8 FSMO Roles Best Practices

FSMO roles are an important part of Active Directory. Here are 8 best practices for working with them.

The Flexible Single Master Operations (FSMO) roles are a set of five unique roles that can be performed by one or more domain controllers in an Active Directory Domain. The FSMO roles are:

- Schema Master
- Domain Naming Master
- RID Master
- PDC Emulator
- Infrastructure Master

Each of these roles is vital to the proper functioning of an Active Directory Domain, and as such, it is important to understand the best practices for configuring and managing these roles.

In this article, we will discuss the eight FSMO roles best practices that every Active Directory administrator should know.

1. Keep FSMO roles on separate domain controllers

If you have all five FSMO roles on a single domain controller and that domain controller goes down, your entire domain is going to be in trouble. All of those FSMO roles are critical for the proper functioning of Active Directory, so if one domain controller goes down, you’re going to have a lot of problems.

By keeping the FSMO roles on separate domain controllers, you can minimize the impact of a single domain controller going down. If one domain controller goes down, the other four can pick up the slack and keep your domain running smoothly.
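The following PowerShell is an added example, not code from the original article: it reads the current role holders with the ActiveDirectory module and warns when every role sits on one domain controller. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the forest and domain objects; the function and variable names are my own.

```powershell
# Added example (not from the original article): inventory FSMO role holders
# and flag the case where a single DC holds all five.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-FsmoRoleMap {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoPlacement {
    param([System.Collections.IDictionary]$RoleMap = (Get-FsmoRoleMap))

    # Print one line per role so the report can be pasted into a change ticket.
    foreach ($role in $RoleMap.Keys) {
        "{0,-22} {1}" -f $role, $RoleMap[$role]
    }

    # Distinct holders; @() keeps .Count meaningful when there is only one.
    $holders = @($RoleMap.Values | Sort-Object -Unique)
    if ($holders.Count -eq 1) {
        Write-Warning "All five FSMO roles are held by $($holders[0]); losing that DC takes all of them offline."
    } else {
        "Roles are spread across $($holders.Count) domain controllers."
    }
}

Test-FsmoPlacement
```

Run it from any domain-joined machine with RSAT; the warning is the signal that best practice 1 has not been applied.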

2. Use the same server for all five roles

If you have multiple servers hosting FSMO roles, and one of those servers goes down, you will have to seize the roles from that server and transfer them to another. This process is not only time-consuming, but it can also be risky. There’s a chance that something could go wrong during the transfer process, which could lead to data loss or corruption.

By using the same server for all five FSMO roles, you can avoid this potential problem. If that server does go down, you can simply bring it back online and resume normal operations without having to worry about transferring roles.

3. Move a role to another DC in the same site

When you move a FSMO role to another DC, the original DC is no longer authoritative for that role. This means that any changes made to that role on the original DC will not be replicated to other DCs.

This is important because it prevents accidental changes to FSMO roles from being replicated throughout your environment. For example, if you accidentally delete a FSMO role on one DC, that change will not be replicated to other DCs, and you will not have to worry about those changes affecting your entire environment.

4. Move a role to another DC in a different site

When a DC in one site goes down, the other DCs in that site cannot communicate with it. This means that any FSMO roles that are hosted on the down DC will be unavailable.

However, if you have at least one DC in each site hosting a copy of all five FSMO roles, then the loss of any single DC will not result in the loss of any FSMO roles. This is because the other DCs in the same site can still communicate with the DC hosting the FSMO role, and they can take over the role if necessary.

There are two ways to move FSMO roles to another DC in a different site: manually or using Active Directory Sites and Services.

To move a FSMO role manually, you first need to transfer the role to another DC in the same site. You can do this by opening the Active Directory Users and Computers snap-in, right-clicking on the domain name, and selecting Operations Masters. From there, you can select the role you want to transfer and click the Change button.

Once the role has been transferred, you can then move the DC hosting the FSMO role to the other site. To do this, open the Active Directory Sites and Services snap-in, expand the site where the DC is located, right-click on the DC, and select Move.

Alternatively, you can use the Active Directory Sites and Services snap-in to directly move FSMO roles to another DC in a different site. To do this, expand the site where the DC hosting the FSMO role is located, right-click on the DC, and select Move. Then, select the destination site from the list and click OK.
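As an added example (not the article's own code), this PowerShell performs the same site move with the ActiveDirectory module instead of the snap-in, checks that the destination site exists before moving, and records the DC's site before and after so the change is auditable. The DC name and site name are assumptions for illustration.

```powershell
# Added example (not from the original article): move a DC's server object to
# another AD site and confirm the result. Names below are assumed placeholders.
Import-Module ActiveDirectory

$DcName  = 'DC02'          # assumed: the DC hosting the role you want in the other site
$NewSite = 'Branch-Site'   # assumed: destination site, which must already exist

# Fail early if the destination site does not exist; a typo here would otherwise
# surface only after the move is attempted.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$NewSite'")) {
    throw "Site '$NewSite' not found; create it in Sites and Services first."
}

# Record the current site so the change can be documented and reversed.
$before = (Get-ADDomainController -Identity $DcName).Site
Move-ADDirectoryServer -Identity $DcName -Site $NewSite

$after = (Get-ADDomainController -Identity $DcName).Site
"{0}: site {1} -> {2}" -f $DcName, $before, $after

# Any operations master roles the DC holds move with it; list them explicitly.
(Get-ADDomainController -Identity $DcName).OperationMasterRoles
```

Moving the server object changes which site's replication topology the DC participates in, so review site links and subnets after the move.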

5. Transferring or seizing a role from a failed DC

When a domain controller (DC) fails, the first thing you need to do is determine whether or not it can be brought back online. If it cannot, then you need to seize the FSMO roles that were held by that DC. This ensures that your domain continues to function properly and that you don’t have any downtime.

To transfer or seize a role from a failed DC, you’ll need to use the ntdsutil tool. This tool is built into Windows and can be used to manage Active Directory.

Once you’ve launched ntdsutil, you’ll need to enter the following commands:

ntdsutil
roles
connections
connect to server <ServerName>
q

Replace <ServerName> with the name of the domain controller that should take over the role. The q command leaves the connections context and returns you to the fsmo maintenance prompt, which is where the seize commands are issued.

After you’ve connected to the server, you’ll need to enter the following command to seize the role:

seize schema master

You can also use this command to seize other FSMO roles, such as the domain naming master or the PDC emulator (seize naming master, seize PDC, seize RID master, seize infrastructure master). Enter quit twice when you are done to leave ntdsutil.

Once you’ve seized the role, you’ll need to restart the server. After the server has been restarted, you should check to make sure that the seizure was successful. You can do this by running the following command:

netdom query fsmo

6. Seizing a role from an offline DC

When you seize a role from an offline DC, you must first make sure that the domain controller that held the role is genuinely no longer available. This is important because if that domain controller were to come back online, it could cause problems with the replication process.

To seize a role from an offline DC, you’ll need to use the ntdsutil tool. Once you’ve launched ntdsutil, you’ll need to issue the following commands:

ntdsutil
roles
connections
connect to server <ServerName>
q
seize <role>
quit
quit

Replace <ServerName> with the name of the DC that will take the role, and <role> with the role to seize: schema master, naming master, PDC, RID master, or infrastructure master. Once you’ve issued these commands, the FSMO role will be seized by the DC you connected to, and you can then transfer it to another domain controller if needed.

7. Moving a role between two online DCs

When you move an FSMO role from one DC to another, the original DC becomes a replica of the new DC. This means that any changes made on the new DC are replicated back to the old DC.

If the old DC is offline when the change is made, the changes will not be replicated and the old DC will no longer have an up-to-date copy of the directory. This can cause problems when you try to bring the old DC back online, as it may try to apply outdated changes to the directory.

To avoid this problem, you should always move FSMO roles between two online DCs. This way, the changes are replicated immediately and there is no risk of the old DC becoming out-of-sync with the rest of the domain.

8. Using PowerShell to transfer and seize FSMO roles

When you transfer an FSMO role, the current holder gives up the role and the new server takes it over. This process can be done manually or by using PowerShell.

Seizing a FSMO role should only be done as a last resort, such as when the current owner of the role is no longer available. Seizing a FSMO role forcibly removes the role from the current owner and assigns it to the new server. This process can also be done manually or by using PowerShell.

Using PowerShell to transfer or seize FSMO roles is the best practice because it’s less likely to cause errors than doing it manually. Additionally, using PowerShell allows you to automate the process, which can save you time.
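The script below is an added example, not the article's own code. It uses Move-ADDirectoryServerOperationMasterRole to transfer a role when the current holder responds, falls back to seizing with -Force only when the holder is unreachable, and then reads the role holder back from the directory to confirm the change. The target DC name, the role chosen, and the Get-RoleHolder helper are assumptions for illustration.

```powershell
# Added example (not from the original article): transfer an FSMO role with
# PowerShell, seize it only when the holder is unreachable, then verify.
Import-Module ActiveDirectory

$Target = 'DC02'          # assumed: DC that should own the role afterwards
$Role   = 'PDCEmulator'   # one of SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

function Get-RoleHolder([string]$RoleName) {
    # Forest roles are attributes of the forest object, domain roles of the domain object.
    if ($RoleName -in 'SchemaMaster', 'DomainNamingMaster') { (Get-ADForest).$RoleName }
    else { (Get-ADDomain).$RoleName }
}

$current = Get-RoleHolder $Role

# A graceful transfer needs the current holder online; seizure is the last resort.
if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
    $action = 'transferred'
} else {
    Write-Warning "$current is unreachable; seizing $Role. Do not return $current to the network without demoting it."
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    $action = 'seized'
}

# Verify against the directory rather than trusting the cmdlet's silence.
$now = Get-RoleHolder $Role
if ($now -like "$Target*") {
    "$Role $action from $current to $now"
} else {
    throw "$Role is still held by $now; investigate before retrying."
}
```

The ping check is a simple reachability test, not proof that the DC is permanently gone; confirm the old holder's status by other means before choosing the -Force branch.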
