So really, what are FSMO roles?


FSMO (pronounced "fiz-mo") roles essentially make certain domain controllers more powerful than their peer DCs, hence the name Flexible Single Master Operation. The word "flexible" is perhaps in there because you have the flexibility to move these roles around (the word "floating" has been used in some places as well). It is the "Single Master Operation" part of the name you really have to focus on: each of these roles is an operation that only one DC at a time can own.

There are a total of five FSMO roles, two at the forest level and three at the domain level. Here is what they are.

Forest Level FSMO roles:

  1. Domain Naming Master – Ensures that each child domain has a unique name.  How often do child domains get added to the forest?  Not very often, I suggest, so the fact that this is a FSMO does not impact normal domain activity.  My point is it’s worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
  2. Schema Master – Operations that involve expanding user properties, e.g. Exchange 2003 / forestprep, which adds mailbox properties to users.  Rather like the Domain Naming Master, changing the schema is a rare event.  However, if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest.  So it's a case of Microsoft knows best: the Schema Master should be a Single Master Operation and thus a FSMO role.

Domain level FSMO roles: 

  1. PDC Emulator – Most famous for backwards compatibility with NT 4.0 BDCs.  However, this role has two other jobs which it performs even in Windows 2003 native-mode domains: synchronizing the W32Time service and creating group policies.  I admit that it is confusing that these two jobs have little to do with PDCs and BDCs. 
  2. RID Master – Each object must have a globally unique number (GUID).  The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers.  For example, DC one is given RIDs 1–4999 and DC two is given RIDs 5000–9999.
  3. Infrastructure Master – Responsible for checking objects in other domains.  Universal group membership is the most important example.  To me, it seems as though the operating system is paranoid that a) you are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions.  So if the Infrastructure Master could not check your Universal Groups there could be a security breach.

You can see your domain-level FSMOs from ADUC (Active Directory Users & Computers): right-click on the domain name and click on Operations Roles; from there you have the ability to transfer these roles as well. Of the forest-level FSMOs, the Domain Naming Master can be looked up from Active Directory Domains and Trusts: right-click on "Active Directory Domains and Trusts" at the top of the left pane and click on Operation Roles. To look up the Schema Master you have to register a DLL and add a snap-in (see here).

As a Windows system admin you should know the importance of the FSMO roles, have a good understanding of what each one does, and know how to transfer and seize them when necessary.
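As an added example (not from the original post), the script below inventories all five role holders with the ActiveDirectory PowerShell module, checks the one placement rule that actually bites in practice (an Infrastructure Master that is also a global catalog in a multi-domain forest stops updating cross-domain group references), and shows the cmdlet that transfers or seizes a role. It assumes the RSAT ActiveDirectory module, which shipped with Windows Server 2008 R2, so it is newer than the 2003/2008 tooling this post discusses; the DC name DC2 in the comment is a placeholder.

```powershell
# Added example (not from the original post): list every FSMO role holder in
# the forest and flag an Infrastructure Master that is also a global catalog
# in a multi-domain forest. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest
    $rows = @()
    # The two forest-wide roles are attributes of the forest object
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $rows += New-Object PSObject -Property @{
            Scope = 'Forest'; Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role
        }
    }
    # The three domain-wide roles exist once per domain, so walk every domain
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += New-Object PSObject -Property @{
                Scope = 'Domain'; Domain = $domainName; Role = $role; Holder = $domain.$role
            }
        }
    }
    $rows
}

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory = $true)] $Inventory)
    $forest = Get-ADForest
    # In a single-domain forest there are no cross-domain references to update,
    # so the IM-on-a-GC combination is harmless there.
    if (@($forest.Domains).Count -le 1) { return @() }
    $warnings = @()
    foreach ($row in ($Inventory | Where-Object { $_.Role -eq 'InfrastructureMaster' })) {
        $holder = Get-ADDomainController -Identity $row.Holder
        $allDCs = Get-ADDomainController -Filter * -Server $row.Domain
        $nonGCs = @($allDCs | Where-Object { -not $_.IsGlobalCatalog })
        # The IM on a GC is only a problem when some other DC in the domain is not a GC
        if ($holder.IsGlobalCatalog -and $nonGCs.Count -gt 0) {
            $warnings += "Infrastructure Master $($row.Holder) in $($row.Domain) is a global catalog while $($nonGCs.Count) DC(s) are not; cross-domain group membership references will go stale."
        }
    }
    $warnings
}

$inventory = Get-FsmoInventory
$inventory | Format-Table Scope, Domain, Role, Holder -AutoSize
Test-InfrastructureMasterPlacement -Inventory $inventory

# Moving a role is one cmdlet. Without -Force it is a graceful transfer that
# needs the current holder online; with -Force it is a seizure for a holder
# that is gone for good (a DC whose Schema, Domain Naming or RID role was
# seized must not be brought back onto the network). DC2 is a placeholder.
#   Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator
```

On Windows Server 2003 the same inventory is available from `netdom query fsmo`, and the GUI paths described above still work; the script simply makes the check repeatable.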

For more detailed reading see this great article, as you may not find a lot of FSMO information in the general MS Press books targeted towards MS certification (at least for the Windows Server 2003 track).

Updating Schema for Windows Server 2008


Updating the schema for your forest is not something you do very often; however, it is a requirement when you introduce a Windows Server 2003 DC into a Windows 2000 domain or when you introduce the first Windows Server 2008 DC into your Windows Server 2003 domain. (There may be other times when you have to do this, such as when adding Exchange to your environment.) Nonetheless, it is a very simple and easy task.

I recently added a Windows Server 2008 domain tree to my existing Windows Server 2003 forest in my lab environment, and here is how you do it. You start out by putting the Windows Server 2008 DVD (in my case it was mounting the ISO image to the VM) on your schema master DC; from the command prompt you go to D:\Sources\adprep\ and you can run the help option "/?" to see the syntax that applies here.


I ran "adprep /forestprep"; you will have to hit C and ENTER to give assurance that all your DCs are at Windows 2000 SP4 level or above. In my case it imported about 14 new schema (".ldf") files and finished successfully.


The next step is to run the "domainprep" syntax from within the same location, and that is to be done on your infrastructure master FSMO role holder (see FSMO). In my case it was a different DC, so the same steps as above, except this time we only had to run the "domainprep" part.


In my case I also ran "adprep /domainprep /gpprep" to update the permissions on my existing GPOs. In the future I may write a FAQ or memory refresher about FSMO roles, as it is imperative to know the importance of these roles and to understand what we did here and why it could only be done on certain FSMO holders.
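As an added example (not from the original post), here is a pre-flight check for the procedure above. It reads the schema version and the schema and infrastructure master owners straight from the directory through ADSI, so it runs on a Windows Server 2003 DC without any extra modules, and tells you whether the machine you are logged on to is the one that should run forestprep or domainprep. The objectVersion-to-release table is Microsoft's published mapping; everything else is assumed to be a normal domain with the default container names.

```powershell
# Added example (not from the original post): a pre-flight check before
# running adprep. Reads the schema version and the FSMO owners via ADSI.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaDn = $rootDse.psbase.Properties['schemaNamingContext'].Value
$domainDn = $rootDse.psbase.Properties['defaultNamingContext'].Value

# objectVersion values on the Schema container for each OS release (published values).
$schemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

function Get-SchemaVersion {
    $schema = [ADSI]"LDAP://$schemaDn"
    $v = [int]$schema.psbase.Properties['objectVersion'].Value
    $name = if ($schemaVersions.ContainsKey($v)) { $schemaVersions[$v] } else { 'unknown' }
    New-Object PSObject -Property @{ Version = $v; Release = $name }
}

# fsmoRoleOwner on a container holds the DN of the owner's NTDS Settings object;
# its parent (the server object) carries the DC's DNS host name.
function Get-RoleOwnerFqdn([string]$ContainerDn) {
    $container = [ADSI]"LDAP://$ContainerDn"
    $ntds = [ADSI]"LDAP://$($container.psbase.Properties['fsmoRoleOwner'].Value)"
    $ntds.psbase.Parent.psbase.Properties['dNSHostName'].Value
}

function Test-AdprepReadiness {
    $local        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $schemaMaster = Get-RoleOwnerFqdn $schemaDn                       # forest-wide role
    $infraMaster  = Get-RoleOwnerFqdn "CN=Infrastructure,$domainDn"   # this domain's role
    New-Object PSObject -Property @{
        LocalHost            = $local
        SchemaVersion        = (Get-SchemaVersion).Version
        SchemaRelease        = (Get-SchemaVersion).Release
        SchemaMaster         = $schemaMaster
        RunForestprepHere    = ($local -ieq $schemaMaster)
        InfrastructureMaster = $infraMaster
        RunDomainprepHere    = ($local -ieq $infraMaster)
    }
}

Test-AdprepReadiness | Format-List
# Expected sequence for this post: version 30 or 31 before "adprep /forestprep"
# on the schema master, 44 afterwards; then "adprep /domainprep /gpprep" on
# the infrastructure master of each domain.
```

Run it once before forestprep and once after: the version jump is the quickest confirmation that the 14 .ldf files were actually applied and replicated to the DC you are looking at.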

Extend your Windows Server 2008 Eval


You can extend the Windows Server 2008 Evaluation copy you have running for trial/demo/testing purposes for up to 240 days now.

“Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days. Note: Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.”

Download your Eval Copy here

More info on extending the evaluation period
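As an added example (not from the original post), the script below reads how many days are left in the current evaluation period and how many re-arms remain, using the software licensing WMI classes that slmgr.vbs itself drives, and only re-arms when the period is nearly over, which is the "wait until close to the end" advice in the quote. The Windows ApplicationId GUID is the well-known one slmgr.vbs uses; the three-day threshold is an assumption you can change.

```powershell
# Added example (not from the original post): inspect and re-arm the
# Windows Server 2008 evaluation period through the licensing WMI classes.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # well-known ApplicationId of Windows itself

function Get-EvalState {
    $svc  = Get-WmiObject -Class SoftwareLicensingService
    $prod = Get-WmiObject -Class SoftwareLicensingProduct |
            Where-Object { $_.ApplicationId -eq $WindowsAppId -and $_.PartialProductKey } |
            Select-Object -First 1
    New-Object PSObject -Property @{
        Edition         = $prod.Name
        LicenseStatus   = $prod.LicenseStatus                                 # 1 = licensed; 2, 3 and 6 are grace periods
        DaysRemaining   = [math]::Floor($prod.GracePeriodRemaining / 1440)    # WMI reports minutes
        RearmsRemaining = $svc.RemainingWindowsReArmCount
    }
}

function Invoke-EvalRearm {
    param([int]$WhenDaysLeftAtMost = 3, [switch]$WhatIf)
    $state = Get-EvalState
    if ($state.RearmsRemaining -lt 1) {
        return "No re-arms left; the evaluation cannot be reset again."
    }
    # Re-arming discards the days still left, so refuse to do it early
    if ($state.DaysRemaining -gt $WhenDaysLeftAtMost) {
        return "$($state.DaysRemaining) days remain; re-arming now would waste them. Wait until $WhenDaysLeftAtMost days or fewer are left."
    }
    if ($WhatIf) { return "Would re-arm now ($($state.RearmsRemaining) re-arm(s) left)." }
    $svc = Get-WmiObject -Class SoftwareLicensingService
    [void]$svc.ReArmWindows()        # same call slmgr.vbs -rearm makes
    return "Re-armed; reboot to start the new 60-day period ($($state.RearmsRemaining - 1) re-arm(s) left)."
}

Get-EvalState | Format-List
Invoke-EvalRearm -WhatIf
```

Without -WhatIf the function re-arms only when both conditions hold; `slmgr.vbs -xpr` and `slmgr.vbs -dlv` show the same expiry and re-arm count interactively.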

Check your DCs replication


Apart from great tools such as the command-line Repadmin and the GUI-based Replmon, Dsastat (a Windows Support Tool) is a command-line utility that allows you to check your DCs' replication: it compares and detects differences between directory partitions on domain controllers. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class. Then the tool compares the attributes of replicated objects. You can use the tool to compare two directory trees across replicas in the same domain or, for a global catalog, across different domains.

Following is the simplest form of the command, with the -s switch for the server names, i.e.

dsastat -s:dc1;dc2

For more information, see this.
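As an added example (not from the original post), here is the Repadmin side of the same check turned into something you can run on a schedule: `repadmin /showrepl * /csv` emits one row per replication link, and the function below keeps only the links that have failed. The column names are the ones repadmin produces in CSV mode; the four sample rows are constructed so the parser can be tried offline, and the DC names, domain name and error code in them are made up.

```powershell
# Added example (not from the original post): parse "repadmin /showrepl * /csv"
# and report only the replication links that have failed.
function Get-ReplicationFailures {
    param(
        [string[]]$CsvLines = (repadmin /showrepl * /csv),   # default: query every DC in the forest
        [int]$FailureThreshold = 1                            # report links with at least this many failures
    )
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -ge $FailureThreshold } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures',
                      'Last Success Time', 'Last Failure Time', 'Last Failure Status'
}

# Constructed sample in repadmin's CSV layout: DC2 has stopped pulling the
# domain partition from DC1 (status 1722 = RPC server unavailable).
$sample = @(
  'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
  'showrepl_INFO,Default-First-Site-Name,DC1,"DC=lab,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2008-03-01 10:15:02,0',
  'showrepl_INFO,Default-First-Site-Name,DC2,"DC=lab,DC=local",Default-First-Site-Name,DC1,RPC,14,2008-03-01 10:20:41,2008-02-28 22:05:13,1722',
  'showrepl_INFO,Default-First-Site-Name,DC2,"CN=Configuration,DC=lab,DC=local",Default-First-Site-Name,DC1,RPC,0,0,2008-03-01 10:15:02,0'
)
Get-ReplicationFailures -CsvLines $sample | Format-Table -AutoSize

# Against a live forest, call it with no arguments:
#   Get-ReplicationFailures | Format-Table -AutoSize
# and pair it with "repadmin /replsummary" for a per-DC overview.
```

A link with a stale Last Success Time but zero failures is worth a look too; lowering the threshold to 0 and sorting on that column catches partners that simply have not been contacted.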

Group Policy Basics


Group Policy has been an extremely handy tool for System Admins for the last few years, yet it is an equally complex topic to digest, and you need to know it inside-out in order to effectively troubleshoot the problems that occur from time to time in your environment. Let's start with the basics of the Group Policy mechanism.

A GPO is a virtual object. The policy setting information of a GPO is actually stored in two locations: the Group Policy container (GPC) and the Group Policy template (GPT). The Group Policy container is an Active Directory container that stores GPO properties, including information about version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a directory structure within the file system that stores Administrative Template-based policy settings, security settings, script files, and information regarding applications that are available for Software Installation. The Group Policy template is located in Sysvol in the \Policies sub-directory for its domain. GPOs are identified by their globally unique identifiers (GUIDs) and stored at the domain level. Replication of a GPO to other domain controllers happens through two different mechanisms. The Group Policy container is replicated by using Active Directory replication (RPC), whereas the Group Policy template is replicated using File Replication service (FRS) in Windows Server 2003 and for Windows Server 2008 (native domain) DFSR. The settings from a GPO are only applied when the Group Policy container and Group Policy template are synchronized.

More on Group Policy later.
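As an added example (not from the original post), the script below makes the last sentence of that paragraph testable: for every GPO it reads versionNumber from the Group Policy container in Active Directory and the Version line from GPT.INI in the Group Policy template under SYSVOL, then reports which GPOs are out of sync (which is exactly when the settings do not apply). It uses ADSI only, so it runs on Windows Server 2003; the split of versionNumber into user (high 16 bits) and computer (low 16 bits) parts is the documented encoding.

```powershell
# Added example (not from the original post): compare each GPO's version in
# the Group Policy container (AD) with the version in GPT.INI (SYSVOL).
function Get-GpoVersionState {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.psbase.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter     = '(objectClass=groupPolicyContainer)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'displayName', 'versionNumber', 'gPCFileSysPath'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # versionNumber is a 32-bit value: user version in the high 16 bits,
        # computer version in the low 16. AD hands it back signed, so widen it.
        $adVersion = [int64][int]$p['versionnumber'][0]
        if ($adVersion -lt 0) { $adVersion += 4294967296 }

        # The GPT side lives in the folder named by gPCFileSysPath
        $sysvolVersion = $null
        $gptIni = Join-Path ([string]$p['gpcfilesyspath'][0]) 'GPT.INI'
        if (Test-Path $gptIni) {
            foreach ($line in Get-Content $gptIni) {
                if ($line -match '^Version=(\d+)') { $sysvolVersion = [int64]$Matches[1]; break }
            }
        }

        New-Object PSObject -Property @{
            Name            = [string]$p['displayname'][0]
            Guid            = [string]$p['cn'][0]
            ADVersion       = $adVersion
            SysvolVersion   = $sysvolVersion
            UserVersion     = [math]::Floor($adVersion / 65536)
            ComputerVersion = $adVersion % 65536
            InSync          = ($sysvolVersion -ne $null -and $adVersion -eq $sysvolVersion)
        }
    }
}

Get-GpoVersionState | Format-Table Name, ADVersion, SysvolVersion, UserVersion, ComputerVersion, InSync -AutoSize
# Only the problem cases (a GPO whose GPT.INI is missing shows an empty SysvolVersion):
Get-GpoVersionState | Where-Object { -not $_.InSync }
```

A GPO that stays out of sync across DCs points at the two replication paths named above: the container comes over AD replication, the template over FRS (or DFSR on 2008), and one of them is lagging or broken.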

24 Hours of Exchange Server 2007


I would highly recommend watching this webcast series by Harold Wong, Microsoft, on Exchange Server 2007. He starts from the basics, lays down a solid foundation and builds on some of the advanced topics and techniques. I think it's worth watching if you are looking to upgrade your current Exchange 2000 or 2003 organization or are moving from a Notes environment.

“Learn how you can use the new advanced management tools in the next generation of Exchange to save time. Tune in and see how to install and manage Microsoft Exchange Server 2007 with the Exchange Management Console. Our Exchange experts help you explore the features of Microsoft Exchange Server 2007, such as increased security, unified messaging, performance improvements, and ease of deployment.”

Windows Server 2008 Certs for MCSA/MCSE


I am assuming there are more folks besides me wondering about the new Windows Server 2008 track certifications and roadmaps for MCSAs and MCSEs. The attached PDF document defines the upgrade paths. Looks like the already known replacement name for MCSA/MCSE, the MCITP (Microsoft Certified Information Technology Professional), has two flavors, i.e. Server Administrator and Enterprise Administrator. Current MCSAs/MCSEs can achieve the first one by passing two exams, and for the latter it's four for MCSAs and three for MCSEs.

I would have preferred to keep MCSA and MCSE as titles on the Windows Server 2008 certification track, but I guess the change of names was inevitable, just like all other things are in IT.

Windows Server 2008 Transitions Exams for MCSA/MCSE_Roadmaps 

Admin Tools from the command line/ run command


If you are like me and often have to go looking for the command-line shortcuts for launching the administrative tools in Windows Server 2003 (apart from the ones you use on a daily basis and that are easy to remember, i.e. mstsc, dsa.msc, compmgmt.msc), here is a handy list you can print out and hang behind your computer until you remember them all.

• AD Domains and Trusts
• Active Directory Management
• AD Sites and Services
• AD Users and Computers
• Authorization Manager
• Certification Authority Management
• Certificate Templates
• Cluster Administrator
• Computer Management
• Component Services
• Configure Your Server
• Device Manager
• DHCP Management
• Disk Defragmenter
• Disk Manager
• Distributed File System
• DNS Management
• Event Viewer
• Indexing Service Management
• IP Address Manage
• Licensing Manager
• Local Certificates Management
• Local Group Policy Editor
• Local Security Settings Manager
• Local Users and Groups Manager
• Network Load Balancing
• Performance Monitor
• PKI Viewer
• Public Key Management
• QoS Control Management
• Remote Desktops
• Remote Storage Administration
• Removable Storage
• Removable Storage Operator Requests
• Routing and Remote Access Manager
• Resultant Set of Policy
• Schema Management
• Services Management
• Shared Folders
• SID Security Migration
• Telephony Management
• Terminal Server Configuration
• Terminal Server Licensing
• Terminal Server Manager
• UDDI Services Management
• Windows Management Instrumentation
• WINS Server Manager

Enjoy!

DFSR with Active Directory


Distributed File System Replication was a major improvement over DFS and FRS, and also an intended selling feature of the R2 release of Windows Server 2003. I came across a great article that describes what DFSR does and how easily it can be set up. In a domain environment, prior to installing DFSR the schema must be updated to the R2 version with the ADPREP utility from CD2 of Windows Server 2003 R2.

“DFSR is a multimaster replication engine used to distribute copies of data across multiple servers. It can run with or without DFS Namespaces, but its most popular use is to ensure that every member of a set of servers—a replica set—contains identical data and that replication is fast and bandwidth-efficient. It has many features, including bandwidth management, replication scheduling, and an innovative compression algorithm, that together dramatically decrease the amount of network bandwidth needed to keep data synchronized across your network. Microsoft reports that using DFSR results in up to a 300 percent improvement in the speed of large-file replication and 40 percent less administrative time spent managing the replication set.”

WSUS 3.0 SP1 gets released


WSUS 3.0 SP1 was released yesterday; following are the improvements that have been made since version 3.0.6.

The improvements that SP1 offers include:

• Support for Windows Server 2008.
• New Client Servicing API.
• Support for client registration.
• Filtering of updates by category and classification.
• Provides an applicability rule extension mechanism.
• Obtains package metadata and reports update status for each client.
• Improvements for local publishing: supports publishing of drivers within the enterprise by using vendor-provided catalogs. The APIs include support for bundles and prerequisites.
• All hotfixes: WSUS 3.0 SP1 includes all the changes and hotfixes that have been issued since the release of WSUS 3.0.
• Support for Microsoft SQL Server 2005: WSUS 3.0 SP1 lets you use SQL Server 2005.

You can get it here.