Tuesday, January 15, 2008

FSMO ROLES

One of the most-asked interview questions is about the FSMO roles. I remember that in each interview I walked into over the last couple of years, I have been asked about the FSMO roles every single time. Operations masters are no doubt very important, and it is crucial for every MCSE to understand them and use them whenever needed. I have already blogged about the FSMO roles, why we need them, and how to memorize them. The question about FSMO roles I most often ask my students is the following.

If you have 12 domains in one forest, how many FSMO roles exist in total? I get multiple answers, including 1 and 12. Of course, those of you who understand would say 38 without thinking for a second: three domain-wide roles in each of the 12 domains, plus the two forest-wide roles. Knowing the FSMO roles is very important, and identifying them in AD (Active Directory) is fairly easy. The domain-wide FSMO roles can easily be seen from ADUC (Active Directory Users and Computers); they are:

  • RID
  • PDC
  • Infrastructure

The forest-wide ones can be seen with multiple utilities, such as NetDom:

    C:\>netdom query fsmo
    Schema owner                nhqdtcdc1.ri.SMTP25.org
    Domain role owner           nhqdtcdc1.ri.SMTP25.org
    PDC role                    nhqdtcdc4.archq.ri.SMTP25.org
    RID pool manager            nhqdtcdc4.archq.ri.SMTP25.org
    Infrastructure owner        nhqdtcdc3.archq.ri.SMTP25.org
    The command completed successfully.
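The role count from the question above can be checked against captured netdom output. The following is an added example, not part of the original post: it parses one `netdom query fsmo` capture per domain, counts each forest-wide role once, and reports any forest-wide role for which two captures name different holders. The function names, the `example.test` host names and the 12-domain sample are constructed for illustration.

```python
import re

# Labels printed by `netdom query fsmo` -> role name used on this page.
LABELS = {
    "Schema owner": "Schema",
    "Domain role owner": "Domain Naming Master",
    "PDC role": "PDC",
    "RID pool manager": "RID",
    "Infrastructure owner": "Infrastructure",
}
FOREST_WIDE = {"Schema", "Domain Naming Master"}  # one holder per forest
LINE_RE = re.compile(r"^(%s)\s+(\S+)$" % "|".join(map(re.escape, LABELS)))

def parse_netdom(text):
    """Return {role: holder} from one captured `netdom query fsmo` output."""
    holders = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            holders[LABELS[m.group(1)]] = m.group(2).lower()
    return holders

def forest_inventory(captures):
    """captures maps domain name -> netdom output taken in that domain.
    Returns (roles, conflicts): roles is keyed by (scope, role); conflicts
    lists forest-wide roles for which captures name different holders."""
    roles, reported = {}, {}
    for domain, text in captures.items():
        for role, holder in parse_netdom(text).items():
            scope = "forest" if role in FOREST_WIDE else domain
            roles[(scope, role)] = holder
            if role in FOREST_WIDE:
                reported.setdefault(role, set()).add(holder)
    conflicts = {r: sorted(h) for r, h in reported.items() if len(h) > 1}
    return roles, conflicts

# Constructed sample: 12 domains in one forest (host names are made up).
TEMPLATE = """Schema owner                rootdc1.example.test
Domain role owner           rootdc1.example.test
PDC role                    dc1.{d}
RID pool manager            dc1.{d}
Infrastructure owner        dc2.{d}
The command completed successfully."""

def sample_captures(n=12):
    names = ["dom%02d.example.test" % i for i in range(1, n + 1)]
    return {d: TEMPLATE.format(d=d) for d in names}

if __name__ == "__main__":
    roles, conflicts = forest_inventory(sample_captures())
    print(len(roles), "roles;", "conflicts:", conflicts or "none")
```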

Another command question I have seen relates to AD maintenance:

Ntdsutil

    Authoritative restore        - Authoritatively restore the DIT database
    Configurable Settings        - Manage configurable settings
    Domain management            - Prepare for new domain creation
    Files                        - Manage NTDS database files
    Help                         - Show this help information
    LDAP policies                - Manage LDAP protocol policies
    Metadata cleanup             - Clean up objects of decommissioned servers
    Popups %s                    - (en/dis)able popups with "on" or "off"
    Quit                         - Quit the utility
    Roles                        - Manage NTDS role owner tokens
    Security account management  - Manage Security Account Database - Duplicate SID Cleanup
    Semantic database analysis   - Semantic Checker
    Set DSRM Password            - Reset directory service restore mode administrator account password

  • Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory.
  • Seize FSMO roles using Ntdsutil.exe
  • The partition for each FSMO role is in the following list:

    FSMO role              Partition
    Schema                 CN=Schema,CN=configuration,DC=<forest root domain>
    Domain Naming Master   CN=configuration,DC=<forest root domain>
    PDC                    DC=<domain>
    RID                    DC=<domain>
    Infrastructure         DC=<domain>

Directory Services Restore Mode
Regards
Oz ozugurlu
