Organizations are constantly looking to enhance employees’ productivity by giving them quick access to the resources they need. But, at the same time, organizations are also wary of security and want to provide access to only those resources that employees need.
Active Directory (AD) helps to strike a balance between these two objectives.
It is a database that stores information about the different objects on the network so that users can find them quickly and administrators can keep track of which user has access to which resource. Here an object is simply a single element, such as a user, group, device, or any other network resource.
AD is hierarchical, supports multi-master replication, and can store millions of objects.
Before we get into FSMO roles, let's briefly cover AD's architecture so that the FSMO role queries later on make sense.
Active Directory Architecture
Active Directory has three main components:
- Domains – Objects such as users and devices that share the same database are grouped into a domain, and domains follow a hierarchical naming structure based on the Domain Name System (DNS).
- Trees – Two or more domains can be combined to form trees. This structure will use a contiguous namespace to provide a hierarchical order for the domains.
- Forests – A collection of trees is called a forest.
A domain controller (DC) is a server that keeps all of this data organized and secure and responds to authentication and verification requests.
As you may have guessed, every domain has a DC. If your organization has multiple domains, each will have its own DC, so you end up with numerous DCs. Because AD is multi-master, you can update any DC at any time.
So what happens when opposing changes are made to the same object on different DCs?
Windows resolves these conflicts with a last-writer-wins approach, where only the most recent change is kept. For some operations this is far from ideal, so Active Directory uses a single-master model for them, where only one DC is allowed to make a given kind of update at any one time. This is called Flexible Single Master Operations, or FSMO for short.
FSMO Roles
Currently, there are five FSMO roles in AD:
- Schema master – Manages the read-write copy of your entire AD schema.
- Domain naming master – Ensures that every domain name in a forest is unique.
- RID master – Prevents two objects from having the same Security Identifier (SID).
- PDC emulator – Responds to authentication requests and manages password policy.
- Infrastructure master – Responsible for managing objects and their references.
The first two roles apply to an entire forest, while the last three apply only to a single domain.
FSMO roles are not redundant: each role is held by exactly one DC, which performs that role's specific tasks. Sometimes it even becomes necessary to transfer a DC's current FSMO roles to another DC.
All of this means that you must query the FSMO roles of a DC before you decide to take any action.
How to Query FSMO Roles in AD?
There are many ways to query FSMO roles, and you can choose the one that fits your expertise and organizational environment.
Netdom to Query FSMO Roles
Netdom is a command-line tool that ships with Active Directory Domain Services (AD DS). It is built into Windows Server 2008 and Windows Server 2008 R2.
Here is a step-by-step guide to using Netdom:
- Open a command prompt on a domain controller. Make sure you open it with administrator rights.
- Type netdom query fsmo and press Enter.
- This returns all the FSMO roles and the DC that holds each one.
You can use this output for further processing, which makes this a simple and quick way to query FSMO roles.
PowerShell
You can also use PowerShell to query FSMO roles. The good news is that PowerShell comes with many built-in cmdlets (in the ActiveDirectory module) that return the information you want.
To query the two forest-wide roles, use Get-ADForest (replace yourforest.com with your forest's DNS name):
Get-ADForest yourforest.com | Select-Object SchemaMaster, DomainNamingMaster
And for the three domain-wide roles, use Get-ADDomain (replace yourdomain.com with your domain's DNS name):
Get-ADDomain yourdomain.com | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
You can also format the output any way you want for easy readability.
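As an added example (not code from the original article or from Microsoft), the script below collects all five role holders across every domain in the forest into one table and flags any holder that is not a reachable DC, which is exactly what you want to know before deciding on a transfer. It assumes the RSAT ActiveDirectory module is installed and you are running in a domain-joined session with read access to AD.

```powershell
# Added example: gather all FSMO role holders forest-wide and check that
# each one still answers. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$forest = Get-ADForest          # current user's forest
$roles  = @()

# The two forest-wide roles are properties of the forest object.
$roles += [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
$roles += [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

# The three domain-wide roles are properties of each domain object,
# so query every domain in the forest rather than only the current one.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $roles += [pscustomobject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
    }
}

# A role left on a decommissioned or unreachable DC is a problem (no new
# SIDs without the RID master, password/lockout issues without the PDC
# emulator), so verify each holder is a live DC instead of trusting the
# attribute blindly.
$roles | ForEach-Object {
    $reachable = $false
    try {
        $dc = Get-ADDomainController -Identity $_.Holder -ErrorAction Stop
        $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet -ErrorAction SilentlyContinue
    } catch { }
    $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue $reachable -PassThru
} | Format-Table Scope, Role, Holder, Reachable -AutoSize
```

Any row showing Reachable as False deserves attention before you rely on that DC for the role.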
Windows Explorer
The third option is to query FSMO roles using Windows Explorer.
To query FSMO holders of a particular domain, follow these steps.
- Click the Start/Windows button, select Run, and type dsa.msc.
- This opens the Active Directory Users and Computers console. Look through the domains and right-click the one for which you want to query FSMO roles.
- From the menu, choose “Operations Masters…”
- The window that opens has three tabs: RID, PDC, and Infrastructure. If you recall, these are the three FSMO roles associated with a domain.
- Click each tab to see the DC that holds that role.
On the other hand, if you want to find the holder of a forest-wide FSMO role:
- Click the Start/Windows button, select Run, and type mmc.
- When the console opens, choose Add/Remove Snap-in.
- Next, choose Add, double-click Active Directory Schema, and click OK.
- Right-click Active Directory Schema and choose “Operations Masters…”
- Here you can see the server holding the schema master role.
Windows 2000 Server Resource Kit
In the Windows 2000 Server Resource Kit, look for a file called Dumpfsmos.cmd.
This script dumps which servers hold which FSMO roles by driving Ntdsutil. Here are the contents of a sample Dumpfsmos.cmd file:
@echo off
REM
REM Script to dump FSMO role owners on the server designated by %1
REM
if ""=="%1" goto usage
Ntdsutil roles Connections "Connect to server %1" Quit "select Operation Target" "List roles for connected server" Quit Quit Quit
goto done
:usage
@echo Please provide the name of a domain controller (i.e., dumpfsmos MYDC)
@echo.
:done
Source: Microsoft
You can use this script independently or as a part of another program to query the FSMO server roles.
NTDSUTIL Tool
The NTDSUTIL tool is part of Windows 2000 Server and Windows 2000 Datacenter Server and is often used to view or change certain aspects of Active Directory.
Here is how you can use this tool to query FSMO roles in AD.
- Click the Start/Windows button, choose Run, type ntdsutil, and press Enter.
- Next, type domain management and press Enter.
- Type connections and press Enter.
- Next, type connect to server followed by the name of the domain controller for which you want to query FSMO roles, and press Enter.
- Type quit and press Enter. Note that this does not exit ntdsutil altogether; you are still connected to the domain controller.
- Now query the FSMO roles on that domain controller by typing list roles and pressing Enter.
You will see something like this:
Server "dc1" knows about five roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Source: Microsoft
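Note that ntdsutil reports each holder as the distinguished name of its NTDS Settings object rather than as a plain server name. The following is an added example (not from the original article or from Microsoft) that turns that text into objects, reading the DC name and site out of each DN; the function name ConvertFrom-NtdsutilRoles is mine, and the sample text is constructed, loosely based on the output shown above, with the roles split between two DCs so the grouping at the end has something to show.

```powershell
# Added example: parse "list roles" output into Role/Holder/Site objects.
# $sample is constructed test input modelled on the ntdsutil output above.
$sample = @'
Server "dc1" knows about five roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Branch-Site,CN=Sites,CN=Configuration,DC=corp,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Branch-Site,CN=Sites,CN=Configuration,DC=corp,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
'@

function ConvertFrom-NtdsutilRoles {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        # Role lines: "<Role> - CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,..."
        # The DC name is the second CN= component, the site the fourth.
        if ($line -match '^(?<role>\w+) - CN=NTDS Settings,CN=(?<dc>[^,]+),CN=Servers,CN=(?<site>[^,]+),') {
            [pscustomobject]@{
                Role   = $Matches.role
                Holder = $Matches.dc
                Site   = $Matches.site
            }
        }
    }
}

$roles = ConvertFrom-NtdsutilRoles -Text $sample
$roles | Format-Table -AutoSize

# Knowing how the roles are spread across DCs (and sites) matters before a
# transfer or seizure, so summarise the distribution per holder.
$roles | Group-Object Holder | ForEach-Object {
    '{0}: {1}' -f $_.Name, (($_.Group.Role) -join ', ')
}
```

Pipe the real output of ntdsutil (or of Dumpfsmos.cmd) into the function instead of $sample to use it in your own environment.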
DCDIAG Tool
Similar to NTDSUTIL, there is another tool called DCDIAG. It is a built-in utility for checking the health of an Active Directory domain controller and can run more than 20 health checks to verify that the domain controller is working as it should.
You can use this tool to query FSMO roles quickly.
Simply type the following command:
dcdiag /test:KnowsOfRoleHolders /v
This lists all the owners of FSMO roles in your organization.
These are the ways to query FSMO roles in AD quickly.
Conclusion
To conclude, FSMO roles bring a certain order and structure to an Active Directory setup. The five FSMO roles come with certain levels of access and privileges; three of them are domain-wide, while the remaining two apply across the entire forest.
However, knowing which DCs hold which roles is not a straightforward process. But it doesn't have to be impossible either! That is why we have put together a few simple and quick ways to query FSMO roles in AD.
We hope this was an insightful read for you. Check out our other guides as well!
Query FSMO roles in AD FAQs
What are FSMO roles?
FSMO (Flexible Single Master Operations) roles are specialized domain controller tasks that manage specific aspects of the Active Directory. There are five FSMO roles in Active Directory.
What are the five FSMO roles in Active Directory?
The five FSMO roles in Active Directory are Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master.
What is the purpose of the Schema Master role?
The Schema Master manages all updates and modifications to the schema for the entire forest. This role is responsible for ensuring consistency and compatibility across all domain controllers in the forest.
What is the purpose of the RID Master role?
The RID Master manages the allocation of RIDs to domain controllers in a domain. RIDs are used to create security principals, such as user accounts and group accounts.
What is the purpose of the Infrastructure Master role?
The Infrastructure Master maintains references to objects in other domains. This role ensures that object references are updated correctly when objects are moved or renamed.
How do I determine which domain controller holds a particular FSMO role?
You can use the "netdom query fsmo" command in PowerShell or the Command Prompt to determine which domain controller holds a particular FSMO role.
Can FSMO roles be moved from one domain controller to another?
Yes, FSMO roles can be moved from one domain controller to another. However, some roles, such as the Schema Master, can only be transferred using specialized tools and procedures.
What happens if an FSMO role holder fails?
If an FSMO role holder fails, another domain controller in the domain or forest will automatically assume the role. However, it is important to ensure that FSMO roles are properly backed up and that there is a plan in place for restoring them in the event of a failure.