Home 2018 December

The 7 FSMO Roles

5 FSMO roles? Oh, no. There are Hidden FSMO roles that they don’t tell you about!  They don’t want you to know about these until you run into a problem! There are really 7 FSMO Roles to know about.

Have you even been unable to demote a domain controller?  It tells you that it can’t determine the fSMORoleOwner – even though a netdom query FSMO returns all 5 roles?

You may also get: “The Directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles”

Well, there are two hidden roles: CN=Infrastructure,DC=ForestDnsZones  and CN=Infrastructure,DC=DomainDnsZones

So, the next time you are transferring FSMO roles, you need to move these two as well – before you Decom the old Role Holder!

Run adsi edit as admin.

This image has an empty alt attribute; its file name is fmso_0.png
Connect to

Right click on ADSI Edit, select Connect to the naming context 

This image has an empty alt attribute; its file name is fmso_1.png
DC=DomainDNSZones,DC=Kearan,DC=local

Click and expand the new “Default naming context” – click on the connection point, move to the right column and click Infrastructure:

This image has an empty alt attribute; its file name is fsmo_2.png
CN=Infrastructure

Right click and select properties or double click to edit.

Scroll to fSMORoleOwner

This image has an empty alt attribute; its file name is fsmo_3.png
fSMORoleOwner line

You may see something like : CN=NTDS Settings\0ADEL:aae73bb2-d552-4b61-a6e0-7ce4e09dcc47,CN=oldservername\0ADEL:234e4831-f988-4c2a-a1ca-db0f8b2643d8

This is an already decommed DC that never got the fSMO role moved.

Double click to edit.  Change the CN to match your normal FSMO role holder.  You can copy the fSMORoleOwner from the original “Default naming context” section – which is DC=yourdomain,DC=tld”

Repeat for naming context “DC=ForestDnsZones,DC=yourdomain,DC=tld”

This image has an empty alt attribute; its file name is fsmo_4.png
DC=ForestDnsZones,DC=Kearan,DC=local

The fSMORoleOwner in each of the three “Infrastructure” sections should match.

Printers Deployed via Group Policy

So, ran into a situation the other day where some printers were added to some computers they were not supposed to be on. When we went to remove them – nobody could. Access denied. Enterprise Admin could not remove the printer from the computer.
Why?
Group Policy.

There are a few ways to deploy printers via group policy.
1. Click “Deploy” on your print server. Unless you want everyone and every system in the entire domain to have that printer – do not do this. You won’t know which policy it uses to deploy the printers, you won’t know where it is applied. ( probably sets a “printer” policy on the root of the domain )
2. Create a group policy using Computer Configuration –> Policies –> Windows Settings –>Printer Connections (on older DCs)  ( Don’t do this! )
3. Create a group policy using Computer Configuration –>Preferences –> Control Panel Settings –> Printers (Nobody will be able to delete these printers)
4. Create a group policy using User Configuration –> Preferences –> Control Panel Settings –> Printers (You will be able to delete these printers – and they will show back up on next reboot, unless removed from the policy)