Understanding FSMO Roles
FSMO stands for
Flexible Single Master Operations. Therefore an FSMO Role, is a Flexible Single
Master Operations Role. There are 5 of these in Active Directory 2003, and in
this article I will explain the purpose of each one, and what it does.
Flexible
means that the roles can be swapped around, and the administrator can decide
which DC holds which role(s).
Single
means that only one DC can hold each role. This can apply to each domain, or to
the entire forest. I will go into more detail about this later.
The five roles are as follows:
PDC Emulator
- Synchronises
time over the domain, ensuring all clients have the same time - which is
required for kerberos authentication (logons) to work properly.
- Manages
password changes made in the domain
- Incorrect
logons are forwarded to the PDC before the error is shown to the user - to
check the password is in fact incorrect
- Account
lockouts are processed on the PDC emulator
- Group
policy management is always made on the PDC emulator, unless specified by
the administrator
- Emulates
the PDC (Primary Domain Controller) for NT4 clients in the domain.
Notes: There is one PDC Emulator per
domain, but the PDC Emulator for the forest root domain is authoratative for
all others in the forest.
RID Master
The RID Master is responsible
for handing out pools of RID's (Relative
ID's).
Each DC in a domain is allocated a pool of RID's, that it uses for new security
principal objects that are created such as security groups. When a DC starts to
run out of RIDs, it issues a request for more to the RID Master. There is one
RID Master per domain in the forest.s
Notes: There must only ever be ONE RID
Master in a domain. If an administrator siezes the RID Master role from to
another server because the original role holder is offline, the original role
holder must be formatted and reinstalled. This is due to the risk or
probability of having identical RIDs in a domain if more than one server holds
the role. This would render the affected objects invalid, and cause endless
problems on the domain.
Infrastructure Master
This role is most important when the
forest contains more than one domain. The Infrastructure Master is responsible
for updating an object's SID (Security ID) and DN (Distinguished Name) in a
query that references objects from another domain.
Notes: There is one Infrastructure
Master per domain.
Domain Naming Master
The Domain Nameing Master controls the
addition and removal of domains to and from the forest. It makes sure that no
two domains have the same name, and is the only Domain Controller in the entire
forest that can add or remove a domain.
Notes: There is only one Domain Naming
Master in the entire forest.
Schema Master
The Schema Master
controls all updates and modifications to the schema. Once the update has
completed it is replicated to all other Domain Controllers in the forest, but
it must be performed on the Schema Master first.
Notes:
There is only one Schema Master in the entire forest.
|
What happens when FSMO roles fails
|
|||
|
No updates to the Active
Directory schema will be possible. Since schema updates are rare (usually
done by certain applications and possibly an Administrator adding an
attribute to an object), then the malfunction of the server holding the
Schema Master role will not pose a critical problem.
|
|||
|
Domain Naming Master
|
The Domain Naming Master
must be available when adding or removing a domain from the forest (i.e.
running DCPROMO). If it is not, then the domain cannot be added or removed.
It is also needed when promoting or demoting a server to/from a Domain
Controller. Like the Schema Master, this functionality is only
used on occasion and is not critical unless you are modifying your domain or
forest structure.
|
||
|
PDC Emulator
|
The server holding the
PDC emulator role will cause the most problems if it is unavailable.
This would be most noticeable in a mixed mode domain where you are
still running NT 4 BDCs and if you are using downlevel clients (NT and
Win9x). Since the PDC emulator acts as a NT 4 PDC, then any actions that
depend on the PDC would be affected (User Manager for Domains, Server
Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator. |
||
|
RID Master
|
The RID Master provides
RIDs for security principles (users, groups, computer accounts). The failure
of this FSMO server would have little impact unless you are adding a very
large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you adding the users/groups on ran out of RIDs. |
||
|
Infrastructure Master
|
This FSMO server is only
relevant in a multi-domain environment. If you only have one domain, then the
Infrastructure Master is irrelevant. Failure of this server in a
multi-domain environment would be a problem if you are trying to add objects
from one domain to another.
|
||
|
Placing FSMO
Server Roles
|
Assuming you do have multiple domain controllers in your
domain, there are some best practices to follow for placing FSMO server roles.
Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.
The reason for this is the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross domain object changes, needs information about objects not in it's domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infratructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it contantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in it's domain.
Note: In a single domain environment this is not an issue.
- Microsoft also recommeds that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.
|
Permissions
|
Before you can transfer a role, you must have the appropriate
permissions depending on which role you plan to transfer:
|
Schema Master
|
member of the Schema
Admins group
|
|
Domain Naming Master
|
member of the Enterprise
Admins group
|
|
PDC Emulator
|
member of the Domain
Admins group and/or the Enterprise Admins group
|
|
RID Master
|
member of the Domain
Admins group and/or the Enterprise Admins group
|
|
Infrastructure Master
|
member of the Domain
Admins group and/or the Enterprise Admins group
|
|
FSMO Tools
|
How do find out what servers
in your domain/forest hold what server roles? How do you move a server
role from one server to another? There are several tools that can be used
to find out this information.
Find out what server holds what FSMO role is by using the Netdom command
line utility
- Here is another wonderful command to find the FSMO roles (Flexible Single Master Roles) -hasfsmo. The arguments, which correspond to the 5 roles are: schema, rid, name, infr and pdc.
Eg: finding the schema using DSQUERY
dsquery
server -hasfsmo schema - Another tool that comes with the Support Tools is the Active Directory Relication Monitor
