FSMO Roles – In detail

Most changes to Active Directory can be made on any domain controller and spread to the others through multi-master replication. Performing every kind of change this way is not practical, however, so certain changes are confined to a single domain controller that handles those change requests. That domain controller is called the operations master, also known as the Flexible Single Master Operations (FSMO) role holder.

Operations master roles are assigned to one or more domain controllers and are classified as forest-wide or domain-wide according to the scope of the role. Five operations master roles exist in total: the forest-wide roles must appear at least once in every forest, and the domain-wide roles at least once in every domain of the forest.

Forest-wide operations master roles

The following roles must appear at least once in every forest:

  • Schema master
  • Domain naming master

Pointers:

  • On a forest level, the roles are unique.
  • At all times, there can only be one schema master and one domain naming master.

Schema master

Any update or modification to the schema must go through the domain controller holding the schema master role. To make such updates or modifications to the schema of a forest, you must be able to reach the schema master.

There can be only one schema master in the entire forest.

Domain naming master

The domain controller holding the domain naming master role exclusively controls the addition and removal of domains in the forest.

There can be only one domain naming master in the entire forest.

  • Any domain controller running Windows Server 2003 can hold the domain naming master role.
  • A domain controller running Windows 2000 Server that holds the domain naming master role must also be enabled as a global catalog server.

Domain-wide operations master roles

The following roles must appear at least once in every domain of the forest:

  • Relative ID (RID) master
  • Primary domain controller (PDC) emulator master
  • Infrastructure master

Pointers:

  • On a domain level, the roles are unique.
  • At all times, a domain of a forest can have only one RID master, one PDC emulator master, and one infrastructure master.

RID master

The RID master allocates sequences of relative IDs to each domain controller in its domain. When a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of two parts:

  • the domain SID, which is the same for every SID created in the domain, and
  • a relative ID (RID), which is unique for each SID created in the domain.

Operations such as moving an object between domains (using Movetree.exe) must be initiated on the domain controller acting as the RID master of the domain that currently contains the object.
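
The two-part SID structure and the RID master's pool can both be inspected from PowerShell. The following is an added example, not code from the original article: Split-Sid uses the .NET SecurityIdentifier class and runs offline on the constructed sample SIDs shown; Get-RidPoolStatus assumes the ActiveDirectory module and read access to the domain, and decodes the rIDAvailablePool attribute of the RID Manager$ object (upper 32 bits: the highest RID the domain may ever issue; lower 32 bits: the next RID to be handed out), which is how RID pool consumption is normally monitored.

```powershell
# Added example (not from the original article).
# Split-Sid works offline; Get-RidPoolStatus needs the ActiveDirectory module.

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    # AccountDomainSid is $null for SIDs that are not domain-relative,
    # e.g. well-known SIDs such as S-1-5-18 (LocalSystem).
    $domainSid = $sid.AccountDomainSid
    if ($null -eq $domainSid) { throw "$SidString is not a domain SID" }
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $domainSid.Value
        # The RID is the last sub-authority of the SID.
        Rid       = [uint32]$sid.Value.Substring($sid.Value.LastIndexOf('-') + 1)
    }
}

# Constructed sample SIDs: two objects from the same domain share the domain
# SID and differ only in their RID.
$a = Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$b = Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1106'
$a, $b | Format-Table -AutoSize
if ($a.DomainSid -ne $b.DomainSid) { throw 'Expected both SIDs to belong to the same domain' }

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    # The RID master stores the pool in rIDAvailablePool on the RID Manager$ object.
    $mgr = Get-ADObject -Server $d.RIDMaster `
        -Identity ('CN=RID Manager$,CN=System,' + $d.DistinguishedName) `
        -Properties rIDAvailablePool
    $pool = [int64]$mgr.rIDAvailablePool
    $max  = [uint32]($pool -shr 32)           # highest RID that may ever be issued
    $next = [uint32]($pool -band 0xFFFFFFFF)  # next RID to be allocated
    [pscustomobject]@{
        Domain        = $d.DNSRoot
        RidMaster     = $d.RIDMaster
        NextRid       = $next
        MaxRid        = $max
        RidsRemaining = $max - $next
    }
}

# Get-RidPoolStatus            # run on a domain-joined admin workstation
```

A RidsRemaining value that shrinks unexpectedly fast points at bulk object creation (or a runaway provisioning script) and is worth alerting on, since a domain that exhausts its RID space can no longer create security principals.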

PDC emulator master

To keep the domain consistent, password changes from client computers must be replicated to all domain controllers throughout the domain. The PDC emulator double-checks incorrect passwords and reviews new password changes, which gives users a consistent password experience across sites (this behaviour can be turned off with the AvoidPdcOnWan registry parameter). The PDC emulator can also be configured to synchronize with an external time source.

The domain controller configured with the PDC emulator role supports two authentication protocols:

  • The Kerberos V5 protocol
  • The NTLM protocol
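
The two PDC emulator settings mentioned above, the external time source and AvoidPdcOnWan, can be verified from PowerShell. The following is an added example, not code from the original article: it assumes the ActiveDirectory module, WinRM access to the PDC emulator for Invoke-Command, and that AvoidPdcOnWan is read from the Netlogon Parameters key; the NTP server names in the commented configuration command are placeholders.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
"PDC emulator for $($domain.DNSRoot): $pdc"

# The PDC emulator is the one DC that should follow an external time source;
# every other machine in the domain chains its time to it. Query its source
# and sync status remotely (assumes WinRM is enabled on the PDC).
Invoke-Command -ComputerName $pdc -ScriptBlock {
    w32tm /query /source
    w32tm /query /status
}

# To point the PDC emulator at external NTP servers, run on the PDC itself
# (server names are placeholders; 0x8 marks the peer as a client-mode source):
#   w32tm /config /manualpeerlist:"ntp1.example.net,0x8 ntp2.example.net,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync

# AvoidPdcOnWan (assumed location: Netlogon Parameters key on the DC being checked).
# Absent or 0: password changes are forwarded to the PDC immediately (default).
# 1: the DC does not contact the PDC across the WAN for this purpose.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value = (Get-ItemProperty -Path $netlogon -Name AvoidPdcOnWan -ErrorAction SilentlyContinue).AvoidPdcOnWan
if ($null -eq $value) {
    'AvoidPdcOnWan not set: password changes are forwarded to the PDC (default)'
} else {
    "AvoidPdcOnWan = $value"
}
```

A PDC emulator whose time source is its own local CMOS clock is the usual cause of forest-wide Kerberos failures, since Kerberos rejects tickets once clocks drift past the allowed skew.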

Infrastructure master

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. It compares its data with that of a global catalog, which receives regular updates for objects in all domains through replication and therefore holds current data. When the infrastructure master finds data it suspects is outdated, it fetches the updated data from the global catalog and replicates it to the other domain controllers in the domain.

Pointers:

  • Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog.
  • If the infrastructure master and the global catalog are on the same domain controller, the infrastructure master will not function.
  • The infrastructure master will seldom find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
  • In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

When users or the members of a group are renamed or modified, the infrastructure master is responsible for updating the group-to-user references.

When a group member is moved or renamed, particularly if that member resides in a different domain from the group, the member temporarily does not appear in the group. The infrastructure master of the group's domain is responsible for updating the group with the member's new name or location. This prevents the loss of group memberships associated with a user account.

The infrastructure master distributes the update via multi-master replication.
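
The placement rules in the pointers above can be checked for every domain in the forest at once. The following is an added example, not code from the original article: it assumes the ActiveDirectory module and read access to the forest, and uses the IsGlobalCatalog property of Get-ADDomainController to apply the single-DC, all-DCs-are-GCs, and infrastructure-master-on-a-GC cases from the text.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain  = Get-ADDomain -Identity $domainName
        $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
        $im      = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count

        # Apply the placement rules from the article, most specific first.
        $status = if ($dcs.Count -eq 1) {
            'OK: only one DC in the domain'
        } elseif ($gcCount -eq $dcs.Count) {
            'OK: every DC is a GC, so placement does not matter'
        } elseif ($im.IsGlobalCatalog) {
            'PROBLEM: infrastructure master is a GC while other DCs are not'
        } else {
            'OK: infrastructure master is not a GC'
        }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            IsGlobalCatalog      = [bool]$im.IsGlobalCatalog
            GlobalCatalogs       = $gcCount
            DomainControllers    = $dcs.Count
            Status               = $status
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

Run this after adding or removing global catalogs, since promoting the infrastructure master's host to a GC silently disables cross-domain reference updates in that domain.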

How to find out which DC holds which FSMO roles

1 Go to the command prompt -> type netdom query fsmo -> press Enter
2 Determining the RID, PDC, and infrastructure FSMO holders of a selected domain

  • Click Start -> Run, type dsa.msc -> click OK.
  • Right-click the selected domain object in the top left pane, and click Operations Masters.
  • Click the PDC tab to view the server holding the PDC master role.
  • Click the Infrastructure tab to view the server holding the infrastructure master role.
  • Click the RID Pool tab to view the server holding the RID master role.

Determining the Schema FSMO Holder in a Forest

  • Click Start -> Run, type mmc -> click OK.

NOTE: For the Active Directory Schema snap-in to be available, you have to register the Schmmgmt.dll file. To do this, click Start -> click Run -> type regsvr32 schmmgmt.dll in the Open box -> click OK. A message is displayed stating that the registration was successful.

  • On the Console menu, click File -> Add/Remove Snap-in -> click Add -> double-click Active Directory Schema, click Close, and then click OK.
  • Right-click Active Directory Schema in the top left pane -> click Operations Masters to view the server holding the schema master role.

Determining the Domain Naming FSMO Holder in a Forest

  • Click Start -> Run, type mmc -> click OK.
  • Click File -> Add/Remove Snap-in -> click Add -> double-click Active Directory Domains and Trusts -> click Close -> click OK.
  • In the left pane, click Active Directory Domains and Trusts.
  • Right-click Active Directory Domains and Trusts, and then click Operations Master to view the server holding the domain naming master role in the forest.

3 On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server ServerName, where ServerName is the name of the server you want to use, and then press ENTER.
  • At the server connections: prompt, type q, and then press ENTER.
  • At the fsmo maintenance: prompt, type select operation target, and then press ENTER.
  • At the select operation target: prompt, type list roles for connected server, and then press ENTER.
  • Type q three times to exit the Ntdsutil prompt.
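
The three procedures above each show one tool's view of the role holders. The following is an added example, not code from the original article, that produces the same information for every domain in the forest with the ActiveDirectory module (assumed installed, with read access to the forest) and then cross-checks it from the domain controllers' side and with netdom.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    # Forest-wide roles: exactly one of each in the whole forest.
    [pscustomobject]@{ Scope = 'Forest'; Name = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Name = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: one of each in every domain of the forest.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = 'Domain'; Name = $name; Role = $role; Holder = $d.$role }
        }
    }
}

Get-FsmoRoleHolders | Format-Table -AutoSize

# The same facts seen from the DC side: each DC reports the roles it holds.
Get-ADDomainController -Filter * |
    Where-Object { $_.OperationMasterRoles.Count -gt 0 } |
    Select-Object HostName, Domain, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize

# Classic command-line cross-check for the current domain (method 1 above).
netdom query fsmo
```

Keeping the output of Get-FsmoRoleHolders in change control and diffing it on a schedule is a cheap way to notice an unplanned role seizure, which is otherwise easy to miss.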
