This is the last theoretical topic in FSMO Roles series. I hope till this point you have understood what FSMO roles are. In production environment, we can’t have one machine for something forever. Similarly we can’t have one FSMO role, whether it’s forest level or domain level, on one Domain Controller forever. Movement of existing FSMO roles are required when we have some maintenance activity or hardware failure.
In terms of FSMO Roles, we classify the movement into two parts:
Suppose we have two domain controllers in our environment – DC01.DevOpsAge.local and DC-02.DevOpsAge.local. Now let’s see these two scenarios:
We need to upgrade the RAM of DC-01, holding one or more FSMO roles. Now we simply can’t let the FSMO role down because my machine is going to be down temporarily. So we can:
- Move the role from DC-01 to DC-02.
- Take down DC-01 and upgrade the RAM.
- Once DC-01 is again up and running, we then move the roles back to DC-01.
Suppose due to electric short circuit, DC-01 burnt out completely. In this case we don’t have any other option but to move the role to DC-02. But how, since DC-01 has completely destroyed.
Now before I answer, I want you to hold for 2 mins and find out the key difference between both scenarios.
The key difference in both the cases is – in Scenario-1, we still have connectivity between DC-01 and DC-02 whereas in Scenario-2, we don’t have any connectivity between DC-01 and DC-02.
This is the exact difference between transferring and seizing the role. Let’s understand:
- Transfer FSMO Role: In this, both the source and destination DCs must be connected. In first scenario if you see carefully, we had proper connectivity before we took down the DC-01, that’s why we could transfer the role first to DC-02 and then transferred it back to DC-01.
- Note: You can transfer any FSMO roles N number of times from one domain controller to another.
- Seize FSMO Role: This is designed for disaster recovery where we have already lost the connectivity properly. In second case, we don’t have any connectivity at all and neither any chance to recover DC-01 in near future. Seizing role is basically forcefully moving the role, without having any connectivity between source and destination DCs.
- Note: Once the FSMO roles are seized, only PDC and Infrastructure Master can be transferred back to the original machine (if it comes up). Remaining three roles – Schema Master, Domain Naming Master and RID Master can’t be move back to the original machine. However they can be transferred to any other DC, except the one who earlier died.
So always remember – Transfer needs source and destination to be connected but Seize doesn’t need the connection.
To transfer or seize the role we generally use a command line tool called ntdsutil. Transfer can be done from GUI too. In next few posts, we will see the step-by-step demonstration of FSMO roles.