When working with Active Directory domains, admins must know how to work with the Flexible Single Master Operation (FSMO) roles and how these are used. One of the critical FSMO roles is the Schema Master. What does the Schema Master FSMO role do, and can this role be transferred if needed?
What are Flexible Single Master Operation roles?
Flexible Single Master Operation (FSMO) roles are essential in managing and operating an Active Directory Domain Services environment. These specific roles prevent conflicts and ensure the smooth functioning of various tasks within the network. Here’s a closer look at each role:
- Schema Master Role: The Schema Master controls all updates and modifications to the Active Directory schema. This is where class and attribute definitions for all objects within the Active Directory are stored. There can be only one Schema Master in the entire Active Directory forest.
- Domain Naming Master Role: Responsible for adding and removing domains within an Active Directory forest. It ensures that each domain name is unique across the forest. As with the Schema Master, there is only one Domain Naming Master in the entire forest.
- Infrastructure Master Role: The Infrastructure Master is tasked with updating references from objects in its domain to objects in other domains. It ensures that cross-domain object references are correctly handled. Each domain within the forest has its own Infrastructure Master.
- RID Master Role (Relative ID Master): Within each domain, the RID Master allocates pools of unique identifiers (Relative IDs) to different domain controllers. This ensures that every object within the domain receives a unique ID. Every domain has a unique RID Master.
- PDC Emulator Role (Primary Domain Controller Emulator): This role is essential for backward compatibility and functions as a Primary Domain Controller (PDC) for pre-Windows 2000 clients. It also handles password changes and time synchronization within the domain. Each domain has its own PDC Emulator.
- Global Catalog Server (Optional): Although not an FSMO role, the Global Catalog Server stores a full copy of all objects in the directory for its host domain and a partial copy for all other domains in the forest. It facilitates searches and logins across the entire forest.
- Transfer FSMO Roles and Transfer Schema Master: An important aspect of FSMO roles management is the ability to transfer roles between domain controllers if needed. This can be done for various reasons such as maintenance, hardware upgrades, or ensuring optimal performance.
Schema master in detail
Schema Master is an FSMO role in Active Directory Domain Services (AD DS) responsible for making changes to the Active Directory schema. The schema stores descriptions of all Active Directory classes and attributes. The schema partition exists on all DCs; it is called the schema naming context and is located at LDAP://cn=schema,cn=configuration,dc=<domain>.
Domain administrators make changes to the AD schema quite rarely: for example, when you need to extend the schema using adprep/forestprep, perform an AD schema update (upgrade the domain functional level), or install Exchange Server, Skype for Business Server, or another enterprise application that stores object configuration and properties in an Active Directory partition.
Overview of Schema Master Role in Active Directory Domain
There can be only one domain controller with the Schema Master role in the AD forest (it is a forest-level FSMO role). Only the domain controller that owns this role can make changes to the Active Directory schema (it holds the only read-write copy of the schema partition). After the forest schema is updated, the changes are replicated from the Schema Master to the other domain controllers in the AD forest. This role is necessary to prevent conflicting schema changes from two domain controllers.
The AD schema is a set of objects and their attributes used to store different data. In the screenshot below you can see the user class in the AD schema that defines all the available attributes of the user account object (like employee ID, phone number, email address, SamAccountName and UserPrincipalName, etc.).
You can fill in all of these attributes for any domain user account. You can view the attributes of any domain user account and their values using the Active Directory Users and Computers snap-in (ADUC console) or the ADSIEdit.msc tool. All the tabs and information you see in the properties of any Active Directory object are defined by the AD schema.
For example, suppose you want to check the attribute values of the built-in domain administrator account using ADSIEdit.
Open the adsiedit.msc console and connect to the Default naming context. Find the user object in the AD hierarchy and open its Properties.
You can see the object has all the attributes that are defined in the user class (you can display only attributes that have values by pressing the Filter button).
Microsoft recommends the following best practices in placement and administration of the Active Directory schema:
- Always back up Active Directory before changing the schema. Before making schema changes, you can shut down all domain controllers except the one that owns the Schema Master role. Then take a system state backup of that domain controller, make the necessary changes, and if everything is fine, turn the other DCs back on. If something went wrong, restore the running controller from the backup, turn on the remaining DCs, and then investigate the problem;
- It is recommended to keep the Domain Naming Master and Schema Master roles on the same DC (they are rarely used and should be strictly controlled), which should also be a Global Catalog (GC) server;
- If you have lost the server that held the Schema Master role, you can seize the role on any other domain controller. Keep in mind that the original Schema Master must never be brought back onto the network afterwards;
- Perform manual schema changes only when strictly necessary. If a change must be made, follow item 1 above.
If the DC that owns the Schema Master role is unavailable, changing the AD schema is impossible. However, the schema is not upgraded often (as a rule, when installing new DCs with a newer Windows Server version or installing other enterprise products, such as Exchange). A temporary loss of the DC running the Schema Master role is not noticeable to domain users; the Schema Master role owner can remain offline for years without noticeable effect. If the server running the Schema Master role is broken, you can simply assign this role to any other online domain controller.
To manage AD schema and transfer the Schema Master role between domain controllers, use the Active Directory Schema mmc snap-in. However, to enable this console, you must first register the dynamic library Schmmgmt.dll.
- Open the elevated Command prompt;
- Run the command:
regsvr32 schmmgmt.dll
To manage the AD schema, you must be a member of the Schema Admins Active Directory group. By default, only the built-in domain administrator account is a member of this group.
For security reasons, Microsoft does not recommend adding other administrator accounts to the Schema Admins group. If you need to change the AD schema, add your account to this group, log in to the DC under your account, perform the desired schema modification, and then remove your account from the group. Membership in the Schema Admins group is needed only to modify the AD schema; it doesn’t grant any additional permissions in Active Directory.
You can add an admin account to the Schema Admins group, or remove it from the group, using the ADUC console or PowerShell:
Add-ADGroupMember -Identity "Schema Admins" B.Jackson
Remove-ADGroupMember -Identity "Schema Admins" B.Jackson
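The following is an added example (not code from the original article) that turns the advice above into two reusable pieces: an audit that lists every nested member of Schema Admins and flags anything other than the built-in Administrator (RID 500), and a wrapper that guarantees a temporarily added account is removed again even if the schema change fails. It assumes the ActiveDirectory module is installed; B.Jackson is a placeholder account name.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session; B.Jackson is a placeholder.
Import-Module ActiveDirectory

function Get-SchemaAdminsAudit {
    # Lists every (nested) member of Schema Admins and marks whether it is the
    # built-in domain Administrator (RID 500), the only member expected by default.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADGroupMember -Identity "Schema Admins" -Recursive | ForEach-Object {
        [pscustomobject]@{
            Member    = $_.SamAccountName
            Class     = $_.objectClass
            IsBuiltIn = ($_.SID.Value -eq "$domainSid-500")
        }
    }
}

function Invoke-WithTemporarySchemaAdmins {
    param(
        [Parameter(Mandatory)] [string]      $Account,
        [Parameter(Mandatory)] [scriptblock] $SchemaChange
    )
    # Group membership is evaluated at logon, so $SchemaChange must run in a
    # new logon (e.g. a command that takes -Credential for $Account) for the
    # added membership to take effect. The try/finally only guarantees that
    # the account is removed from Schema Admins again, even on failure.
    Add-ADGroupMember -Identity "Schema Admins" -Members $Account
    try {
        & $SchemaChange
    }
    finally {
        Remove-ADGroupMember -Identity "Schema Admins" -Members $Account -Confirm:$false
        Write-Verbose "Removed $Account from Schema Admins" -Verbose
    }
}

# Any member that is not the built-in Administrator is the finding to act on
Get-SchemaAdminsAudit | Where-Object { -not $_.IsBuiltIn }
```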
How to Check the Active Directory Schema Version?
Each time you install a domain controller running a newer version of Windows Server, the Active Directory schema version is updated. The following table lists the Active Directory schema versions:
Windows Server version | AD Schema objectVersion
Windows 2000 | 13
Windows 2003 | 30
Windows 2003 R2 | 31
Windows 2008 | 44
Windows 2008 R2 | 47
Windows 2012 | 56
Windows 2012 R2 | 69
Windows Server 2016 | 87
Windows Server 2019 | 88
Windows Server 2022 | 88
You can find out the current version of the schema in your domain using PowerShell:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
In this example, the AD schema version (objectVersion) is 87, which corresponds to Windows Server 2016.
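Because the schema partition exists on every DC, the single query above only tells you what the DC you happen to be connected to has replicated. The following added example (not from the original article) queries objectVersion on every domain controller in the forest, maps the value through the table above, and flags any DC that still carries an older version than the rest. It assumes the ActiveDirectory module and reachability of all DCs.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module and that every DC in the forest answers LDAP queries.
Import-Module ActiveDirectory

# objectVersion -> Windows Server version, taken from the article's table
$SchemaVersions = @{
    13 = 'Windows 2000';      30 = 'Windows 2003';    31 = 'Windows 2003 R2'
    44 = 'Windows 2008';      47 = 'Windows 2008 R2'; 56 = 'Windows 2012'
    69 = 'Windows 2012 R2';   87 = 'Windows Server 2016'
    88 = 'Windows Server 2019/2022'
}

function Get-SchemaVersionReport {
    $forest   = Get-ADForest
    $schemaNc = (Get-ADRootDSE).schemaNamingContext   # same DN on every DC

    $rows = foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                $v   = (Get-ADObject $schemaNc -Properties objectVersion -Server $dc.HostName).objectVersion
                $err = $null
            } catch {
                $v   = $null
                $err = $_.Exception.Message
            }
            [pscustomobject]@{
                DC            = $dc.HostName
                Domain        = $domain
                ObjectVersion = $v
                WindowsServer = if ($v -and $SchemaVersions.ContainsKey([int]$v)) { $SchemaVersions[[int]$v] } else { 'unknown' }
                Error         = $err
            }
        }
    }

    # The highest version seen is what the Schema Master has already replicated;
    # any DC below it has not received the schema update yet (or is unreachable).
    $expected = ($rows | Where-Object ObjectVersion | Measure-Object -Property ObjectVersion -Maximum).Maximum
    $rows | Select-Object *, @{ n = 'Lagging'; e = { $_.ObjectVersion -ne $expected } }
}

Get-SchemaVersionReport | Format-Table -AutoSize
```

A DC that stays "Lagging" after the normal replication interval is worth checking with repadmin before it is treated as a schema problem.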
Moving Schema Master Role to Another Domain Controller
The Schema Master role is installed by default on the first DC in the first domain in the AD forest. You can move this FSMO role to any domain controller within the forest. But keep in mind that if the Schema Master is not available, it won’t be possible to change the AD schema.
If the DC running the Schema Master role is broken, you can assign (move) the role to any other online domain controller.
Information about which DC currently holds the Schema Master FSMO role is stored in the fSMORoleOwner attribute of the schema partition root object (CN=Schema).
You can find the current FSMO role holders in the domain using the following command:
netdom query fsmo
To identify the FSMO role owners that are not in the current domain, use the command:
netdom query fsmo /domain:<DomainName>
Schema master DC1.theitbros.com
Domain naming master DC1.theitbros.com
PDC DC07.corp.theitbros.com
RID pool manager DC07.corp.theitbros.com
Infrastructure master DC07.corp.theitbros.com
The command completed successfully.
You can also quickly find the Schema master owner using the following PowerShell command:
Get-ADForest theitbros.com | ft SchemaMaster
To transfer the Schema Master FSMO role, use the Active Directory Schema console:
- Open mmc.exe;
- Click File > Add/Remove snap-in;
- Select Active Directory Schema item and press Add > OK;
- Right-click on the root of the console, select Change Active Directory Domain Controller, and select the DC on which you want to transfer the role;
- Next, select Operation Masters and press the Change button;
Tip. You can’t change the Schema Master role owner from the source server.
You can also use the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole to transfer FSMO roles in the AD forest. To use this cmdlet, you need to install and import the Active Directory module.
For example, to transfer the Schema Master role to the domain controller DC2, run the command:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" SchemaMaster
Or:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole 3
To forcibly seize an FSMO role with PowerShell, add the -Force option to the commands above. Seize a role only when the domain controller that owns it fails to boot, is broken, or cannot be recovered.
Also, you can transfer the Schema master role using the ntdsutil command.
- Run the elevated cmd on the DC and type the ntdsutil command;
- Type: roles;
- On the FSMO Maintenance prompt type: connections;
- Specify the DC name on which you want to transfer the FSMO role: connect to server DC2;
- On the server connection prompt type: q;
- To move the Schema Master role to the DC you connected to, type: Transfer Schema Master;
- Press Yes in the prompt dialog.
Now you can check the current Schema Master role owner.
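As an added example (not code from the original article) covering both the fSMORoleOwner attribute mentioned earlier and the transfer procedure, the script below resolves the current Schema Master directly from the schema partition, moves the role to a target DC with Move-ADDirectoryServerOperationMasterRole, and verifies the result before reporting success. It assumes the ActiveDirectory module; the function names and the DC2 target are the author's own choices, not part of the original.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module; Get-SchemaMasterFromAttribute and Move-SchemaMasterChecked are
# hypothetical helper names chosen for this example.
Import-Module ActiveDirectory

function Get-SchemaMasterFromAttribute {
    # fSMORoleOwner on CN=Schema holds the DN of the owner's "NTDS Settings"
    # object; its parent is the server object, whose dNSHostName is the DC FQDN.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $ntdsDn   = (Get-ADObject $schemaNc -Properties fSMORoleOwner).fSMORoleOwner
    $serverDn = ($ntdsDn -split ',', 2)[1]        # drop the leading "CN=NTDS Settings,"
    (Get-ADObject $serverDn -Properties dNSHostName).dNSHostName
}

function Move-SchemaMasterChecked {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,   # e.g. "DC2"
        [switch] $Force                              # seize instead of transfer
    )
    $target = Get-ADDomainController -Identity $TargetDC
    if (-not $target.IsGlobalCatalog) {
        Write-Warning "$($target.HostName) is not a Global Catalog (recommended for the Schema Master)"
    }

    $before = Get-SchemaMasterFromAttribute
    if ($before -ieq $target.HostName) {
        return "Nothing to do: $before already holds the Schema Master role"
    }

    # -Force seizes the role; the previous owner must then never rejoin the network.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole SchemaMaster -Force:$Force -Confirm:$false

    # Verify through the forest object rather than trusting the cmdlet's silence
    $after = (Get-ADForest).SchemaMaster
    if ($after -ine $target.HostName) {
        throw "Transfer did not complete: Schema Master is still $after"
    }
    "Schema Master moved from $before to $after"
}

Move-SchemaMasterChecked -TargetDC "DC2"
```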
Frequently asked questions
How do you Transfer the Schema Master FSMO Role or Other Roles between Domain Controllers?
Transferring FSMO roles, such as the schema master FSMO role or RID master FSMO role, is essential in managing an Active Directory network. It may be done through administrative tools like “Active Directory Users and Computers” or the command line. The process involves selecting the target domain controller and initiating the transfer, ensuring that both the source and target controllers are within the same Active Directory site to prevent delays.
What Happens if there’s Only One Domain Controller or Multiple Domain Controllers in a Network?
Having only one domain controller can pose a risk as it becomes a single point of failure. Multiple domain controllers, on the other hand, provide redundancy and facilitate multi-master replication. However, tasks like managing the domain’s RID master must be handled carefully to prevent conflicts.
How does the Infrastructure Master Role Interact with Global Catalog Servers?
The infrastructure master role updates references to objects in other domains. It may create cross-domain object reference issues if it coexists with a global catalog server in the same domain. This complexity can be managed by understanding the roles in Active Directory and configuring them appropriately.
Can there be More Than One RID Master or Schema Master in a Domain or Forest?
Within a particular domain, there can only be one RID master, while across the entire Active Directory forest, there is only one schema master. These limitations are part of the single master model of FSMO roles, which prevents conflicting updates and maintains consistency.
What is the Connection Between the PDC Emulator Role and the Primary Domain Controller PDC?
The PDC emulator role is vital in emulating the primary domain controller’s (PDC) behavior for legacy systems. It handles tasks like password synchronization and time coordination. The role holder for the PDC emulator might also serve as a bridge between the modern operations master roles and older systems that rely on the traditional PDC setup.
Wrapping up
Understanding the importance of the Schema Master FSMO role and knowing how to use and transfer this and other roles in Active Directory is vital for a systems administrator. Understanding how to troubleshoot and even seize roles like the Schema Master when needed is also a crucial part of managing Active Directory Domain Services, allowing admins to keep AD DS working efficiently and problem free.
1 comment
Your site is detailed and very helpful! I was able to transfer the Schema Master using the NTDS Util method you provided, and all went well. Thank you for posting this…keep up the obvious great work!