Learn AD in 15 Minutes a Week: Active Directory Schema Master

July 10, 2002

by Jason Zandri
www.2000trainers.com

Welcome to the ninth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment is going to begin the more detailed discussion of the Windows 2000 Active Directory Single Masters of Operation. This particular article is going to be a more detailed breakdown of the Schema Master Flexible Single Masters of Operation Domain Controller.

[NOTES FROM THE FIELD] - Some of the sections below are a recap from my Active Directory Single Masters of Operation article. It does seem like overkill to a degree to include three paragraphs from that column here, but rather than have the reader go back and forth for reference, I have included the most important sections here.


Overview

In the Windows 2000 Active Directory, certain domain controllers are assigned the extra role of Operations master. Sometimes referred to as Flexible Single Masters of Operation (FSMO) servers, these are special roles assigned to one or more domain controllers in an Active Directory domain and forest. A domain controller assigned a role performs single-master replication of the data that role is in charge of; a domain controller holding more than one role does so for each role, independently of the others. Some of these roles are forest-wide operations master roles and others are domain-wide operations master roles.

The Windows 2000 Active Directory design supports multimaster replication of the Active Directory domain database partition between all domain controllers in the domain. This means that changes to the domain database partition can be made at any domain controller, from user-level actions such as changing your domain password all the way up to a Domain Administrator adding new users to the domain from a remote site by hitting the local domain controller at that site.

[NOTES FROM THE FIELD] - Back in the NT4 days this was not the case. All changes from user passwords to new user creation happened only on the Primary Domain Controller. This meant that if your headquarters (and PDC) was in England and you were at the New York offices and changed your password, that change had to "travel" back to the PDC in London to take effect. The same would be true if you were a Domain Administrator temporarily working out of the Los Angeles office. You would have to "connect" to the PDC in London to perform the administration.

When you simply logged on to the domain in New York, LA, or wherever, you could authenticate against the Backup Domain Controller, which held a read-only Accounts database. The read-only database allowed the remote people to log on using it rather than requiring them to hit the PDC.

Other types of changes are impractical to perform in multimaster fashion, such as those to the Schema and Configuration partitions. Since these partitions and other types of changes are too sensitive to be handled in a multimaster fashion, specific domain controllers are assigned to handle these operations. Because these specific domain controllers handle these particular functions (sometimes referred to as single-master operations), they are the only places within the domain or forest where the copies of these databases are read/write. Everywhere else a copy of these databases resides, it is a read-only copy.

[NOTES FROM THE FIELD] - The read-only database copies of the Schema and Configuration partition operate just like the old domain (SAM) data did under NT4.

Any changes to the SAM database in NT4 had to go to the PDC. Any changes that need to be made to the Schema, for example, go to the Schema Master.


Schema Master Domain Controller

There are certain Flexible Single Masters of Operation (FSMO) roles that are Forest Wide Operations Master Roles. This means that no matter how many domains exist in the forest, you will only have one of those particular FSMO servers in the forest.

The Schema Master Domain Controller handles all of the updates and modifications to the Windows 2000 Active Directory Schema, and you must have access to the Schema Master to make the changes. There can be only one Schema Master in the entire forest, and you must be a member of the Schema Administrators group to make changes to the Schema.

The image below shows a single forest structure with two domain trees. Each tree has a root domain and two child domains. There is ONE Schema Master Domain Controller in this forest.

By default, the Schema Master is installed on the first domain controller in the forest, and if that domain has only one domain controller, that domain controller holds all the per-forest and per-domain FSMO roles. In most environments there is more than one domain controller installed, and it is a best practice to install at least two even in the smallest environments.

The Windows 2000 Active Directory Schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as computers, users, and printers, for that forest. The domain controller that holds the Schema Master role is the only domain controller that can perform write operations to the Active Directory Schema. These Schema updates are replicated from the Schema Operations Master to all other Domain Controllers in the forest as read-only replicas. The Windows 2000 Active Directory Schema is not accessible across the domains in multimaster fashion, as it is too sensitive a structure to allow these types of changes. Multimaster updates to the Schema, in the case where two or more domain controllers were allowed to attempt to update the schema at the same time, would most likely result in continuity issues, and therefore it is kept to a single-master operation, where there is only one read/write copy of the Schema, held by the Schema Master Domain Controller.

All of the objects across all the domains in a single forest have a specific and common set of object classes and attributes assigned to them.

Object classes describe the directory objects that can be created; users and printers are just a couple of examples. Each object class is a collection of attributes that can be assigned to it. A user object might have a hire date attribute attached to it that can be defined, and a printer object would not. Likewise, a printer object might have an installation date attribute attached to it, and a user object would not.


Transferring FSMO Domain Controller Roles

Once additional domain controllers have been installed in the forest, it is recommended to move some of the load off of the forest root domain controller (the original domain controller installed in the forest and domain, which holds all the per-forest and per-domain roles). Operations Master role transfers take place in conjunction with the current (active) Operations Master. That is, when you move the Schema Master from the default Domain Controller to another Domain Controller in the forest, that is considered a transfer. When you use this controlled transfer process, the original Operations Master server and the new one can properly synchronize their directory databases to ensure that the directory is up to date when the "final" hand-off is made.

The Schema Master domain controller and the Domain Naming Master operation master roles should be placed on the same domain controller for best practices where security and maintenance are concerned.

[NOTES FROM THE FIELD] - If and when you should decide to start updating the domain controller role owners of the different Operations Masters, you need to be aware that the Schema Administrators are the default user accounts that have the rights to change the Schema Master role owner, the Enterprise Administrators are the default user accounts that have the rights to change the Domain Naming Master role owner, and the Domain Administrators are the default user accounts that have the right to change the domain wide Operation Master role owners.

Default does not mean that manually modified accounts CANNOT perform these functions; it simply means that with their default standard settings, these are the built-in accounts that have the proper permission level to perform the desired transfer function.

Below is a chart of which FSMO roles can be handled using which MMC Snap-In.

FSMO Role                    Snap-in used for administration
Schema master                Active Directory Schema
Domain naming master         Active Directory Domains and Trusts
Relative identifier master   Active Directory Users and Computers
PDC emulator                 Active Directory Users and Computers
Infrastructure master        Active Directory Users and Computers

In order to transfer the FSMO server role, it may be necessary to find out which Domain Controller holds the role if this isn't well documented in your environment.

In order to determine which Domain Controller holds the role of the Schema Master in the case where you are not sure, you would need to use the Active Directory Schema snap-in.

[NOTES FROM THE FIELD] - Because editing the Schema directly is highly inadvisable, this tool is disabled by default. You need to register the DLL for the MMC snap-in before you can use it.

In order to use the Active Directory Schema MMC you need to register the schmmgmt.dll file. This is done by going to either a command prompt or to the RUN line of the start menu and typing "regsvr32.exe <systemroot>\system32\schmmgmt.dll", where <systemroot> is the installation path of the operating system on your computer.

A message will appear that shows the registration of the DLL succeeded, and you can click OK to close the dialog box.

The Active Directory Schema MMC will not automatically show up in the Administration tools folder. You will need to create a custom Microsoft Management Console and add the Active Directory Schema snap-in to the console, and then save it for future use.

This is done by typing MMC at the RUN line from the Start Menu, selecting CONSOLE from the menu bar and continuing by selecting ADD/REMOVE SNAP IN, which opens the Add Standalone Snap-In window, where you can choose the Active Directory Schema snap-in.

[NOTES FROM THE FIELD] - If you were to run MMC before you registered the schmmgmt.dll file, the option to select the Active Directory Schema would not be available under normal circumstances.

Once you've done this, you can fire it up and in the console tree, right-click Active Directory Schema, and then select "Operations Master" from the menu, which will show you the name of the current schema master in the Change Schema Master dialog box. (You do not have to change it if you are only looking to see which server it is.)

[NOTES FROM THE FIELD] - There are particular circumstances where role transfers happen automatically. If you were to run DCPROMO on the Schema Master to demote the Domain Controller to a member server, the Operation Master Role of Schema Master would be passed to whichever Domain Controller the current Schema Master could reach.

To properly control the transfer of Operation Master Roles to the other Domain Controllers, you should transfer the Operation Master Roles before performing Domain Controller demotions.


Viewing FSMO Domain Controller Roles using NTDSUTIL

NTDSUTIL is included with Windows 2000 Server, and one of its many uses is viewing the Flexible Single Master Operation roles known to a specified Domain Controller.

You can start NTDSUTIL from either the RUN box in the Start Menu or from the command prompt; both will start the command-line utility the same way.

The following commands can be used once the utility has started:

E:\WINNT\System32\NTDSUTIL.exe:

 ? - Print this help information
Authoritative restore - Authoritatively restore the DIT database
Domain management - Prepare for new domain creation
Files - Manage NTDS database files
Help - Print this help information
IPDeny List - Manage LDAP IP Deny List
LDAP policies - Manage LDAP protocol policies
Metadata cleanup - Clean up objects of decommissioned servers
Popups %s - (en/dis)able popups with "on" or "off"
Quit - Quit the utility
Roles - Manage NTDS role owner tokens
Security account management - Manage Security Account Database - Duplicate SID Cleanup
Semantic database analysis - Semantic Checker

For the purposes of finding the Flexible Single Master Operation roles on a specified Domain Controller we would opt to use the ROLES command, which will put NTDSUTIL in FSMO MAINTENANCE MODE.

E:\WINNT\System32\NTDSUTIL.exe: roles
fsmo maintenance: help


? - Print this help information
Connections - Connect to a specific domain controller
Help - Print this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master

Once in FSMO MAINTENANCE MODE we would enter "Select operation target" to put NTDSUTIL into that command mode.

fsmo maintenance: Select operation target
select operation target: help


? - Print this help information
Connections - Connect to a specific domain controller
Help - Print this help information
List current selections - List the current site/domain/server/Naming Context
List domains - Lists all domains which have Cross-Refs
List domains in site - Lists domains in the selected site
List Naming Contexts - Lists known Naming Contexts
List roles for connected server - Lists roles connected server knows about
List servers for domain in site - Lists servers for selected domain and site
List servers in site - Lists servers in selected site
List sites - List sites in the enterprise
Quit - Return to the prior menu
Select domain %d - Make domain %d the selected domain
Select Naming Context %d - Make Naming Context %d the selected Naming Context
Select server %d - Make server %d the selected server
Select site %d - Make site %d the selected site

select operation target:

Once in "Select operation target" mode we would then enter CONNECTIONS to put the utility into "server connections" mode.

select operation target: Connections
server connections:


? - Print this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Print this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd
Use "NULL" for null password

From here you would enter "Connect to server <SERVERNAME>" (In the example below, the name of my server is mainserver)

server connections: Connect to server mainserver
Binding to mainserver ...
Connected to mainserver using credentials of locally logged on user
server connections:

Your connection is made using the credentials of the locally logged on user. There is no other information displayed after a successful connection; you are simply left at the server connections: prompt. In order to back up one menu from here to perform "List roles for connected server", you would first type QUIT at the server connections: prompt.

server connections: quit

From the select operation target: prompt you would then type "List roles for connected server"

select operation target: List roles for connected server

Server "mainserver" knows about 5 roles

Schema - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PII400,DC=home,DC=local

Domain - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PII400,DC=home,DC=local

PDC - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PII400,DC=home,DC=local

RID - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PII400,DC=home,DC=local

Infrastructure - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=PII400,DC=home,DC=local

select operation target:

[NOTES FROM THE FIELD] - MAINSERVER holds all five FSMO roles. MAINSERVER is a Pentium II 400MHz system with 256MB of RAM and an 8.4 GB 5400RPM hard drive. Sitting idle, the processor runs at 8% and uses 128MB of the installed RAM.


Finding FSMO Domain Controller Roles using ADSI and WSH

You can also use Active Directory Services Interface and the Windows Script Host to show you the Flexible Single Master of Operations role owners for a specified domain or domain controller.

You would need to cut and paste the following code into a text file and then save the file as <FILENAME>.vbs.

-----CODE BEGINS HERE-----

Option Explicit
Dim WSHNetwork, objArgs, ADOconnObj, bstrADOQueryString, RootDom, RSObj
Dim FSMOobj, CompNTDS, Computer, Path, HelpText

Set WSHNetwork = CreateObject("WScript.Network")
Set objArgs = WScript.Arguments

HelpText = "This script will find the FSMO role owners for your domain." & vbCrLf & _
           "The syntax is as follows:" & vbCrLf & _
           "find_fsmo DC=MYDOM,DC=COM" & vbCrLf & _
           """Where MYDOM.COM is your domain name.""" & vbCrLf & "OR:" & vbCrLf & _
           "find_fsmo MYDCNAME " & vbCrLf & _
           """Where MYDCNAME is the name of a Windows 2000 Domain Controller"""

' Work out where to search: a DC name or the DN of a domain, taken from the
' command line or from a prompt that defaults to the local computer name.
Select Case objArgs.Count
    Case 0
        Path = InputBox("Enter your DC name or the DN for your domain" & _
                        " 'DC=MYDOM,DC=COM':", "Enter path", WSHNetwork.ComputerName)
        If Path = "" Then WScript.Quit   ' Cancel pressed or nothing entered
    Case 1
        Select Case UCase(objArgs(0))
            Case "?", "/?", "HELP"
                WScript.Echo HelpText
                WScript.Quit
            Case Else
                Path = objArgs(0)
        End Select
    Case Else
        WScript.Echo HelpText
        WScript.Quit
End Select

' Open an ADO connection through the ADSI OLE DB provider and bind to RootDSE,
' which tells us the schema and configuration naming contexts of the forest.
Set ADOconnObj = CreateObject("ADODB.Connection")
ADOconnObj.Provider = "ADSDSOObject"
ADOconnObj.Open "ADs Provider"
Set RootDom = GetObject("LDAP://RootDSE")

' Every role owner is found the same way: search the given naming context for
' the one object of the given class that carries fSMORoleOwner. That attribute
' holds the DN of the owning DC's NTDS Settings object; its parent is the
' server object, whose dnsHostName is the name we want.
Sub ShowOwner(RoleName, SearchBase, ObjectClass)
    bstrADOQueryString = "<LDAP://" & SearchBase & ">;(&(objectClass=" & ObjectClass & _
                         ")(fSMORoleOwner=*));adspath;subtree"
    Set RSObj = ADOconnObj.Execute(bstrADOQueryString)
    Set FSMOobj = GetObject(RSObj.Fields(0).Value)
    Set CompNTDS = GetObject("LDAP://" & FSMOobj.fSMORoleOwner)
    Set Computer = GetObject(CompNTDS.Parent)
    WScript.Echo "The " & RoleName & " FSMO is: " & Computer.dnsHostName
End Sub

' Domain-wide roles live in the domain partition (the path entered above).
ShowOwner "PDC", Path, "domainDNS"
ShowOwner "RID", Path, "rIDManager"
ShowOwner "Infrastructure", Path, "infrastructureUpdate"

' Forest-wide roles live in the schema and configuration partitions.
ShowOwner "Schema", RootDom.Get("schemaNamingContext"), "dMD"
ShowOwner "Domain Naming", RootDom.Get("configurationNamingContext"), "crossRefContainer"
-----CODE ENDS HERE-----

After you have saved the code, you can run it by double clicking on it. The first box that will appear will be the ENTER PATH box. By default it will have the name of the local server already entered.

Selecting OK will allow the script to continue, and it will output the roles it finds on the server that you entered.

If the server entered has no roles or some other network error is encountered, you will receive an error message. (An example of the output from a Windows 2000 Professional system not in a domain is below.)
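As an added example (not code from the original article or its author): a Python parser for the NTDSUTIL "List roles for connected server" listing shown earlier, which walks the fSMORoleOwner DN the same way the VBScript does with CompNTDS.Parent (NTDS Settings, then server, then site) and checks the placement advice given above. The sample listing is constructed; the second DC (DC2), the site (Boston) and the forest name (example.local) are assumptions.

```python
import re

# Constructed sample in the format NTDSUTIL prints for
# "List roles for connected server"; here the two forest-wide roles
# have been transferred to an assumed second DC (DC2) in an assumed site (Boston).
SAMPLE_OUTPUT = """\
Server "mainserver" knows about 5 roles

Schema - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=example,DC=local
Domain - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=example,DC=local
PDC - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
RID - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Infrastructure - CN=NTDS Settings,CN=MAINSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
"""

# "Domain" in the NTDSUTIL listing is the Domain Naming master.
FOREST_WIDE = ("Schema", "Domain")
DOMAIN_WIDE = ("PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (CN=.+)$")

def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs. A comma escaped with a
    backslash inside a value does not end the RDN."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns

def owner_from_dn(dn):
    """fSMORoleOwner holds the DN of the owner's NTDS Settings object:
    CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,<root>
    One level up is the server object (where the VBScript reads dnsHostName),
    two more up is the site. Returns (server, site, forest root)."""
    rdns = split_dn(dn)
    expected = {0: ("CN", "NTDS Settings"), 2: ("CN", "Servers"),
                4: ("CN", "Sites"), 5: ("CN", "Configuration")}
    if len(rdns) < 7 or any(rdns[i] != v for i, v in expected.items()):
        raise ValueError("not an NTDS Settings DN: " + dn)
    forest = ".".join(v for a, v in rdns[6:] if a.upper() == "DC")
    return rdns[1][1], rdns[3][1], forest

def parse_roles(text):
    """Map each role in the NTDSUTIL listing to (server, site, forest root)."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            roles[m.group(1)] = owner_from_dn(m.group(2))
    return roles

def check_placement(roles):
    """Apply the article's placement advice; returns a list of findings,
    empty when nothing needs attention."""
    findings = []
    missing = [r for r in FOREST_WIDE + DOMAIN_WIDE if r not in roles]
    if missing:
        findings.append("roles not reported: " + ", ".join(missing))
    holders = {owner[0] for owner in roles.values()}
    if len(holders) == 1 and not missing:
        findings.append("all five roles sit on %s; spread the load once more "
                        "domain controllers exist" % holders.pop())
    schema, naming = roles.get("Schema"), roles.get("Domain")
    if schema and naming:
        if schema[0] != naming[0]:
            findings.append("Schema Master (%s) and Domain Naming Master (%s) "
                            "are on different DCs" % (schema[0], naming[0]))
        if schema[2] != naming[2]:
            findings.append("forest-wide roles report different forest roots")
    return findings

if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_OUTPUT)
    for role, owner in parsed.items():
        print("%-14s server=%s site=%s forest=%s" % ((role,) + owner))
    print(check_placement(parsed) or "placement follows the article's advice")
```

Feed it the text you copied out of your own NTDSUTIL session instead of SAMPLE_OUTPUT to see where each role really sits in your forest.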

Seizing FSMO Domain Controller Roles

After the Operations Master roles have been spread out and balanced on other Domain Controllers in the forest, it normally is not necessary to change them again unless something in the environment has changed. Operations Master roles can be seized if the situation calls for it.

Role seizure happens when the original Operations Master halts, be it temporarily or permanently. In the case of a short temporary stoppage of an Operations Master such as a BSOD, or a somewhat longer one, say a drive failure where a restore from backup might be required, it is not necessarily recommended to perform a role seizure.

[NOTES FROM THE FIELD] - The loss of WAN links can make it appear as if certain FSMO servers have been "lost" to certain network segments and remote sites when this is clearly not the case.

The Infrastructure Master and the PDC Emulator Operations Master domain controllers can temporarily go offline and alternate domain controllers can safely seize their roles. When these original Operations Master domain controllers are brought back online after their failure, they are the only two that can take their original roles back without major difficulty.

When the Schema Master, Domain Naming Master, or RID Master roles are seized by other Domain Controllers for any reason, you cannot bring the original Operations Master domain controller back online without potentially suffering major forest-wide issues, or domain-wide issues in the case of the RID Operations Master.

The temporary loss of the Schema FSMO Domain Controller is not visible to network users or to most normal, everyday network administration; both can continue normally in most cases. The only way the loss of the Schema Master would become evident to an Administrator is when they try to modify the schema manually or install an application that modifies the schema during installation, such as Exchange 2000.

If the Schema Master remains offline for longer than is acceptable for your environment, you can seize the role by following these steps:

To seize the Schema FSMO Domain Controller role using NTDSUTIL, click on the Start menu, select RUN, and type NTDSUTIL in the RUN box.

At the NTDSUTIL prompt, type the ROLES command, which will put NTDSUTIL in FSMO MAINTENANCE MODE.

Once you are in FSMO MAINTENANCE MODE, type CONNECTIONS.

Once you are in SERVER CONNECTIONS MODE, type CONNECT TO SERVER followed by the fully qualified domain name of the Domain Controller that is to take the role.

At the SERVER CONNECTIONS prompt, type QUIT.

At the FSMO MAINTENANCE prompt, type SEIZE SCHEMA MASTER.

At the FSMO MAINTENANCE prompt, type QUIT.

At the NTDSUTIL prompt, type QUIT.

[NOTES FROM THE FIELD] - The offline Domain Controller that has the Schema Master role seized from it while it was out of commission must never be brought back online. The system should be completely wiped. It's a running "recommendation" by instructors and seasoned network administrators that the system drives should be reformatted twice before rebuilding the server, just to fully accentuate the need to NEVER bring the server back online as a Schema Master in that domain again.

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week - Active Directory Schema Master. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,


When your buddy the cheapskate says "YOU GET THIS ONE, NEXT ROUND IS ON ME," realize that he's probably leaving right after this round.


Jason Zandri
Jason@Zandri.net
www.2000trainers.com