Tuesday, October 16, 2012

Awesome Links to learn on Excel

I would like to share a link that helps us learn the basics of Excel in a simple way. I feel it is an awesome one that I have found, and you may like it for sure.

 
Thanks to the GCFLearningfree.org team for nice stuff like this. Awaiting more.
 
 
 

Monday, October 1, 2012

Directory Partitions in Active Directory


 

The Active Directory database is logically separated into directory partitions:

  • Schema partition
  • Configuration partition
  • Domain partition
  • Application partition

    

Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. At least two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. In addition, all domain controllers in the same domain share a common domain partition.

  • Schema Partition: Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.

  • Configuration Partition: There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

  • Domain Partition: Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

  • Application Partition: Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

As an example of application partitions, if you use a Domain Name System (DNS) that is integrated with Active Directory, you have two application partitions for DNS zones, ForestDNSZones and DomainDNSZones:

  • ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.

  • DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The application partition stores the domain DNS zone data in DomainDNSZones. Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.
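The partition types described above can be told apart from the crossRef objects that Active Directory keeps under CN=Partitions in the configuration partition. The following is an added example, not code from the original post: the forest example.com and its sample crossRef data are constructed, and the commented lines assume the ActiveDirectory PowerShell module is available for a live query.

```powershell
# systemFlags bits defined for crossRef objects in CN=Partitions:
$FLAG_CR_NTDS_NC                = 0x1  # partition is held by Active Directory
$FLAG_CR_NTDS_DOMAIN            = 0x2  # partition is a domain partition
$FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4  # partition is not replicated to the global catalog

function Get-PartitionType {
    param(
        [Parameter(Mandatory)] [string] $NcName,
        [Parameter(Mandatory)] [int]    $SystemFlags,
        [Parameter(Mandatory)] [string] $ConfigNc
    )
    if ($NcName -eq "CN=Schema,$ConfigNc")                  { return 'Schema' }
    if ($NcName -eq $ConfigNc)                              { return 'Configuration' }
    if (-not ($SystemFlags -band $FLAG_CR_NTDS_NC))         { return 'External' }
    if ($SystemFlags -band $FLAG_CR_NTDS_DOMAIN)            { return 'Domain' }
    if ($SystemFlags -band $FLAG_CR_NTDS_NOT_GC_REPLICATED) { return 'Application' }
    return 'Unknown'
}

# Constructed sample data for a hypothetical forest example.com.
$configNc  = 'CN=Configuration,DC=example,DC=com'
$crossRefs = @(
    [pscustomobject]@{ nCName = "CN=Schema,$configNc";                 systemFlags = 1 }
    [pscustomobject]@{ nCName = $configNc;                             systemFlags = 1 }
    [pscustomobject]@{ nCName = 'DC=example,DC=com';                   systemFlags = 3 }
    [pscustomobject]@{ nCName = 'DC=ForestDnsZones,DC=example,DC=com'; systemFlags = 5 }
    [pscustomobject]@{ nCName = 'DC=DomainDnsZones,DC=example,DC=com'; systemFlags = 5 }
)
# Against a live forest, replace the sample data with:
#   $configNc  = (Get-ADRootDSE).configurationNamingContext
#   $crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNc" `
#                    -LDAPFilter '(objectClass=crossRef)' -Properties nCName, systemFlags

# One row per partition: its type and whether it is kept out of the global catalog.
$report = foreach ($cr in $crossRefs) {
    [pscustomobject]@{
        Partition      = $cr.nCName
        Type           = Get-PartitionType -NcName $cr.nCName -SystemFlags $cr.systemFlags -ConfigNc $configNc
        ExcludedFromGC = [bool]($cr.systemFlags -band $FLAG_CR_NTDS_NOT_GC_REPLICATED)
    }
}
$report | Format-Table -AutoSize
```

An application partition that nobody on the team recognizes is worth reviewing, since its data replicates to every domain controller designated to host it.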

 
------------------------------------------------------------------------------------

Saturday, September 29, 2012

Differences between Windows Server 2003 and Windows Server 2008

 


  • Windows Server 2008 is a combination of Vista and Windows 2003 R2
  • RODC, a new type of domain controller, is introduced
  • In 2008, services are known as Roles
  • The boot sequence is changed (instead of loading NTLDR, a new file called bootmgr exists)
  • Group Policy editor is a separate option in ADS
  • Windows Server 2008 introduces Hyper-V (only on 64-bit)
  • Windows Server 2008 can be installed either as the full version (installs all services and applications) or as Server Core (installs only the minimal required services)
  • For security, it enables an outbound firewall as well as an inbound one; IIS 7 is released
  • Server Core provides the minimum installation required to carry out a specific server role, such as a DHCP, DNS or print server
  • Better security
  • Enhanced Terminal Services
  • Network Access Protection
  • Enabled PowerShell
  • Enabled IIS 7.0
  • BitLocker present
  • System drive encryption
  • Windows Aero (it features a translucent glass design with subtle window animations and new window colors)
  • In Windows Server 2008, Active Directory has been renamed to Active Directory Domain Services (AD DS). AD DS retains the tools, architectural design, and structure that were introduced in Windows 2000 Server and Windows Server 2003, with some added improvements.

Monday, September 10, 2012

Difference Between Outlook and Outlook Express



 

Difference Between Windows Server 2003 & 2000




| S.No | Windows Server 2003 | Windows Server 2000 |
|------|---------------------|---------------------|
| 1 | We can rename the domain | We can't rename |
| 2 | Supports 64 processors and 512 GB RAM | Supports 8 processors and 64 GB RAM |
| 3 | Supports 64-bit operating system | Doesn't support 64-bit operating system |
| 4 | Enhanced DFS support with multiple roots | Only supports basic DFS |
| 5 | We can create 1 billion users | We can create 1 million users only |
| 6 | Volume Shadow Copy service available | Doesn't have this service |
| 7 | Supports 8-node clustering | Supports 4-node clustering only |
| 8 | Telnet session available | |
| 9 | Remote Desktop Connection | |
| 10 | We can apply 720 policies | We can apply only 620 policies |
| 11 | Unlimited users can access the network simultaneously | 10 users can access the network simultaneously |
| 12 | Group Policy Update and Refresh utility is available | This feature is not available |

Difference Between Windows XP Professional and 2000

 

Monday, August 20, 2012

Understanding FSMO Roles


  



FSMO stands for Flexible Single Master Operations. An FSMO role is therefore a Flexible Single Master Operations role. There are 5 of these in Active Directory 2003, and in this article I will explain the purpose of each one and what it does.

Flexible means that the roles can be swapped around, and the administrator can decide which DC holds which role(s).

Single means that only one DC can hold each role. This can apply to each domain, or to the entire forest. I will go into more detail about this later.

The five roles are as follows:

PDC Emulator
  • Synchronises time over the domain, ensuring all clients have the same time, which is required for Kerberos authentication (logons) to work properly.
  • Manages password changes made in the domain
  • Incorrect logons are forwarded to the PDC Emulator before the error is shown to the user, to check that the password is in fact incorrect
  • Account lockouts are processed on the PDC emulator
  • Group policy management is always made on the PDC emulator, unless specified by the administrator
  • Emulates the PDC (Primary Domain Controller) for NT4 clients in the domain.

Notes: There is one PDC Emulator per domain, but the PDC Emulator for the forest root domain is authoritative for all others in the forest.


RID Master

The RID Master is responsible for handing out pools of RIDs (Relative IDs). Each DC in a domain is allocated a pool of RIDs that it uses for new security principal objects, such as security groups. When a DC starts to run out of RIDs, it issues a request for more to the RID Master. There is one RID Master per domain in the forest.

Notes: There must only ever be ONE RID Master in a domain. If an administrator seizes the RID Master role to another server because the original role holder is offline, the original role holder must be formatted and reinstalled. This is due to the risk of having identical RIDs in a domain if more than one server holds the role. This would render the affected objects invalid and cause endless problems on the domain.


Infrastructure Master


This role is most important when the forest contains more than one domain. The Infrastructure Master is responsible for updating an object's SID (Security ID) and DN (Distinguished Name) in a query that references objects from another domain.

Notes: There is one Infrastructure Master per domain.

Domain Naming Master

The Domain Naming Master controls the addition and removal of domains to and from the forest. It makes sure that no two domains have the same name, and is the only Domain Controller in the entire forest that can add or remove a domain.

Notes: There is only one Domain Naming Master in the entire forest.

Schema Master

The Schema Master controls all updates and modifications to the schema. Once the update has completed it is replicated to all other Domain Controllers in the forest, but it must be performed on the Schema Master first.

Notes: There is only one Schema Master in the entire forest.


 


 

 
What happens when FSMO roles fail
Schema Master
No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), then the malfunction of the server holding the Schema Master role will not pose a critical problem.
 
Domain Naming Master
The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed.  It is also needed when promoting or demoting a server to/from a Domain Controller.  Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.
 
PDC Emulator
The server holding the PDC emulator role will cause the most problems if it is unavailable.  This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.
 
RID Master
The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.
 
Infrastructure Master
This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant.  Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.
 

 

Placing FSMO Server Roles    
 
Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

  • The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server.  Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
    Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server.  If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

  • The Infrastructure Master should not be on the same server that acts as a Global Catalog server.
    The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information.  If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated.  This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.
    Note: In a single domain environment this is not an issue.

  • Microsoft also recommends that the PDC Emulator and RID Master be on the same server.  This is not mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

  • It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.
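The first three placement recommendations above can be checked mechanically once the role holders and Global Catalog servers are known. This is an added example, not part of the original post: the function name Test-FsmoPlacement, the host names and the sample data are hypothetical, and the commented lines assume the ActiveDirectory PowerShell module for a live query.

```powershell
function Test-FsmoPlacement {
    param(
        [Parameter(Mandatory)] [hashtable] $Roles,          # role name -> DC host name
        [Parameter(Mandatory)] [string[]]  $GlobalCatalogs, # DCs that are Global Catalog servers
        [int] $DomainCount = 1                              # number of domains in the forest
    )
    if ($Roles.SchemaMaster -ne $Roles.DomainNamingMaster) {
        'Schema Master and Domain Naming Master are on different servers'
    }
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        if ($GlobalCatalogs -notcontains $Roles[$role]) {
            "$role holder $($Roles[$role]) is not a Global Catalog server"
        }
    }
    # Per the note above, this is only an issue when there is more than one domain.
    if ($DomainCount -gt 1 -and $GlobalCatalogs -contains $Roles.InfrastructureMaster) {
        "Infrastructure Master $($Roles.InfrastructureMaster) is also a Global Catalog server"
    }
    if ($Roles.PDCEmulator -ne $Roles.RIDMaster) {
        'PDC Emulator and RID Master are on different servers (same server is recommended, not mandatory)'
    }
}

# Constructed sample data for a hypothetical two-domain forest.
$roles = @{
    SchemaMaster         = 'dc1.example.com'
    DomainNamingMaster   = 'dc1.example.com'
    PDCEmulator          = 'dc1.example.com'
    RIDMaster            = 'dc2.example.com'
    InfrastructureMaster = 'dc1.example.com'
}
$gcs         = @('dc1.example.com')
$domainCount = 2
# Against a live forest, replace the sample data with:
#   $f = Get-ADForest; $d = Get-ADDomain
#   $roles = @{ SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
#               PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster
#               InfrastructureMaster = $d.InfrastructureMaster }
#   $gcs = $f.GlobalCatalogs; $domainCount = $f.Domains.Count

$findings = @(Test-FsmoPlacement -Roles $roles -GlobalCatalogs $gcs -DomainCount $domainCount)
if ($findings.Count -eq 0) { 'Placement matches the recommendations.' } else { $findings }
```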

Permissions 

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

  • Schema Master: member of the Schema Admins group
  • Domain Naming Master: member of the Enterprise Admins group
  • PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
  • RID Master: member of the Domain Admins group and/or the Enterprise Admins group
  • Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group


FSMO Tools    

How do you find out which servers in your domain/forest hold which server roles?  How do you move a server role from one server to another?  There are several tools that can be used to find out this information.
One way to find out which server holds which FSMO role is to use the Netdom command-line utility.





  • Another useful command for finding the FSMO role holders is dsquery server with the -hasfsmo switch.  The arguments, which correspond to the 5 roles, are: schema, rid, name, infr and pdc.

E.g., finding the Schema Master using DSQUERY:
                           dsquery server -hasfsmo schema


  • Another tool that comes with the Support Tools is the Active Directory Replication Monitor