Most domain controller functions replicate among the domain controllers in an Active Directory domain. Five functions, the FSMO (Flexible Single Master Operations) roles, are not replicated. This means that if you lose the domain controller that holds the FSMO roles, you need to perform some recovery steps before your domain controllers replicate properly again. To determine which FSMO roles a server holds, use the ntdsutil command:
```
C:\Documents and Settings\Administrator>ntdsutil
ntdsutil: ?

 ?                             - Show this help information
 Authoritative restore         - Authoritatively restore the DIT database
 Configurable Settings         - Manage configurable settings
 Domain management             - Prepare for new domain creation
 Files                         - Manage NTDS database files
 Help                          - Show this help information
 LDAP policies                 - Manage LDAP protocol policies
 Metadata cleanup              - Clean up objects of decommissioned servers
 Popups %s                     - (en/dis)able popups with "on" or "off"
 Quit                          - Quit the utility
 Roles                         - Manage NTDS role owner tokens
 Security account management   - Manage Security Account Database - Duplicate SI
D Cleanup
 Semantic database analysis    - Semantic Checker
 Set DSRM Password             - Reset directory service restore mode administra
tor account password

ntdsutil: roles
fsmo maintenance: ?

 ?                             - Show this help information
 Connections                   - Connect to a specific domain controller
 Help                          - Show this help information
 Quit                          - Return to the prior menu
 Seize domain naming master    - Overwrite domain role on connected server
 Seize infrastructure master   - Overwrite infrastructure role on connected serv
er
 Seize PDC                     - Overwrite PDC role on connected server
 Seize RID master              - Overwrite RID role on connected server
 Seize schema master           - Overwrite schema role on connected server
 Select operation target       - Select sites, servers, domains, roles and
                                 naming contexts
 Transfer domain naming master - Make connected server the domain naming master
 Transfer infrastructure master - Make connected server the infrastructure maste
r
 Transfer PDC                  - Make connected server the PDC
 Transfer RID master           - Make connected server the RID master
 Transfer schema master        - Make connected server the schema master

fsmo maintenance: connections
server connections: ?

 ?                             - Show this help information
 Clear creds                   - Clear prior connection credentials
 Connect to domain %s          - Connect to DNS domain name
 Connect to server %s          - Connect to server, DNS name or IP address
 Help                          - Show this help information
 Info                          - Show connection information
 Quit                          - Return to the prior menu
 Set creds %s %s %s            - Set connection creds as domain, user, pwd.
                                 Use "NULL" for null password,
                                 * to enter password from the console.

server connections: connect to server remote1
Binding to remote1 ...
Connected to remote1 using credentials of locally logged on user.
server connections: q
fsmo maintenance: select operation target
select operation target: ?

 ?                             - Show this help information
 Connections                   - Connect to a specific domain controller
 Help                          - Show this help information
 List current selections       - List the current site/domain/server/Naming Cont
ext
 List domains                  - Lists all domains which have Cross-Refs
 List domains in site          - Lists domains in the selected site
 List Naming Contexts          - Lists known Naming Contexts
 List roles for connected server - Lists roles connected server knows about
 List servers for domain in site - Lists servers for selected domain and site
 List servers in site          - Lists servers in selected site
 List sites                    - List sites in the enterprise
 Quit                          - Return to the prior menu
 Select domain %d              - Make domain %d the selected domain
 Select Naming Context %d      - Make Naming Context %d the selected Naming Cont
ext
 Select server %d              - Make server %d the selected server
 Select site %d                - Make site %d the selected site

select operation target: list roles for connected server
Server "remote1" knows about 5 roles
Schema - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=remote1,DC=example,DC=com
Domain - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=remote1,DC=example,DC=com
PDC - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,CN=
Sites,CN=Configuration,DC=remote1,DC=example,DC=com
RID - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,CN=
Sites,CN=Configuration,DC=remote1,DC=example,DC=com
Infrastructure - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Si
te-Name,CN=Sites,CN=Configuration,DC=remote1,DC=example,DC=com
select operation target: q
fsmo maintenance: q
ntdsutil: q
Disconnecting from remote1...

C:\Documents and Settings\Administrator>
```
The first domain controller in the forest root domain is assigned all five FSMO roles, so that is a good place to start. There are a number of ways this can change, though, so it is worth checking.
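
An added example, not part of the original page: a short Python parser for the `list roles for connected server` output in the session above. It re-joins the DNs that the 80-column console splits mid-token and compares each role holder with the domain controller you expect. The function names and the expected-holder argument are assumptions made for illustration.

```python
import re

# The "list roles" part of the session above, with the 80-column console
# wrapping kept as captured (DNs are split mid-token across lines).
CAPTURED = """\
select operation target: list roles for connected server
Server "remote1" knows about 5 roles
Schema - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=remote1,DC=example,DC=com
Domain - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=remote1,DC=example,DC=com
PDC - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,CN=
Sites,CN=Configuration,DC=remote1,DC=example,DC=com
RID - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Site-Name,CN=
Sites,CN=Configuration,DC=remote1,DC=example,DC=com
Infrastructure - CN=NTDS Settings,CN=SV-1-WIN2003,CN=Servers,CN=Default-First-Si
te-Name,CN=Sites,CN=Configuration,DC=remote1,DC=example,DC=com
select operation target: q
"""

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"^(%s) - (.*)$" % "|".join(ROLES))
PROMPT = re.compile(r"^[a-z ]+: ")          # e.g. "select operation target: q"
HOLDER = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.I)

def parse_roles(text):
    """Map each FSMO role to the server named in its NTDS Settings DN."""
    dns, current = {}, None
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            current = m.group(1)
            dns[current] = m.group(2)
        elif PROMPT.match(line):
            current = None                   # next prompt ends a wrapped DN
        elif current:
            dns[current] += line             # re-join a console-wrapped DN
    found = {r: HOLDER.match(dn) for r, dn in dns.items()}
    return {r: m.group(1) if m else None for r, m in found.items()}

def audit(holders, expected):
    """Return findings: roles that are missing or not on the expected DC."""
    findings = ["%s: not reported" % r for r in ROLES if not holders.get(r)]
    findings += ["%s: held by %s, expected %s" % (r, h, expected)
                 for r, h in holders.items() if h and h.upper() != expected.upper()]
    return findings

if __name__ == "__main__":
    print(parse_roles(CAPTURED), audit(parse_roles(CAPTURED), "SV-1-WIN2003"))
```

An empty findings list means all five roles were reported and sit on the expected server; anything else is worth checking before relying on that server for recovery planning.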