Managing the Schema Master FSMO

Problem

You want to view, transfer, or seize the Schema Master FSMO for your Active Directory Forest.

Solution

Using a graphical user interface

To view the current Schema Master FSMO role holder, do the following:

  1. Open the Active Directory Schema snap-in.

  2. Right-click on Active Directory Schema in the left pane and select Operations Master.

To transfer the Schema Master to another server, follow these steps:

  1. Open the Active Directory Schema snap-in. Right-click on Active Directory Schema and select "Connect to Domain Controller." Select the DC that you wish to transfer the FSMO role to.

  2. Right-click on Active Directory Schema in the left pane and select Operations Master.

  3. Click the Change button.

  4. Click OK twice.

  5. You should then see a message stating whether the transfer was successful.

Using a command-line interface

To query the owner of the Schema Master FSMO role, you can use the dsquery server command shown here:

	> dsquery server -hasfsmo schema

To transfer the Schema Master to another server, use ntdsutil as shown here (replace <NewRoleOwner> with the name of the DC that should receive the role):

	> ntdsutil roles conn "co t s <NewRoleOwner>" q "transfer Schema Master" q q

To forcibly seize the Schema Master to another DC, do the following:

	> ntdsutil roles conn "co t s <NewRoleOwner>" q "seize Schema Master" q q
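The same three operations (view, transfer, seize) can be driven from PowerShell with the ActiveDirectory module that ships with RSAT and Windows Server. The following script is an added example and is not part of the recipe; it assumes the module is installed, that the account has Schema Admins rights, and that `<NewRoleOwner>` is replaced with the target DC's name. The `-Action` parameter selects which step runs, so nothing is transferred or seized by accident.

```powershell
# Added example: PowerShell equivalents of the dsquery/ntdsutil steps above.
# Requires the ActiveDirectory module (RSAT / Windows Server).
param(
    [ValidateSet('View', 'Transfer', 'Seize')]
    [string]$Action = 'View',
    # Placeholder for the DC that should hold the role after a transfer or seize.
    [string]$NewRoleOwner = '<NewRoleOwner>'
)
Import-Module ActiveDirectory

function Get-SchemaMasterOwner {
    # The forest object reports the role holder by hostname...
    $forest = Get-ADForest
    # ...and the authoritative value is the fSMORoleOwner attribute on the Schema
    # container, which holds the DN of the owner's NTDS Settings object.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schema = Get-ADObject -Identity $schemaNC -Properties fSMORoleOwner
    [pscustomobject]@{
        SchemaMaster  = $forest.SchemaMaster
        fSMORoleOwner = $schema.fSMORoleOwner
    }
}

switch ($Action) {
    'View' {
        Get-SchemaMasterOwner | Format-List
    }
    'Transfer' {
        # Orderly hand-off: the current owner must be online and reachable.
        Move-ADDirectoryServerOperationMasterRole -Identity $NewRoleOwner `
            -OperationMasterRole SchemaMaster -Confirm:$false
        Get-SchemaMasterOwner | Format-List
    }
    'Seize' {
        # Only when the current owner is permanently gone. -Force attempts a
        # transfer first and seizes the role if the owner cannot be contacted.
        Move-ADDirectoryServerOperationMasterRole -Identity $NewRoleOwner `
            -OperationMasterRole SchemaMaster -Force -Confirm:$false
        Get-SchemaMasterOwner | Format-List
    }
}
```

Run it as `.\Manage-SchemaMaster.ps1 -Action View` to report the current holder, or with `-Action Transfer -NewRoleOwner DC2` to move the role. Reading `fSMORoleOwner` directly, rather than trusting only `Get-ADForest`, matters after a seize: the attribute is what replicates to the other DCs and is therefore what they will act on.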

Using VBScript

	' This code prints the Schema Master role owner for the specified forest.
	' Bind to the RootDSE of any DC in the forest to find the schema naming context.
	strDC = "<DomainControllerName>"
	set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
	strSchemaDN = objRootDSE.Get("schemaNamingContext")

	' Schema Master: the fSMORoleOwner attribute on the Schema container holds the
	' DN of the current role owner's NTDS Settings object.
	set objSchemaFsmo = GetObject("LDAP://" & strDC & "/" & strSchemaDN)
	WScript.Echo "Schema Master: " & objSchemaFsmo.Get("fSMORoleOwner")

	' This code transfers the Schema Master role to the DC the script is run on.
	' Writing becomeSchemaMaster to RootDSE asks that DC to take the role from the
	' current owner, which must be reachable; it is an orderly transfer, not a seize.
	' When the current owner is unavailable, seize the role with ntdsutil as shown above.
	Set dse = GetObject("LDAP://localhost/RootDSE")
	dse.Put "becomeSchemaMaster", 1
	dse.SetInfo


Discussion

Several Active Directory operations, such as updating the schema, are sensitive and therefore need to be restricted to a single domain controller to prevent corruption of the AD database. Active Directory cannot guarantee the correct outcome of these operations if they are invoked concurrently from more than one DC, so the FSMO mechanism confines each of them to a single DC at a time.

The first domain controller in a new forest is assigned the two forest-wide FSMO roles, the schema master and domain naming master. The first domain controller in a new domain gets the other three domain-wide roles. If you need to decommission the domain controller that is currently the Schema Master role owner (either permanently or for a significant period of time), you'll want to transfer the role beforehand.

If the Schema Master becomes unavailable before you can transfer it, you'll need to seize the role (see Recipe 3.32).

If you seize the Schema Master FSMO to another server, you should reformat and reinstall the original role holder before returning it to your production environment.
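The reason for rebuilding the old role holder is that it still carries its own copy of the Schema container with fSMORoleOwner pointing at itself; if it comes back online, two DCs can believe they own the role until replication settles the conflict. The following check is an added example, not part of the recipe: it asks every DC in the forest for its view of fSMORoleOwner and warns when they disagree. It assumes the ActiveDirectory module and read access to each DC.

```powershell
# Added example: verify that all DCs agree on the Schema Master after a seize.
Import-Module ActiveDirectory

function Get-SchemaMasterView {
    # Query each DC's own replica of the Schema container's fSMORoleOwner attribute.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                $obj = Get-ADObject -Identity $schemaNC -Properties fSMORoleOwner `
                    -Server $dc.HostName -ErrorAction Stop
                # fSMORoleOwner looks like CN=NTDS Settings,CN=<DC>,CN=Servers,...;
                # the second RDN is the owning DC's name.
                $ownerName = ($obj.fSMORoleOwner -split ',')[1] -replace '^CN=', ''
                [pscustomobject]@{ DC = $dc.HostName; SchemaMasterSeenBy = $ownerName; Error = $null }
            } catch {
                # Unreachable DCs are reported rather than silently skipped.
                [pscustomobject]@{ DC = $dc.HostName; SchemaMasterSeenBy = $null; Error = $_.Exception.Message }
            }
        }
    }
}

$views = Get-SchemaMasterView
$views | Format-Table -AutoSize

$distinct = @($views | Where-Object { $_.SchemaMasterSeenBy } |
    Select-Object -ExpandProperty SchemaMasterSeenBy -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning ("DCs disagree on the Schema Master: {0}. Look for a former role holder " +
        "that was returned to service without being rebuilt.") -f ($distinct -join ', ')
} elseif ($distinct.Count -eq 1) {
    "All reachable DCs agree: Schema Master is $($distinct[0])"
} else {
    Write-Warning 'No DC could be queried; check connectivity and permissions.'
}
```

Run it once the seize has completed and again after a replication cycle; a single disagreeing DC whose `SchemaMasterSeenBy` is its own name is the former owner the discussion says must be reformatted rather than reconnected.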


See Also

Recipe 3.30, Recipe 3.31, and Recipe 3.32 for more on viewing, transferring, and seizing FSMO roles; and MS KB 324801 (How to view and transfer FSMO roles in Windows Server 2003)