Best Practices for placing FSMO Roles

FSMO Roles (Flexible Single Master Operation)

Each domain in an AD-based network has three FSMO roles that must be assigned to domain controllers within the domain:

  • PDC Emulator. The DC holding this role plays PDC for any legacy Windows NT BDCs you may still have running. But even if you’ve migrated all your legacy DCs and your domains are running in Windows 2000 mixed functional level or higher, the PDC Emulator role is still important because the PDC Emulator enforces account lockout, handles password changes, and synchronizes time for all DCs in the domain.
  • RID Master. When an administrator creates a new security principal in Active Directory (typically a new user or group), the SID for the new object is constructed from the domain SID and a relative ID (RID) selected from a pool of RIDs on the domain's DCs. If this pool starts running low (under 50% remaining), the RID Master replenishes it.
  • Infrastructure Master. Ensures cross-domain object references are handled properly, such as when objects in one domain are referenced by objects in a different domain.

The forest root domain also has two additional FSMO roles that must be assigned to domain controllers in that domain:

  • Domain Naming Master. Handles changes to the namespace, for example when a new child domain is added to a parent domain.
  • Schema Master. Handles changes to the schema and replicates these changes to all other DCs throughout the forest.

There are a number of ways you can determine which DCs are FSMO role holders on your network, but the simplest is to install the Support Tools from the SupportTools folder on your product CD and type netdom query fsmo at a command prompt:

In the lab.local domain the Infrastructure Master can be held by a secondary domain controller while all other roles are held by the PDC. Other ways of determining FSMO role holders are outlined in KB 234790. The Script Center on Microsoft TechNet has a handy script for this purpose, too.

Symptoms of FSMO Problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don’t work properly.

  • Users can't log on. Role involved: PDC Emulator. Reason: if system clocks become unsynchronized, Kerberos may fail.
  • Can't change passwords. Role involved: PDC Emulator. Reason: password changes need this role holder.
  • Account lockout not working. Role involved: PDC Emulator. Reason: account lockout enforcement needs this role holder.
  • Can't raise the functional level for a domain. Role involved: PDC Emulator. Reason: this role holder must be available when raising the domain functional level.
  • Can't create new users or groups. Role involved: RID Master. Reason: the RID pool has been depleted.
  • Problems with universal group memberships. Role involved: Infrastructure Master. Reason: cross-domain object references need this role holder.
  • Can't add or remove a domain. Role involved: Domain Naming Master. Reason: changes to the namespace need this role holder.
  • Can't promote or demote a DC. Role involved: Domain Naming Master. Reason: changes to the namespace need this role holder.
  • Can't modify the schema. Role involved: Schema Master. Reason: changes to the schema need this role holder.
  • Can't raise the functional level for the forest. Role involved: Schema Master. Reason: this role holder must be available when raising the forest functional level.

Rules for FSMO Role Placement

Since FSMO roles are crucial for the proper functioning of an AD-based network, it's a good idea to get them right from the planning stage of your deployment. By default, when you install the first DC of your forest root domain, this first DC holds all five FSMO roles. When you install the first DC of any other domain in your forest, that DC holds all three domain FSMO roles (PDC Emulator, RID Master, and Infrastructure Master). Depending on the complexity of your network, however, this default role assignment may not be appropriate, so you may need to transfer some of the roles to a different machine to achieve optimal FSMO role placement. See KB 223787 and KB 255504 for how to transfer roles. KB 321469 also has information on how to transfer roles using scripts.

Proper FSMO role placement basically boils down to a few simple rules, tips, and exceptions:

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

  • Tip: Since the PDC Emulator does by far the most work of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC), since those are often heavily used as well.

Rule 2: The Infrastructure Master should not be placed on a GC.

  • Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
  • Exception 1: It’s OK to put the Infrastructure Master on a GC if your forest has only one domain.
  • Exception 2: It’s OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

  • Exception: If you’ve raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn’t need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.

  • Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.
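As an added example (not part of the original post) of the script that Rule 4 suggests, the following PowerShell lists the five role holders, checks that each one is reachable and answers as a domain controller, and flags violations of Rule 1 and Rule 2. It assumes the ActiveDirectory module (RSAT) and the lab.local domain name used above.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and read access to the forest; lab.local is the page's lab domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain -Identity 'lab.local'

# Rule 4: the five role holders, checked proactively
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # Ping first (Rule 4 tip: an unreachable remote holder is often a WAN link),
    # then confirm the host actually answers as a domain controller.
    $ping = Test-Connection -ComputerName $holder -Count 1 -Quiet
    $dc   = $null
    if ($ping) {
        $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
    }
    $state = if ($dc) { 'OK' } elseif ($ping) { 'PING OK, NOT ANSWERING AS DC' } else { 'UNREACHABLE' }
    '{0,-22} {1,-30} {2}' -f $role, $holder, $state
}

# Rule 1: PDC Emulator and RID Master belong on the same DC
if ($domain.PDCEmulator -ne $domain.RIDMaster) {
    Write-Warning 'Rule 1: PDC Emulator and RID Master are on different DCs.'
}

# Rule 2: Infrastructure Master should not be a GC, unless the forest has only
# one domain (Exception 1) or every DC in the forest is a GC (Exception 2)
$imDc   = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$everyDcIsGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imDc.IsGlobalCatalog -and $forest.Domains.Count -gt 1 -and -not $everyDcIsGc) {
    Write-Warning 'Rule 2: Infrastructure Master is a GC in a multi-domain forest where not every DC is a GC.'
}
```

Run it from a scheduled task and alert on any line that is not OK or on any warning; the checks only read the directory and change nothing.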

Active Directory Questions and Answers

Here is a list of definitions, in question-and-answer form, relating to Active Directory (AD) that I have taken from different sources and gathered here.

What is active directory?

What is Domain

What is domain controller? (a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain)

What is a standalone server (A standalone server is a server that runs alone and is not a part of a group. In fact, in the context of Microsoft Windows networks, a standalone server is one that does not belong to or is not governed by a Windows domain)

What is a member server (Member server is a server role defined by Microsoft Active Directory (AD), a service that runs on the Windows 2000 and Windows Server 2003 operating systems. A member server belongs to a domain but is not the domain controller)

What is Object

What is attribute (Single property of an object)

How do you make a server domain controller (By installing the role AD DS or by running command DCPROMO on older version of operating systems (older than 2008 R2))

What is the name of Active directory Database ( NTDS.dit)

What are the partitions on AD 2003 Database (Application, Domain Directory Partition, Schema Directory, Configuration Directory Partition)

What tool you can use to modify the Ad database (adsi.edit, ntdsutil)

What is DRO and what objects are in this partition (Resident Directory Object. Objects included in this partition are Users, Groups, computer accounts)

What is Schema

How many FSMO roles available

Name Operations Masters

Which FSMO role is the most important (PDC emulator) Reference

Which FSMO role is the least important (RID Master / Infrastructure Master – Not Sure)

What is OU

What are 3 primary functions of OU

What is a Site

What is KCC

What is LSASS.EXE (Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.)

What is SYSVOL (The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication service (FRS). Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders.)

What is Journal Wrap and how to troubleshoot journal wrap issues?

DNS Questions and Answers

Here is a list of definitions, in question-and-answer form, relating to DNS that I have taken from different sources and gathered here.

What Is DNS

What does Active directory integrated DNS mean

What is a Zone?

What port does DNS operate on? 53

What is A record : (The A in A record stands for Address. Simply put, an A record is used to find the address of a computer connected to the internet from a name. Whenever you visit a web site, send an email, connect to Twitter or Facebook or do almost anything on the Internet, the address you enter is a series of words connected with dots.)

What is Host record (The Domain Name System, more popular as DNS, is responsible for associating domain names, the user-friendly names of websites, with their corresponding real system names – IP addresses. These IP addresses are vital for bringing the website online and in the DNS system are known as A records.)

What is Glue Record (A glue record is a term for a record that’s served by a DNS server that’s not authoritative for the zone, to avoid a condition of impossible dependencies for a DNS zone.)

What is PTR Record (Pointer records are used for the reverse DNS (Domain Name System) lookup. Using the IP address you can get the associated domain/hostname. An A record should exist for every PTR record.)

What is Forward lookup zone

What is Reverse lookup zone

What is Alias record (An ALIAS record is a virtual record type that we created to provide CNAME-like behavior on apex domains)

What is Cname record (CNAME stands for Canonical Name. CNAME records can be used to alias one name to another)

What is MX Record (An MX (Mail eXchange) record will redirect email sent to any user’s machine (joe@norbert.dept1.cornell.edu, for example) to a designated mailhost. It tells the MDA where to route email)

What is default priority for MX record : 10

What is SRV record (A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33)

What tool can be used for DNS troubleshooting (NSLOOKUP)

What is DCDiag.exe (DC Diagnostic Tool)

What is Replmon.exe (Replication Monitor)

What is FRSDiag.exe (File Replication Diagnostic Tool)

What is Netlogon service, what does it do? (A service that is responsible for communication between systems in response to account logon events)

What is root hint servers (Root hints are used to prepare servers authoritative for non-root zones so that they can learn and discover authoritative servers that manage domains located at a higher level or in other subtrees of the DNS domain namespace)

How many root hint servers are available by default? 13

List of Root Servers

Hostname            IP addresses                            Manager
a.root-servers.net  198.41.0.4, 2001:503:ba3e::2:30         VeriSign, Inc.
b.root-servers.net  192.228.79.201, 2001:500:84::b          University of Southern California (ISI)
c.root-servers.net  192.33.4.12, 2001:500:2::c              Cogent Communications
d.root-servers.net  199.7.91.13, 2001:500:2d::d             University of Maryland
e.root-servers.net  192.203.230.10                          NASA (Ames Research Center)
f.root-servers.net  192.5.5.241, 2001:500:2f::f             Internet Systems Consortium, Inc.
g.root-servers.net  192.112.36.4                            US Department of Defense (NIC)
h.root-servers.net  128.63.2.53, 2001:500:1::803f:235       US Army (Research Lab)
i.root-servers.net  192.36.148.17, 2001:7fe::53             Netnod
j.root-servers.net  192.58.128.30, 2001:503:c27::2:30       VeriSign, Inc.
k.root-servers.net  193.0.14.129, 2001:7fd::1               RIPE NCC
l.root-servers.net  199.7.83.42, 2001:500:3::42             ICANN
m.root-servers.net  202.12.27.33, 2001:dc3::35              WIDE Project

Where do I locate root hint servers in DNS

DNS management using Powershell

DNSCMD is a powerful command-line utility for managing DNS in a Windows environment, and it comes to the rescue in scenarios such as the ones below.

DNSCMD

  • Displays and changes the properties of DNS servers, zones, and resource records.
  • Manually modifies these properties, and creates and deletes zones and resource records.
  • Forces replication events between the DNS server's in-memory database and its on-disk data files.

Clearcache (DNS)

  • C:\>dnscmd dc1.lab.local /clearcache

Recorddelete (PTR)

  • C:\>dnscmd /recorddelete 20.20.20.in-addr.arpa. 123 PTR

RecordAdd

  • dnscmd /RecordAdd does not generally perform a replace: adding a second record for the same name and type creates an additional record rather than overwriting the existing one.
  • D:\>dnscmd /RecordAdd lab.local W10PC A 20.20.20.101
  • Adds an A record for W10PC.lab.local in the lab.local zone.

RecordAdd

  • D:\>dnscmd /RecordAdd lab.local test A 20.20.20.101
  • Adds an A record for test.lab.local in the lab.local zone.

enumrecords

  • PS C:\Users\Administrator> dnscmd /enumrecords lab.local test

RecordDelete

  • D:\>dnscmd /RecordDelete lab.local test A

Recordadd (A record)

  • D:\>dnscmd /RecordAdd lab.local test A 20.20.20.103

For a more detailed list of commands and arguments, see the TechNet reference: https://technet.microsoft.com/en-us/library/cc772069.aspx
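As an added example (not from the original post), the same operations as the dnscmd commands above done with the DnsServer PowerShell module, which is what DNS management with PowerShell looks like on Windows Server 2012 and later; it also shows how to change an address in place, since a second RecordAdd only adds a record. It assumes the page's lab values (server dc1.lab.local, zone lab.local, host test, reverse zone 20.20.20.in-addr.arpa) and the RSAT DNS tools installed.

```powershell
# Added example, not from the original post. Assumes the DnsServer module
# (RSAT-DNS-Server) and DNS admin rights on the page's lab server dc1.lab.local.
Import-Module DnsServer
$server = 'dc1.lab.local'
$zone   = 'lab.local'

# dnscmd dc1.lab.local /clearcache
Clear-DnsServerCache -ComputerName $server -Force

# dnscmd /RecordAdd lab.local test A 20.20.20.101
Add-DnsServerResourceRecordA -ComputerName $server -ZoneName $zone -Name 'test' `
    -IPv4Address '20.20.20.101' -TimeToLive (New-TimeSpan -Hours 1)

# dnscmd /enumrecords lab.local test
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name 'test' |
    Format-Table HostName, RecordType, @{ n = 'Data'; e = { $_.RecordData.IPv4Address } }

# RecordAdd does not replace: a second RecordAdd with 20.20.20.103 would leave the
# host with two A records. To change the address in place, clone the existing
# record, edit the copy and hand both objects to Set-DnsServerResourceRecord.
$old = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name 'test' -RRType A
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse('20.20.20.103')
Set-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -OldInputObject $old -NewInputObject $new

# dnscmd /RecordDelete lab.local test A   (-Force skips the confirmation prompt)
Remove-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -Name 'test' -RRType A -Force

# dnscmd /recorddelete 20.20.20.in-addr.arpa. 123 PTR
Remove-DnsServerResourceRecord -ComputerName $server -ZoneName '20.20.20.in-addr.arpa' `
    -Name '123' -RRType Ptr -Force
```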

Active Directory Useful Commands

Here are some useful shortcuts (MMC snap-ins and command-line tools) for managing Active Directory in daily operations.

dnsmgmt.msc (DNS Manager)

domain.msc (Active Directory domains and trusts)

schmmgmt.msc (Active Directory Schema snap-in)

dssite.msc (Active Directory Sites and Services)

dsa.msc (Active Directory Users and Computers)

DCPromo (Active Directory Installation Wizard)

Dcdiag.exe (command-line tool that analyzes the state of domain controllers and reports any problems)

adsiedit.msc (Used for editing Active Directory to add, delete, or move objects within the directory)

Netdiag.exe
(Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.)

Netdom.exe (command-line tool used above to query the FSMO role holders with netdom query fsmo)

Ntdsutil.exe (Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network)

Repadmin.exe (diagnose replication problems between domain controllers.)

NLTEST

The /dclist parameter lists the domain controllers of a domain (the TechNet example uses fourthcoffee.com; the lab here uses lab.local):

nltest /dclist:lab.local

nltest /user:"TestAdmin" (Advanced information about users)

nltest.exe /server:W2K16dc01 /sc_query:lab.local (Verify trust relationship with a specific server)

nltest /dcname:lab (Determine the PDC emulator for a domain)

nltest /domain_trusts (Show trust relationships for a domain)

For more details on NLTEST command: https://technet.microsoft.com/en-us/library/cc786478.aspx

Enable Recycle Bin Feature In Active Directory

The Active Directory Recycle Bin feature is disabled by default in Windows Server 2012 R2. To enable it, the forest functional level must be Windows Server 2008 R2 or higher. Enable the Active Directory Recycle Bin feature on Windows Server 2012 R2 by logging in with a user account that is a member of the "Enterprise Admins" or "Schema Admins" group.

From the Server Manager, click on Tools and click Active Directory Administrative Center. Right click the target domain in the left navigation pane and click Raise the forest functional level.

In my domain the Active Directory forest functional level is already Windows Server 2012 R2; to enable the Active Directory Recycle Bin feature the forest functional level must be Windows Server 2008 R2 or higher.


To check the current forest functional level of your organization with a PowerShell command:

Get-ADForest -Identity sysghosta.local


To raise the forest functional level with PowerShell, launch the Active Directory Module for Windows PowerShell and execute:

Set-ADForestMode 6 -Identity SYSGHOSTA.LOCAL

Where:

6 – Raise the forest functional level to Windows Server 2012 R2

5 – Raise the forest functional level to Windows Server 2012

4 – Raise the forest functional level to Windows Server 2008 R2


Now open the Active Directory Administrative Center, right-click the target domain and click Enable Recycle Bin.

Click OK

Refresh the console now.

To enable the Active Directory Recycle Bin feature with a PowerShell command:

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=sysghosta,DC=local" -Scope ForestOrConfigurationSet -Target "sysghosta.local"

And command to verify the result:

Get-ADOptionalFeature -filter *


Now go to the Active Directory Administrative Center and you will see a container called Deleted Objects.


Now, to test whether it is working or not, I will delete a test user account and restore it using the Recycle Bin:

The user Temp is deleted and you can see this user in the AD Recycle Bin with the following command:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=sysghosta,DC=local" -ldapFilter:"(msDs-lastKnownRDN=*)" -IncludeDeletedObjects -Properties lastKnownParent

Now we will restore this account:

After this you will be able to see this user again in the same location:


To restore the deleted object back to the original location using powershell command:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects | Restore-ADObject
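As an added example (not the original post's command), the following PowerShell restores only the deleted user Temp rather than every deleted object, which is what the one-liner above does when piped as written, and handles the case where the user's original container was deleted too. It assumes the ActiveDirectory module, the Recycle Bin enabled as above, the sysghosta.local domain from this walkthrough, and that Temp is also the account's sAMAccountName.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# the Recycle Bin enabled as above, and the page's domain sysghosta.local.
Import-Module ActiveDirectory

$rdn  = 'Temp'                                          # deleted user's last known name
$base = 'CN=Deleted Objects,DC=sysghosta,DC=local'

# The Recycle Bin keeps msDS-LastKnownRDN and lastKnownParent on the tombstone, so
# filter on the name and object class instead of restoring everything that matches "*".
$deleted = Get-ADObject -SearchBase $base -IncludeDeletedObjects `
    -LDAPFilter "(&(objectClass=user)(msDS-LastKnownRDN=$rdn))" `
    -Properties lastKnownParent, whenChanged

if (-not $deleted) { throw "No deleted user named '$rdn' under $base" }
if (@($deleted).Count -gt 1) {
    # Several tombstones share the name (deleted and recreated): take the newest one
    $deleted = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1
}

# Restore-ADObject fails if the original parent is itself deleted; check it first
try {
    Get-ADObject -Identity $deleted.lastKnownParent -ErrorAction Stop | Out-Null
    $parentExists = $true
} catch { $parentExists = $false }

if ($parentExists) {
    $deleted | Restore-ADObject
} else {
    # Either restore the parent container first, or pick a new home with -TargetPath
    Write-Warning "Parent $($deleted.lastKnownParent) is also deleted; restoring into CN=Users."
    $deleted | Restore-ADObject -TargetPath 'CN=Users,DC=sysghosta,DC=local'
}

# Confirm the account is back (assumes Temp is also the sAMAccountName)
Get-ADUser -Identity $rdn | Select-Object Name, Enabled, DistinguishedName
```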

Installation of Certificate Authority (CA) on server 2012

Open Server Manager, click Manage, then Add Roles and Features.

  • Choose the server and click Next.
  • Check Active Directory Certificate Services and then click Add Features in the dialog box.
  • Click Next.
  • Choose "Certification Authority" and "Certification Authority Web Enrollment".
  • Click Next and Install.

Now to configure Active Directory Certificate Services:

  • Choose the exclamation mark on the flag in Server Manager.
  • Click Next.
  • Click Next.
  • Select both options and click Next.
  • Click Next on each of the next six wizard pages.
  • Click Configure.
  • Click Close.