Archive for the ‘Active directory’ Category

Creating and Removing a Trust

Monday, March 3rd, 2008

It is common when migrating from a Windows NT environment to Active Directory to set up trusts to down-level master account domains or resource domains. This allows AD users to access resources in the NT domains without providing alternate credentials. Windows NT does not support transitive trusts and therefore your only option is to create a nontransitive trust. That means you’ll need to set up individual trusts between the NT domain and every Active Directory domain that contains users that need to access the NT resources.

Transferring or Seizing a FSMO Role

Monday, March 3rd, 2008

The first domain controller in a new forest is assigned the two forest-wide FSMO roles (schema and domain naming). The first domain controller in a new domain gets the other three domain-wide roles. It is very likely you’ll need to move the roles around to different domain controllers at some point. Also, when you need to take down a domain controller that is currently a FSMO role owner, you’ll want to transfer the role beforehand. If you plan to install a hotfix or do some other type of maintenance that necessitates only a quick reboot, you may not want to go to the trouble of transferring the FSMO role.

Finding the FSMO Role Holders

Monday, March 3rd, 2008

Several Active Directory operations are sensitive, such as updating the schema, and therefore need to be done on a single domain controller. Active Directory cannot guarantee the proper execution of these functions in a situation where they may be invoked from more than one DC. The FSMO mechanism is used to limit these functions to a single DC.

There are five designated FSMO roles that correspond to these sensitive functions. A FSMO role can apply either to an entire forest or to a specific domain. Each role is stored in the fSMORoleOwner attribute on various objects in Active Directory depending on the role.

| Role | Description | fSMORoleOwner location | Domain- or forest-wide? |
|---|---|---|---|
| Schema | Processes schema updates | CN=Schema,CN=Configuration,<ForestDN> | Forest |
| Domain Naming | Processes the addition, removal, and renaming of domains | CN=Partitions,CN=Configuration,<ForestDN> | Forest |
| Infrastructure | Maintains references to objects in other domains | CN=Infrastructure,<DomainDN> | Domain |
| RID | Handles RID pool allocation for the domain controllers in a domain | CN=RID Manager$,CN=System,<DomainDN> | Domain |
| PDC Emulator | Acts as the domain master browser and as the PDC for downlevel clients and Backup Domain Controllers (BDCs) | <DomainDN> | Domain |

Using a graphical user interface

For the Schema Master:

  1. Open the Active Directory Schema snap-in.
  2. Right-click on Active Directory Schema in the left pane and select Operations Master.

For the Domain Naming Master:

  1. Open the Active Directory Domains and Trusts snap-in.
  2. Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.

For the PDC Emulator, RID Master, and Infrastructure Master:

  1. Open the Active Directory Users and Computers snap-in.
  2. Make sure you’ve targeted the correct domain.
  3. Right-click on Active Directory Users and Computers in the left pane and select Operations Master.
  4. There are individual tabs for the PDC, RID, and Infrastructure roles.

Using a command-line interface

In the following command, you can leave out the /Domain option to query the domain you are currently logged on to:

> netdom query fsmo /Domain:<DomainName>

You can also use the dsquery server command to list the FSMO role owners, as shown here, where <Role> can be schema, name, infr, pdc, or rid:

> dsquery server -hasfsmo <Role>

Using VBScript

' This code prints the FSMO role owners for the specified domain.
' Each fSMORoleOwner value is the DN of the owning DC's NTDS Settings object.
' ------ SCRIPT CONFIGURATION ------
strDomain = ""  ' e.g., emea.rallencorp.com (leave empty for the current domain)
' ------ END CONFIGURATION ---------

' Read the naming contexts from RootDSE so the script works in any domain
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator (stored on the domain head)
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner
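The fsmoroleowner values the script above prints are not hostnames but DNs of the owning DC's nTDSDSA (NTDS Settings) object, so the DC and its site have to be read out of the DN. The following Python is an added example, not part of the original post: it resolves constructed sample values (fictional forest rallencorp.com, DCs DC1 and DC2) to server and site, groups the roles per DC, and reports a role whose owner can no longer be resolved, the situation the seizing procedure exists for.

```python
import re

FOREST = "DC=rallencorp,DC=com"  # constructed sample forest, not a real directory


def ntds_dn(server, site, forest=FOREST):
    """DN of a DC's nTDSDSA object, which is what fSMORoleOwner points at."""
    return (f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},"
            f"CN=Sites,CN=Configuration,{forest}")


# Constructed sample: DC1 holds three roles, DC2 one; the Infrastructure Master's
# former owner was removed without the role being transferred, so the attribute
# still references the deleted object (placeholder GUID, the role must be seized).
SAMPLE_OWNERS = {
    "Schema Master": ntds_dn("DC1", "Default-First-Site-Name"),
    "Domain Naming Master": ntds_dn("DC1", "Default-First-Site-Name"),
    "PDC Emulator": ntds_dn("DC1", "Default-First-Site-Name"),
    "RID Master": ntds_dn("DC2", "Branch-Site"),
    "Infrastructure Master": "CN=NTDS Settings\\0ADEL:<guid>,CN=Deleted Objects,"
                             "CN=Configuration," + FOREST,
}


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def parse_ntds_settings_dn(dn):
    """Return (server, site) for a live NTDS Settings DN, or None when the value
    does not have that shape (for example, it points into CN=Deleted Objects)."""
    rdns = split_dn(dn)
    if (len(rdns) < 6 or rdns[0].lower() != "cn=ntds settings"
            or rdns[2].lower() != "cn=servers" or rdns[4].lower() != "cn=sites"):
        return None
    return rdns[1].split("=", 1)[1], rdns[3].split("=", 1)[1]


def summarize_roles(owners):
    """Group roles by owning DC; roles whose owner cannot be resolved are listed separately."""
    by_server, unresolved = {}, []
    for role, dn in owners.items():
        parsed = parse_ntds_settings_dn(dn)
        if parsed is None:
            unresolved.append(role)
            continue
        server, site = parsed
        by_server.setdefault(server, {"site": site, "roles": []})["roles"].append(role)
    return by_server, unresolved


if __name__ == "__main__":
    servers, orphans = summarize_roles(SAMPLE_OWNERS)
    for server, info in servers.items():
        print(f"{server} ({info['site']}): {', '.join(info['roles'])}")
    for role in orphans:
        print(f"{role}: owner not resolvable, role must be seized")
```

Feed it the raw attribute values from the VBScript or from dsquery instead of SAMPLE_OWNERS to get the same per-DC view of a real forest.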

Enabling and Disabling the Global Catalog

Monday, March 3rd, 2008

The first domain controller promoted into a forest is by default also made a global catalog server. If you want additional servers to hold the global catalog, you have to enable it on each of them. The global catalog on a domain controller is enabled when the low-order bit of the options attribute on the nTDSDSA object (NTDS Settings) under that domain controller's server object is set to 1. The DN of this object for dc1 in the Default-First-Site-Name site looks like this: cn=NTDS Settings,cn=DC1,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=rallencorp,dc=com.

Finding the Closest Domain Controller

Thursday, February 28th, 2008

The DC locator process as described in MS KB 314861 and MS KB 247811 defines how clients find the closest domain controller. The process uses the site topology stored in Active Directory to calculate the site where a particular client is. After the client site has been identified, it is a matter of finding a domain controller that is either a member of that same site or that is covering that site.
