1. What is FSMO ROLES?

The FSMO (flexible single master operations) roles assigned in our environment to Domain-Controllers and provide us the ability to manage our environment without Conflicts , The FSMO roles can be transfer between Domain-Controllers and that’s provide us the ability to manage our environment in much more flexibility .

There are 5 FSMO roles in a forest; from the 5 roles 2 of them will provide services in the Forest level and the other 3 in the domain level.

The Forest level FSMO:

• Schema Master Role – The schema master Role is responsible to update the Schema Partition. The DC that contains the Schema master is the only one in our entire environment that can update the Schema directory. When this update finish the schema will replicate to all other DC in our directory.

Note!

We have only ONE schema master per directory!

• Domain Naming Master Role
  – This role is the one that provide us the ability to make changes in the Forest-Wide domain name of our directory. The DC that holds this role is the only one that can add or Remove new DC from our forest.
  

The Domain level FSMO:

• RID Master Role
  – The RID role hosts on a single DC, This DC responsible for the RID pool requests from all other DC in a domain. This role is also responsible to add or Remove objects from a domain and transfer it to other DC (Users, computers…).
  

The RID responsible to add Security Principal to objects in our environment (Users, Computers, Groups …) called SID ,This SID is unique in all our domain and cannot duplicate to other object in our domain .

• PDC Emulator Role
  – These roles provide us many services, the first responsibility is to Sync times in windows 2000 environment (W32Time Service) that requires for Kerberos Authentication, The time that this FSMO provides will gather from an external source like Microsoft servers for example.
  

The PDC role is the role that provides us the most services and from this we can Say that this role is the busy one on our environment, here are few Examples:

–          This role helps us to replicate the Sysvol folder in our environment.

–          Manage all passwords changes in our domains to ensure that accounts that not supply the right credentials will be locked and replicate Password across domains.

• Infrastructure Master Role
  – This role provide us the ability to update all objects SID’S and distinguished name in cross domains , this happens when object from one domain referenced with object from another DC.
  

FSMO levels:

Schema master                                       : One per forest.

Domain Naming Master                        : One per forest.

PDC Emulator                                       : One per domain.

RID Master                                            : One per domain.

Infrastructure Master                            : One per domain.

Worst Case Scenario – What Happens’ if Fsmo fails…?

• Schema Master – If this FSMO role fails we cannot add object to our Schema Partition. And for that reason we cannot change object or their Attributes.
  
• Domain Naming Master – Here it’s easy to understand the problem that we have when this FSMO fails, we simply cannot be abeles to add new DC to the forest and we also cannot demote existing Domain-Controllers. We need to pay attention that our environment will function till we net do manage Domain –Controllers in our forest.
  
• PDC Emulator – like we describe this role is the one that provides most services for that reason when this role not function probably will cause us the biggest problems in our environment.
  
• Rid Master – First we need to know that each Domain-Controller In our domain contains pool of RID’S, so we only have problems if we want to add many object (Users, Computers…).
  
• Infrastructure master – Here we need to understand the difference between Single Domain environment (IF this FSMO fails it’s not relevant to this scenario) and Multi-Domain environment (If this FSMO fails we cannot add object from one DC to another).
  

  To Transfer the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
   
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
   
3. Select the domain controller that will be the new role holder and press OK.
   
4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
   
5. Press the Change button.
   
6. Press OK to confirm the change.
   
7. Press OK all the way out.
   

   To Transfer the Schema Master Role:

8. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
   

regsvr32 schmmgmt.dll

1. Press OK. You should receive a success confirmation.
   
2. From the Run command open an MMC Console by typing MMC.
   
3. On the Console menu, press Add/Remove Snap-in.
   
4. Press Add. Select Active Directory Schema.
   
5. Press Add and press Close. Press OK.
   
6. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
   
7. Press Specify…. and type the name of the new role holder. Press OK.
   
8. Right-click right-click the Active Directory Schema icon again and press Operation Masters.
   
9. Press the Change button.
   
10. Press OK all the way out.