FSMO Role: Domain Naming Master


Domain Naming Master is another forest-wide FSMO role (like the Schema Master role): in the entire Active Directory forest there can be only one domain controller holding the Domain Naming Master operations master role.

The holder of this role is responsible for operations related to Active Directory domain names: adding, renaming and removing domains in the forest, etc.


But there are also other tasks performed only by the domain controller holding this role. According to the official TechNet documentation, the full list of tasks looks like this:

  1. Add or remove domains within the forest — the Domain Naming Master is responsible for the uniqueness of each domain NetBIOS name in the forest and does not allow domains with duplicate names to be added. All operations associated with domain name changes must be confirmed by the DC holding this role. If the Domain Naming Master is unavailable, you can’t add or remove a domain in the forest.
  2. Add or remove application directory partitions — starting with the version of Active Directory introduced in Windows Server 2003, it became possible to create separate partitions, Application Directory Partitions, which are used to store arbitrary application data in AD. The data in these partitions also replicates to domain controllers, providing an increased level of security and availability. An example is the data of Active Directory-integrated DNS zones, stored in the ForestDnsZones and DomainDnsZones partitions. You can’t manage application partitions when the Domain Naming Master is not available.
    Tip. You can list all available directory partitions (naming contexts) in the forest using ntdsutil:

    ntdsutil
    partition management
    connections
    connect to server lon-dc01
    quit
    list

  3. Add or remove object cross references to/from external directories — cross references (crossRef objects) are used to search the directory when the server the client is connected to does not hold the required copy of the directory partition; they can also refer to domains outside the forest (provided those are reachable). CrossRefs are stored in the Partitions container of the Configuration partition, and only the Domain Naming Master has permission to change the contents of this container. Cross-references are of two types: internal and external. Internal crossRefs are created automatically by the system. External cross-references are created manually by an administrator when it is necessary to explicitly declare the location of objects outside the AD forest. If the Domain Naming Master is unavailable, you can’t create a new cross reference or delete an old one.
  4. Approval of a domain rename — to rename a domain, the rendom.exe utility is used. The utility generates an XML script with instructions that must be executed during the renaming process. This script is placed in the Partitions container of the Configuration partition, which can only be updated by the Domain Naming Master. After that, the new name of each renamed domain is written to the msDS-DnsRootAlias attribute of the crossRef objects of these domains.
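The following PowerShell script is an added example (not from the original article) that shows the objects the list above talks about: the naming contexts ntdsutil prints, and the crossRef objects in the Partitions container that only the Domain Naming Master may create or delete. It assumes the ActiveDirectory RSAT module is installed and that you are running it as a domain user with read access to the Configuration partition; the interpretation of the systemFlags bits (0x1 = crossRef for a partition hosted in this forest, 0x2 = domain partition) follows the documented FLAG_CR_NTDS_NC / FLAG_CR_NTDS_DOMAIN values.

```powershell
# Added example: inspect naming contexts and crossRef objects (not part of the original article).
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# 1. All naming contexts (directory partitions) known to this DC; this is the same list
#    that "ntdsutil -> partition management -> list" prints.
Write-Host "Naming contexts:"
$rootDse.namingContexts | ForEach-Object { Write-Host "  $_" }

# 2. crossRef objects live in CN=Partitions,CN=Configuration,... and only the
#    Domain Naming Master is allowed to add or remove them.
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
$props = @('nCName', 'dnsRoot', 'nETBIOSName', 'systemFlags', 'msDS-DnsRootAlias')
$crossRefs = Get-ADObject -SearchBase $partitionsDn -LDAPFilter '(objectClass=crossRef)' -Properties $props

# systemFlags bit 0x1 (FLAG_CR_NTDS_NC) marks an internal crossRef, i.e. a partition that is
# hosted in this forest. External crossRefs (references to other directories) lack that bit.
# msDS-DnsRootAlias is only populated while a domain rename (rendom.exe) is in progress.
$crossRefs |
    Select-Object Name,
        @{ n = 'Type';    e = { if ($_.systemFlags -band 0x1) { 'internal' } else { 'external' } } },
        @{ n = 'IsDomain'; e = { [bool]($_.systemFlags -band 0x2) } },
        nCName, dnsRoot, nETBIOSName,
        @{ n = 'RenameAlias'; e = { $_.'msDS-DnsRootAlias' } } |
    Format-Table -AutoSize

# 3. Duplicate NetBIOS names are exactly what the Domain Naming Master prevents; an
#    unexpected duplicate here points at a broken or tampered Partitions container.
$crossRefs | Where-Object nETBIOSName |
    Group-Object nETBIOSName | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate NetBIOS name in crossRefs: $($_.Name)" }
```

Any change to the contents of CN=Partitions that did not originate from the Domain Naming Master (a new external crossRef nobody created on purpose, or a populated msDS-DnsRootAlias when no rename is planned) is worth investigating, since the container is normally only ever written by that one DC.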

You can find the current Domain Naming Master role holder using the netdom utility:

netdom query fsmo


To transfer the DNM role from one domain controller to another, you can use the Active Directory Domains and Trusts MMC snap-in.


In its best practices, Microsoft recommends placing the Domain Naming Master and Schema Master roles on the same domain controller. If you have lost the DC holding the Domain Naming Master FSMO role, you can seize this role on any other DC, but remember that after that the original role holder must never appear on the network again.
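As an added example (not from the original article), the same query, transfer and seizure can be done from PowerShell with the ActiveDirectory module, which also lets you verify afterwards that every DC agrees on the new holder. The target DC name lon-dc02 is an assumption; replace it with your own.

```powershell
# Added example: query, transfer, seize and verify the Domain Naming Master role
# (not part of the original article). Requires the ActiveDirectory RSAT module and
# Enterprise Admins membership for the transfer/seizure steps.
Import-Module ActiveDirectory

# PowerShell equivalent of "netdom query fsmo" for the two forest-wide roles.
$forest = Get-ADForest
"Domain Naming Master: $($forest.DomainNamingMaster)"
"Schema Master:        $($forest.SchemaMaster)"   # best practice: both on the same DC

# Graceful transfer: the current holder is online and hands the role over.
$target = 'lon-dc02'   # assumed name of the DC that should receive the role
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole DomainNamingMaster

# Seizure, only when the current holder is permanently lost. -Force attempts a normal
# transfer first and seizes the role if the holder cannot be contacted.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole DomainNamingMaster -Force

# Verify: ask every DC in the domain who it believes holds the role. Until replication
# has converged (or if the old holder came back after a seizure) the answers differ.
Get-ADDomainController -Filter * | ForEach-Object {
    $seen = (Get-ADForest -Server $_.HostName).DomainNamingMaster
    '{0,-25} sees Domain Naming Master = {1}' -f $_.HostName, $seen
}

# After a seizure the old holder must never be brought back: confirm its NTDS Settings
# object (class nTDSDSA) no longer exists, i.e. metadata cleanup has been done.
$oldHolder = 'lon-dc01'   # assumed name of the lost DC
$cfg = (Get-ADRootDSE).configurationNamingContext
$stale = Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $_.DistinguishedName -like "*CN=$oldHolder,*" }
if ($stale) { Write-Warning "NTDS Settings for $oldHolder still present; run metadata cleanup." }
```

The verification loop is the useful part for day-to-day operations: two DCs that disagree on the Domain Naming Master after a seizure means the old holder is still reachable, which is precisely the situation the article warns about.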
