What are FSMO roles? How do you transfer FSMO roles from one DC to another?
FSMO Roles Transfer and Seizing
Author: Abdel YEZZA
Level: Intermediate/Advanced

Please note that only the first section is in French; the rest is in English, which is above all the language of technology and business!

FSMO definition

FSMO stands for Flexible Single Master Operations, in other words roles that are unique within the context in which they operate and that can be transferred. In any Microsoft infrastructure based on Windows 2000 or 2003 there are 5 roles assigned to Domain Controllers (DCs). Two of them are unique with the whole forest as their scope and are assigned at the root domain level. The other three operate at the level of each domain of the forest (if there is more than one domain, of course) and are unique within each domain (root, child or sub-tree). The following table summarizes the 5 FSMO roles and the scope of each of them.

FSMO-ROLE        Scope    Where?
---------------  -------  ---------------------------------------------------------------
Schema           Forest   At the root domain of the forest
Naming Context   Forest   At the root domain of the forest
RID              Domain   At the root domain of the forest and in each sub-domain (child domain)
PDC              Domain   At the root domain of the forest and in each sub-domain (child domain)
Infrastructure   Domain   At the root domain of the forest and in each sub-domain (child domain)
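To see the table above applied to a real forest, here is an added PowerShell example (not code from the original article) that lists the holder of every FSMO role: the two forest-wide roles are read once from the forest object, the three domain-wide roles once per domain. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session is authenticated to the forest.

```powershell
# Added example, not from the original article: enumerate every FSMO role holder in the forest.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is authenticated.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Emits one object per role. Forest-wide roles come from Get-ADForest; the domain-wide
    # roles are queried once for each domain of the forest, root and child domains alike.
    $forest = Get-ADForest
    [pscustomobject]@{ Role = 'Schema';         Scope = 'Forest'; Domain = $forest.RootDomain; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'Naming Context'; Scope = 'Forest'; Domain = $forest.RootDomain; Holder = $forest.DomainNamingMaster }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{ Role = 'RID';            Scope = 'Domain'; Domain = $domainName; Holder = $domain.RIDMaster }
        [pscustomobject]@{ Role = 'PDC';            Scope = 'Domain'; Domain = $domainName; Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Role = 'Infrastructure'; Scope = 'Domain'; Domain = $domainName; Holder = $domain.InfrastructureMaster }
    }
}

function Get-FsmoHolderSummary {
    # Groups the roles by holder so that a DC carrying several roles (the usual case in a
    # small forest, and the DC whose loss hurts most) is visible at a glance.
    Get-FsmoHolder | Group-Object Holder | ForEach-Object {
        [pscustomobject]@{ Holder = $_.Name; RoleCount = $_.Count; Roles = ($_.Group.Role -join ', ') }
    }
}

Get-FsmoHolder | Format-Table -AutoSize
Get-FsmoHolderSummary | Format-Table -AutoSize
```

In a single-domain forest all five roles are usually on the first DC that was promoted, so the summary shows one holder with RoleCount 5; in a multi-domain forest each child domain adds three rows.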

FSMO Role Transfer

We will show in this section how to transfer FSMO roles from the current DC (Domain Controller) holder to another DC in the same domain. This should be done at the root domain level (forest-wide roles and domain-wide roles) as well as in child domains (domain-wide roles only), as indicated in the first section. If the transfer operation does not work, the last resort is to seize the role; this action must be done with caution and only if the role is not assigned to any DC of the domain (that is, the former holder is gone). The transfer operation can be done in several ways:
  • in the appropriate AD (Active Directory) console,
  • by using the NtdsUtil utility,
  • or scripting (VbScript/Perl/JScript) and programming in low level languages as C++/C#/VB.
Let's give details on each of these methods.

1. Using consoles

All the administration consoles can be made available by downloading and installing the Windows Administration Tools Pack AdminPack.msi from Microsoft at this address: http://www.microsoft.com/downloads/details.aspx?FamilyID=E487F885-F0C7-436A-A392-25793A25BAD7&displaylang=en.
 
Note about the Active Directory Schema editor: if the console file is not present in the Administrative Tools Start Menu or in the same folder of the Control Panel, add the appropriate snap-in in the MMC editor. If the snap-in is not present, you have to register the component schmmgmt.dll by executing the command line:
regsvr32 schmmgmt.dll
and then reload the snap-ins dialog if necessary.

The table below summarizes the FSMO roles and shows how to transfer each one using the appropriate console, as well as the group membership required to do the transfer.

FSMO-ROLE        Console/Snap-in to use                Standard console name   Default group having FSMO transfer permissions
---------------  ------------------------------------  ----------------------  ----------------------------------------------
Schema           Active Directory Schema               schmmgmt.msc            Schema Administrators
Naming Context   Active Directory Domains and Trusts   domain.msc              Enterprise Admins
RID              Active Directory Users and Computers  dsa.msc                 Domain Admins
PDC              Active Directory Users and Computers  dsa.msc                 Domain Admins
Infrastructure   Active Directory Users and Computers  dsa.msc                 Domain Admins

2. Using NtdsUtil utility

Transfer <FSMO-ROLE> (refer to the table below for the expression to use for each role) to domain controller <DC1> using NtdsUtil:
ntdsutil roles conn "co t s <DC1>" q "transfer <FSMO-ROLE>" q q 
Example: Transfer RID Master role to the DC DCName
ntdsutil roles conn "co t s DCName" q "transfer rid master" q q
The table below indicates the expression to use for each FSMO role:
FSMO-ROLE        Expression to use
---------------  ----------------------
Schema           schema master
Naming Context   domain naming master
RID              rid master
PDC              pdc
Infrastructure   infrastructure master

Note that the ntdsutil command line can also be executed interactively, by typing each command on a separate line. The commands used above are abbreviated as indicated in the following table:

Command   Meaning
--------  ------------
conn      connections
co        connect
t         to
s         server
q         quit

3. Using scripting (VBScript)

The following VBScript listing contains all the functions to be called to transfer FSMO roles. Each role is requested by writing the RootDSE operational attribute become<Role> (becomeSchemaMaster, becomeDomainMaster, becomeRidMaster, becomePdc, becomeInfrastructureMaster) on the DC that must become the new owner:

'/////////////////////////////////////////////////
' AUTHOR:  Abdel YEZZA
' DATE  :  12/02/2008
' NOTE  :  NOT validated!!!! (Be aware)
' COMMENT: Transfer FSMO roles functions
'/////////////////////////////////////////////////

Option Explicit

' Each wrapper passes the suffix of the RootDSE attribute that requests the role.

Function TransferSchemaRole(strNewDCOwner)
    TransferSchemaRole = TransferFSMORole("SchemaMaster", strNewDCOwner)
End Function

Function TransferNamingContextRole(strNewDCOwner)
    ' The domain naming master is requested with becomeDomainMaster (not becomeSchemaMaster)
    TransferNamingContextRole = TransferFSMORole("DomainMaster", strNewDCOwner)
End Function

Function TransferRIDRole(strNewDCOwner)
    TransferRIDRole = TransferFSMORole("RidMaster", strNewDCOwner)
End Function

Function TransferPDCRole(strNewDCOwner)
    TransferPDCRole = TransferFSMORole("Pdc", strNewDCOwner)
End Function

Function TransferInfrastructureRole(strNewDCOwner)
    TransferInfrastructureRole = TransferFSMORole("InfrastructureMaster", strNewDCOwner)
End Function

'//////////////////////////////////////////////////////////
'   Transfer the role:     strRole
'   to the new DC owner:   strNewDCOwner
'   Returns True on success, False if the bind or the write failed
'//////////////////////////////////////////////////////////
Function TransferFSMORole(strRole, strNewDCOwner)

    Dim objRootDSE
    Dim strNewOwner

    strNewOwner = strNewDCOwner  ' e.g. dc2.MyDomain.com

    ' Without On Error Resume Next a failing Put/SetInfo would abort the script
    ' before the Err.Number test below is ever reached
    On Error Resume Next
    Err.Clear

    ' Bind to the RootDSE of the DC that must become the owner; writing the
    ' operational attribute and committing it with SetInfo performs the transfer
    Set objRootDSE = GetObject("LDAP://" & strNewOwner & "/RootDSE")
    objRootDSE.Put "become" & strRole, 1
    objRootDSE.SetInfo

    If Err.Number <> 0 Then
        TransferFSMORole = False
    Else
        TransferFSMORole = True
    End If

    On Error GoTo 0
    Set objRootDSE = Nothing
End Function

Example: In order to transfer RID Master role to the DC DCName, make a call to the function TransferRIDRole:
TransferRIDRole("DCName")
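The same RootDSE mechanism in PowerShell, as an added example that is not part of the original article: it writes the become<Role> attribute exactly as the VBScript does, but first reads the current holder from the fSMORoleOwner attribute of the role's object and reads it again afterwards, so the caller gets a verified result rather than only an error code. It assumes the caller is a member of the group listed in the console table for that role and can reach the target DC over LDAP; the DC and domain names are placeholders.

```powershell
# Added example, not the article's own code: RootDSE-based transfer with a before/after check.
# Assumes the caller has the transfer permission for the role and LDAP access to $TargetDc.

function Get-FsmoContainerDn {
    # Each role records its holder in the fSMORoleOwner attribute of one specific object;
    # the value is the DN of the holder's NTDS Settings object.
    param([Parameter(Mandatory)]$RootDse, [Parameter(Mandatory)][string]$Role)
    $domainNc = [string]$RootDse.Get('defaultNamingContext')
    $configNc = [string]$RootDse.Get('configurationNamingContext')
    switch ($Role) {
        'SchemaMaster'         { "CN=Schema,$configNc" }
        'DomainNamingMaster'   { "CN=Partitions,$configNc" }
        'RidMaster'            { "CN=RID Manager`$,CN=System,$domainNc" }
        'Pdc'                  { $domainNc }
        'InfrastructureMaster' { "CN=Infrastructure,$domainNc" }
    }
}

function Get-FsmoRoleOwner {
    # Returns the short name of the DC currently holding $Role, as seen from $Dc.
    param([Parameter(Mandatory)][string]$Dc, [Parameter(Mandatory)][string]$Role)
    $rootDse   = [ADSI]"LDAP://$Dc/RootDSE"
    $container = [ADSI]"LDAP://$Dc/$(Get-FsmoContainerDn -RootDse $rootDse -Role $Role)"
    $ntdsDn    = [string]$container.Get('fSMORoleOwner')
    # "CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,..." : the second RDN is the DC
    return (($ntdsDn -split ',')[1] -replace '^CN=', '')
}

function Invoke-FsmoTransfer {
    param(
        [Parameter(Mandatory)][string]$TargetDc,   # FQDN of the DC that must become the owner
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RidMaster', 'Pdc', 'InfrastructureMaster')]
        [string]$Role
    )
    # RootDSE operational attribute per role; note DomainNamingMaster -> becomeDomainMaster
    $becomeMap = @{
        SchemaMaster         = 'becomeSchemaMaster'
        DomainNamingMaster   = 'becomeDomainMaster'
        RidMaster            = 'becomeRidMaster'
        Pdc                  = 'becomePdc'
        InfrastructureMaster = 'becomeInfrastructureMaster'
    }
    $becomeAttr  = $becomeMap[$Role]
    $targetShort = ($TargetDc -split '\.')[0]

    $before = Get-FsmoRoleOwner -Dc $TargetDc -Role $Role
    if ($before -ieq $targetShort) {
        Write-Host "$Role is already held by $TargetDc; nothing to do."
        return $true
    }
    try {
        # Writing the attribute on the TARGET asks it to take the role over from the current
        # holder; SetInfo commits the write. Method exceptions are terminating inside try.
        $rootDse = [ADSI]"LDAP://$TargetDc/RootDSE"
        $rootDse.Put($becomeAttr, 1)
        $rootDse.SetInfo()
    } catch {
        # Typical cause: the current holder ($before) is unreachable, so the target cannot
        # negotiate the hand-over. That is the situation the seizing section deals with.
        Write-Warning "Transfer of $Role to $TargetDc failed: $($_.Exception.Message)"
        return $false
    }
    $after = Get-FsmoRoleOwner -Dc $TargetDc -Role $Role
    Write-Host "$Role holder: $before -> $after"
    return ($after -ieq $targetShort)
}

# Usage with placeholder names, the same operation as the article's TransferRIDRole example:
# Invoke-FsmoTransfer -TargetDc 'dc2.example.test' -Role 'RidMaster'
```

The read of fSMORoleOwner is done against the target DC on purpose: if the target still reports the old holder after SetInfo succeeded, replication of the new value has not reached it yet and the function reports False, which is the honest answer at that moment.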

FSMO roles seizing

If the transfer does not work, or the role was completely lost because the DC holder is down, seizing the role is the alternative that forces a new DC holder. Note that seizing is not available in the standard MMC consoles and must be the last alternative to restore one of the lost roles.

1. Using NtdsUtil utility

Seize <FSMO-ROLE> to domain controller <DC1> using NtdsUtil:
ntdsutil roles conn "co t s <DC1>" q "seize <FSMO-ROLE>" q q 
Example: Seize the RID master to the DC DC1
ntdsutil roles conn "co t s DC1" q "seize rid master" q q 
The table below shows the expression to use after the word seize for each role:

FSMO-ROLE        Expression to use       Scope
---------------  ----------------------  -------
Schema           schema master           Forest
Naming Context   domain naming master    Forest
RID              rid master              Domain
PDC              pdc                     Domain
Infrastructure   infrastructure master   Domain
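The seizing procedure with the condition the text attaches to it, as an added example that is not part of the original article: the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole with -Force is the cmdlet equivalent of ntdsutil's seize, and the function below refuses to run it while the current holder still answers on LDAP, since in that case a normal transfer is the right operation. It assumes the ActiveDirectory module (RSAT) is installed; DC names are placeholders.

```powershell
# Added example, not the article's own code: seize a role only when the holder is really gone.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller has the permissions
# listed in the console table for the role.
Import-Module ActiveDirectory

function Test-LdapReachable {
    # TCP connect to port 389 with a timeout: ICMP is often filtered, LDAP is what a live DC answers.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, 389, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-FsmoHolderName {
    # Forest-wide roles come from the forest object, domain-wide roles from the domain object
    # ($Domain, or the current domain when omitted).
    param([Parameter(Mandatory)][string]$Role, [string]$Domain)
    $forest = Get-ADForest
    $dom = if ($Domain) { Get-ADDomain -Identity $Domain } else { Get-ADDomain }
    switch ($Role) {
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'RIDMaster'            { $dom.RIDMaster }
        'PDCEmulator'          { $dom.PDCEmulator }
        'InfrastructureMaster' { $dom.InfrastructureMaster }
    }
}

function Invoke-FsmoSeize {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string]$Role,
        [string]$Domain   # domain of a domain-wide role; defaults to the current domain
    )
    $holder = Get-FsmoHolderName -Role $Role -Domain $Domain
    if (Test-LdapReachable -ComputerName $holder) {
        # A reachable holder means a normal transfer is possible: seizing is not justified.
        Write-Warning "$Role holder $holder still answers on LDAP; use a transfer, not a seizure."
        return $false
    }
    # -Force performs the seizure; without it the cmdlet attempts a normal transfer.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false

    $newHolder   = Get-FsmoHolderName -Role $Role -Domain $Domain
    $targetShort = ($TargetDc -split '\.')[0]
    Write-Host "$Role holder: $holder -> $newHolder"
    if ($newHolder -notlike "$targetShort*") { return $false }
    # The former holder must not come back on the network believing it still owns the role;
    # its leftover objects are removed with ntdsutil "metadata cleanup" before any reinstall.
    Write-Host "Former holder $holder must stay offline; clean up its metadata before reuse."
    return $true
}

# Usage with placeholder names, the same operation as the article's ntdsutil example:
# Invoke-FsmoSeize -TargetDc 'dc1.example.test' -Role 'RIDMaster'
```

Run it from a DC or management host in the domain that owns the role; for a forest-wide role the -Domain parameter is ignored because the holder is read from the forest object.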

2. Using scripting (VBScript)

To be completed later... come back in the coming weeks