What are FSMO Roles?

There are changes, which could be performed across domain controllers in Active Directory by means of ‘multi-master replication’. However, performing all changes this way may not be practical, and so it must be refined under one domain controller that maneuvers such change requests intelligently. And that domain controller is dubbed as Operations Master, sometimes known as Flexible Single Master Operations (FSMO).

 

There are five FSMO roles:

 

 

PDC emulator : Allows Windows Server to act as a Windows NT primary domain controller (PDC), and it provides replication support for Windows NT-based backup domain controllers (BDCs).

Infrastructure master : Responsible for updating the group-to-user references whenever the members of groups change or receive new names.

Relative ID (RID) master :Ensures that every object created has a unique identification number.

Schema master : Responsible for maintaining and modifying the Active Directory schema.

Domain naming master : Responsible for the addition and deletion of domains in a forest.

The FSMO stands for Flexible Single Master Operations.

orest Roles (two roles):

• Domain naming
• Schema

Domain Roles (three roles):

• Relative identifier (RID)
• Infrastructure
• PDC Emulator

The FSMO stands for Flexible Single Master Operations also known as the operations master roles help you prevent conflicts in the Active Directory.

Or it can be also

FSMO is a specialized domain controller (DC) set of tasks, used where standard data transfer and update methods are inadequate.

Certain FSMO roles depend on the DC being a Global Catalog (GC) server as well.

AD DS contains five operations master roles. Two roles are performed for theentire forest, and two roles are performed by three roles for each domain.

Forest Roles (two roles):

• Domain naming
• Schema

Domain Roles (three roles):

• Relative identifier (RID)
• Infrastructure
• PDC Emulator

 

domain naming Master, Scheme Master, Infrastructure Master, RID Master, PDC Emulator.

There are five FSMO roles, two per forest, three in every Domain.

1.       Schema Master

2.       Domain Naming Master

3.       PDC emulator

4.       RID Master

5.       Infrastructure master

FSMO roles are basically a set of servicies that only certain domain controller can perform at domain and forest level. For example, maintaining domains information in forst, managing schema changes, time synchronization, generating RID etc special functions that only certain domain controller can perform. These special domain controllers are called FSMO owners. There are5 FSMO Roles

5 FSMO Roles are (Flexible Single Master Operations)

1.       Schema Master

2.       Domain Naming Master

3.       PDC emulator

4.       RID Master

5.       Infrastructure master

Basically these roles can be assigned to individual servers for the balancing as each and every role has its own task. Hence instead of keeping all those roles with single server which leads to high load, traffic .It always better to keep it aside on different servers.

 @  Schema Master and Domain Naming Master are “Forest wide Master Operations”

 @  PDC emulator, RID master and Infrastructure master are “Domain wide Master operation”

 Five operations master roles manage single-master operations in AD DS.

Two operations master roles exist in each forest:

• The schema master, which governs all changes to the schema.
• The domain naming master, which adds and removes domains to and from the forest.

In addition to the two forestwide operations master roles, three operations master roles exist in each domain:

• The primary domain controller (PDC) emulator. The PDC emulator processes all replication requests from Microsoft Windows NT 4.0 backup domain controllers and processes all password updates for clients that are not running Active Directory–enabled client software.
• The relative identifier (RID) master. The RID master allocates RIDs to all domain controllers to ensure that all security principals have a unique identifier.
• The infrastructure master. The infrastructure master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain

Active Directory has five special roles which are vital for the smooth running of AD as a multimaster system. Some functions of AD require there is an authoritative master to which all Domain Controllers can refer to. These roles are installed automatically and there is normally very little reason to move them, however if you de-commission a DC and DCPROMO fails to run correctly or have a catastrophic failure of a DC you will need to know about these roles to recover or transfer them to another DC.The forest wide roles must appear once per forest, the domain wide roles must appear once per domain.There are five FSMO roles, two per forest, three in every Domain. A brief summary of the role is below.Forest Wide Roles:Schema MasterThe schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.Domain NamingWhen a new Domain is added to a forest the name must be unique within the forest. The Domain naming master must be available when adding or removing a Domain in a forest.Domain Wide Roles:Relative ID (RID) MasterAllocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in the domain) and a RID which is unique to the Domain.PDC EmulatorThe PDC emulator acts as a Windows NT PDC for backwards compatibility, it can process updates to a BDC.It is also responsible for time synchronising within a domain.It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password the logon request is passed to the PDC emulator to check the password before rejecting the login request.Infrastructure MasterThe infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalogue is used to compare data as it receives regular updates for all objects in all domains.Any change to user-group references are updated by the infrastructure master. For example if you rename or move a group member and the member is in a different domain from the group the group will temporarily appear not to contain that member

 

Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows incorporates methods to prevent conflicting Active Directory updates from occurring.

Single-Master Model

To prevent conflicting updates in Windows, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 3.51 and 4.0), in which the PDC is responsible for processing all updates in a given domain. Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role. Currently in Windows there are five FSMO roles: 

• Schema master
• Domain naming master
• RID master
• PDC emulator
• Infrastructure master

Schema Master FSMO Role

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

Domain Naming Master FSMO Role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

RID Master FSMO Role

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows domain, the PDC emulator role holder retains the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment. The following information describes the changes that occur during the upgrade process:

• Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
• Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.
• Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.

Infrastructure FSMO Role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.When the Recycle Bin optional feature is enabled, every DC is responsible to update its cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.

Flexible Single Master Operation Roles (FSMO) Active Directory has five specialroles which are vital for the smooth running of AD as a multimaster system. Some functions of AD require there is an authoritative master to which all Domain Controllers can refer to

There are five FSMO roles, two per forest, three in every Domain

FSMO is a specialized domain controller (DC) set of tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication.