Ace here again. I’ve updated this blog to just clean it up a bit, but as for the technical information about FSMOs, not much as changed. If you see anything that you feel is inaccurate, by all means please contact me.
This blog contains some quoted material from the Microsoft Official Curriculum (MOC) 6425B Course
In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion.
Active Directory is no exception. A limited number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:
• Operations masters • Operations master roles • Single master roles • Operations tokens • Flexible single master operations (FSMOs)
Regardless of the term used, the idea is the same. One domain controller performs a function, and while it does, no other domain controller performs that function.
All Active Directory domain controllers are capable of performing single master operations. The domain controller that actually performs a single master operation is the domain controller that currently holds the operation’s token, or the “role holder.”.
An operation token, and thus the role, can be transferred easily to another domain controller without a reboot.
To reduce the risk of single points of failure, the operations tokens can be distributed among multiple DCs.
AD DS contains five operations master roles. Two roles are performed for the entire forest, and two roles are performed by three roles for each domain.
Forest Roles (two roles):
Domain Roles (three roles):
Relative identifier (RID)
In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain master roles are implemented separately in each of the two domains.
Forest-Wide Operations Master Roles
The schema master and the domain naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.
Domain Naming Master Role:
The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must beaccessible, or the operation will fail.
Schema Master Role:
The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.
Domain-Wide Operations Master Roles
Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator. Each role is performed by only one domain controller in the domain.
RID Master Role
The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts, and therefore, SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by assigning a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Thus, each domain controller can be confident that the SIDs it generates are unique.
The RID master role is like DHCP for SIDs. If you are familiar with the concept that you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.
Infrastructure Master Role
In a multidomain environment, it’s common for an object to reference objects in other domains. For example, a group can include members from another domain.
Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the group’s member attribute accordingly.
Note: The infrastructure master. You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.
Also note: This role only pertains in a multi-domain forest. The infrastructure master if running on the same DC as a GC, will conflict and cause the infrastructure master role to fail its intended purpose. One way to eliminate any issues with the Infrastructure Master Role & GC conflict is to simply make all DCs a GC. More info on this can be found in the following link:
The PDC Emulator role performs multiple, crucial functions for a domain:
• Emulates a Primary Domain Controller (PDC) for backward compatibilityIn the days of Windows NT® 4.0 domains, only the PDC could make changes to the directory. Previous tools, utilities, and clients written to support Windows NT 4.0 are unaware that all Active Directory domain controllers can write to the directory, so such tools request a connection to the PDC. The domain controller with the PDC emulator role registers itself as a PDC so that down-level applications can locate a writable domain controller. Such applications are less common now that Active Directory is nearly 10 years old, and if your enterprise includes such applications, work to upgrade them for full Active Directory compatibility.
• Participates in special password update handling for the domainWhen a user’s password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible. If a user attempts to log on immediately after changing passwords, the domain controller responding to the user’s logon request might not know about the new password. Before it rejects the logon attempt, that domain controller forwards the authentication request to a PDC emulator, which verifies that the new password is correct and instructs the domain controller to accept the logon request. This function means that any time a user enters an incorrect password, the authentication is forwarded to the PDC emulator for a second opinion. The PDC emulator, therefore, should be highly accessible to all clients in the domain. It should be a well-connected, high-performance DC.
• Manages Group Policy updates within a domainIf a Group Policy object (GPO) is modified on two DCs at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC emulator acts as the focal point for all Group Policy changes. When you open a GPO in the Group Policy Management Editor (GPME), the GPME binds to the domain controller performing the PDC emulator role. Therefore, all changes to GPOs are made on the PDC emulator by default.
• Provides a master time source for the domainActive Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Win32Time service, ensures consistency of time. Universal Coordinated Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer.
Note: Change the time service only one way. It is highly recommended to allow Windows to maintain its native, default time synchronization mechanisms. The only change you should make is to configure the PDC emulator of the forest root domain to synchronize with an extra time source. If you do not specify a time source for the PDC emulator, the System event log will contain errors reminding you to do so. See the following link and the articles it refers to, for more information.
• Acts as the domain master browserWhen you open Network in Windows, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. These two lists, called browse lists, are created by the Browser service. In each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists of each master browser so that browse clients can retrieve a comprehensive browse list.
What happens when a FSMO Role Fails
PDC Emulator failure
The PDC Emulator is the operations master that will have the most immediate impact on normal operations and on users if it becomes unavailable. Fortunately, the PDC Emulator role can be seized to another domain controller and then transferred back to the original role holder when the system comes back online.
Infrastructure master failure
A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.
RID master failure
A failed RID master will eventually prevent domain controllers from creating new SIDs and, therefore, will prevent you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.
Schema master failure
The schema master role is necessary only when schema modifications are being made, either directly by an administrator or by installing an Active Directory integrated application that changes the schema. At other times, the role is not necessary. It can remain offline indefinitely until schema changes are necessary. Seizing this role to another domain controller is a significant action. After the schema master role has been seized, the domain controller that had been performing the role cannot be brought back online.
Domain naming master failure
The domain naming master role is necessary only when you add a domain to the forest or remove a domain from a forest. Until such changes are required to your domain infrastructure, the domain naming master role can remain offline for an indefinite period of time. Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role cannot be brought back online.
Recovering from FSMO Role Failures
There are a number of steps that must be performed if any of the FSMO roles fail, and keep in mind, it’s not just based on the FSMO role failure itself, rather you must also take into account the DC, too, because it usually means the DC itself has failed, therefore the DC failure must be addressed.
If a DC fails, then you must address the DC failure as a whole, and not just the FSMO roles. This is because the DC’s account is referenced in the AD database by other DCs, and it expects it to be there to contribute and work with replication, among other AD functions. Therefore you must clean out the DC’s reference from the AD database, which also includes seizing the roles it held to other DCs.
This also includes the services a specific FSMO role held, such as the Time Service. This service runs on the PDC Emulator and must be moved to the new PDC Emulator you are seizing the role to.
For more information, with a complete and specific step by step, including any services the DC held which was FSMO role specific, please see the following article for more information:
Windows Server Monitoring and Windows Event Log Management SoftwareDevelopers of Windows administration tools that monitor in real-time system performance, security logs, and event logs, and send automated, user-defined … http://www.tntsoftware.com/