Sunday, August 7, 2016

Flexible Single Master Operator (FSMO)


  • FSMO


Acronym for Flexible Single Master Operator. These are roles that are assigned only to designated domain controllers, either one in each domain, or one in the forest. The five FSMO roles are:

    Schema Master (one for the forest)
    Domain Naming Master (one for the forest)
    PDC Emulator (one for each domain)
    RID Master (one for each domain)
    Infrastructure Master (one for each domain)

Schema Master
The Schema Master role holder is the domain controller that can make changes to the Schema. One domain controller in the forest must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.

 
Infrastructure Master
The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other domains. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.

RID Master
The RID Master role holder is the domain controller responsible for assigning pools of RIDs to all domain controllers in the domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.
Security Principal
An object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE).
RID
Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components, including the RID. The SID without the RID is the same for all objects in a domain. The RID value uniquely identifies the object in the domain.

PDC Emulator
The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. It is also used to forward password changes immediately to other domain controllers and serves as the primary time source for the domain. The PDC Emulator is also targeted by most Group Policy tools. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.

Domain Naming Master
The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. One of the five Flexible Single Master Operator (FSMO) roles. The domain controller with this role can add, remove, rename, or move domains in the forest. It is also required to create application partitions. One domain controller in the forest must hold this role.
http://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#FSMO



  • How to find out who has your FSMO Roles?


1-The easy way:
NetDOM /query FSMO

2-The Common way:
How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain
1. Click Start, click Run, type dsa.msc, and then click OK.
2. Right-click the selected Domain Object in the top left pane, and then click Operations Masters.
3. Click the PDC tab to view the server holding the PDC master role.
4. Click the Infrastructure tab to view the server holding the Infrastructure master role.
5. Click the RID Pool tab to view the server holding the RID master role.

How to Determine the Schema FSMO Holder in a Forest
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
3. Right-click Active Directory Schema in the top left pane, and then click Operations Masters to view the server holding the schema master role.
NOTE: For the Active Directory Schema snap-in to be available, you may have to register the Schmmgmt.dll file. To do this, click Start, click Run, type regsvr32 schmmgmt.dll in the Open box, and then click OK. A message is displayed that states the registration was successful.

How to Determine the Domain Naming FSMO Holder in a Forest
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
3. In the left pane, click Active Directory Domains and Trusts.
4. Right-click Active Directory Domains and Trust, and then click Operations Master to view the server holding the domain naming master role in the Forest.


https://blogs.technet.microsoft.com/mempson/2007/11/08/how-to-find-out-who-has-your-fsmo-roles



  • How To Find Servers That Hold Flexible Single Master Operations Roles

    How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain
    How to Determine the Schema FSMO Holder in a Forest
    How to Determine the Domain Naming FSMO Holder in a Forest
    Using the Windows 2000 Server Resource Kit
    Using the NTDSUTIL Tool
    Using DCDIAG
https://support.microsoft.com/en-us/kb/234790



  • The domain controller that actually performs a single master operation is the domain controller that currently holds the operation's token, or the "role holder." An operation token, and thus the role, can be transferred easily to another domain controller without a reboot.

AD DS contains five operations master roles. Two roles are performed for the entire forest, and three roles are performed for each domain.
Forest Roles (two roles):

    Domain naming
    Schema

Domain Roles (three roles):

    Relative identifier (RID)
    Infrastructure
    PDC Emulator


RID Master Role
Because any domain controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Thus, each domain controller can be confident that the SIDs it generates are unique.

Note:
The RID master role is like DHCP for SIDs. If you are familiar with the concept that you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.

Infrastructure Master Role
In a multidomain environment, it's common for an object to reference objects in other domains. For example, a group can include members from another domain.
You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.

This role only pertains in a multi-domain forest. If the infrastructure master runs on the same DC as a Global Catalog (GC), the two conflict and the infrastructure master role fails to serve its intended purpose.


PDC Emulator Role
    Emulates a Primary Domain Controller (PDC) for backward compatibility.

    Participates in special password update handling for the domain. If a user attempts to log on immediately after changing passwords, the domain controller responding to the user's logon request might not know about the new password. Before it rejects the logon attempt, that domain controller forwards the authentication request to the PDC emulator, which verifies that the new password is correct and instructs the domain controller to accept the logon request.

    Manages Group Policy updates within a domain. When you open a GPO in the Group Policy Management Editor (GPME), the GPME binds to the domain controller performing the PDC emulator role. Therefore, all changes to GPOs are made on the PDC emulator by default.

    Provides a master time source for the domain. Active Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain's PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Windows Time (W32Time) service, ensures consistency of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer.
 
http://blogs.msmvps.com/acefekay/2011/01/16/active-directory-fsmo-roles-explained
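The following PowerShell is an added example, not code from the original post or from the cited Microsoft articles. It lists every FSMO role holder in the forest (the scripted counterpart of "netdom query fsmo" and the Operations Masters dialogs described above) and flags the placement the text warns about, an Infrastructure Master that is also a Global Catalog in a multi-domain forest. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the forest; the function names are mine.

```powershell
# Added example; not code from the original post or the cited Microsoft articles.
# Assumes the RSAT ActiveDirectory module (Get-ADForest, Get-ADDomain,
# Get-ADDomainController) and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    [CmdletBinding()]
    param()

    $forest = Get-ADForest

    # Forest-wide roles: exactly one holder each in the entire forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{
            Scope  = 'Forest'
            Domain = $forest.RootDomain
            Role   = $role
            Holder = $forest.$role
        }
    }

    # Per-domain roles: one holder in each domain of the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{
                Scope  = 'Domain'
                Domain = $domainName
                Role   = $role
                Holder = $domain.$role
            }
        }
    }
}

function Test-InfrastructureMasterOnGlobalCatalog {
    # Emits one finding per domain whose Infrastructure Master is also a GC while
    # the domain still has at least one DC that is not a GC. In a single-domain
    # forest, or when every DC in the domain is a GC, there are no cross-domain
    # phantoms left for the Infrastructure Master to track, so nothing is reported.
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    if (@($forest.Domains).Count -lt 2) { return }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

        if ($im -and $im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
            [pscustomobject]@{
                Domain               = $domainName
                InfrastructureMaster = $im.HostName
                Issue                = 'Infrastructure Master is a GC while other DCs in the domain are not'
                CandidateHolders     = (($nonGc | ForEach-Object { $_.HostName }) -join ', ')
            }
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
Test-InfrastructureMasterOnGlobalCatalog | Format-Table -AutoSize -Wrap
```

Run it from any domain-joined machine with RSAT; an empty second table means no Infrastructure Master placement conflict was found.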



  • Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

Active Directory Schema snap-in
Active Directory Domains and Trusts snap-in
Active Directory Users and Computers snap-in
https://support.microsoft.com/en-us/kb/324801

Active Directory Migration from Windows Server 2008 R2 to Windows Server 2012 R2


  • Step-By-Step: Active Directory Migration from Windows Server 2008 R2 to Windows Server 2012 R2


With the end of support for Windows Server 2003
As mentioned, Windows Server 2012 R2 provides a great first step towards cloud adoption. In addition, it allows your organization to take advantage of capabilities such as Active Directory Recycle Bin improvements, DHCP failover, Dynamic Access Control, Hyper-V replication and much more.
Migrating Active Directory off your existing Windows 2008 R2 server and onto a new Windows 2012 R2


Prerequisites
    Download Windows Server 2012 R2. You also have the ability to complete this Step-By-Step in a virtual lab by downloading Hyper-V Server 2012 for free.
    As a precaution, complete a full backup of your existing server.
    Check the Schema version of AD DS (Before adprep) by running regedit, navigating to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters and noting the current Schema version.

Step 1: Preparing your existing forest via the adprep command
    Insert the Windows Server 2012 DVD into the DVD drive of the Windows Server 2008 R2 AD DS server.
    Open a command prompt, type adprep /forestprep and press Enter.
    Check the Schema version of AD DS (After adprep) by running regedit, navigating to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters and noting the current Schema version.
 
Step 2: Promoting the Windows Server 2012 Server domain controller

Step 3: Verify the new Windows Server 2012 Domain Controller
    Open Active Directory Users and Computers, expand <Your Domain> and click the Domain Controllers OU to verify that your server is listed.
    Open DNS Manager, right-click <Your Domain>, select Properties and then click the Name Servers tab. Verify that your server appears in the Name Servers list.
    Open Active Directory Sites and Services; verify that your server is listed under Servers in Default-First-Site-Name.

Step 4: Transferring the Flexible Single Master Operations (FSMO) Roles
    1. Open the Active Directory Users and Computers console on your new Windows Server 2012 computer.
    2. Right-click your domain and select Operations Masters in the sub menu.
    3. In the Operations Masters window, ensure the RID tab is selected.
    4. Select the Change button.
    5. Select Yes when asked about transferring the operations master role.
    6. Once the operations master role has successfully transferred, click OK to continue.
    7. Ensure the Operations Master box now shows your new Windows Server 2012 server.
    8. Repeat steps 4 to 6 for the PDC and Infrastructure tabs.
    9. Once completed, click Close to close the Operations Masters window.
    10. Close the Active Directory Users and Computers window.

Step 5: Removing the Windows 2008 R2 domain controller
    On the Windows 2008 R2 server click Start, click Run, type dcpromo, then click OK.
    After the Welcome to the Active Directory Installation Wizard page, be sure to leave the "Delete the domain because this server is the last domain controller in the domain" option unchecked.
    On the Administrator Password page, enter your password and click Next.
    On the Summary page, click Next, wait for the process to end, then click Finish.
    On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
    On the Active Directory Domain Services Installation Wizard page, click Restart Now to restart the server.
    After the reboot is completed, remove the Windows Server 2008 R2 server from the domain (move it to a workgroup) and remove any unnecessary records from Active Directory Sites and Services.


https://blogs.technet.microsoft.com/canitpro/2014/05/27/step-by-step-active-directory-migration-from-windows-server-2008-r2-to-windows-server-2012-r2/


Verify the schema version
Note - You can verify the schema version using dsquery * cn=schema,cn=configuration,dc=sivarajan,dc=com -scope base -attr objectVersion command. The following table lists the Active Directory Schema and the corresponding Object Version:

Active Directory      objectVersion
Windows 2000          13
Windows 2003          30
Windows 2003 R2       31
Windows 2008          44
Windows 2008 R2       47
Windows 8 Beta        52
Windows 2012          56
Windows 2012 R2       69





  • View Active Directory schema version


1-You can use registry too:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\SchemaVersion

2-the objectVersion in ADSIEdit.

3-"dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion"

https://social.technet.microsoft.com/Forums/windowsserver/en-US/45f8e9b9-07b9-4af7-9eba-d87169dccc22/view-active-directory-schema-version?forum=winserverDS



  • Active Directory: Active Directory Upgrade - High Level Steps


Upgrade schema
Upgrade the schema using correct version of OS – Adprep

Verify the schema version

Add additional DC
New server
Install a new server with correct version of OS and join this server to the existing domain

Promote DC
Perform DCPROMO on this server and select the Additional Domain Controller for an existing Domain option.

Transfer Roles
If you are planning to decommission the old servers, you need to transfer the FSMO roles, DHCP etc. to the new server.
You can identify the FSMO role DC information using Netdom /Query FSMO command.

Decommission old DC
You can remove (demote) a domain controller using the DCPROMO command and again
http://social.technet.microsoft.com/wiki/contents/articles/2903.active-directory-active-directory-upgrade-high-level-steps.aspx

Read-only domain controllers (RODCs)


  • What Is an RODC?

Applies To: Windows Server 2008, Windows Server 2012

Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in Windows Server 2008. RODCs are additional domain controllers for a domain that host complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder contents. By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch offices and perimeter networks (also known as DMZs) that may lack the physical security that is commonly found in datacenters and hub sites. RODCs also offer a number of manageability improvements.
https://technet.microsoft.com/en-us/library/cc771030(v=ws.10).aspx


  • Advantages That an RODC Can Provide to an Existing Deployment

Security
Unidirectional replication. Unidirectional replication refers to how RODCs replicate changes inbound only; outbound replication from an RODC does not occur.
Special krbtgt account. Each RODC has a special krbtgt account that also helps to restrict malicious updates from affecting the rest of the forest.
Password Replication Policy (PRP). Each RODC has a PRP that, by default, does not allow any passwords to be cached on the RODC.
RODC filtered attribute set (FAS). You can also restrict which application data can replicate to RODCs in your forest by adding attributes to the RODC FAS and marking them as confidential.
https://technet.microsoft.com/en-us/library/cc770320(v=ws.10).aspx

Adprep


  • Adprep

Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Extends the Active Directory® schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server® 2008 operating system.

Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default.

https://technet.microsoft.com/en-us/library/cc731728(v=ws.11).aspx

Prepare your Domain for the Windows Server 2008 R2 Domain Controller

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP.

What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:

    Updating the Active Directory schema
    Updating security descriptors
    Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
    Creating new objects, as needed
    Creating new containers, as needed
   
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller
The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller.

    You cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain.
    If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
    You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.
    You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest.
    Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep.
    You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

    Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe. Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version.

    In the Command Prompt window, type the following command:
    adprep /forestprep

    ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
    ADPREP should only be run on an existing DC.
    Allow the operation to complete, and then allow the changes to replicate throughout the forest.

    In the Command Prompt window, type the following command:
    adprep /domainprep

    If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.
    If you're running a Windows 2000 Active Directory domain, you must also run the following command:
    adprep /domainprep /gpprep
    If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planning to run Read Only Domain Controllers (RODCs), you must also type the following command:
    adprep /rodcprep


To verify that adprep /forestprep completed successfully please perform these steps:

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates.

7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

9. Click ADSI Edit, click Action, and then click Connect to.

10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.

11. Double-click Schema.

12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.

13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.  
https://www.petri.com/prepare-for-server-2008-r2-domain-controller
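The following PowerShell is an added example, not code from the original post or from the cited Petri and TechNet articles. It scripts the two checks the text describes by hand: it reads the schema objectVersion (the same attribute the dsquery command in the "Verify the schema version" section returns) and maps it to the OS table quoted there, and it reads the Revision attribute of CN=ActiveDirectoryUpdate,CN=ForestUpdates that the ADSIEdit steps above inspect, comparing both against the values the text gives for a completed Windows Server 2008 R2 adprep /forestprep (Revision 5, objectVersion 47). It assumes the RSAT ActiveDirectory module and read access to the Configuration and Schema partitions; the function names are mine.

```powershell
# Added example; not code from the original post or the cited articles.
# Assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject).
Import-Module ActiveDirectory

# objectVersion -> schema level, as listed in the table quoted in the text.
$SchemaVersionTable = @{
    13 = 'Windows 2000'
    30 = 'Windows 2003'
    31 = 'Windows 2003 R2'
    44 = 'Windows 2008'
    47 = 'Windows 2008 R2'
    52 = 'Windows 8 Beta'
    56 = 'Windows 2012'
    69 = 'Windows 2012 R2'
}

function Get-RootDse {
    # Helper: bind to a specific DC when -Server is given, otherwise to the default one.
    param([string]$Server)
    if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
}

function Get-SchemaVersion {
    # Reads objectVersion from the Schema partition head (what "dsquery * cn=schema,...
    # -scope base -attr objectVersion" and the ADSIEdit Schema step return).
    [CmdletBinding()]
    param([string]$Server)

    $rootDse = Get-RootDse -Server $Server
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $version = [int]$schema.objectVersion

    [pscustomobject]@{
        SchemaDN      = $rootDse.schemaNamingContext
        ObjectVersion = $version
        SchemaLevel   = if ($SchemaVersionTable.ContainsKey($version)) {
                            $SchemaVersionTable[$version]
                        } else {
                            'Unknown (newer than the table quoted in the text)'
                        }
    }
}

function Get-ForestUpdateRevision {
    # CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,... carries the
    # Revision attribute that adprep /forestprep raises (ADSIEdit steps 6 to 8 above).
    [CmdletBinding()]
    param([string]$Server)

    $rootDse = Get-RootDse -Server $Server
    $dn      = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
    $obj     = Get-ADObject -Identity $dn -Properties revision

    [pscustomobject]@{ DistinguishedName = $dn; Revision = [int]$obj.revision }
}

function Test-ForestPrepCompleted {
    # Compares both values against the text's expected values for a completed
    # Windows Server 2008 R2 adprep /forestprep (Revision 5, objectVersion 47).
    # "-ge" is used because later adprep versions raise both numbers further.
    [CmdletBinding()]
    param(
        [int]$ExpectedRevision = 5,
        [int]$ExpectedObjectVersion = 47,
        [string]$Server
    )

    $schema   = Get-SchemaVersion -Server $Server
    $revision = Get-ForestUpdateRevision -Server $Server

    [pscustomobject]@{
        ObjectVersion     = $schema.ObjectVersion
        SchemaLevel       = $schema.SchemaLevel
        Revision          = $revision.Revision
        ForestPrepApplied = ($schema.ObjectVersion -ge $ExpectedObjectVersion) -and
                            ($revision.Revision -ge $ExpectedRevision)
    }
}

Get-SchemaVersion | Format-List
Test-ForestPrepCompleted | Format-List
```

Run it before and after adprep /forestprep to record the "Before" and "After" schema versions the migration steps ask for; pass -Server with the schema master's name to avoid reading a DC that has not yet received the replicated change.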