Five FSMO roles in Active Directory

2007-06-19T13:34:00.000-07:00

The following information was obtained from here.

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the active directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is it's major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the active directory or forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller, that is the PDC emulator, acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Windows uptime

2007-04-19T20:30:00.000-07:00

Simple command that can be used to find how long a computer has been up.

cmd /k "systeminfo | findstr "Time:"

Works on Windows Server 2003 and XP Professional.

Troubleshooting Active Directory DNS issues

2007-04-11T10:53:00.000-07:00

One useful command to check for the Active Directory Domain SRV records in the DNS is the following:

launch nslookup from the command prompt, then query using the command "

> ls -t srv DOMAIN

Where DOMAIN is the name of your domain.

The above mentioned command will fail if zone transfers are not allowed.

Another way to use nslookup to see if domain controllers can be found using DNS :

launch nslookup then enter the following commands :

1.  set type=srv

2.  _ldap._tcp.dc._msdcs.Active.Directory.local

Where Active.Directory.local is your active directory domain name.

More information can be found at the following article.

MCSE Preparation

2007-03-30T23:37:00.000-07:00

Hello and welcome to my MCSE Training blog.

My name is Mansoor and I am currently preparing for my MCSE 2003 certifications. As I go through the course material, I intend to post entries on this blog to create an online journal for myself and possibly assist others while doing so.

The MCSE program I am preparing for consists of 7 components:

Windows® XP Professional
Managing & Maintaining a Windows 2003 Server Environment
Implementing, Managing & Maintaining Network Infrastructure
Planning & Maintaining Windows Server 2003 Network Infrastructure
Planning, Implementing & Maintaining Active Directory Infrastructure
Designing Security for a Microsoft Windows Server 2003 Network
Exchange Server 2003