Wednesday, 8 February 2012

Active Directory : Understanding FSMO Roles.

Flexible Single Master Operations (FSMO) is a feature of Microsoft’s Active Directory (AD).
FSMOs are specialized domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication, and are viable only with a single-master database, are the FSMOs.
The FSMO roles are also called Single Master Operations or Operations Master, FSMO is sometimes pronounced as “fizmo”.
What is the need of FSMO roles?
Active directory is multi master replication model. Meaning clients can register their records to any available Active directory domain controller and have access to resources within active directory NTDS.DIT database.
The purpose of having FSMO roles is being cause by Multi master replication model. In this model there has to be a way of preventing the conflict being happened, such as firing up adsiedit.msc and adding to the same object from different locations, which one would win? The NTDS.DIT DataBase would get confuse, Therefore we needed to have schema master so that regardless where you make the changes within the Domain changes gets okay from Schema Master first than, schema master replicates these changes to all other Domain controllers. This is the primary purpose why Microsoft comes up with FSMO roles (Operations Masters)
Knowing these FSMO roles and understanding them is Curtail for any Windows server administrator who is dealing with Active Directory and Exchange server.
The Five FSMO Roles
There are just five operations where the usual multiple master model breaks down, and the Active Directory task must only be carried out on one Domain Controller. FSMO roles:
1. PDC Emulator
Most famous for backwards compatibility with NT 4.0 BDC’s. However, there are two other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.
2. RID Master
Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 – 9999.
3. Infrastructure Master
Responsible for checking objects in other other domains. Universal group membership is the most important example. To me, it seems as though the operating system is paranoid that, a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure master could not check your Universal Groups there could be a security breach.
4. Domain Naming Master
Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity. My point is it’s worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
5. Schema Master
Operations that involve expanding user properties e.g. Exchange 2003 / forestprep which adds mailbox properties to users. Rather like the Domain naming master, changing the schema is a rare event. However if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest. So its a case of Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role.
Note: There is a also an important Global Catalog Role, however it’s not a FSMO role as you can have more than one Global Catalog.
FSMO Role Deployment
Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC emulators, 3 RID master and 3 Infrastructure Master, but only 1 Schema Master and Domain naming master.
Which DC is holding FSMO role?
By default, the first domain controller of the domain will be holding all the five operations master roles of the forest. But we can transfer the roles for the load balancing and for the better distribution of Active Directory replication.
We can transfer the Operations Master roles using Graphical interface or Command line interface, which I will discuss in another article.
Here I will tell you how we can identify which AD Domain controller.
RID, PDC, Infrastructure (1. 2. and 3.)
You can discover which server holds the Operation Master by opening Active Directory Users and Computers, Right click your Domain and select Properties, Operations Masters.
Domain Naming Master (4.)
To see the Domain Naming Master (4.), navigate to the little used, Active Directory Domains and Trusts, Right click your Domain and select Properties, Operations Masters.
Schema Master (5.)
The Schema Master (5.) is the most difficult FSMO to find. The reason is the Schema snap-in is hidden by default. Perhaps is this is Microsoft saying – don’t mess with the object definitions. However, you can reveal the Schema and its FSMO settings thus:
1) Register the Schema Snap with this command, RUN regsvr32 schmmgmt.dll
2) Run MMC, File menu, Add\Remove Snap-in, click the Add button and select,
Active Directory Schema
3) Select Active Directory Schema, Right Click, Operations Master.


Unknown said...

Thanks for the amazing article. My two cents about FSMO Roles and steps to transfer FSMO Roles.

Post a Comment