Managing Flexible Single-Master Operations


Controlling Access to Role Placements

Active Directory represents operations master role ownership through the Active Directory schema FSMO-Role-Owner attribute. The LDAP display name for this attribute is fSMORoleOwner. The FSMO-Role-Owner attribute is a single-valued directory object reference (a distinguished name) whose value always references an NTDS-DSA object.

The NTDS-DSA object represents a specific domain controller. For example, the distinguished name (DN) for such an NTDS-DSA object is:

CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com


where RESKIT1 is the name of the domain controller in the Washington site in the Reskit.com domain.

In principle, any directory object can have a value for the FSMO-Role-Owner attribute. However, Active Directory sets the FSMO-Role-Owner attribute of only certain objects: one object per forest-wide role (schema master and domain naming master), and one object per domain for each domain-wide role (RID master, PDC emulator, and infrastructure master). Such an object is called the "role object" for its role. The FSMO-Role-Owner of a role object identifies the domain controller holding that role.

Following are the distinguished names of the role objects, with the role each one represents:

CN=Schema,CN=Configuration,<root domain> (schema master; root of Schema directory partition)

CN=Partitions,CN=Configuration,<root domain> (domain naming master; within Configuration directory partition)

CN=RID Manager$,CN=System,<any domain> (RID master; within domain directory partition)

<any domain> (PDC emulator; root of domain directory partition)

CN=Infrastructure,<any domain> (infrastructure master; within domain directory partition)

For example, in the Reskit.com forest that has the Reskit.com, Na.reskit.com, and Eur.reskit.com domains, the eleven role objects and their associated distinguished names are:

CN=Schema,CN=Configuration,DC=reskit,DC=com

CN=Partitions,CN=Configuration,DC=reskit,DC=com

CN=RID Manager$,CN=System,DC=reskit,DC=com

CN=RID Manager$,CN=System,DC=na,DC=reskit,DC=com

CN=RID Manager$,CN=System,DC=eur,DC=reskit,DC=com

DC=reskit,DC=com

DC=na,DC=reskit,DC=com

DC=eur,DC=reskit,DC=com

CN=Infrastructure,DC=reskit,DC=com

CN=Infrastructure,DC=na,DC=reskit,DC=com

CN=Infrastructure,DC=eur,DC=reskit,DC=com


Note

If an object is not a role object, the value of its FSMO-Role-Owner attribute does not have an effect on Active Directory functionality.
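The following Python program is an added example for this section; it is not part of the Resource Kit and not code from Microsoft. It builds the expected role-object distinguished names for a forest from the rules above, reads each role object's fSMORoleOwner value from an LDIF export (such as the output of ldifde or ldapsearch), and checks that the value references an NTDS Settings object of a domain controller that still exists. The sample export, the domain controllers RESKIT2 and RESKIT3, and the GUIDs in it are constructed for the example; the Partitions container is deliberately left out of the export to show the "missing" result.

```python
"""Audit operations master role ownership from an LDIF export (added example,
not code from the Resource Kit page). Builds the role-object DNs for a forest,
reads each role object's fSMORoleOwner from LDIF text and classifies the owner.
The sample export, servers RESKIT2/RESKIT3 and all GUIDs are constructed."""
import re

# RDN mangling Active Directory applies to a deleted (tombstoned) object:
# "<name>\0ADEL:<objectGUID>". A role owner carrying it no longer exists.
DELETED_MARK = "\\0ADEL:"

# Constructed LDIF export of four of the five Reskit.com role objects; long
# values are folded with a leading space as in real LDIF. The RID owner is a
# deleted NTDS Settings object; the infrastructure owner is not an NTDS-DSA.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=reskit,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,
 CN=Configuration,DC=reskit,DC=com

dn: CN=RID Manager$,CN=System,DC=reskit,DC=com
fSMORoleOwner: CN=NTDS Settings\\0ADEL:9c1a0d2e-0000-4000-8000-000000000001,
 CN=RESKIT2\\0ADEL:9c1a0d2e-0000-4000-8000-000000000002,CN=Servers,
 CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com

dn: DC=reskit,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,
 CN=Configuration,DC=reskit,DC=com

dn: CN=Infrastructure,DC=reskit,DC=com
fSMORoleOwner: CN=RESKIT3,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,
 DC=reskit,DC=com
"""


def parse_ldif(text):
    """{dn.lower(): {attr.lower(): [values]}}; unfolds continuation lines,
    skips comments. Base64 ('::') values are not handled."""
    entries = {}
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        lines, dn, attrs = [], None, {}
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # LDIF line folding
            elif not raw.startswith("#"):
                lines.append(raw)
        for name, sep, value in (l.partition(":") for l in lines):
            if sep and name.lower() == "dn":
                dn = value.strip().lower()
            elif sep:
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if dn:
            entries[dn] = attrs
    return entries


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if not escaped and ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur).strip())
    return rdns


def rdn_value(rdn):
    """Value part of an RDN with any deleted-object suffix removed."""
    return rdn.partition("=")[2].split(DELETED_MARK, 1)[0].strip()


def describe_owner(owner_dn):
    """('ok'|'deleted-owner'|'not-ntds-dsa', dc_name, site) for an owner DN of
    the form CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,..."""
    rdns = split_rdns(owner_dn)
    if len(rdns) < 4 or rdn_value(rdns[0]).lower() != "ntds settings":
        return ("not-ntds-dsa", None, None)
    deleted = DELETED_MARK in rdns[0] or DELETED_MARK in rdns[1]
    return ("deleted-owner" if deleted else "ok",
            rdn_value(rdns[1]), rdn_value(rdns[3]))


def role_object_dns(forest_root_dn, domain_dns):
    """Expected role-object DNs: schema and domain naming role objects under
    the forest root's Configuration container, RID/PDC/infrastructure per domain."""
    cfg = "CN=Configuration," + forest_root_dn
    roles = {"schema master": "CN=Schema," + cfg,
             "domain naming master": "CN=Partitions," + cfg}
    for d in domain_dns:
        roles["RID master (%s)" % d] = "CN=RID Manager$,CN=System," + d
        roles["PDC emulator (%s)" % d] = d
        roles["infrastructure master (%s)" % d] = "CN=Infrastructure," + d
    return roles


def audit_role_owners(ldif_text, forest_root_dn, domain_dns):
    """Map each role to describe_owner() of its role object, or 'missing'."""
    entries = parse_ldif(ldif_text)
    report = {}
    for role, dn in role_object_dns(forest_root_dn, domain_dns).items():
        owners = entries.get(dn.lower(), {}).get("fsmoroleowner", [])
        report[role] = describe_owner(owners[0]) if owners else ("missing", None, None)
    return report
```

Running audit_role_owners(SAMPLE_LDIF, "DC=reskit,DC=com", ["DC=reskit,DC=com"]) reports the schema master and PDC emulator as held by RESKIT1 in Washington, the RID master as owned by a deleted NTDS Settings object (the situation in which no transfer is possible and only a seizure can move the role), the infrastructure master as referencing something other than an NTDS-DSA object, and the domain naming master as missing from the export. Passing the three Reskit.com domain names yields the eleven role objects listed above.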

Controlling Role Transfers

As previously defined, an operations master role transfer is the movement of a role with the cooperation of its current owner. To perform a role transfer, both domain controllers must be available and connected to each other through the network.

The ability to perform a role transfer is controlled through a special object permission on the role object itself, checked at the new role owner. There is a different object permission for each role, granted by default to a particular group of administrators:

Schema master: Change Schema Master, granted to Schema Admins

Domain naming master: Change Domain Master, granted to Enterprise Admins

RID master: Change RID Master, granted to Domain Admins

PDC emulator: Change PDC, granted to Domain Admins

Infrastructure master: Change Infrastructure Master, granted to Domain Admins

If you attempt to perform a role transfer and you do not have sufficient permissions, an error occurs.

If the need arises you can change the group of administrators that is able to perform specific role transfers. For example, you might decide to create a new group called "Domain Naming Role Admins" that has exclusive permission to transfer the domain naming master role. In this case, you would create the group and then use ADSI Edit to find the domain naming master role object. Next, you would display the object properties, remove the Change Domain Master permission for Enterprise Admins, and add the Change Domain Master permission for Domain Naming Role Admins. In this way you can precisely control the set of administrators who can transfer the domain naming master role.

The act of changing who can transfer a role does not change who can use the role. In the example above, the Domain Naming Role Admins can transfer the domain naming master role, but they cannot create crossRef objects; only Enterprise Admins can do that.

For more information about setting access control permissions, see "Access Control" in this book, or see Windows 2000 Server Help.


Note

In a properly configured directory only a small number of administrators should have the right to perform operations master role transfers.

Controlling Role Seizures

As previously defined, role seizure is the movement of a role without the cooperation of its current owner. As a rule, role seizure should be avoided, but sometimes it is required, for example when the current owner has failed permanently. After seizing the schema master, domain naming master, or RID master role, never return the former owner to the network without first reinstalling it; two domain controllers acting as the same owner of one of these roles can corrupt the directory.

A role seizure is controlled through the same per-role object permissions that control role transfers, plus the Write fSMORoleOwner property permission, both checked at the new role owner. To seize a role you need both the per-role object permission and the Write fSMORoleOwner property permission. By default, the Write fSMORoleOwner property permission is granted to the same groups that are granted the per-role object permissions.

Scripting Role Placement

You can also place operations master role owners programmatically for both role transfers and seizures through Microsoft® Visual Basic® Script programs.

Scripting Role Transfers

Active Directory operations master role transfers are exposed as an LDAP update operation that writes the value 1 to a root DSE operational attribute of the domain controller taking the role. There is a root DSE operational attribute corresponding to each role:

Schema master: becomeSchemaMaster

Domain naming master: becomeDomainMaster

RID master: becomeRidMaster

PDC emulator: becomePdc

Infrastructure master: becomeInfrastructureMaster

For more information about the root DSE operational attributes, see "Active Directory Data Storage" in this book.

For example, by running the following Visual Basic Script program using the "CScript" command on a domain controller, you can transfer the domain naming master role to that domain controller:

' Root DSE of the domain controller that is to take the role.
Set dse = GetObject("LDAP://localhost/RootDSE")
' Writing 1 to the per-role operational attribute requests the transfer;
' the current owner must be reachable and cooperates.
dse.Put "becomeDomainMaster", 1
dse.SetInfo


Scripting Role Seizures

Active Directory role seizures are exposed as an LDAP update operation to the FSMO-Role-Owner attribute of the role object on the domain controller seizing the role.

For example, by running the following Visual Basic Script program using the "CScript" command on a domain controller, you can seize the domain naming master role to that domain controller. If the seizure fails, the program prints the error and exits with a nonzero code.

On Error Resume Next
Dim dse, roleObject, ntdsDsa

' Root DSE of the domain controller seizing the role.
Set dse = GetObject("LDAP://localhost/RootDSE")

' The role object for the domain naming master is the Partitions container.
Set roleObject = GetObject("LDAP://localhost/CN=Partitions," & _
    dse.Get("configurationNamingContext"))

' dsServiceName is the DN of this domain controller's own NTDS Settings object.
ntdsDsa = dse.Get("dsServiceName")

' Writing fSMORoleOwner directly on the role object seizes the role.
roleObject.Put "fSMORoleOwner", ntdsDsa
roleObject.SetInfo

If Err.Number <> 0 Then
    WScript.Echo "Seizure failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If


For more information about Visual Basic Script programs, see Windows 2000 Resource Kit Tools Help, which is included on the Windows 2000 Resource Kit companion CD.

© 1985-2000 Microsoft Corporation. All rights reserved.