https://9to5it.com/active-directory-fsmo-roles/
Active Directory FSMO Roles
First off, a quick intro into how Active Directory works:
Active Directory is a multi-master operations enabled database. In other words, it accepts changes from multiple domain controllers (masters) at the same time. Because of some well developed algorithms conflicts are usually avoided, however there are some instances in where multi-master operations simply wouldn’t work properly and hence there are a few “single-master operations” (FSMO) roles.
FSMO = Flexible Single Master Operations.
The Active Directory FSMO roles are a number of roles or tasks which are required to be run in a single-master operations mode within an Active Directory environment (forest & domain). These tasks run on a specific domain controller, however they can be split so that certain roles run on different DCs (and this is best practise).
There are 5 different types of FSMO roles and each of them are explained below. Some of them are required per domain and some are required per forest.
Forest Based Roles
There are 2 roles which are required per Microsoft Windows Forest. These are:
Schema Master
As the name suggest, this role is used to replicate the schema between all domain controllers within the forest. Because of this, this role is found within the root domain of the forest only – and therefore there is only one per forest.
Domain Naming Master
This role also resides within the root domain of the forest (and there can only be one of them). Its job is to process all changes to the directory namespace. In other words the addition or removal of child domains within the forest. It also takes care of any additions or removals of cross references to domains within other forests (e.g. domain or forest trusts).
Domain Based Roles
There are 3 roles which are required within each domain. These are:
Relative ID Master
This is a really important role, as it manages the Relative ID (RID) pool for the domain. A RID is used every time a security principal object is created within the Active Directory domain (e.g. a user, group, computer, etc). Each security principal object within the domain has its own unique Security Identifier (SID), which is made of the domain’s SID + a unique RID from the domain controller’s assigned pool.
When a domain controller’s unused RID pool is running low, it contacts the Relative ID Master to get some more. The Relative ID Master then allocates more to the domain controller from the domain’s unallocated RID pool – which is manage and maintained by the Relative ID Master. Therefore there can only be one of these per domain.
Infrastructure Master
Used to handle all cross domain object references (i.e. when an object in Domain A is referenced by another object in Domain B). A common example of this would be if you add a user in Domain A to a security group within Domain B. There can only be one of these per domain.
When the AD Recycle Bin feature is not enabled, the Infrastructure FSMO role owner is the DC responsible for updating a cross-domain object reference in the event that the referenced object is moved, renamed, or deleted. In this case, the Infrastructure Master role should be held by a domain controller that is not a Global Catalog server. If the Infrastructure Master runs on a Global Catalog server, it will not update object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.
When the AD Recycle Bin feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.
For more information about the Global Catalog, see this article >> The Active Directory Global Catalog Server.
PDC Emulator
The PDC Emulator is the “worker” of all the Active Directory FSMO roles, as it does the most work by far. There can only be one of these per domain. The PDC Emulator performs the following functions:
- Time syncronisation for all computers within the domain. This is very important as time syncronisation is required by the Kerberos authentication protocol.
- Password changes performed by other domain controllers in the domain are replicated preferentially to the PDC Emulator.
- If a logon authentication fails at a given DC in the domain due to a bad password, the DC will forward the authentication request to the PDC Emulator to validate the request against the most current password. If the PDC Emulator reports an invalid password to the DC, the DC will send back a bad password failure message to the user.
- Account lockouts are processed on the PDC Emulator.
- Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
- Emulates the functions of a Windows NT 4.0 PDC in a mixed mode environment where NT 4.0 BDCs still exist (not that this would be very common anymore).
Considerations for placement of FSMO Roles
When deciding where and how to place each of the FSMO roles, take into consideration these recommendations:
- The Schema Master should be placed on the PDC of the forest root domain
- The Domain Naming master should be placed on the PDC of the forest root domain
- Place your PDC on your best hardware and in a location that contains replica Domain Controllers within the same AD site and domain
- Place the RID master on the domain PDC
- In a multi-domain forest, place the Infrastructure Master on a non-global catalog domain controller. If every domain controller is a global catalog, then there is no work for the Infrastructure Master so you can place it anywhere
- In a single-domain forest, there is no work for the Infrastructure Master so therefore it can be placed on any domain controller
For more information regarding best practises for the placement of the Active Directory FSMO roles, see Microsoft KB223346.
Transferring Active Directory FSMO Roles
If you want to know how to move one or all of the AD FSMO roles between domain controllers, then check out my Transferring Active Directory FSMO Roles article.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.