Seizing an FSMO role

  • Log on to the DC that should become the new owner of the role you want to seize.
  • Seize the role for this DC by executing the following command:
# samba-tool fsmo seize --role=...
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO seize of '...' role successful
  • Ensure that the role was seized ('samba-tool fsmo show').
  • Make sure that the old DC will never be connected to the network again!
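The "ensure that the role was transferred/seized" step above is easy to skip in a hurry. The following shell helpers are an added example, not code from the Samba wiki or the samba-tool project: they parse the output of 'samba-tool fsmo show' into role/owner pairs, check whether one DC holds every role, and wrap 'samba-tool fsmo transfer' so that it only reports success once 'fsmo show' confirms the new owner. Assumptions: samba-tool is on PATH and prints lines in the form shown above ("<Name>Role owner: CN=NTDS Settings,CN=<DC>,..."); the short --role values (rid, pdc, infrastructure, schema, naming) are the ones samba-tool accepts; SAMPLE_FSMO_OUTPUT is constructed sample output (four roles on DC1, the RID master already moved to DC2) used only for trying the parsing offline. The role names DC1, DC2 and the sample domain are taken from the page.

```shell
#!/bin/sh
# Added example (not part of the Samba wiki page or samba-tool).
# Helpers for verifying FSMO role ownership after a transfer or seize.

# Constructed sample output in the format "samba-tool fsmo show" prints.
# Four roles on DC1, RidAllocationMasterRole already on DC2.
SAMPLE_FSMO_OUTPUT='InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Read the current role owners from the live DC (assumption: samba-tool on PATH).
# Wrapped in a function so it can be replaced by captured output for offline use.
fsmo_show() {
    samba-tool fsmo show
}

# Reduce "fsmo show" output (stdin) to "<RoleName> <DC>" pairs, one per line.
# The DC name is the second RDN of the NTDS Settings DN.
fsmo_owners() {
    sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1 \2/p'
}

# Print the DC that owns the named role (e.g. PdcEmulationMasterRole).
fsmo_owner_of() {
    fsmo_show | fsmo_owners | awk -v role="$1" '$1 == role { print $2 }'
}

# Succeed only if every role reported by "fsmo show" is owned by DC $1.
# Fails if no role lines were parsed at all, so garbled output is not
# mistaken for "everything is fine".
fsmo_all_owned_by() {
    fsmo_show | fsmo_owners | awk -v dc="$1" '
        { seen++; if ($2 != dc) bad = 1 }
        END { exit (seen == 0 || bad) ? 1 : 0 }'
}

# Map the short --role value given to "samba-tool fsmo transfer/seize"
# to the role name printed by "samba-tool fsmo show" (assumed mapping).
fsmo_role_name() {
    case "$1" in
        rid)            echo RidAllocationMasterRole ;;
        pdc)            echo PdcEmulationMasterRole ;;
        infrastructure) echo InfrastructureMasterRole ;;
        schema)         echo SchemaMasterRole ;;
        naming)         echo DomainNamingMasterRole ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Transfer role $1 (short name) to this DC, whose name as it appears in the
# NTDS Settings DN is $2, then verify with "fsmo show". Returns non-zero if
# the transfer command failed or the owner did not change, so a script never
# proceeds to decommission the old DC on an unverified assumption.
fsmo_transfer_and_verify() {
    role="$1"; new_dc="$2"
    name=$(fsmo_role_name "$role") || return 1
    samba-tool fsmo transfer --role="$role" || return 1
    owner=$(fsmo_owner_of "$name")
    if [ "$owner" != "$new_dc" ]; then
        echo "verification failed: $name is owned by '$owner', expected '$new_dc'" >&2
        return 1
    fi
    echo "$name is now owned by $new_dc"
}
```

On the DC that should take over the role, run for example 'fsmo_transfer_and_verify rid DC2'; to check the overall state after moving all roles, 'fsmo_all_owned_by DC2' gives a clean exit status for use in a script. To try the parsing without a DC, redefine fsmo_show to print SAMPLE_FSMO_OUTPUT.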



Using the Windows GUI

See https://support.microsoft.com/kb/255690/en