
The Best Damn Windows Server 2003 Book Period - P52


You can use the ntdsutil.exe command-line utility to transfer FSMO roles, or you can use an MMC snap-in tool. Depending on which role you want to transfer, you can use one of the following three MMC snap-in tools:

Active Directory Schema snap-in (Schema Master role)

Active Directory Domains and Trusts snap-in (Domain Naming Master role)

Active Directory Users and Computers snap-in (RID Master, Infrastructure Master, and PDC Emulator roles)
To seize a role, you must use the ntdsutil utility. If a computer cannot be contacted due to a
hardware malfunction or long-term network failure, the role must be seized.
Locating, Transferring, and Seizing the Schema Master Role
The DC that hosts the Schema Master role controls each update or modification to the schema. You must have access to the Schema Master to update the schema of a forest.
Refer to the first procedure that follows for instructions on how to identify the DC that is performing the Schema Master operation role for your forest using the command line or the GUI. Refer to the second procedure that follows for instructions on how to transfer the Schema Master operations role for your forest to a different DC. The steps for seizing the role to another DC in case of failure are outlined later in this section (see Seize the FSMO Master Roles).
Temporary loss of the Schema Master is not noticeable to domain users. Enterprise and domain administrators will not notice the loss either, unless they are trying to install an application that modifies the schema during installation or trying to modify the schema themselves. You should seize the schema FSMO role to the standby operations master only if your old Schema Master will be down permanently.
Locate the Schema Operations Master
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and click OK. This registers Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.


5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active
Directory Schema, click Close, and then click OK.
7. Expand and then right-click Active Directory Schema in the top left pane, and then
select Operations Masters to view the server holding the Schema Master role as shown
in Figure 12.4.
476 Chapter 12 • Working with Forests and Domains
301_BD_W2k3_12.qxd 5/12/04 12:38 PM Page 476
Transfer the Schema Operations Master Role
1. Log on as an Enterprise Administrator in the forest where you want to transfer the
Schema Master role.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. This registers Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active
Directory Schema, click Close, and then click OK.
7. Right-click Active Directory Schema in the top left pane, and then click Change
Domain Controller.
8. Click Specify Name as shown in Figure 12.5, type the name of the DC that will be the
new role holder, and then click OK.
9. Right-click Active Directory Schema again, and then click Operations Master.
10. Click Change.
Figure 12.4 Locating the Schema Operations Master
11. Click OK to confirm that you want to transfer the role, and then click Close.

Locating, Transferring, and Seizing the Domain Naming Master Role
The Domain Naming Master DC controls the addition or removal of domains in the forest, and adding and removing any cross-references to domains in external LDAP directories. There can be only one Domain Naming Master in the forest.
Refer to the first procedure that follows for instructions on how to identify the DC that is performing the Domain Naming Master operation role for your forest. Refer to the second procedure that follows for instructions on how to transfer the Domain Naming Master operations role for your forest to a different DC. The steps for seizing a role to another DC in case of failure are described later in this section (see Seize the FSMO Master Roles).
Locate the Domain Naming Operations Master
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type mmc, and then click OK.
3. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active
Directory Domains and Trusts, click Close, and then click OK.
4. Right-click Active Directory Domains and Trusts in the top left pane, and then click
Operations Masters to view the server holding the domain naming master role.
Figure 12.5 Transferring the Schema Operations Master Role
Transfer the Domain Naming Master Role
1. Click Start | Administrative Tools | Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and click Connect to Domain Controller, unless you are already on the DC to which you are transferring the role. In the Enter the name of another domain controller window, type the name of the DC that will be the new role holder, and then click OK. Optionally, in the Or, select an available domain controller list, click the DC that will be the new role holder, and click OK.
3. In the console tree, right-click Active Directory Domains and Trusts, and then select
Operations Master.
4. Click Change.
5. Click OK for confirmation, and click Close.

Locating, Transferring, and Seizing the Infrastructure, RID, and PDC Operations Master Roles
The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains. There can be only one Infrastructure Master DC in each domain. The RID Master processes Relative ID (RID) pool requests from all DCs in the local domain. There can be only one RID Master DC in each domain. The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain Master Browser, and handles Active Directory password collisions, or discrepancies. There can be only one PDC Emulator in each domain.
Refer to the first procedure that follows for instructions on how to identify the DCs that are
performing the FSMO roles for your forest using the Active Directory Users and Computers GUI
interface. Refer to the second procedure that follows for instructions on how to transfer the
Infrastructure, RID, and PDC Master operations roles for your forest to different DCs. Again, if you
need to seize a role, follow the steps later in this section (see Seize the FSMO Master Roles).
Locate the Infrastructure, RID and PDC Operations Masters
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type dsa.msc, and click OK. This is an alternate method for opening the Active Directory Users and Computers administrative tool.
3. Right-click the selected Domain Object in the top left pane, and then click Operations
Masters.
4. Click the Infrastructure tab to view the server holding the Infrastructure Master role.
5. Click the RID tab to view the server holding the RID Master role.
6. Click the PDC tab to view the server holding the PDC Master role.
Transfer the Infrastructure, RID and PDC Master Roles
1. Click Start | Administrative Tools | Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and click Connect to Domain Controller unless you are already on the DC you are transferring to. In the Enter the name of another domain controller window, type the name of the DC that will be the new role holder, and then click OK; or in the Or, select an available domain controller list, click the DC that will be the new role holder, and click OK.
3. In the console tree, right-click Active Directory Users and Computers, and click All
Tasks | Operations Master.
4. Take the appropriate action below for the role you want to transfer.
5. Click the Infrastructure tab, and click Change.
6. Click the RID tab, and click Change.
7. Click the PDC tab, and click Change.
8. Click OK for confirmation, and click Close.
Seize the FSMO Master Roles
1. Log on to any working DC.
2. Click Start | Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and press Enter.
4. In ntdsutil, type ? at any prompt to see a list of available commands, and press Enter.
5. Type connections, and press Enter.
6. Type connect to server servername, where servername is the name of the server that will
receive the role, and press Enter.
7. At the server connections: prompt, type q, and press Enter.
8. Type the appropriate seizing command as shown next. See the example in Figure 12.6. If
the FSMO role is available, ntdsutil.exe will perform a transfer instead. Respond to the
Role Seizure Confirmation Dialog box.
seize Schema master
seize domain naming master
seize Infrastructure master
seize RID master
seize PDC
Figure 12.6 Seizing the PDC Master Role
D:\WINDOWS\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server DC4
Binding to DC4
Connected to DC4 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "DC4" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
Domain - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
PDC - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
RID - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
Infrastructure - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
fsmo maintenance: q
9. After you seize the role, type q, and then press Enter repeatedly until you quit the
Ntdsutil tool.
Placing the FSMO Roles
It is a good idea to place the RID and PDC Emulator roles on the same DC. Down-level clients and applications target the PDC, making it a large consumer of RIDs. Good communication between these two roles is important. If performance demands it, place the RID and PDC Emulator roles on separate DCs, but make sure they stay in the same site and that they are direct replication partners with each other.
As previously stated, you should place the Infrastructure Master on a non-GC server to maintain proper replication. Additionally, ensure that the Infrastructure Master has a direct connection object to a GC server somewhere in the forest, preferably in the same site. There are two exceptions to this rule:

Single domain forest: If your forest contains only one Active Directory domain, then there can be no phantoms. The Infrastructure Master has no functionality in a single domain forest. In that case, you can place the Infrastructure Master on any DC.

Multidomain forest where every DC holds the GC: Again, there can be no phantoms if every DC in the domain hosts a GC. There is no work for the Infrastructure Master to perform. In that case, you can place the Infrastructure Master on any DC.
Considering the forest level, the Schema Master and Domain Naming Master roles are rarely
used and should be tightly controlled. For that reason, you can place them on the same DC. Another
Microsoft-recommended practice is to place the Domain Naming Master FSMO on a GC server.
Taking all of these practices together, a Microsoft-recommended best-practice empty root domain
design would consist of two DCs with the following FSMO/GC placement:

DC 1:
Schema Master
Domain Naming Master
GC

DC 2:
RID Master
PDC Emulator
Infrastructure Master
This preferred design remains valid until performance degradation forces you to separate the
roles. Consider upgrading the hardware instead, or adding additional GCs, since the recommended
configuration is the most efficient. For extremely large forests, install additional DCs and separate
roles as needed. For these reasons and more, you need to be able to locate and assess your GC placement in relation to your FSMO roles. Here is how you find GCs:
1. Log on to any working DC.
2. Click Start | Programs | Administrative Tools | Active Directory Sites and
Services.
3. Double-click Sites in the left console pane, and browse to the appropriate site, or click
Default-first-site-name if no other sites are available.
4. Expand the Servers folder, and click the name of the DC that you want to check.
5. In the DC’s folder, double-click NTDS Settings.
6. Click Action | Properties.
7. On the General tab, locate the Global Catalog check box to see if it is selected as
shown in Figure 12.7.
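The role listing that ntdsutil prints after a seizure (Figure 12.6) and the placement guidance in this section can both be checked mechanically rather than by eye. The Python script below is an added example, not code from the book: it parses the "knows about N roles" listing (joining the DN fragments that wrap across lines, exactly as the figure prints them) into a role-to-DC map, and then applies the chapter's placement rules to that map. The sample session text is constructed from the book's figure (DC3 and DC4 in Dogs.com); the set of GC servers, the single-domain and every-DC-is-GC flags, and the function names are assumptions of the example.

```python
import re

# Constructed sample, modelled on the ntdsutil session in Figure 12.6
# (DC3/DC4 in Dogs.com); the DN wrapping mimics how the book prints it.
SAMPLE_SESSION = """\
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "DC4" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,
CN=Configuration,DC=Dogs,DC=com
Domain - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,
CN=Configuration,DC=Dogs,DC=com
PDC - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=
Configuration,DC=Dogs,DC=com
RID - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=
Configuration,DC=Dogs,DC=com
Infrastructure - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-
Name,C
N=Sites,CN=Configuration,DC=Dogs,DC=com
fsmo maintenance: q
"""

ROLE_START = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (CN=.*)$")
NTDS_SETTINGS_DN = re.compile(
    r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,")


def parse_role_holders(session_text):
    """Map each FSMO role to the DC and site named in its NTDS Settings DN."""
    lines = iter(session_text.splitlines())
    for line in lines:                       # skip everything before the role listing
        if "knows about" in line:
            break
    records = []
    for line in lines:
        text = line.strip()
        if not text:
            continue
        if text.startswith("fsmo maintenance"):  # back at the prompt: listing is over
            break
        if ROLE_START.match(text):
            records.append(text)
        elif records:                        # wrapped continuation of the previous DN
            records[-1] += text
    holders = {}
    for record in records:
        role, dn = ROLE_START.match(record).groups()
        match = NTDS_SETTINGS_DN.match(dn)
        if not match:
            raise ValueError(f"unexpected NTDS Settings DN: {dn}")
        holders[role] = {"dc": match.group(1), "site": match.group(2), "dn": dn}
    return holders


def check_placement(holders, gc_servers, single_domain=False, every_dc_is_gc=False):
    """Apply the chapter's placement guidance; an empty list means no findings.

    gc_servers is an assumed input: the names of DCs whose NTDS Settings have the
    Global Catalog box checked (the check described in the chapter)."""
    findings = []
    rid, pdc = holders["RID"], holders["PDC"]
    if rid["dc"] != pdc["dc"]:
        if rid["site"] != pdc["site"]:
            findings.append("RID Master and PDC Emulator are in different sites; keep them in one site")
        else:
            findings.append("RID Master and PDC Emulator are on separate DCs; confirm they are direct replication partners")
    infra = holders["Infrastructure"]
    phantoms_possible = not (single_domain or every_dc_is_gc)   # the two exceptions
    if phantoms_possible and infra["dc"] in gc_servers:
        findings.append(f"Infrastructure Master {infra['dc']} is a GC; move the role to a non-GC DC")
    if holders["Domain"]["dc"] not in gc_servers:
        findings.append(f"Domain Naming Master {holders['Domain']['dc']} is not a GC")
    return findings


if __name__ == "__main__":
    roles = parse_role_holders(SAMPLE_SESSION)
    for role, info in roles.items():
        print(f"{role:<15} {info['dc']} ({info['site']})")
    # Constructed assumption for the demo: DC3 is the forest's only GC.
    print(check_placement(roles, gc_servers={"DC3"}))
```

With DC3 as the only GC the figure's placement matches the empty-root design above (Schema and Domain Naming on the GC, RID, PDC and Infrastructure together on the non-GC), so the check returns no findings; declaring DC4 the GC instead produces both the Infrastructure Master and the Domain Naming Master findings.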
Using Application Directory Partitions
The Active Directory contains several partitions for the storage of object data. These directory partitions, also called naming contexts, are contiguous Active Directory subtrees that are replicated across DCs. As a minimum, each DC contains a replica of three partitions: the schema partition, the configuration partition, and the domain partition, in addition to any application directory partitions that you might choose to create. An instance of an application directory partition on another DC is called a replica.
The default security descriptor for objects in the application directory partition is defined by an attribute called the security descriptor reference domain. By default, this attribute is the parent domain of the application directory partition. If the partition is a child of another application directory partition, the default security descriptor reference domain is the security descriptor reference domain of its parent. If it has no parent, the forest root domain becomes the default security descriptor reference domain. This attribute can be modified using the following steps.
Administer Application Directory Partitions
1. Log on as an Enterprise Administrator.
2. Click Start | Run, type ntdsutil, and click OK.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server servername, where servername represents the DNS name of the DC where you want to create the application directory partition.
Figure 12.7 Locating the Global Catalog Function
6. At the connection command prompt, type quit.
7. At the domain management command prompt, consult the following list of commands
for the function you want to perform:

Create an application directory partition: use the command create nc application_directory_partition domain_controller

Delete an application directory partition: use the command delete nc application_directory_partition

Add an application directory partition replica: use the command add nc replica application_directory_partition domain_controller

Remove an application directory partition replica: use the command remove nc replica application_directory_partition

Display application directory partition information: use the command list

Set the security descriptor reference domain of an application directory partition: use the command set nc reference domain application_directory_partition domain_controller
In this context, application_directory_partition is the DN of the application directory partition that you want to operate on, and domain_controller is the DNS name of the DC where you want to perform the operation. If you are operating on the DC that you connected to in step 5, use “NULL” as the domain_controller parameter.
8. Enter q until ntdsutil exits.
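The rule for the default security descriptor reference domain (parent domain, else the parent application partition's reference domain, else the forest root) is easy to get wrong when partitions are nested, so it is worth seeing it resolved step by step. The following Python function is an added example, not code from the book or from ntdsutil: it walks the DN of a partition upward and applies the rule, and treats an explicit assignment made with set nc reference domain as an override. The forest layout (Dogs.com with a child domain Labs.dogs.com) and the partition names are constructed for the example.

```python
def split_dn(dn):
    """Split a distinguished name into its RDNs (DC= names contain no escaped commas)."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def parent_dn(dn):
    """The DN one level up, or None for a partition that is the root of its own tree."""
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else None


def reference_domain(partition_dn, domains, app_partitions, forest_root, overrides=None):
    """Resolve the security descriptor reference domain of an application partition.

    domains        - DNs of the forest's domain partitions
    app_partitions - DNs of the existing application directory partitions
    forest_root    - DN of the forest root domain
    overrides      - partition DN -> domain DN, as assigned with set nc reference domain
    """
    overrides = overrides or {}
    if partition_dn in overrides:            # an explicitly set attribute wins
        return overrides[partition_dn]
    parent = parent_dn(partition_dn)
    if parent in domains:                    # default: the parent domain
        return parent
    if parent in app_partitions:             # child of another application partition:
        return reference_domain(parent, domains, app_partitions, forest_root, overrides)
    return forest_root                       # no parent: the forest root domain


# Constructed sample forest: Dogs.com (root) with the child domain Labs.dogs.com,
# two nested application partitions under Labs and one stand-alone partition tree.
DOMAINS = {"DC=Dogs,DC=com", "DC=Labs,DC=Dogs,DC=com"}
FOREST_ROOT = "DC=Dogs,DC=com"
APP_PARTITIONS = {
    "DC=Inventory,DC=Labs,DC=Dogs,DC=com",
    "DC=Sites,DC=Inventory,DC=Labs,DC=Dogs,DC=com",
    "DC=Telemetry",
}


def resolve_all(overrides=None):
    """Reference domain for every sample partition, for a quick look at the rule."""
    return {p: reference_domain(p, DOMAINS, APP_PARTITIONS, FOREST_ROOT, overrides)
            for p in sorted(APP_PARTITIONS)}


if __name__ == "__main__":
    for partition, domain in resolve_all().items():
        print(f"{partition:<45} -> {domain}")
    # After "set nc reference domain" on the Inventory partition, its child inherits the change.
    changed = {"DC=Inventory,DC=Labs,DC=Dogs,DC=com": "DC=Dogs,DC=com"}
    print(resolve_all(changed)["DC=Sites,DC=Inventory,DC=Labs,DC=Dogs,DC=com"])
```

The last line shows the practical consequence of the inheritance rule: changing the reference domain of a parent application partition silently changes the default security descriptor applied to objects in every child partition that has no explicit setting of its own.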
Establishing Trust Relationships
External trusts are a concept left over from Windows NT, but are still necessary for sharing resources
with a Windows NT domain or any other Windows domain outside your forest. A realm trust allows
cross-platform interoperability with non-Windows Kerberos V5 (version 5) realms, such as those
commonly used with UNIX systems. As you can see, trusts are varied in properties and purposes.
The most important concepts to understand about trusts before you create them are direction and transitivity. Always be aware of the extent of any internal access that you grant to external users.
Direction and Transitivity
Two primary attributes of trusts are direction and transitivity. The direction of trust flows from the trusting domain to the trusted domain as shown by the arrow in Figure 12.8. Cats.com trusts Dogs.com. The direction of access is always in the opposite direction; Dogs.com accesses resources in Cats.com. This is a one-way trust. Likewise, Dogs.com trusts Fish.com, but does not trust Cats.com. Two one-way trusts can combine to simulate a single two-way trust.
The second attribute of the trust is transitivity, or a measure of how far the trust extends. A nontransitive trust has limits. The trusted domain, and only the trusted domain, can access resources through the trust to the trusting domain. As shown in Figure 12.8, if the Dogs.com domain has trusts to other domains such as Fish.com, those other domains are barred from access to Cats.com unless they have a nontransitive trust of their own. The absence of the third leg of the trust breaks the circle of access. This is the behavior of all trusts in Windows NT.
Conversely, transitive trusts, like the ones shown in Figure 12.9, are the skeleton keys of access.
Anyone on the trusted side of the trust relationship can enter, including anyone trusted by the
trusted domain. When a user or process requests access to a resource in another domain, a series of
hand-offs occurs within the authentication process down the trust path as shown in Figure 12.9.
When Cats.com trusts Dogs.com, they must trust all Dogs.com child domains equally at the level of the trust. There are two types of trusts in Figure 12.9, parent-child and tree-root. All trusts shown
are bidirectional and transitive, as they are by default in Windows Server 2003. Calico.cats.com has a
trust relationship with Yellow.labs.dogs.com because of the trust path that extends through all three
intervening domains. If Calico.cats.com has no reason to trust Yellow.labs.dogs.com, then the cats
must apply permissions to limit or block the access.
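Direction and transitivity are easiest to reason about as a directed graph: each trust is an edge from the trusting domain (where the resource lives) to the trusted domain (where the user lives), and an access request walks that graph. The Python model below is an added example, not code from the book; it encodes the chapter's rule that a nontransitive trust admits only the directly trusted domain, so any path of more than one hop must consist entirely of transitive trusts. The two trust sets are constructed from Figures 12.8 and 12.9 using the book's domain names; the function names and the simplification that every hop is checked only for direction and transitivity (no permissions, no SID filtering) are the example's own assumptions.

```python
from collections import defaultdict, deque, namedtuple

# A trust is stored in the direction the chapter describes: the trusting domain
# (resource side) trusts the trusted domain (user side).
Trust = namedtuple("Trust", ["trusting", "trusted", "transitive"])


def two_way(domain_a, domain_b, transitive=True):
    """Two one-way trusts that together make a two-way trust (the Windows Server 2003
    default for parent-child and tree-root trusts)."""
    return [Trust(domain_a, domain_b, transitive), Trust(domain_b, domain_a, transitive)]


# Constructed from Figure 12.8: one-way, nontransitive trusts between root domains.
FIGURE_12_8 = [
    Trust("Cats.com", "Dogs.com", transitive=False),
    Trust("Dogs.com", "Fish.com", transitive=False),
]

# Constructed from Figure 12.9: two-way transitive parent-child and tree-root trusts.
FIGURE_12_9 = (
    two_way("Cats.com", "Calico.cats.com")
    + two_way("Dogs.com", "Labs.dogs.com")
    + two_way("Labs.dogs.com", "Yellow.labs.dogs.com")
    + two_way("Cats.com", "Dogs.com")          # tree-root trust between the two trees
)


def trust_path(trusts, resource_domain, user_domain):
    """Return the trust path (list of domains) that an authentication request for a
    resource in resource_domain follows to reach user_domain, or None if no trust
    allows it.

    Direction: the search only walks from a trusting domain to the domains it trusts.
    Transitivity: one hop always works; a longer path is valid only if every hop on it
    is transitive (the chapter's "only the trusted domain" rule)."""
    if resource_domain == user_domain:
        return [resource_domain]
    outgoing = defaultdict(list)
    for trust in trusts:
        outgoing[trust.trusting].append(trust)
    queue = deque([(resource_domain, [resource_domain], True)])
    seen = {(resource_domain, True)}
    while queue:
        domain, path, all_transitive = queue.popleft()
        for trust in outgoing[domain]:
            second_or_later_hop = len(path) > 1
            if second_or_later_hop and not (all_transitive and trust.transitive):
                continue                      # a nontransitive leg ends the chain
            new_path = path + [trust.trusted]
            if trust.trusted == user_domain:
                return new_path
            state = (trust.trusted, all_transitive and trust.transitive)
            if state not in seen:
                seen.add(state)
                queue.append((trust.trusted, new_path, state[1]))
    return None


def who_can_access(trusts, resource_domain):
    """Every other domain whose users can reach resource_domain through some trust path,
    i.e. the set the resource owner must control with permissions."""
    domains = {d for trust in trusts for d in (trust.trusting, trust.trusted)}
    return sorted(d for d in domains
                  if d != resource_domain and trust_path(trusts, resource_domain, d))


if __name__ == "__main__":
    print(trust_path(FIGURE_12_8, "Cats.com", "Fish.com"))                  # None
    print(trust_path(FIGURE_12_9, "Calico.cats.com", "Yellow.labs.dogs.com"))
    print(who_can_access(FIGURE_12_9, "Calico.cats.com"))
```

Running the model reproduces both figures: in the nontransitive forest only Dogs.com can reach Cats.com, while in the transitive forest Calico.cats.com is reachable from every other domain through the five-domain path Calico, Cats, Dogs, Labs, Yellow. Replacing the tree-root trust with a nontransitive one (as an external trust would be) cuts that path at Cats.com, which is the "third leg" effect the section describes.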
Figure 12.8 The Nontransitive Trust (diagram: the root domains Cats.com, Dogs.com, and Fish.com joined by one-way nontransitive trusts)
Figure 12.9 The Transitive Trust (diagram: the root domains Cats.com and Dogs.com with the child domains Calico.cats.com, Labs.dogs.com, and Yellow.labs.dogs.com joined by transitive trusts)