

Active Directory: Transferring and Seizing the RID Master role

This article describes the ways to move the RID Master FSMO role and the manual actions that may be needed afterwards to ensure your Active Directory environment keeps working properly.

 


1. Introduction

Flexible Single Master Operation (FSMO) roles are five special roles assigned to Domain Controllers in an Active Directory environment. The RID Master role is responsible for managing the Relative Identifier (RID) pools needed to generate correct SID values for each Active Directory object. This role requires special attention, because manual actions must be taken by the Domain Administrator after the role is seized.

 



2. How to move a role

There are several ways to transfer or seize FSMO roles in general, and the RID Master role in particular.



2.1 GUI: Active Directory Users and Computers

You can use the ADUC snap-in to transfer the RID Master role:

  • Open the Active Directory Users and Computers snap-in
  • Navigate to the domain and right-click on it
  • (Optional) Choose Change Active Directory Domain Controller
  • (Optional) Select the DC you want to assign the role to
  • Choose Operations Master
  • You will then have the option to transfer the role to the Domain Controller that your snap-in is connected to.

Please note that you cannot seize an FSMO role using the GUI.



2.2 Ntdsutil

Ntdsutil is a powerful command-line tool for managing Directory Services. It allows you to transfer or seize FSMO roles. Here is how it is done for the RID Master role:

  • Run the ntdsutil command in an elevated command prompt
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER.

Note: servername is the name of the domain controller you want to assign the FSMO role to.

  • At the server connections prompt, type q, and then press ENTER.
  • Type transfer rid master to transfer the role (use the seize rid master command to seize the role).
  • At the fsmo maintenance prompt, type q, and then press ENTER.
  • Type q, and then press ENTER to quit the Ntdsutil utility.




2.3 PowerShell

As with most Windows Server management tasks, transferring or seizing an FSMO role can be done from PowerShell.

Transfer command syntax:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole RIDMaster

OR

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 1

Seize command syntax:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole RIDMaster -Force

OR

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 1 -Force



3. How to manually fix Role data after seizing

When you transfer an FSMO role, the role data is synchronized between the old and the new Master. When you cannot do that for some reason and have to seize the FSMO role instead, there is obviously no way for this data to be synced. The consequences vary by FSMO role, but for the RID Master they are the most serious: two DCs can end up using the same RID pools to create new objects. You definitely want to avoid this, so you have to perform additional manual actions to fix the role data.

RID Master role data is stored in the DOMAIN\System\RID Manager$ object. The attribute we need is RidAvailablePool. It is a Large Integer value that consists of:

  • High part: 1073741823 (by default, the total number of RIDs that can be created in a domain)
  • Low part: the number marking the beginning of the next RID pool to be allocated

You can use the Ldp command-line tool to view it in a more convenient way: it has a Large Integer Converter under the Utilities menu.

So we need to increase that low part to make sure that, if the previous RID Master had issued RID pools we are not aware of, we do not get any conflicts when issuing new ones. The size of a RID pool can be checked under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\RID Block Size registry key. Depending on the number of Domain Controllers you have, choose the number by which you increase the low part, then simply add that number to the RidAvailablePool value. You can verify that the result is what you expect using the same Ldp utility.
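An added PowerShell example (not from the original article) that performs the check and adjustment described in this section: it reads RidAvailablePool from the RID Manager$ object, splits it into the high and low parts, computes a raised low part and, only when -Apply is given, writes it back on the RID Master. The parameter names, the default margin of one RID block per DC, and the fallback block size of 500 are assumptions of this example; run it in a Domain Admin session with the ActiveDirectory (RSAT) module available.

```powershell
# Added example, not part of the original article. Inspects and optionally
# raises the low part of rIDAvailablePool after a RID Master seizure.
param(
    [int64]$Margin = 0,   # amount to add to the low part; 0 = compute a default
    [switch]$Apply        # without -Apply nothing is written back
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ridMgr = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
# Read from the current RID Master: that is where the attribute is authoritative.
$obj  = Get-ADObject -Identity $ridMgr -Server $domain.RIDMaster -Properties rIDAvailablePool
$pool = [int64]$obj.rIDAvailablePool

# Large Integer layout as the article describes: high 32 bits = total RIDs the
# domain can issue (1073741823 by default), low 32 bits = start of the next pool.
$high = $pool -shr 32
$low  = $pool -band [int64][uint32]::MaxValue

if ($Margin -le 0) {
    # Assumed default margin: one RID block per DC, using the block size from the
    # registry value the article names (falls back to 500 when it is not set).
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values' -ErrorAction SilentlyContinue
    $blockSize = if ($reg.'RID Block Size') { [int64]$reg.'RID Block Size' } else { 500 }
    $dcCount = @(Get-ADDomainController -Filter *).Count
    $Margin  = $blockSize * $dcCount
}

$newLow = $low + $Margin
if ($newLow -ge $high) {
    throw "New low part $newLow would reach the high part $high; refusing to proceed."
}
$newPool = ($high -shl 32) -bor $newLow

[pscustomobject]@{
    RIDMaster   = $domain.RIDMaster
    CurrentHigh = $high
    CurrentLow  = $low
    Margin      = $Margin
    NewLow      = $newLow
    NewPool     = $newPool
} | Format-List

if ($Apply) {
    # The value must only ever increase; write it on the RID Master itself.
    Set-ADObject -Identity $ridMgr -Server $domain.RIDMaster -Replace @{ rIDAvailablePool = $newPool }
    Write-Host "rIDAvailablePool set to $newPool. Verify with the Ldp Large Integer Converter."
}
```

Run it once without -Apply to see the current high and low parts and the proposed new value, and compare the printed NewLow with what Ldp shows before and after the change.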


