Domain Naming Master — another forest-wide FSMO role (as well as Schema Master role), i.e. in the entire Active Directory forest can be only one domain controller with operation master role Domain Naming Master.
The owner of this role is responsible for operations related with Active Directory domain names: adding, renaming and removing domains in the forest etc.
Domain Naming Master
But there are also some other tasks performed only by domain controllers with this role. According to the official information on TechNet, the full list of tasks looks like this:
- Add or remove domains within the forest — Domain Naming master is responsible for the uniqueness of each domain NETBIOS-name in the forest and doesn’t allow adding domains with the same names. All operations associated with domain name changes should be confirmed by the DC owner of this role. If the Naming Master is unavailable, you can’t add or remove a domain in the forest.
- Add or remove application directory partitions — beginning with the version of the Actives Directory introduced in Windows 2003, it became possible to create separate sections — Application Directory Partitions, which are used to store arbitrary data in AD. The data in these sections also replicates to all domain controllers, thus providing an increased level of security and availability. As an example, storage data for DNS servers (Active Directory-Integrated DNS) in the sections ForestDnsZones and DomainDnsZones. You can’t manage application partitions when Domain Naming Master is not available.
Tip. You can list all available directory partitions in the forest using ntdsutil:
ntdsutil partition management connect connect to server lon-dc01 quit list
- Add or remove object cross references to/from external directories — сross references (crossRef) are used to search the directory in the case when the server which the client is connected does not contain the required copy of the directory, and you can refer to domains outside the forest (of course if they are available). CrossRefs are stored in the Partitions container of the Configuration section, and only the Domain Naming Master has the permissions to change the contents of this container. Cross-references are of two types — internal and external. Internal crossRefs are created automatically by the system. External cross-references are created manually by Administrator, if necessary, explicitly declare the location of objects that are the AD forest. If Domain Naming Master is unavailable, you can’t create a new cross reference, or delete the old one.
- Approval of the domain rename — to rename a domain, the utility rendom.exe is used. The utility generates an XML-script with instructions that must be executed during the renaming process. This script is placed to container Partitions of the Configuration section. This container can only be updated by the domain naming master. After that, the new names of each renamed domain are written to the attribute msDS-DnsRootAlias of cross-references of objects related to these domains.
You can get current Domain Naming Master role holder using netdom utility:
netdom query fsmo
To transfer DNM role from one domain controller to another you can use the Active Directory Domains and Trusts MMC snap-in.
In Best Practices Microsoft recommends to place the Domain Naming and Schema Master roles on the same domain controller. If you have lost a DC with FSMO role Domain Naming Master, you can seize this role to any other DC, but remember that after that the original role master should not appear on the network.